Illinois Data Privacy Laws: BIPA, Consumer Rights & Penalties (2026)

Why Illinois Is the National Leader in Data Privacy
Illinois has built one of the most aggressive data privacy frameworks in the United States. While most states have limited their privacy protections to data breach notification laws, Illinois went further by creating an enforceable private right of action for biometric privacy violations years before any other state took similar steps.

The centerpiece of Illinois data privacy law is BIPA (740 ILCS 14), which took effect on October 3, 2008. No other state biometric privacy law has generated as much litigation, as many high-profile settlements, or as much corporate compliance activity. BIPA is the reason Illinois residents have received direct payments from companies like Facebook, Google, and TikTok for unauthorized use of their biometric data.
Beyond BIPA, Illinois maintains a network of privacy statutes that cover data breaches, student records, employee monitoring, genetic information, and artificial intelligence in hiring. Together, these laws give Illinois residents some of the strongest privacy protections in the country.
The Biometric Information Privacy Act (BIPA): 740 ILCS 14
What BIPA Covers
BIPA regulates the collection, storage, use, and dissemination of biometric identifiers and biometric information by private entities operating in Illinois. The Illinois General Assembly passed BIPA after Pay By Touch, a biometric payment company, went bankrupt in 2007, raising concerns about what would happen to the millions of fingerprint records it had collected from consumers.
Under Section 10 of BIPA, a "biometric identifier" includes a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. The definition explicitly excludes writing samples, written signatures, photographs, physical descriptions, demographic data, tattoo descriptions, and medical or health information.
"Biometric information" is defined more broadly as any information based on a biometric identifier that is used to identify an individual, regardless of how it was captured or converted.
BIPA's Core Requirements
Section 15 of BIPA establishes four main obligations for any private entity that collects biometric data.
Written policy on retention and destruction. Every entity that possesses biometric identifiers or biometric information must develop a written policy establishing a retention schedule and guidelines for permanently destroying biometric data. The data must be destroyed when the initial purpose for collection has been satisfied or within three years of the individual's last interaction with the entity, whichever occurs first. This policy must be made available to the public.
Informed consent before collection. Before collecting a biometric identifier, the entity must inform the individual in writing that biometric data is being collected or stored. The entity must also inform the individual of the specific purpose and length of time for which the data will be collected, stored, and used. The individual must then provide a written release authorizing the collection.
No sale or profit from biometric data. BIPA prohibits any private entity from selling, leasing, trading, or otherwise profiting from a person's biometric identifier or biometric information.
Restrictions on disclosure. A private entity may not disclose or disseminate biometric data unless the individual consents, the disclosure completes a financial transaction that the individual requested or authorized, the disclosure is required by state or federal law, or the disclosure is required by a valid warrant or subpoena.
The Private Right of Action
Section 20 of BIPA is what makes the law uniquely powerful. Unlike most privacy statutes that rely solely on government enforcement, BIPA allows any person aggrieved by a violation to file a lawsuit directly against the offending entity.
The damages structure is significant:
- Negligent violations: The greater of $1,000 or actual damages for each violation
- Intentional or reckless violations: The greater of $5,000 or actual damages for each violation
- Attorney fees and costs: The prevailing party may recover reasonable attorney fees and litigation costs
- Injunctive relief: Courts may issue orders requiring entities to stop violating BIPA
This private right of action is the engine behind every major BIPA lawsuit. Most state privacy laws give enforcement authority exclusively to the attorney general. BIPA lets individual consumers and classes of consumers take companies to court and collect statutory damages without needing to prove they suffered any financial harm.
The 2024 Amendment: Public Act 103-769
On August 2, 2024, Governor J.B. Pritzker signed SB 2979 into law as Public Act 103-769, effective immediately. This amendment made two important changes to BIPA.
Per-person damages cap. The amendment added language to Section 20 specifying that a private entity that collects or discloses "the same biometric identifier or biometric information from the same person using the same method of collection" has committed only a single violation. This means an aggrieved person is entitled to, at most, a single recovery for repeated identical collections.
