Illinois Data Privacy Laws: BIPA, Consumer Rights & Penalties (2026)

Illinois protects biometric data under the Biometric Information Privacy Act (BIPA), 740 ILCS 14, which gives residents a private right of action to sue for $1,000 per negligent violation or $5,000 per intentional violation, without proving actual harm. Illinois also covers data breaches, student records, genetic data, and AI hiring through separate sectoral statutes.
Illinois leads the nation in biometric privacy enforcement through the Biometric Information Privacy Act (BIPA), 740 ILCS 14, which has generated more than $1.5 billion in settlements since 2008. The state's sectoral privacy framework also covers data breaches, student records, employee monitoring, genetic data, and AI in hiring, giving Illinois residents enforceable rights that most other states lack.
This article addresses Illinois state privacy laws as of May 2026. It covers BIPA, the Personal Information Protection Act (PIPA), the Student Online Personal Protection Act (SOPPA), the Right to Privacy in the Workplace Act, the Genetic Information Privacy Act (GIPA), the AI Video Interview Act, the 2026 Illinois Human Rights Act AI amendment, federal laws that apply in Illinois, and the current status of proposed comprehensive consumer privacy legislation.
The Biometric Information Privacy Act (BIPA): 740 ILCS 14

The Biometric Information Privacy Act took effect on October 3, 2008, after the Illinois General Assembly passed it in response to the 2007 bankruptcy of Pay By Touch, a biometric payments company. The collapse raised concerns about what would happen to the millions of fingerprint records the company had collected from consumers, with no legal mechanism to force their destruction. BIPA filled that gap by creating binding obligations on private entities that collect or use biometric data, backed by a private right of action that has made Illinois the most litigated biometric privacy jurisdiction in the world.
What BIPA Covers
BIPA regulates the collection, storage, use, and dissemination of biometric identifiers and biometric information by private entities operating in Illinois. Under Section 10 of BIPA (740 ILCS 14/10), a "biometric identifier" includes a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. The statute explicitly excludes writing samples, written signatures, photographs, physical descriptions, demographic data, tattoo descriptions, and medical or health information.
"Biometric information" is defined more broadly as any information based on a biometric identifier that is used to identify an individual, regardless of how it was captured or converted.
BIPA's Core Requirements
Section 15 of BIPA (740 ILCS 14/15) establishes four primary obligations for any private entity that collects or possesses biometric data.
Written retention and destruction policy. Every entity possessing biometric identifiers or biometric information must develop a written policy establishing a retention schedule and guidelines for permanently destroying the data. Destruction must occur when the initial purpose for collection has been satisfied, or within three years of the individual's last interaction with the entity, whichever comes first. The policy must be made available to the public.
Informed written consent before collection. Before collecting a biometric identifier, the entity must inform the individual in writing that biometric data is being collected or stored, state the specific purpose and length of time for which the data will be collected, stored, and used, and obtain a written release. The 2024 amendment to BIPA updated the definition of "written release" to include electronic signatures, giving companies a path to compliant consent through digital onboarding systems.
No sale or profit from biometric data. BIPA prohibits any private entity from selling, leasing, trading, or otherwise profiting from a person's biometric identifier or biometric information.
Restrictions on disclosure. A private entity may not disclose or disseminate biometric data to another party unless the individual consents, the disclosure completes a financial transaction the individual requested or authorized, state or federal law requires disclosure, or a valid warrant or subpoena requires it.
The Private Right of Action
Section 20 of BIPA is what makes the law uniquely powerful in comparison to other state privacy statutes. BIPA allows any person aggrieved by a violation to file a lawsuit directly, without needing to show any actual financial harm. The damages structure:
- Negligent violations: the greater of $1,000 or actual damages for each violation
- Intentional or reckless violations: the greater of $5,000 or actual damages for each violation
- Reasonable attorney fees and litigation costs for the prevailing party
- Injunctive relief available
Most state privacy laws channel enforcement through the attorney general only. BIPA's private right of action means individual consumers, employees, and classes of claimants can pursue companies directly in state or federal court.
The 2024 Amendment: Public Act 103-769
On August 2, 2024, Governor J.B. Pritzker signed Senate Bill 2979 into law as Public Act 103-769, effective immediately. The amendment responded directly to the Illinois Supreme Court's February 2023 decision in Cothron v. White Castle System, Inc., 2023 IL 128004, which held that a separate BIPA violation occurred each time a company collected the same biometric identifier from the same person. Under that interpretation, an employee whose fingerprint was scanned at the start of every work shift for five years could theoretically recover millions of dollars for a single employer's systematic noncompliance.
