Polsinelli PC

 

What law(s) specifically govern personal data / information?

There is no comprehensive privacy law in Illinois, but Illinois has enacted the Biometric Information Privacy Act (“BIPA”), which prohibits the collection of biometric identifiers or information unless certain conditions apply. In addition, Illinois’ Personal Information Protection Act (“PIPA”) requires covered businesses to notify the Attorney General and Illinois residents of personal data breaches.

Additional laws regulating personal data in Illinois include the Student Online Personal Protection Act (“SOPPA”), Right to Privacy in the Workplace Act (“IRPWA”), and Electronic Mail Act (“EMA”).

 

What are the key data protection principles in this jurisdiction?

Key principles under PIPA:

  • Any data collector required to issue notice to more than 500 Illinois residents as a result of a single breach of the security system shall provide notice to the Attorney General (“AG”) of the breach.
    • If a State agency is required to notify more than 250 Illinois residents, it must notify the AG within 45 days of discovery of breach or when the State agency notifies individuals affected by the breach, whichever is sooner.
    • The notification to Illinois residents shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
  • Any data collector that maintains or stores, but does not own or license, computerized data that includes personal information shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
    • This provision applies whether or not the data collector conducts business in Illinois.
    • PIPA only applies to computerized data.
  • PIPA also requires that any data collector which owns or licenses, or maintains or stores, Illinois residents’ personal information implement and maintain “reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure,” and that such measures be contractually flowed down to subcontractors. 815 ILCS 530/45(a).

Key Principles under BIPA:

The BIPA provides a set of five (5) rules for businesses to follow when collecting biometric data of state residents:

  • Requires prior consent before collection of biometric data.
  • Permits only a limited right of disclosure.
  • Mandates protection obligations and retention guidelines.
  • Prohibits profiting from biometric data.
  • Provides a private right of action for violations.

Key Principles under SOPPA:

  • School districts must adopt a policy for designating which school employees can enter into written agreements with operators.
  • Each school shall post and maintain on its website or, if the school does not maintain a website, make available for inspection by the general public at its administrative office:
    • An explanation of the data elements of covered information collected by the school;
    • A list of operators/vendors/suppliers that the school has an agreement with;
    • Procedures a parent must use to access covered information; and
    • A listing of any breaches realized.
  • After a determination of a breach of covered information maintained by the school, a school shall notify, no later than 30 calendar days after receipt of the notice or determination, that a breach has occurred.
  • Each school must implement and maintain reasonable security procedures and practices that otherwise meet or exceed industry standards designed to protect covered information from unauthorized access, destruction, use, modification, or disclosure.
  • Each school may designate an appropriate staff person as a privacy officer, who may also be an official records custodian as designated under the Illinois School Student Records Act, to carry out the duties and responsibilities assigned to schools and to ensure compliance with the requirements of SOPPA.
  • A school shall make a request to delete covered information on behalf of a student’s parent if the parent requests from the school that the student’s covered information held be deleted. (Deletion must not violate any state or federal records laws.)

Key Principles under IRPWA:

  • Employers cannot discriminate against employees in the workplace for engaging in a lawful activity outside of work, including political activity and the use of medical marijuana by employees who have been prescribed it.
  • Employers are prohibited from:
    • Acquiring or requiring workers to disclose their usernames and passwords for personal online or social media accounts;
    • Requiring an applicant to access their personal online or social media account with the employer present;
    • Requiring an employee or applicant to invite their employer to join a group related to the employee’s or applicant’s personal online account;
    • Requiring an employee or applicant to join or invite the employer to join any account that would allow the employer access to the employee’s or applicant’s personal online accounts;
    • Discriminating against or refusing to hire an employee or applicant if they refuse an employer’s request that violates IRPWA.
  • Employers are prohibited from misusing an employee’s Social Security Number, including:
    • Publicly posting or displaying Social Security numbers;
    • Printing Social Security numbers on an ID card;
    • Requiring an individual to transmit their Social Security number over the internet (unless through secure or encrypted means);
    • Requiring the use of a Social Security number to access a website;
    • Printing Social Security numbers on any materials that are mailed to the individual (unless required by state or federal law).

Key Principles under EMA:

  • Covered businesses and individuals are prohibited from selling or transferring an email address after a recipient has opted out of receiving unsolicited emails.
  • Unsolicited emails are required to include an unsubscribe button or link in the heading and closing of the email, and the subject line of the unsolicited emails must include “ADV:” as the first four characters.
  • After a recipient opts out, the sender has 10 days to stop sending emails to that address and can only use it for compliance purposes.
  • The unsubscribe mechanism must be able to process opt-out requests for at least 30 days.
  • The opt-out notice must be clear and easy to understand, and can include a return email address or other online method for recipients to communicate their choice.
  • Violations of EMA are considered unlawful practices under the Consumer Fraud and Deceptive Business Practices Act.

