Regulon — IL-SB-2203 · IL SB 2203 (Preventing Algorithmic Discrimination Act)

2025-02-07 introduced Filed with Secretary by Sen. Graciela Guzmán

2025-02-07 introduced First Reading

2025-02-07 committee referral Referred to Assignments

2025-03-12 committee referral Assigned to Executive

2025-03-19 To AI and Social Media

2025-03-21 Rule 2-10 Committee Deadline Established As April 11, 2025 Rule 2-10 Committee Deadline Established As April 11, 2025

2025-04-11 committee referral Rule 3-9(a) / Re-referred to Assignments

Summary

Creates the Preventing Algorithmic Discrimination Act, imposing obligations on deployers of automated decision tools used to make consequential decisions in employment, education, housing, healthcare, financial services, criminal justice, and other high-stakes domains. Deployers must perform annual impact assessments (beginning January 1, 2027) analyzing risks of algorithmic discrimination across protected characteristics and submit those assessments to the Attorney General within 60 days of completion. Deployers must notify individuals before a consequential decision is made using an automated decision tool and, when the decision is made solely by the tool, accommodate requests for an alternative process if technically feasible. Deployers must establish a governance program with administrative and technical safeguards and designate a responsible employee. A private right of action for algorithmic discrimination claims is available beginning January 1, 2028, requiring proof of actual harm. Small deployers (fewer than 25 employees, unless the tool impacts more than 999 people per year) are exempt from the impact assessment and governance program requirements.

Enforcement & Penalties

Enforcement Authority

Attorney General enforcement through the Consumer Fraud and Deceptive Business Practices Act (815 ILCS 505). All remedies, penalties, and authority granted to the Attorney General under that Act are available for enforcement. For violations of the impact assessment submission requirement (Section 35), the Attorney General may bring an administrative enforcement action. Private right of action available only for algorithmic discrimination claims under Section 30(b), beginning January 1, 2028; plaintiff must demonstrate actual harm caused by the deployer's use of the automated decision tool.

Penalties

For algorithmic discrimination claims (Section 30): compensatory damages, declaratory relief, and reasonable attorney's fees and costs. Plaintiff must prove actual harm. For failure to submit impact assessments (Section 35): administrative fine of up to $10,000 per violation, with each day of non-submission constituting a distinct violation. For all other violations: remedies and penalties available under the Consumer Fraud and Deceptive Business Practices Act (815 ILCS 505), including civil penalties of up to $50,000 per violation.

Who Is Covered

"Deployer" means a person, partnership, State or local government agency, or corporation that uses an automated decision tool to make a consequential decision.

What Is Covered

"Automated decision tool" means a system or service that uses artificial intelligence and has been specifically developed and marketed to, or specifically modified to, make, or be a controlling factor in making, consequential decisions.

Compliance Obligations 7 obligations · click obligation ID to open requirement page

H-02 Non-Discrimination & Bias Assessment · H-02.3 H-02.4 H-02.10 · Deployer · Automated Decisionmaking

Sections 10(a)-(c) and 35(a)-(c)

Plain Language

Deployers must conduct a comprehensive impact assessment for each automated decision tool they use, initially by January 1, 2027, and annually thereafter. The assessment must cover the tool's purpose, outputs, data types collected, analysis of potential adverse impacts across protected characteristics, safeguards for algorithmic discrimination risks, human oversight and monitoring arrangements, and validity evaluation. A new impact assessment must also be performed as soon as feasible whenever a significant update occurs — meaning changes to the tool's use case, key functionality, or expected outcomes. Within 60 days of completing each assessment, the deployer must submit it to the Attorney General. Knowing failure to submit triggers administrative fines of up to $10,000 per violation, with each day of non-submission counting as a separate violation. Deployers with fewer than 25 employees are exempt unless their tool impacted more than 999 people in the prior year.