Public Act 103-769 added language to Section 20 providing that a private entity that collects or discloses "the same biometric identifier or biometric information from the same person using the same method of collection" has committed only a single violation. An aggrieved person is therefore entitled to, at most, a single recovery for repeated identical collections, whether the statutory amount is $1,000 or $5,000.
Seventh Circuit Retroactivity Ruling: Clay v. Union Pacific (2026)
On April 1, 2026, the U.S. Court of Appeals for the Seventh Circuit issued a significant ruling in Clay v. Union Pacific Railroad Company, No. 25-2185 (7th Cir. 2026), holding that the 2024 damages-limiting amendment applies retroactively to cases that were already pending when the amendment was enacted.
The court applied Illinois's established retroactivity framework, which distinguishes between substantive statutory changes (which generally do not apply retroactively) and remedial or procedural changes (which do). The Seventh Circuit held the BIPA amendment was remedial because it addressed only the scope of available damages, not the underlying substantive obligations or standards of liability. The ruling reverses three prior Illinois federal district court decisions that had reached the opposite conclusion.
For defendants facing pending BIPA litigation, the ruling is significant: plaintiffs may now recover at most $5,000 for intentional violations or $1,000 for negligent violations per person, rather than aggregating a separate violation for every single scan. In the Clay case itself, the plaintiff had alleged approximately 1,500 fingerprint scans. At per-scan rates, potential damages would have been $7.5 million for a single plaintiff; the amendment caps that at $5,000.
Major BIPA Settlements and Verdicts

BIPA has produced some of the largest privacy-related settlements in U.S. history. The following table summarizes the most significant resolved cases.
| Company | Year | Amount | Allegation |
|---|---|---|---|
| Facebook (Meta) | 2020 | $650 million | Facial recognition tagging feature scanned Illinois users' faces without informed written consent |
| BNSF Railway | 2023 | $75 million (after $228M jury verdict) | Required truck drivers to scan fingerprints for yard access without BIPA-compliant consent |
| Google Photos | 2022 | $100 million | Face-grouping feature collected face geometry data without consent |
| TikTok (ByteDance) | 2021 | $92 million | Collected face and voice biometric data from users, including minors, without consent |
| Meta Instagram | 2023 | $68.5 million | Instagram's facial recognition technology collected and stored biometric data without BIPA-compliant consent |
| Clearview AI | 2025 | $51.75 million (equity) | Scraped facial images from social media without consent; settlement structured as a 23% equity stake in Clearview AI |
| Motorola Solutions (FaceSearch) | 2025 | $47.5 million | Collected biometric data through FaceSearch facial recognition and booking-photo gallery technology; final approval September 15, 2025 |
| Snapchat (Snap Inc.) | 2022 | $35 million | Collected facial scan data through AR lenses and filters without adequate consent |
| Speedway | 2025 | $12.1 million | Required employees to use fingerprint scanners without BIPA notice and consent |
| Lytx, Inc. | 2025 | $4.25 million | Collected truck drivers' biometric identifiers without adequate notice or consent; final approval July 25, 2025 |
| YouTube (Face Blur) | 2025 | $6 million | Collected biometric data through the Face Blur feature for uploaded videos without compliant consent; final approval December 30, 2025 |
The BNSF Railway case was the first BIPA case to reach a jury trial. The jury found BNSF had recklessly or intentionally violated BIPA 45,600 times, producing a $228 million verdict at the $5,000-per-violation rate. That verdict was vacated on appeal, and BNSF settled for $75 million. The Clearview AI settlement was the first to use equity rather than cash; class members received a collective 23 percent stake valued at approximately $51.75 million based on a January 2024 company valuation of $225 million.
Impact of the 2024 amendment on litigation volume. Following Public Act 103-769 and the Seventh Circuit's retroactivity ruling, new BIPA class action filings fell to approximately 150 in 2025, compared to 427 filings in 2024. Total 2025 BIPA settlements were approximately $136.6 million, down from over $206 million in 2024.
