Illinois has had several narrow privacy laws in place for over a decade, and it was a trendsetter in biometric privacy, passing the first biometric privacy law back in 2009.
In 2023, Illinois lawmakers are in the midst of processing a flurry of bills seeking to amend the existing Illinois BIPA law, as well as introduce new privacy laws like the Right to Know Act and a consumer privacy act.
In the next two sections, we’ll discuss existing Illinois privacy-related legislation.
Illinois Personal Information Protection Act
The Illinois Personal Information Protection Act (PIPA) is a state law in Illinois that governs data breach notifications and sets requirements for the protection of personal information. PIPA was created to protect the people of Illinois from mismanagement, abuse, or exploitation of their personal information. Companies and other organizations that gather, manage, or store non-public personal information are subject to a number of regulations imposed by the act. PIPA specifies what actions companies must take in the case of a security breach.
With PIPA's enactment in 2006, Illinois became only the second state in the country to respond to major security breaches with legislation.
Key Points About PIPA:
- Data Breach Notification: PIPA requires businesses and government entities that experience a data breach involving personal information to notify affected individuals.
- Notification Requirements: The law specifies the timing and content of the breach notifications. Businesses are required to provide notice to affected individuals “in the most expedient time possible and without unreasonable delay” following the discovery of a data breach. The notification should include information about the breach, the type of information exposed, and any steps individuals can take to protect themselves.
- Attorney General Notification: PIPA mandates that businesses notify the Illinois Attorney General’s office if a data breach affects more than 500 Illinois residents. The notice must include details about the breach, the number of affected individuals, and the steps taken or planned to address the incident.
- Definition of Personal Information: PIPA defines personal information broadly and includes elements such as social security numbers, driver’s license numbers, financial account information, and more.
- Reasonable Security Measures: PIPA requires businesses that handle personal information to implement and maintain reasonable security measures to protect that information from unauthorized access, disclosure, or acquisition. The law does not provide specific technical requirements but expects organizations to follow industry standards and best practices.
- Exception for Encrypted Data: PIPA offers an exception from the breach notification requirement if the personal information that was breached was encrypted in a manner that renders it unreadable or unusable.
- Enforcement and Penalties: PIPA empowers the Illinois Attorney General to enforce compliance with the law’s data disposal provisions. If a business fails to comply, the Attorney General may seek injunctive relief, civil penalties, and attorney’s fees.
- Private Right of Action: In addition to enforcement by the Illinois Attorney General, PIPA grants a private right of action to individuals whose personal information is compromised due to a business’s failure to comply with the law. Individuals may seek damages, injunctive relief, and attorney’s fees.
In addition to PIPA, Illinois passed the nation’s first state-level biometric information privacy act (BIPA) in 2008.
Illinois Biometric Information Privacy Act (BIPA)
The BIPA is an Illinois data privacy law that governs the collection, use, and storage of biometric information by private entities. Biometric information includes unique biological or behavioral characteristics such as fingerprints, retina scans, voice prints, and facial recognition data.
Here are some key points about the Illinois Biometric Information Privacy Act:
- Purpose: The primary purpose of BIPA is to protect individuals’ biometric information from unauthorized use and potential misuse, ensuring privacy and security.
- Scope: BIPA applies to private entities operating in Illinois that collect, store, or use biometric information. It does not apply to government agencies or publicly available information.
- Consent and Notice: BIPA requires private entities to inform individuals about the collection and storage of their biometric information, the purpose of its use, and the duration of retention. They must obtain written consent from individuals before collecting their biometric data.
- Retention and Destruction: The law mandates that private entities must have a written policy outlining the retention schedule and guidelines for destroying biometric information. They must destroy the information once the purpose for collection is fulfilled or after three years, whichever occurs first.
- Prohibition of Sale: BIPA prohibits the sale, lease, or other disclosure of biometric information without obtaining prior consent from the individual.
- Safeguards: Private entities must exercise reasonable care in handling biometric information by implementing and maintaining appropriate security measures to protect against unauthorized access, acquisition, or disclosure.
- Private Right of Action: BIPA provides individuals with a private right of action, allowing them to sue private entities for violations of the act. Individuals can seek damages ranging from $1,000 for negligent violations to $5,000 for intentional or reckless violations, plus attorneys’ fees and other legal remedies.