Support Centre



Law: Please note this State does not have a general privacy law in effect, you can visit USA State Law Tracker to monitor the progress of US State bills.

Regulator: The Illinois Attorney General

Summary: Although there is no comprehensive privacy law in Illinois, there is a right to privacy under the Constitution of the State of Illinois. The Biometric Information Privacy Act of 2008 ('BIPA') is, however, the most notable privacy-related statute in Illinois. BIPA prohibits the collection of biometric identifiers or information unless certain conditions apply. BIPA additionally includes a private right of action, which has been used extensively against private entities in individual cases as well as class actions. According to the Personal Information Protection Act of 2004, there is a requirement to notify personal data breaches to the AG and to any Illinois residents whose information has been breached. Other key privacy laws in Illinois include the Right to Privacy in the Workplace Act, the Electronic Mail Act, and the Illinois Banking Act.


The regulation of biometric information has become a focal point of American legislation over the last few years. However, few states have successfully enacted biometric statutes and only one state, Illinois, has enacted a biometric statute with any real teeth. In fact, Illinois' Biometric Information Privacy Act of 2008 ('BIPA') can still be considered the 'gold standard' of biometric legislation. Molly DiRago, Partner at Troutman Pepper Hamilton Sanders LLP, takes a look at BIPA and its application to recent case law.

On 17 September 2021, the First District of the Illinois Appellate Court – which covers appeals from Cook County, Illinois (the most populous country in the state) – ruled that individuals who have had their biometrics collected have five years to sue a private entity for failing to follow the Illinois Biometric Information Privacy Act's ('BIPA') retention schedule requirements, informed consent and release requirements, and data safeguarding requirements. Conversely, individuals have just one year to sue a private entity for selling, leasing, trading, or otherwise profiting from individuals' biometric data or disclosing or otherwise disseminating individuals' biometric data absent specified prerequisites, such as consent or a court order. Aaron K. Tantleff and Samuel D. Goldstick, from Foley & Lardner LLP, discuss this development and its implications.