Penningtons Manches Cooper LLP


The following law(s) specifically govern personal data / information:

Illinois Personal Information Protection Act (“PIPA”). §§ 815 ILCS 530/1 to 815 ILCS 530/900.

Illinois Biometric Privacy Act 2008 (“BIPA”). 740 ILCS 14/1 to 740 ILCS 14/99.

Also, the Student Online Personal Protection Act (“SOPPA”). 105 ILCS 85/1 to 105 ILCS 85/99.


The key data protection principles in this jurisdiction are:

Key principles under PIPA:

  • Any data collector required to issue notice to more than 500 Illinois residents as a result of a single breach of the security system shall provide notice to the Attorney General (“AG”) of the breach.
    • If a State agency is required to notify more than 250 Illinois residents, it must notify the AG within 45 days of discovery of breach or when the State agency notifies individuals affected by the breach, whichever is sooner.
    • The notification to Illinois residents shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.
  • Any data collector that maintains or stores, but does not own or license, computerized data that includes personal information that the data collector does not own or license shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
    • This provision applies whether or not the data collector conducts business in Illinois.
    • PIPA only applies to computerized data.
  • PIPA also requires any data collector that owns or licenses, or maintains or stores, Illinois residents' personal information to implement and maintain “reasonable security measures to protect those records from unauthorised access, acquisition, destruction, use, modification, or disclosure,” and that such measures be contractually flowed down to subcontractors. 815 ILCS 530/45(a).

Key principles under BIPA:

The BIPA provides a set of five (5) rules for businesses to follow when collecting biometric data of state residents:

    1. Prior consent required before collection of biometric data.
    2. Permits a limited right to disclosure.
    3. Mandates protection obligations and retention guidelines.
    4. Prohibits profiting from biometric data.
    5. Private right of action for violations.

Key principles under SOPPA:

  • School districts must adopt a policy for designating which school employees can enter into written agreements with operators.
  • Each school shall post and maintain on its website or, if the school does not maintain a website, make available for inspection by the general public at its administrative office:
    • An explanation of the data elements of covered information collected by the school;
    • A list of operators/vendors/suppliers that the school has an agreement with;
    • Procedures a parent must use to access covered information; and
    • A listing of any breaches realized.
  • After a determination of a breach of covered information maintained by the school, a school shall notify, no later than 30 calendar days after receipt of the notice or determination, that a breach has occurred.
  • Each school must implement and maintain reasonable security procedures and practices that otherwise meet or exceed industry standards designed to protect covered information from unauthorized access, destruction, use, modification, or disclosure.
  • Each school may designate an appropriate staff person as a privacy officer, who may also be an official records custodian as designated under the Illinois School Student Records Act, to carry out the duties and responsibilities assigned to schools and to ensure compliance with the requirements of SOPPA.
  • A school shall make a request to delete covered information on behalf of a student’s parent if the parent requests from the school that the student’s covered information held be deleted. (Deletion must not violate any state or federal records laws.)


The supervisory authority / regulator in charge of data protection is:

Attorney General Kwame Raoul.


Is there a requirement to register with a supervisory authority / regulator?



Is there a requirement to notify the supervisory authority / regulator?



Is it possible to register with / notify the supervisory authority / regulator online?



The key data subject rights under the data protection laws of this jurisdiction are:



Is there a requirement to appoint a data protection officer (or equivalent)?



Do data protection / privacy impact assessments need to be carried out in certain circumstances?



Does this jurisdiction have any specific data breach notification requirements?

Yes, under PIPA. A data collector shall provide notice to the Attorney General when the security breach involves more than 500 Illinois residents within 45 days of discovery of the security breach or when the data collector provides notice to consumers, whichever is sooner.

Yes, under SOPPA. After receipt of notice of a determination of a breach of covered information maintained by the school, a school shall notify within the most expedient time possible and without unreasonable delay, but no later than 30 calendar days after receipt of the notice or determination that a breach has occurred, the parent of any student whose covered information is involved in the breach. 105 ILCS 85/15(5); 105 ILCS 85/27(d).


The following restrictions apply to the international transfer of personal data / information:



Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?



The following rules specifically deal with marketing:



Do different rules apply to business-to-business and business-to-consumer marketing?



The following rules specifically deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc):



The following rules specifically deal with cookies:



The consequences of non-compliance with data protection laws (including marketing laws) are:

Under PIPA, the Attorney General may seek remedies against any data collector in violation of the law.

  • Those remedies include:
    • injunctive relief;
    • suspension of licenses;
    • revocation of the right to do business in Illinois; and
    • restitution, and civil penalties up to $50,000.
  • If the violation is performed with the intent to defraud a resident, a court may impose a civil penalty of up to $50,000 for each violation.
  • Additional penalties apply to violations involving a person over the age of 65.
  • PIPA also allows for a private right of action.

Under BIPA, if a business negligently violates this law, the law will allow the alleged injured party to claim:

  • Damages of $1,000 per violation, or
  • Actual damages.

If this law was violated intentionally or recklessly, the alleged injured party can claim:

  • Damages of up to $5,000 per violation; or
  • Actual damages.


In broad terms, are there any factors unique to your jurisdiction that you would advise a multinational to consider if it is processing personal data from individuals within your jurisdiction, without being located there?

Failure to comply with these laws could have a crippling effect on any data collector. If a data collector collects the personal data of Illinois residents, it must understand the legal requirements under Illinois law to ensure compliance.


Multinational organisations should be aware of the following upcoming data protection developments:



Need more information?
Contact a member firm:
Elizabeth (Liz) Harding