Illinois Personal Information Protection Act (PIPA): 815 ILCS 530

The Personal Information Protection Act is Illinois's data breach notification law. It requires any entity that conducts business in Illinois and handles nonpublic personal information to notify affected individuals when their data is compromised.
What Triggers Notification
A data breach notification obligation arises when there is an "unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information." Personal information under PIPA means an individual's name combined with any of the following:
- Social Security number
- Driver's license or state ID number
- Financial account number with any required security code, access code, or password
- Medical information
- Health insurance information
- Unique biometric data (fingerprint, retina, or iris image)
The law also covers username or email address combined with a password or security questions that would permit access to an online account.
Notification Requirements
Entities must notify affected Illinois residents "in the most expedient time possible and without unreasonable delay." Notification may be delayed only if law enforcement submits a written request stating that notification would interfere with a criminal investigation.
Acceptable methods of notification include written notice to the individual's last known address, electronic notice that complies with the federal E-SIGN Act, or substitute notice if the costs of direct notice would exceed $250,000 or more than 500,000 Illinois residents are affected. Substitute notice requires email notification, conspicuous posting on the entity's website, and notification to major statewide media.
State Agency Reporting
State agencies that experience a breach affecting 250 or more Illinois residents must notify the Illinois Attorney General within 45 days. State agencies directly responsible to the Governor must also notify the Chief Information Security Officer within 72 hours.
Penalties
Violations of PIPA constitute unlawful practices under the Illinois Consumer Fraud and Deceptive Business Practices Act. The Attorney General may pursue civil penalties of up to $100 per individual affected, with a maximum of $50,000 per breach incident, and may seek injunctive relief.
Student Online Personal Protection Act (SOPPA): 105 ILCS 85
The Student Online Personal Protection Act protects the personal data of K-12 students who use educational technology services. SOPPA applies to "operators," defined as entities that run websites, online services, or applications designed and marketed primarily for use in K-12 schools.
What SOPPA Prohibits
Operators are prohibited from engaging in targeted advertising based on student data or persistent identifiers, creating advertising profiles based on student information, selling or renting student information, or disclosing covered information except for specified educational purposes.
What SOPPA Requires
Operators must implement reasonable security procedures, delete student information on a school's request, publicly disclose their data practices, execute written data agreements with schools before receiving covered information, and notify schools within 30 days of a data breach.
Schools must post information about data practices and operator agreements publicly, designate a privacy officer, notify parents within 30 days of a breach, and adopt policies designating who has authority to enter agreements with operators.
Parent and Student Rights
Parents may inspect and review covered information about their child, request copies in paper or electronic form, and request corrections to factual inaccuracies. Operators or schools must respond to correction requests within 90 days. Violations of SOPPA are enforceable under the Illinois Consumer Fraud and Deceptive Business Practices Act.
Genetic Information Privacy Act (GIPA): 410 ILCS 513

The Genetic Information Privacy Act protects the confidentiality of genetic testing information and has recently become the subject of a major surge in class action litigation.
Core GIPA Protections
Under GIPA, genetic testing and any information derived from genetic testing is confidential and privileged. Key provisions:
- Genetic test results may only be released to the individual tested and to persons specifically authorized in writing by that individual
- Employers may not use genetic information, genetic testing, or biomarker testing as a condition of employment or in making employment decisions
- Insurers may not seek genetic testing information for use in connection with accident or health insurance policies, unless the individual voluntarily submits favorable results
- No person may disclose or be compelled to disclose the identity of any person who undergoes genetic testing, or the results of that testing, in a manner that permits identification of the subject
GIPA's damages structure carries higher statutory amounts than BIPA: $2,500 per negligent violation and $15,000 per intentional or reckless violation, plus reasonable attorney fees and costs.
GIPA Litigation Surge (2023-2026)
Since 2023, more than 100 class action lawsuits have been filed under GIPA, primarily targeting employers whose pre-employment medical questionnaires or physical examinations request family medical history. Plaintiffs argue that requesting family medical history constitutes a request for genetic information under GIPA, triggering the statute's consent and confidentiality requirements.
Defendants in these suits have included major employers such as United Airlines and AbbVie. Legal commentators attribute the surge in part to the BIPA amendments limiting per-scan recovery: plaintiffs' attorneys have shifted attention to GIPA, where the single-violation rule of the BIPA amendment does not apply, and where individual damages are substantially higher. Class certification briefings are expected in the earliest-filed 2023 cases in 2026, with summary judgment decisions likely to clarify which employer inquiries constitute prohibited requests for genetic information.
