Creates the Illinois Consumer Data Privacy Act. Applies to legal entities that conduct business in Illinois or produce products or services that are targeted to Illinois residents and that satisfy one or more of the following thresholds: during a calendar year, controls or processes personal data of 100,000 consumers or more, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or derives over 25% of gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more. "Personal data" means any information that is linked or reasonably linkable to an identified or identifiable natural person but does not include deidentified data or publicly available information. Requires a controller who, alone or jointly with others, to consider the purposes and means of the processing of personal data in protecting the security of consumers while processing personal data and in notifying consumers of a breach of the security of the system. Authorizes rights to consumers under the Act to include, but not be limited to, the right to access their personal data, obtain a list of third parties to whom their data has been disclosed, request corrections to inaccurate data, and question the profiling of their information. Creates an appeal process for a consumer to gather more information on the actions of a covered entity. Exempts the State, a political subdivision of the State, and units of local government, a federally recognized Indian tribe, nonprofits established to prevent insurance fraud, and data already covered by federal law. Authorizes the Attorney General to enforce the Act. Makes definitions. Makes other changes. Limits the concurrent exercise of home rule powers. Contains a severability provision.