This change was a direct response to the Illinois Supreme Court's 2023 decision in Cothron v. White Castle System, Inc., which held that a separate violation of BIPA occurred each time a company scanned an employee's fingerprint without consent. Under that interpretation, a single employee who scanned their fingerprint at the start of every shift for five years could potentially recover millions of dollars in statutory damages. The amendment eliminates that per-scan exposure.
Electronic signatures. The amendment also updated the definition of "written release" to include electronic signatures. An electronic signature is defined as an electronic sound, symbol, or process attached to or logically associated with a record, executed or adopted by a person with the intent to sign. This gives companies a clearer path to obtaining compliant consent through digital forms and onboarding systems.
Major BIPA Settlements and Verdicts
BIPA has produced some of the largest privacy-related settlements in U.S. history. The following table summarizes the most significant cases.
| Company | Year | Amount | Allegation |
|---|---|---|---|
| Facebook (Meta) | 2020 | $650 million | Facial recognition tagging feature scanned Illinois users' faces without informed written consent |
| BNSF Railway | 2022-2023 | $228M verdict / $75M settlement | Required truck drivers to scan fingerprints for yard access without BIPA-compliant consent |
| Google | 2022 | $100 million | Google Photos face-grouping feature collected face geometry data without consent |
| TikTok (ByteDance) | 2021 | $92 million | Collected face and voice biometric data from users, including minors, without consent |
| Clearview AI | 2025 | $51.75 million (equity) | Scraped 60+ billion facial images from social media and public websites without consent |
| Snapchat (Snap Inc.) | 2022 | $35 million | Collected facial scan data through lenses and filters without adequate consent |
| Speedway | 2024 | $12.1 million | Required employees to use fingerprint scanners without BIPA notice and consent |
The BNSF Railway case is particularly notable because it was the first BIPA case to reach a jury trial. The jury found that BNSF had recklessly or intentionally violated BIPA 45,600 times, resulting in a $228 million damages award at the $5,000-per-violation rate. The damages award was later vacated on appeal, and BNSF ultimately settled for $75 million.
The Clearview AI settlement was structured differently from other BIPA cases. Rather than direct cash payments, class members received a collective 23 percent equity stake in Clearview AI, valued at approximately $51.75 million based on the company's January 2024 valuation of $225 million. This was the first BIPA settlement to use an equity-based resolution.
Illinois Personal Information Protection Act (PIPA): 815 ILCS 530
The Personal Information Protection Act is Illinois's data breach notification law. It requires any entity that conducts business in Illinois and handles nonpublic personal information to notify affected individuals when their data is compromised.
What Triggers Notification
Under Section 10 of PIPA, a data breach notification obligation arises when there is an "unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information."
Personal information under PIPA includes an individual's name combined with any of the following:
- Social Security number
- Driver's license number or state identification card number
- Financial account number with any required security code, access code, or password
- Medical information
- Health insurance information
- Unique biometric data (fingerprint, retina, or iris image)
The law also covers username or email address combined with a password or security questions that would permit access to an online account.
Notification Requirements
Entities must notify affected Illinois residents "in the most expedient time possible and without unreasonable delay." Notification may be delayed only if law enforcement provides a written request stating that notification would interfere with a criminal investigation.
Acceptable methods of notification include:
- Written notice sent to the individual's last known address
- Electronic notice that complies with the federal Electronic Signatures in Global and National Commerce Act
- Substitute notice (if costs exceed $250,000 or more than 500,000 Illinois residents are affected), which requires email notification, conspicuous posting on the entity's website, and notification to major statewide media
State Agency Reporting to the Attorney General
State agencies that experience a breach affecting 250 or more Illinois residents must notify the Illinois Attorney General within 45 days. State agencies directly responsible to the Governor must also notify the Chief Information Security Officer within 72 hours.
The notice to the Attorney General must include the types of personal information compromised and the number of Illinois residents affected.