 

What is the supervisory authority / regulator in charge of data protection?

Illinois Attorney General Kwame Raoul.

 

Is there a requirement to register with a supervisory authority / regulator?

No requirement to register with a supervisory authority/ regulator.

 

Is there a requirement to notify the supervisory authority / regulator?

There is no requirement to notify.

 

Is it possible to register with / notify the supervisory authority / regulator online?

Not applicable.

 

What are the key data subject rights under the data protection laws of this jurisdiction?

See key principles above.

 

Does your jurisdiction specifically restrict the transfer of personal data out of the jurisdiction? If so, please provide an overview of the restrictions and what transfer tools / mechanisms can be utilised to allow a lawful transfer of personal data.

No.

 

Do the data protection laws in this jurisdiction have 'extra-territorial effect' (i.e. do they apply to organisations outside this jurisdiction)?

No.

 

Does your jurisdiction require a data protection officer (or equivalent) being appointed? If so, in what circumstances?

Yes, under PIPA. A data collector shall provide notice to the Attorney General when the security breach involves more than 500 Illinois residents within 45 days of discovery of the security breach or when the data collector provides notice to consumers, whichever is sooner.

Yes, under SOPPA. After receipt of notice of a determination of a breach of covered information maintained by the school, a school shall notify within the most expedient time possible and without unreasonable delay, but no later than 30 calendar days after receipt of the notice or determination that a breach has occurred, the parent of any student whose covered information is involved in the breach. 105 ILCS 85/15(5); 105 ILCS 85/27(d).

 

Does your jurisdiction have specific circumstances where a data protection impact assessment is required?

No.

 

Does your jurisdiction have any specific data breach notification requirements? If so, please provide further details (for example, who needs to be notified (the supervisory authority / regulator and/or the data subject) and what is the time frame for doing so).

No.

 

Does your jurisdiction have any rules specifically dealing with marketing (including electronic marketing via emails and text messages)?

No.

 

Do different rules apply to business-to-business and business-to-consumer marketing?

See the key principles of the Kansas No-Call Act and Kansas Commercial Electronic Mail Act above.

 

Does your jurisdiction have any rules specifically dealing with cookies? If so, please provide further details (for example, is there a need to differentiate between the types of cookies used).

No.

 

What are the consequences of non compliance with data protections laws (including marketing laws) within your jurisdiction? Please provide an overview of the level of fines that may be imposed by a supervisory authority/regulator.

Under PIPA, the Attorney General may seek remedies against any data collector in violation of the law.

  • Those remedies include:
    • injunctive relief;
    • suspension of licenses;
    • revocation of the right to do business in Illinois; and
    • restitution, and civil penalties up to USD $50,000.
  • If the violation is performed with the intent to defraud a resident, a court may impose a civil penalty of up to USD $50,000 for each violation.
  • Additional penalties apply to violations involving a person over the age of 65.
  • PIPA also allows for a private right of action.

 

Under BIPA, if a business negligently violates this law, the law will allow the alleged injured party to claim:

  • Damages of USD $1,000 per violation; or
  • Actual damages.

If this law was violated intentionally or recklessly, the alleged injured party can claim:

  • Damages of up to USD $5,000 per violation; or
  • Actual damages.

Under IRPWA, damages awarded to a successful employee or applicant include:

  • USD $200 plus costs, reasonable attorneys’ fees, and actual damages for a wilful and knowing violation; and
  • USD $500 per affected employee plus costs, reasonable attorneys’ fees, and actual damages for a wilful and knowing violation of Section 12(c) or 12(c-2) of the act.

 

Under EMA, the injured party may recover attorneys’ fees and costs, and in lieu of recovery of actual damages, can recover the lesser of USD $10 for each unsolicited email transmitted in violation of the act, or USD $25,000 per day.

 

 

In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?

There are no unique factors, but businesses that collect personal data of Illinois residents must understand the legal requirements under Illinois law to ensure compliance.

 

What upcoming data protection developments should multinational organisations be aware of?

There were two major privacy laws proposed in Illinois in 2025. The Illinois Data Privacy and Protection Act would require businesses to limit data collection to what is necessary, require consent for certain processing, and provide data subject rights. The Privacy Rights Act also grants consumers expanded control over how their personal data is used and shared. If passed, these laws would establish data protection standards similar to the CCPA and other comprehensive state privacy laws. Currently, both laws are still pending in the Illinois legislature and have not yet been enacted.

 

Need more information?
Contact a member firm:
Elizabeth (Liz) Harding
Polsinelli
USA - Illinois


Greg Leighton
Polsinelli
USA - Illinois


Bari Rascoe
Polsinelli
USA