Right to Privacy in the Workplace Act: 820 ILCS 55
The Right to Privacy in the Workplace Act protects Illinois employees and job applicants in four specific areas.
Off-duty conduct protection. Employers may not refuse to hire, terminate, or otherwise disadvantage any individual because the individual uses lawful products off the employer's premises during non-work hours.
Social media and online account privacy. Employers are prohibited from requesting, requiring, or coercing any employee or job applicant to provide their username, password, or other means of accessing a personal online account, including social media accounts. Employers may still monitor company-owned equipment, establish acceptable use policies for work devices, and view publicly available information.
Workers' compensation inquiry restrictions. Employers may not ask prospective employees whether they have previously filed claims or received benefits under the Workers' Compensation Act or the Workers' Occupational Diseases Act.
No-match letter protections. Employers may not take adverse employment action based solely on receiving a "no-match" letter or discrepancy notice from a federal agency. When an employer receives such a notice, they must provide written notice to the affected employee.
The Act is enforced by the Illinois Department of Labor, the Attorney General, or through private lawsuits in Illinois circuit court without prior agency exhaustion.
AI in Employment: Video Interview Act and Human Rights Act Amendment
Illinois has enacted two separate laws governing the use of artificial intelligence in employment, making it one of the leading states in AI employment regulation.
AI Video Interview Act: 820 ILCS 42
Effective January 1, 2020, the Artificial Intelligence Video Interview Act was one of the first laws in the nation to regulate AI in employment decisions. When an employer uses AI to analyze a video interview for a position based in Illinois, the employer must notify the applicant before the interview that AI may be used to analyze the video, explain how the AI works and what general types of characteristics it uses to evaluate applicants, and obtain consent from the applicant before the interview begins.
Applicants may request deletion of their video interview within 30 days, and employers must comply. Employers may not share applicant videos except with persons whose expertise is necessary to evaluate the applicant's fitness. Employers relying solely on AI analysis must report demographic data, including race and ethnicity, on applicants who are and are not selected for in-person interviews, to the Illinois Department of Commerce and Economic Opportunity annually.
Illinois Human Rights Act AI Amendment: HB 3773 (Effective January 1, 2026)
Governor Pritzker signed House Bill 3773 on August 9, 2024, and it took effect on January 1, 2026, amending the Illinois Human Rights Act (775 ILCS 5) to impose two major obligations on employers.
Written notice requirement. Employers must provide written notice to applicants and employees whenever AI is used "to influence or facilitate" a recruitment, hiring, promotion, renewal of employment, training, apprenticeship, discharge, discipline, tenure, or other employment decision. The Illinois Department of Human Rights issued draft implementing regulations requiring disclosures of the AI product name, developer, vendor, purpose, and categories of data used. Employers must update notices within 30 days of adopting new AI systems.
Prohibition on discriminatory AI. Employers are prohibited from using AI that has the effect of subjecting employees or applicants to discrimination on the basis of a protected class. Liability attaches regardless of whether the discriminatory effect was intentional. The draft regulations also prohibit using zip codes as a proxy for protected characteristics in AI-driven employment decisions.
The Illinois Department of Human Rights is tasked with adopting final regulations implementing the HB 3773 requirements.
Geolocation Privacy Protection Act
Illinois enacted its Geolocation Privacy Protection Act in 2017. The law requires applications that collect location data along with other personal information to obtain consent before collecting that data. A proposed strengthening bill (HB 3712) was introduced in the 104th General Assembly in April 2025, which would require affirmative consent and create a private right of action for violations, but as of May 2026 the bill remains at the introduced stage.
Pending Comprehensive Consumer Privacy Legislation
As of May 2026, Illinois does not have a comprehensive consumer data privacy law comparable to the California Consumer Privacy Act (CCPA) or the Virginia Consumer Data Protection Act. Multiple bills are pending in the 104th General Assembly, none of which have advanced to the floor.
Senate Bill 2875, the Illinois Consumer Data Privacy Act, sponsored by Senator Laura M. Murphy, was introduced January 16, 2026. It applies to entities that process personal data of 100,000 or more Illinois consumers, or that derive more than 25 percent of gross revenue from the sale of personal data while processing data of at least 25,000 consumers. Consumer rights under the bill would include the right to access personal data, obtain a list of third parties to whom data has been disclosed, request corrections, and opt out of profiling. The bill was referred to the Senate AI and Social Media Committee in February 2026; a committee amendment was filed in March 2026. As of May 2026, it has not advanced beyond committee.