Penalties
Violations of PIPA constitute unlawful practices under the Illinois Consumer Fraud and Deceptive Business Practices Act. The Attorney General may pursue civil penalties of up to $100 per individual affected, with a maximum of $50,000 per breach incident. The AG may also seek injunctive relief.
Student Online Personal Protection Act (SOPPA): 105 ILCS 85
The Student Online Personal Protection Act protects the personal data of K-12 students who use educational technology services. SOPPA applies to "operators," defined as entities that run websites, online services, or applications designed and marketed primarily for use in K-12 schools.
What SOPPA Prohibits
Operators of educational technology services are prohibited from:
- Engaging in targeted advertising based on student data or persistent identifiers
- Creating advertising profiles based on student information
- Selling or renting student information
- Disclosing covered information except for specified educational purposes
What SOPPA Requires
Operators must implement and maintain reasonable security procedures to protect student data. They must delete student information when a school or district requests deletion. They must publicly disclose their data collection and use practices. They must execute written agreements with schools before receiving covered information. They must notify schools within 30 days of a data breach.
Schools have obligations too. They must post information about data practices and operator agreements publicly. They must designate a privacy officer. They must notify parents within 30 days of a breach. They must adopt policies designating who within the school system has authority to enter agreements with operators.
Parent and Student Rights
Parents may inspect and review covered information about their child regardless of which entity holds the data. Parents may request copies in paper or electronic form. They may request corrections to factual inaccuracies, and operators or schools must respond within 90 days.
Violations of SOPPA are enforceable under the Illinois Consumer Fraud and Deceptive Business Practices Act.
Right to Privacy in the Workplace Act: 820 ILCS 55
The Right to Privacy in the Workplace Act protects Illinois employees and job applicants in four specific areas.
Off-Duty Conduct Protection
Employers may not refuse to hire, terminate, or otherwise disadvantage any individual because the individual uses lawful products off the employer's premises during non-work hours. This provision was designed primarily to prevent employers from firing employees for legal activities like smoking or consuming alcohol on their own time.
Social Media and Online Account Privacy
Employers are prohibited from requesting, requiring, or coercing any employee or job applicant to provide their username, password, or any other means of accessing a personal online account. This includes social media accounts like Facebook, Instagram, and X (Twitter).
However, the law includes carve-outs allowing employers to monitor company-owned equipment, establish policies regarding the use of employer devices, and view publicly available information.
Workers' Compensation Inquiry Restrictions
Employers may not ask prospective employees whether they have previously filed claims or received benefits under the Workers' Compensation Act or the Workers' Occupational Diseases Act.
No-Match Letter Protections
Employers may not take adverse employment action against an employee based solely on receiving a "no-match" letter or discrepancy notice from a federal agency regarding identifying documents. When an employer receives such a notice, they must provide written notice to the affected employee.
Enforcement
The Act is enforced by the Illinois Department of Labor, the Attorney General, or through private lawsuits. Aggrieved individuals may file a lawsuit in Illinois circuit court without first filing a complaint with the Department of Labor.
Genetic Information Privacy Act (GIPA): 410 ILCS 513
The Genetic Information Privacy Act protects the confidentiality of genetic testing information. Under GIPA, genetic testing and any information derived from genetic testing is confidential and privileged.
Key provisions include:
- Genetic test results may only be released to the individual tested and to persons specifically authorized in writing by that individual
- Employers may not use genetic information, genetic testing, or biomarker testing as a condition of employment or in making employment decisions
- Insurers may not seek genetic testing information for use in connection with accident or health insurance policies, unless the individual voluntarily submits results that are favorable to them
- No person may disclose or be compelled to disclose the identity of any person who undergoes genetic testing, or the results of that testing, in a manner that permits identification of the subject
The Act has been amended over time to extend protections to biomarker testing in addition to genetic testing.
Artificial Intelligence Video Interview Act: 820 ILCS 42
Effective January 1, 2020, the Artificial Intelligence Video Interview Act was one of the first laws in the nation to regulate the use of AI in employment decisions.