Statutory Text

(a) On or before January 1, 2027, and annually thereafter, a deployer of an automated decision tool shall perform an impact assessment for any automated decision tool the deployer uses that includes all of the following: (1) a statement of the purpose of the automated decision tool and its intended benefits, uses, and deployment contexts; (2) a description of the automated decision tool's outputs and how they are used to make, or be a controlling factor in making, a consequential decision; (3) a summary of the type of data collected from natural persons and processed by the automated decision tool when it is used to make, or be a controlling factor in making, a consequential decision; (4) an analysis of potential adverse impacts on the basis of sex, race, color, ethnicity, religion, age, national origin, limited English proficiency, disability, veteran status, or genetic information from the deployer's use of the automated decision tool; (5) a description of the safeguards implemented, or that will be implemented, by the deployer to address any reasonably foreseeable risks of algorithmic discrimination arising from the use of the automated decision tool known to the deployer at the time of the impact assessment; (6) a description of how the automated decision tool will be used by a natural person, or monitored when it is used, to make, or be a controlling factor in making, a consequential decision; and (7) a description of how the automated decision tool has been or will be evaluated for validity or relevance. (b) A deployer shall, in addition to the impact assessment required by subsection (a), perform, as soon as feasible, an impact assessment with respect to any significant update. (c) This Section does not apply to a deployer with fewer than 25 employees unless, as of the end of the prior calendar year, the deployer deployed an automated decision tool that impacted more than 999 people per year. Section 35. Impact assessment. (a) Within 60 days after completing an impact assessment required by this Act, a deployer shall provide the impact assessment to the Attorney General. (b) A deployer who knowingly violates this Section shall be liable for an administrative fine of not more than $10,000 per violation in an administrative enforcement action brought by the Attorney General. Each day on which an automated decision tool is used for which an impact assessment has not been submitted as required under this Section shall give rise to a distinct violation of this Section. (c) The Attorney General may share impact assessments with other State entities as appropriate.

H-01 Human Oversight of Automated Decisions · H-01.3 · Deployer · Automated Decisionmaking

Section 15(a)

Plain Language

Before or at the time an automated decision tool is used to make a consequential decision, the deployer must notify the affected individual that an automated tool is involved. The notification must include the tool's purpose, deployer contact information, and a plain-language description of the tool covering both its human and automated components and how the automated component informs the decision. This is a pre-decision or contemporaneous notice requirement — it cannot be satisfied after the decision has been made. The range of covered consequential decisions is very broad, spanning employment, education, housing, utilities, healthcare, financial services, criminal justice, legal services, voting, and access to benefits.

Statutory Text

(a) A deployer shall, at or before the time an automated decision tool is used to make a consequential decision, notify any natural person who is the subject of the consequential decision that an automated decision tool is being used to make, or be a controlling factor in making, the consequential decision. A deployer shall provide to a natural person notified under this subsection all of the following: (1) a statement of the purpose of the automated decision tool; (2) the contact information for the deployer; and (3) a plain language description of the automated decision tool that includes a description of any human components and how any automated component is used to inform a consequential decision.

H-01 Human Oversight of Automated Decisions · H-01.4 · Deployer · Automated Decisionmaking

Section 15(b)

Plain Language

When a consequential decision is made solely by an automated decision tool (with no human component in the final decision), the deployer must accommodate a request from the affected individual to opt out of the automated tool and instead be subject to an alternative process — but only if technically feasible. The deployer may ask the individual for identifying information to process the request, and if the individual does not provide it, the deployer has no obligation to provide an alternative. This right applies only when the decision is made solely by the tool; if there is meaningful human involvement in the decision, this opt-out provision does not apply.

Statutory Text

(b) If a consequential decision is made solely based on the output of an automated decision tool, a deployer shall, if technically feasible, accommodate a natural person's request to not be subject to the automated decision tool and to be subject to an alternative selection process or accommodation. After a request is made under this subsection, a deployer may reasonably request, collect, and process information from a natural person for the purposes of identifying the person and the associated consequential decision. If the person does not provide that information, the deployer shall not be obligated to provide an alternative selection process or accommodation.

G-01 AI Governance Program & Documentation · G-01.1 G-01.2 G-01.3 G-01.6 · Deployer · Automated Decisionmaking

Section 20(a)-(d)

Plain Language

Deployers must establish, document, implement, and maintain a governance program with reasonable administrative and technical safeguards to manage algorithmic discrimination risks. The program's safeguards must be proportionate to the tool's use, the deployer's size and resources, and the technical feasibility and cost of available risk management tools. The program must be designed to identify and implement discrimination safeguards, integrate impact assessment processes, conduct annual compliance reviews, retain impact assessment results for at least two years, and make reasonable adjustments in response to material changes in technology, risk profile, standards, or business operations. Deployers must designate at least one employee responsible for overseeing the governance program, who has authority to raise compliance concerns and whose employer must promptly and fully assess any issue raised. Small deployers (fewer than 25 employees, unless the tool impacts more than 999 people per year) are exempt.