Senate Bill 0052 (Privacy Rights Act) would impose duties on businesses that collect consumers' personal information and establish consumer rights including the right to delete, correct, and opt out of the sale or sharing of personal information. It remains in committee as of May 2026.
A separately proposed Illinois Personal Information Privacy Act failed to pass in the 2025-2026 legislative session.
Federal Laws That Apply in Illinois
Federal privacy law provides a baseline floor for Illinois residents regardless of state law developments.
TAKE IT DOWN Act (Pub. L. 119-12). President Trump signed the TAKE IT DOWN Act on May 19, 2025. The law criminalizes publishing non-consensual intimate imagery (NCII) and AI-generated deepfake NCII. As of May 19, 2026, covered online platforms are required to establish a removal process and, upon receiving a valid removal request, remove the intimate image within 48 hours and make reasonable efforts to remove known identical copies. The Federal Trade Commission enforces the platform obligations.
HIPAA. Covered healthcare entities and their business associates are subject to the HIPAA Privacy Rule (45 C.F.R. Part 164) and Security Rule. HIPAA preempts state health privacy rules that provide weaker protections, but Illinois statutes that offer stronger protections apply in parallel.
COPPA. The Children's Online Privacy Protection Act applies to online operators that collect personal information from children under 13. Illinois operators serving child-directed content must comply with COPPA's parental consent and deletion requirements.
GLBA. Financial institutions are subject to the Gramm-Leach-Bliley Act's safeguards and privacy notice requirements.
FTC Act Section 5. The Federal Trade Commission has authority to pursue unfair or deceptive data practices by companies subject to FTC jurisdiction.
APRA (American Privacy Rights Act). A 2024 bicameral federal privacy bill did not pass. An APRA 2.0 proposal was introduced in 2025. As of May 2026, no federal comprehensive consumer privacy law has been enacted.
Summary of Illinois Data Privacy Laws

| Law | Citation | Year | Key Protection | Enforcement |
|---|---|---|---|---|
| Biometric Information Privacy Act (BIPA) | 740 ILCS 14 | 2008 | Biometric data consent, retention, and destruction | Private right of action + AG |
| Personal Information Protection Act (PIPA) | 815 ILCS 530 | 2006 | Data breach notification | AG enforcement |
| Student Online Personal Protection Act (SOPPA) | 105 ILCS 85 | 2017 | K-12 student data protection | Consumer Fraud Act |
| Right to Privacy in the Workplace Act | 820 ILCS 55 | 1988 | Employee and applicant privacy | Dept. of Labor, AG, private suit |
| Genetic Information Privacy Act (GIPA) | 410 ILCS 513 | 1998 | Genetic and biomarker testing data | AG + private right of action |
| AI Video Interview Act | 820 ILCS 42 | 2020 | AI transparency in video hiring | DCEO reporting |
| Illinois Human Rights Act (AI amendment) | 775 ILCS 5 | 2026 (eff.) | Employer AI notice + anti-discrimination | Illinois Dept. of Human Rights |
| Geolocation Privacy Protection Act | 740 ILCS 14/10 (separate act) | 2017 | Consent for location data collection | Private suit + AG |
How Illinois Residents Exercise Their Rights
Illinois residents have direct, enforceable rights under multiple statutes, not just notification rights.
Under BIPA: If a company collected your fingerprint, face scan, iris scan, or voiceprint without providing written notice, explaining the retention period, or obtaining your written consent, you may file a lawsuit directly in Illinois circuit court or federal district court. You do not need to prove financial harm. An attorney experienced in BIPA class actions can assess whether you have a viable individual or class claim.
Under GIPA: If your employer required you to disclose family medical history on a pre-employment questionnaire or during a physical exam without your written consent, you may have a GIPA claim. Consult an employment attorney to assess whether the questionnaire constituted a request for genetic information as defined by the statute.
Under PIPA: If you received a data breach notification from a company that does business in Illinois, you are entitled to know the type of personal information compromised and the number of Illinois residents affected. If the entity failed to notify you, you may contact the Illinois Attorney General's Consumer Protection Division to report the failure.