When an employer uses AI to analyze a video interview of a job applicant for a position based in Illinois, the employer must:
- Notify the applicant before the interview that AI may be used to analyze the video
- Explain how the AI works and what general types of characteristics it uses to evaluate applicants
- Obtain consent from the applicant before the interview begins
Applicants may request deletion of their video interview within 30 days, and employers must comply. Employers may not share applicant videos except with persons whose expertise or technology is necessary to evaluate the applicant's fitness.
Employers relying solely on AI analysis must report demographic data, including race and ethnicity of applicants who are and are not selected for in-person interviews, to the Illinois Department of Commerce and Economic Opportunity annually.
Pending Legislation: Illinois Consumer Data Privacy Act
As of March 2026, Illinois does not yet have a comprehensive consumer data privacy law comparable to the California Consumer Privacy Act (CCPA) or the EU's General Data Protection Regulation (GDPR). However, several bills are moving through the 104th General Assembly.
Senate Bill 2875, sponsored by Senator Laura M. Murphy, would create the Illinois Consumer Data Privacy Act. It applies to entities that process personal data of 100,000 or more Illinois consumers, or that derive more than 25 percent of gross revenue from the sale of personal data while processing data of 25,000 or more consumers.
Consumer rights under SB 2875 would include the right to access personal data, obtain a list of third parties to whom data has been disclosed, request corrections, and question the profiling of their information. The bill was referred to the Senate AI and Social Media Committee in February 2026, with a committee amendment filed in March 2026.
Additional bills, including SB 3548 and HB 5221, propose similar comprehensive privacy frameworks with opt-out rights for targeted advertising, data sales, and profiling. None have advanced beyond committee as of this writing.
Summary of Illinois Data Privacy Laws
| Law | Citation | Year | Key Protection | Enforcement |
|---|---|---|---|---|
| Biometric Information Privacy Act (BIPA) | 740 ILCS 14 | 2008 | Biometric data consent, retention, and destruction | Private right of action + AG |
| Personal Information Protection Act (PIPA) | 815 ILCS 530 | 2006 | Data breach notification | AG enforcement |
| Student Online Personal Protection Act (SOPPA) | 105 ILCS 85 | 2017 | K-12 student data protection | Consumer Fraud Act |
| Right to Privacy in the Workplace Act | 820 ILCS 55 | 1988 | Employee/applicant privacy | Dept. of Labor, AG, private suit |
| Genetic Information Privacy Act (GIPA) | 410 ILCS 513 | 1998 | Genetic and biomarker testing data | AG enforcement |
| AI Video Interview Act | 820 ILCS 42 | 2020 | AI transparency in hiring | DCEO reporting |
This article is for informational purposes only and does not constitute legal advice. If you need legal guidance regarding Illinois data privacy laws, consult a licensed attorney in your jurisdiction.
Sources and References
- Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14 -- Full Text (ilga.gov)
- BIPA Section 15 -- Retention, Collection, Disclosure, and Destruction Requirements (ilga.gov)
- BIPA Section 10 -- Definitions of Biometric Identifier and Biometric Information (ilga.gov)
- Illinois Personal Information Protection Act, 815 ILCS 530 -- Full Text (ilga.gov)
- Illinois Attorney General -- Data Breach Notification Requirements (illinoisattorneygeneral.gov)
- Illinois Student Online Personal Protection Act (SOPPA), 105 ILCS 85 -- Full Text (ilga.gov)
- Illinois Right to Privacy in the Workplace Act -- Illinois Dept. of Labor (labor.illinois.gov)
- Illinois Genetic Information Privacy Act, 410 ILCS 513 -- Full Text (ilga.gov)
- Illinois AI Video Interview Act, 820 ILCS 42 -- Full Text (ilga.gov)
- SB 2979 (Public Act 103-769) -- 2024 BIPA Amendment (legiscan.com)
- SB 2875 -- Illinois Consumer Data Privacy Act (104th GA) (ilga.gov)
- Illinois Dept. of Labor -- Workplace Privacy FAQs (labor.illinois.gov)