Statutory Text

(a) A deployer shall establish, document, implement, and maintain a governance program that contains reasonable administrative and technical safeguards to map, measure, manage, and govern the reasonably foreseeable risks of algorithmic discrimination associated with the use or intended use of an automated decision tool. The safeguards required by this subsection shall be appropriate to all of the following: (1) the use or intended use of the automated decision tool; (2) the deployer's role as a deployer; (3) the size, complexity, and resources of the deployer; (4) the nature, context, and scope of the activities of the deployer in connection with the automated decision tool; and (5) the technical feasibility and cost of available tools, assessments, and other means used by a deployer to map, measure, manage, and govern the risks associated with an automated decision tool. (b) The governance program required by this Section shall be designed to do all of the following: (1) identify and implement safeguards to address reasonably foreseeable risks of algorithmic discrimination resulting from the use or intended use of an automated decision tool; (2) if established by a deployer, provide for the performance of impact assessments as required by Section 10; (3) conduct an annual and comprehensive review of policies, practices, and procedures to ensure compliance with this Act; (4) maintain for 2 years after completion the results of an impact assessment; and (5) evaluate and make reasonable adjustments to administrative and technical safeguards in light of material changes in technology, the risks associated with the automated decision tool, the state of technical standards, and changes in business arrangements or operations of the deployer. (c) A deployer shall designate at least one employee to be responsible for overseeing and maintaining the governance program and compliance with this Act. An employee designated under this subsection shall have the authority to assert to the employee's employer a good faith belief that the design, production, or use of an automated decision tool fails to comply with the requirements of this Act. An employer of an employee designated under this subsection shall conduct a prompt and complete assessment of any compliance issue raised by that employee. (d) This Section does not apply to a deployer with fewer than 25 employees unless, as of the end of the prior calendar year, the deployer deployed an automated decision tool that impacted more than 999 people per year.

G-02 Public Transparency & Documentation · G-02.4 · Deployer · Automated Decisionmaking

Section 25

Plain Language

Deployers must publish a publicly accessible, clear policy summarizing (1) the types of automated decision tools they currently use or make available and (2) how they manage the foreseeable risks of algorithmic discrimination associated with those tools. This is a standing public disclosure obligation — the policy must be maintained and kept current as the deployer's tool inventory and risk management practices change. Unlike the impact assessment submission to the Attorney General, this disclosure is directed at the public.

Statutory Text

A deployer shall make publicly available, in a readily accessible manner, a clear policy that provides a summary of both of the following: (1) the types of automated decision tools currently in use or made available to others by the deployer; and (2) how the deployer manages the reasonably foreseeable risks of algorithmic discrimination that may arise from the use of the automated decision tools it currently uses or makes available to others.

H-02 Non-Discrimination & Bias Assessment · Deployer · Automated Decisionmaking

Section 30(a)-(c)

Plain Language

Deployers are categorically prohibited from using an automated decision tool that results in algorithmic discrimination — unjustified differential treatment or adverse impacts based on protected characteristics. Beginning January 1, 2028, individuals harmed by algorithmic discrimination may bring a private civil action for compensatory damages, declaratory relief, and reasonable attorney's fees and costs. The plaintiff bears the burden of proving that the deployer's use of the tool resulted in algorithmic discrimination causing actual harm. Two carve-outs apply: self-testing to identify or prevent discrimination, and use to expand applicant pools for diversity or to redress historical discrimination. Private clubs exempt under the Civil Rights Act of 1964 are also excluded.

Statutory Text

(a) A deployer shall not use an automated decision tool that results in algorithmic discrimination. (b) On and after January 1, 2028, a person may bring a civil action against a deployer for violation of this Section. In an action brought under this subsection, the plaintiff shall have the burden of proof to demonstrate that the deployer's use of the automated decision tool resulted in algorithmic discrimination that caused actual harm to the person bringing the civil action. (c) In addition to any other remedy at law, a deployer that violates this Section shall be liable to a prevailing plaintiff for any of the following: (1) compensatory damages; (2) declaratory relief; and (3) reasonable attorney's fees and costs.

Other · Automated Decisionmaking

Section 40; 815 ILCS 505/2HHHH

Plain Language

Violations of the Preventing Algorithmic Discrimination Act are per se unlawful practices under Illinois' Consumer Fraud and Deceptive Business Practices Act (815 ILCS 505). This gives the Attorney General access to the full range of remedies, penalties, and investigative authority available under the CFDBPA — including civil penalties, injunctive relief, and investigative subpoenas — without the need to independently prove that the conduct constitutes an unfair or deceptive practice. This is an enforcement hook, not a new compliance obligation.

Statutory Text

A violation of this Act constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act. All remedies, penalties, and authority granted to the Attorney General by the Consumer Fraud and Deceptive Business Practices Act shall be available to him or her for the enforcement of this Act. Sec. 2HHHH. Violations of the Preventing Algorithmic Discrimination Act. A person who violates the Preventing Algorithmic Discrimination Act commits an unlawful practice within the meaning of this Act.