Under the Right to Privacy in the Workplace Act: If an employer demanded your social media passwords, asked about prior workers' compensation claims, or took adverse action based on a no-match letter without notice, you may file a complaint with the Illinois Department of Labor or file suit in circuit court.
Under HB 3773 (AI notice): If your employer used AI to screen, rank, or make decisions about your employment and did not provide written notice, you may file a complaint with the Illinois Department of Human Rights.
Practical Compliance Steps for Businesses
Businesses operating in Illinois should take the following baseline steps.
For BIPA compliance: (1) Audit all systems that collect fingerprints, facial geometry, iris scans, or voiceprints; (2) publish a publicly available written retention and destruction schedule; (3) obtain written consent before any biometric data collection; (4) never sell or profit from biometric data; (5) limit internal disclosure to authorized personnel; and (6) update onboarding consent forms to accept electronic signatures.
For GIPA compliance: (1) Review all pre-employment medical questionnaires and physical exam protocols to remove family medical history questions; (2) train HR personnel not to request or record genetic information; (3) segregate any genetic data already collected.
For HB 3773 (AI in employment): (1) Inventory all AI tools used in recruitment, hiring, promotion, training, discipline, and termination; (2) prepare written disclosure templates identifying the AI tool name, developer, purpose, and data categories; (3) deliver notices to applicants before use and employees before decisions; (4) conduct disparate impact audits on AI tools; (5) do not use zip codes as proxies for protected characteristics.
For PIPA compliance: Maintain a written incident response plan, designate a data breach response lead, and establish notification workflows capable of triggering within days of a discovered breach.
This article presents general legal information about Illinois data privacy laws as of May 2026. It is not legal advice and does not create an attorney-client relationship. Laws are subject to amendment and judicial interpretation. Consult a licensed Illinois attorney for advice specific to your situation.
Frequently Asked Questions
What is the Illinois Biometric Information Privacy Act (BIPA)?
BIPA (740 ILCS 14) is a 2008 Illinois law that regulates how private entities collect, store, use, and share biometric identifiers such as fingerprints, facial geometry scans, iris scans, and voiceprints. It requires companies to provide written notice, explain the purpose and duration of collection, and obtain a written release before collecting any biometric data. BIPA is uniquely powerful because its Section 20 creates a private right of action allowing individuals to sue for $1,000 per negligent violation or $5,000 per intentional or reckless violation, plus attorney fees, without proving actual harm.
How did the 2024 BIPA amendment change damages?
Public Act 103-769, signed August 2, 2024, amended Section 20 of BIPA to provide that collecting or disclosing the same biometric identifier from the same person using the same method of collection constitutes a single violation, not one violation per scan. This directly reversed the Illinois Supreme Court's 2023 ruling in Cothron v. White Castle, which had allowed per-scan recovery. In April 2026, the Seventh Circuit in Clay v. Union Pacific Railroad held that this amendment applies retroactively to all cases pending when the amendment was enacted, further limiting plaintiff recovery to at most $1,000 or $5,000 per person per identical collection activity.
Does Illinois have a comprehensive consumer data privacy law?
As of May 2026, Illinois does not have a comprehensive consumer data privacy law comparable to California's CCPA or Virginia's Consumer Data Protection Act. Multiple bills are pending in the 104th General Assembly, including Senate Bill 2875 (Illinois Consumer Data Privacy Act) and Senate Bill 0052 (Privacy Rights Act). Both remain in committee as of May 2026. A separately proposed Illinois Personal Information Privacy Act failed to pass in the 2025-2026 legislative session.
What are Illinois data breach notification requirements?
Under the Personal Information Protection Act (815 ILCS 530), any entity conducting business in Illinois that experiences a data breach compromising personal information must notify affected Illinois residents in the most expedient time possible and without unreasonable delay. State agencies must notify the Attorney General within 45 days if 250 or more residents are affected, and agencies under the Governor must notify the Chief Information Security Officer within 72 hours. Penalties include up to $100 per person and a maximum of $50,000 per breach under the Consumer Fraud and Deceptive Business Practices Act.
Can my employer access my social media passwords in Illinois?
No. The Illinois Right to Privacy in the Workplace Act (820 ILCS 55) prohibits employers from requesting, requiring, or coercing any employee or job applicant to provide usernames, passwords, or other credentials for personal online accounts, including social media. Employers may still monitor company-owned equipment, establish acceptable use policies for work devices, and view publicly available social media content. Violations can be enforced through the Department of Labor, the Attorney General, or private lawsuits in Illinois circuit court.
What is the GIPA litigation surge and how does it affect Illinois employers?
The Genetic Information Privacy Act (GIPA), 410 ILCS 513, has triggered more than 100 class action lawsuits since 2023. Plaintiffs primarily allege that employer pre-employment medical questionnaires that ask about family medical history constitute unlawful requests for genetic information. GIPA damages are higher than BIPA's: $2,500 per negligent violation and $15,000 per intentional or reckless violation, plus attorney fees. Illinois employers should review all pre-employment medical forms and physical exam protocols and remove questions about family medical history.
What are the new AI employment notice requirements effective January 2026?
House Bill 3773, effective January 1, 2026, amended the Illinois Human Rights Act (775 ILCS 5) to require employers to provide written notice to applicants and employees whenever AI is used to influence or facilitate a hiring, promotion, training, discipline, or other employment decision. The notice must identify the AI tool name, developer, purpose, and data categories used. Employers are also prohibited from using AI that produces a discriminatory effect on protected classes, with strict liability regardless of intent. The Illinois Department of Human Rights is finalizing implementing regulations.
Which BIPA settlements have Illinois residents received money from?
Major BIPA settlements include Facebook ($650 million, 2020), BNSF Railway ($75 million, 2023), Google Photos ($100 million, 2022), TikTok ($92 million, 2021), Meta Instagram ($68.5 million, 2023), Clearview AI ($51.75 million in equity, 2025), Motorola FaceSearch ($47.5 million, final approval September 2025), Snapchat ($35 million, 2022), Speedway ($12.1 million, 2025), and YouTube Face Blur ($6 million, final approval December 2025). Illinois residents who appeared in covered photos or worked at covered locations during the relevant periods may have been eligible for payments from these class action settlements.
Sources and References
- Illinois Biometric Information Privacy Act (BIPA), 740 ILCS 14 -- Full Text (ilga.gov)
- BIPA Section 15 -- Retention, Collection, Disclosure, and Destruction Requirements (ilga.gov)
- BIPA Section 10 -- Definitions of Biometric Identifier and Biometric Information (ilga.gov)
- Illinois Personal Information Protection Act, 815 ILCS 530 -- Full Text (ilga.gov)
- Illinois Attorney General -- Data Breach Notification Requirements (illinoisattorneygeneral.gov)
- Illinois Student Online Personal Protection Act (SOPPA), 105 ILCS 85 -- Full Text (ilga.gov)
- Illinois Right to Privacy in the Workplace Act -- Illinois Dept. of Labor (labor.illinois.gov)
- Illinois Genetic Information Privacy Act, 410 ILCS 513 -- Full Text (ilga.gov)
- Illinois AI Video Interview Act, 820 ILCS 42 -- Full Text (ilga.gov)
- SB 2979 (Public Act 103-769) -- 2024 BIPA Amendment (legiscan.com)
- SB 2875 -- Illinois Consumer Data Privacy Act (104th GA) (ilga.gov)
- Illinois Dept. of Labor -- Workplace Privacy FAQs (labor.illinois.gov)
- Illinois Human Rights Act AI Amendment (HB 3773) -- Seyfarth Shaw Analysis (seyfarth.com)
- Clay v. Union Pacific Railroad Company, No. 25-2185 (7th Cir. April 1, 2026) -- BIPA Amendment Retroactivity (datamatters.sidley.com)
- $47.5M Motorola Solutions FaceSearch BIPA Settlement -- ClassAction.org (classaction.org)
- YouTube Face Blur $6M BIPA Settlement -- TopClassActions (topclassactions.com)
- GIPA Litigation Surge Against Illinois Employers -- InsidePrivacy (insideprivacy.com)
- FTC -- Complying With the Take It Down Act (ftc.gov)
- 2025 Year-in-Review: Biometric Privacy Litigation -- PrivacyWorld Blog (privacyworld.blog)
- Historic Biometric Privacy Suit Settles for $650 Million (Facebook) -- American Bar Association (americanbar.org)
- Data Protection and Privacy 2026: USA -- Illinois -- Chambers and Partners (practiceguides.chambers.com)