State Law Practice Note

Illinois Consumer Privacy Law (BIPA)

Illinois has no comprehensive consumer-privacy act, but the Biometric Information Privacy Act (740 ILCS 14) is the most litigated state privacy statute in the country — written consent and a public retention policy are required, and private plaintiffs can sue for liquidated damages without proving actual harm.

More details about this document
Editor: OpenAgreements editor
License: CC BY 4.0
Authorities relied on

Which privacy laws apply to your business in Illinois?

Illinois has no comprehensive consumer-privacy statute, but it is anything but a light-touch state. The headline law is the Biometric Information Privacy Act (BIPA), which the General Assembly enacted on the finding that the public welfare, security, and safety will be served by regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information. BIPA applies to any private entity — any individual, partnership, corporation, limited liability company, association, or other group, however organized — with no revenue or data-volume threshold. Around it sit three more statutes: the Genetic Information Privacy Act (GIPA), which makes genetic testing information confidential and privileged; the Personal Information Protection Act (PIPA), the breach-notification statute that reaches essentially every entity handling nonpublic personal information of Illinois residents; and the Consumer Fraud and Deceptive Business Practices Act, which supplies the enforcement hook for deceptive privacy practices.

What Illinois lacks is the omnibus controller-processor framework other states have adopted: there are no general rights to access, correct, delete, or opt out of the sale of personal data, no notice-at-collection mandate, and no data-protection-assessment duty under current Illinois law. What Illinois has instead is sharper teeth on three specific data types — biometric, genetic, and breached personal information — and, uniquely among the states, private rights of action with liquidated damages on the first two. That combination has made Illinois the national center of privacy class-action litigation rather than of regulatory enforcement.

The federal overlay fills the rest of the program: FTC Act § 5 reaches deceptive or unfair privacy practices nationwide, GLBA governs financial institutions, HIPAA governs covered health entities, and COPPA governs services directed to children under 13.

Sources for this answer

Primary law · 2008-10-03

A.1 740 ILCS 14/5

The General Assembly enacted BIPA on the finding that regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information serves the public welfare, security, and safety.

The public welfare, security, and safety will be served by regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.

See 740 ILCS 14/5(g).

Primary law · 2024-08-02

A.2 740 ILCS 14/10

BIPA applies to any private entity — any individual, partnership, corporation, limited liability company, association, or other group, however organized — but not to state or local government agencies or Illinois courts.

"Private entity" means any individual, partnership, corporation, limited liability company, association, or other group, however organized. A private entity does not include a State or local government agency. A private entity does not include any court of Illinois, a clerk of the court, or a judge or justice thereof.

See 740 ILCS 14/10.

Primary law · 2009-01-01

A.3 410 ILCS 513/15

GIPA makes genetic testing and information derived from genetic testing confidential and privileged, releasable only to the tested individual and persons the individual specifically authorizes in writing.

Except as otherwise provided in this Act, genetic testing and information derived from genetic testing is confidential and privileged and may be released only to the individual tested and to persons specifically authorized, in writing in accordance with Section 30, by that individual to receive the information.

See 410 ILCS 513/15(a).

Primary law · 2017-01-01

A.4 815 ILCS 530/5

PIPA's breach-notification duties reach any data collector — a category that includes government agencies, universities, corporations, financial institutions, retailers, and any other entity that handles nonpublic personal information for any purpose.

"Data collector" may include, but is not limited to, government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity that, for any purpose, handles, collects, disseminates, or otherwise deals with nonpublic personal information.

See 815 ILCS 530/5.

What must your Illinois privacy policy contain?

It depends on whether you touch biometric data. If you possess biometric identifiers or biometric information — fingerprints, face geometry, voiceprints, retina or iris scans — BIPA § 15(a) imposes a specific, written-policy mandate: you must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying the data when the initial purpose for collecting it has been satisfied or within 3 years of the individual's last interaction with your business, whichever occurs first. You must then actually follow that schedule: absent a valid warrant or subpoena, a private entity must comply with its established retention schedule and destruction guidelines. For everything else, no Illinois statute fixes the contents of a general consumer privacy policy — the governing rule is that whatever you publish must be true, because a policy that misstates your practices is a deceptive act under FTC Act § 5 and under the Illinois Consumer Fraud Act.

Section 15(a) is the piece businesses most often miss, and it is the cheapest BIPA violation to avoid because it does not depend on consent mechanics. The duty attaches to possession of biometric data, and it has four components on the face of the statute: (1) a written policy; (2) made available to the public — posted, not kept in a drawer; (3) a retention schedule tied to the statute's two ceilings (purpose satisfied, or 3 years after the individual's last interaction, whichever comes first); and (4) guidelines for permanently destroying the data. The companion sentence converts the policy from paper to obligation: once the schedule exists, the entity must comply with it unless a court-issued warrant or subpoena intervenes. Plaintiffs routinely plead § 15(a) alongside the consent claims, so a biometric privacy policy that is unwritten, unposted, or unenforced is itself a freestanding basis for liquidated damages.
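As an added illustration that is not part of the practice note, the following Python shows how a business could encode the § 15(a) retention schedule in its own systems: the destruction deadline is the earlier of the purpose-satisfied date and 3 years after the individual's last interaction, and a record is held past its deadline only while a valid court-issued warrant or subpoena is in effect. The record fields, the leap-day rule, and the sample enrollments are constructed assumptions, not anything the statute or the note prescribes.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# 740 ILCS 14/15(a): destroy when the collection purpose is satisfied or within
# 3 years of the individual's last interaction, whichever occurs first.
RETENTION_YEARS = 3


@dataclass
class BiometricRecord:
    """One enrolled biometric template (field names are constructed assumptions)."""
    subject_id: str
    last_interaction: date
    purpose_satisfied: Optional[date] = None  # date the collection purpose ended, if known
    legal_hold: bool = False  # valid court-issued warrant or subpoena currently in effect


def add_years(d: date, years: int) -> date:
    """Add calendar years; a Feb 29 anchor rolls to Feb 28 when the target year is not a leap year
    (an assumed convention, since the statute does not say how to count the 3 years)."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def destruction_deadline(rec: BiometricRecord) -> date:
    """Statutory destruction deadline: the earlier of the two ceilings in section 15(a)."""
    ceiling = add_years(rec.last_interaction, RETENTION_YEARS)
    if rec.purpose_satisfied is not None and rec.purpose_satisfied < ceiling:
        return rec.purpose_satisfied
    return ceiling


def schedule_status(rec: BiometricRecord, as_of: date) -> str:
    """'retain' before the deadline, 'destroy' once it has passed, and 'hold' only while a
    court-issued warrant or subpoena is in effect (the one exception section 15(a) allows)."""
    if destruction_deadline(rec) > as_of:
        return "retain"
    if rec.legal_hold:
        return "hold"
    return "destroy"


def retention_report(records: List[BiometricRecord], as_of: date) -> List[Tuple[str, date, str]]:
    """Per-record (subject_id, deadline, status): the same list drives the destruction job
    and is what an auditor checks the published schedule against."""
    return [(r.subject_id, destruction_deadline(r), schedule_status(r, as_of)) for r in records]


# Constructed sample enrollments (not real data) and a constructed evaluation date.
SAMPLE_RECORDS = [
    BiometricRecord("emp-001", date(2022, 6, 15)),  # 3-year ceiling governs
    BiometricRecord("emp-002", date(2024, 2, 29)),  # leap-day anchor
    BiometricRecord("emp-003", date(2023, 1, 10), purpose_satisfied=date(2024, 3, 1), legal_hold=True),
    BiometricRecord("emp-004", date(2024, 11, 1), purpose_satisfied=date(2030, 1, 1)),  # purpose ends after ceiling
]
AS_OF = date(2025, 7, 1)

if __name__ == "__main__":
    for subject, deadline, status in retention_report(SAMPLE_RECORDS, AS_OF):
        print(f"{subject}: destroy by {deadline.isoformat()} -> {status}")
```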

For the non-biometric remainder of a privacy policy, build to the federal and sectoral overlay — GLBA privacy notices for financial institutions, the HIPAA notice of privacy practices for covered entities, a COPPA notice for child-directed services — and follow best practice for everyone else: describe the categories of data collected, the purposes, the third parties you share with, and how users exercise any choices you offer. The enforceable Illinois obligation outside BIPA is consistency between the statement and the conduct, because the Consumer Fraud Act declares deceptive acts or practices, including the concealment, suppression or omission of any material fact, unlawful.

Drafting caution

Write the BIPA retention-and-destruction policy before the first scan is collected, and post it where the public can find it. The statute makes the written, publicly available policy a duty of every private entity in possession of biometric data, with a destruction deadline of purpose-satisfied or 3 years after the individual's last interaction, whichever occurs first — a policy drafted after collection begins, or one that exists but was never published, leaves the company exposed on § 15(a) even if its consent paperwork is perfect.

Sources for this answer

Primary law · 2008-10-03

B.1 740 ILCS 14/15(a)

A private entity in possession of biometric data must develop a written, publicly available policy establishing a retention schedule and destruction guidelines, with destruction when the collection purpose is satisfied or within 3 years of the individual's last interaction, whichever occurs first.

A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first.

See 740 ILCS 14/15(a).

Primary law · 2008-10-03

B.2 740 ILCS 14/15(a)

Once the retention schedule and destruction guidelines exist, the private entity must actually comply with them, unless a valid court-issued warrant or subpoena provides otherwise.

Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a private entity in possession of biometric identifiers or biometric information must comply with its established retention schedule and destruction guidelines.

See 740 ILCS 14/15(a).

Primary law

B.3 FTC Act § 5

Section 5 of the FTC Act declares unfair or deceptive acts or practices in or affecting commerce unlawful, which reaches a privacy policy that misstates a business's actual data practices.

Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.

See 15 U.S.C. § 45(a)(1).

Primary law

B.4 815 ILCS 505/2

The Illinois Consumer Fraud Act declares deceptive acts or practices — including concealment, suppression, or omission of material facts — unlawful in trade or commerce, which reaches privacy representations that do not match actual practice.

Unfair methods of competition and unfair or deceptive acts or practices, including but not limited to the use or employment of any deception fraud, false pretense, false promise, misrepresentation or the concealment, suppression or omission of any material fact, with intent that others rely upon the concealment, suppression or omission of such material fact, or the use or employment of any practice described in Section 2 of the "Uniform Deceptive Trade Practices Act", approved August 5, 1965, in the conduct of any trade or commerce are hereby declared unlawful whether any person has in fact been misled, deceived or damaged thereby.

See 815 ILCS 505/2.

Do you need written consent to collect fingerprints or face scans in Illinois?

Yes — before collection, in writing, and after specific disclosures. BIPA § 15(b) prohibits a private entity from collecting, capturing, purchasing, receiving through trade, or otherwise obtaining a person's biometric identifier or biometric information unless it first informs the person in writing that the data is being collected or stored, informs the person in writing of the specific purpose and length of term of the collection, and receives a written release executed by the subject. A biometric identifier means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Three companion duties travel with the data: no private entity may sell, lease, trade, or otherwise profit from a person's biometric data; disclosure to anyone else requires the subject's consent or another narrow statutory basis; and the data must be stored and protected using the reasonable standard of care within the entity's industry, at least as protectively as other confidential and sensitive information.

The order of operations is what trips businesses up: the statute says first. Consent collected after the first scan does not cure the collection that already happened, and the disclosures must cover both the specific purpose and the length of term of the collection — a generic onboarding acknowledgment that never mentions storage duration misses an element on the face of § 15(b). In the workplace, the statute's definition of a written release expressly contemplates a release executed by an employee as a condition of employment, and — since the 2024 amendment — an electronic signature qualifies. So a compliant biometric time-clock or facility-access program is achievable with ordinary HR paperwork: written notice of what is collected, why, and for how long, plus a signed (or e-signed) release, all completed before enrollment.

Scope limits matter in both directions. The definition excludes photographs, writing samples, physical descriptions, and information captured from a patient in a health care setting. Plaintiffs have litigated faceprints computed from photographs under the scan of face geometry language, so photo-based systems still deserve BIPA review. And BIPA does not apply to everyone: it carves out financial institutions subject to GLBA Title V, state and local government agencies, and contractors working for them.

Practice caution

Treat the no-profit rule as a flat ban, not a consent question. Section 15(c) prohibits selling, leasing, trading, or otherwise profiting from biometric identifiers or biometric information outright — unlike collection under § 15(b) or disclosure under § 15(d), there is no consent mechanism that authorizes monetizing the data itself, so a business model that prices access to biometric databases cannot be papered over with releases.

Sources for this answer

Primary law · 2024-08-02

C.2 740 ILCS 14/10

A biometric identifier is a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry; the definition excludes photographs, physical descriptions, patient information captured in health care settings, and health care treatment, payment, or operations information under HIPAA.

"Biometric identifier" means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. Biometric identifiers do not include donated organs, tissues, or parts as defined in the Illinois Anatomical Gift Act or blood or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants and obtained or stored by a federally designated organ procurement agency. Biometric identifiers do not include biological materials regulated under the Genetic Information Privacy Act. Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996.

See 740 ILCS 14/10.

Primary law · 2008-10-03

C.3 740 ILCS 14/15(c)

A private entity in possession of biometric data may not sell, lease, trade, or otherwise profit from it — a flat prohibition with no consent exception.

No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person's or a customer's biometric identifier or biometric information.

See 740 ILCS 14/15(c).

Primary law · 2008-10-03

C.4 740 ILCS 14/15(d)

A private entity may not disclose, redisclose, or disseminate a person's biometric data unless the subject consents, the disclosure completes a transaction the subject authorized, or law or legal process requires it.

No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless: (1) the subject of the biometric identifier or biometric information or the subject's legally authorized representative consents to the disclosure or redisclosure; (2) the disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information or the subject's legally authorized representative; (3) the disclosure or redisclosure is required by State or federal law or municipal ordinance; or (4) the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.

See 740 ILCS 14/15(d).

Primary law · 2008-10-03

C.5 740 ILCS 14/15(e)

A private entity must store, transmit, and protect biometric data using the reasonable standard of care in its industry, and at least as protectively as it protects other confidential and sensitive information.

A private entity in possession of a biometric identifier or biometric information shall: (1) store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity's industry; and (2) store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information.

See 740 ILCS 14/15(e).

Primary law · 2024-08-02

C.6 740 ILCS 14/10

A written release under BIPA means informed written consent or an electronic signature, and in the employment context it may be a release executed by an employee as a condition of employment.

"Written release" means informed written consent, electronic signature, or, in the context of employment, a release executed by an employee as a condition of employment.

See 740 ILCS 14/10.

Primary law · 2024-08-02

C.8 740 ILCS 14/10

BIPA's private-entity definition excludes state and local government agencies.

"Private entity" means any individual, partnership, corporation, limited liability company, association, or other group, however organized. A private entity does not include a State or local government agency. A private entity does not include any court of Illinois, a clerk of the court, or a judge or justice thereof.

See 740 ILCS 14/10.

Primary law · 2008-10-03

C.7 740 ILCS 14/25(c)

BIPA does not apply to financial institutions, or affiliates of financial institutions, subject to Title V of the Gramm-Leach-Bliley Act.

Nothing in this Act shall be deemed to apply in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated thereunder.

See 740 ILCS 14/25(c).

Primary law · 2008-10-03

C.9 740 ILCS 14/25(e)

BIPA does not apply to a contractor, subcontractor, or agent of a state agency or local unit of government while working for that agency or unit.

Nothing in this Act shall be construed to apply to a contractor, subcontractor, or agent of a State agency or local unit of government when working for that State agency or local unit of government.

See 740 ILCS 14/25(e).

Can someone sue your business under BIPA without proving actual harm?

Yes — this is the feature that makes Illinois unlike any other state. BIPA § 20 gives any person aggrieved by a violation a right of action in state circuit court or as a supplemental claim in federal court, with liquidated damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation (or actual damages if greater), plus attorneys' fees and costs. In Rosenbach v. Six Flags Entertainment Corp., the Illinois Supreme Court held that an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act. And the window is long: in Tims v. Black Horse Carriers, Inc., the court held that the five-year catchall limitations period of section 13-205 of the Code of Civil Procedure controls claims under the Act.

The mechanics deserve emphasis because each element compounds the others. The violation is the injury — a fingerprint collected without the § 15(b) disclosures and release is actionable the day it is scanned, with no identity theft, data breach, or out-of-pocket loss required. The Rosenbach court was explicit that this is the design, not an accident: When private entities face liability for failure to comply with the law’s requirements without requiring affected individuals or customers to show some injury beyond violation of their statutory rights, those entities have the strongest possible incentive to conform to the law and prevent problems before they occur and cannot be undone. Stack the per-person liquidated amounts across a workforce or user base, add a five-year reach-back under Tims, and a routine timekeeping or photo-tagging practice becomes a class action with eight- or nine-figure exposure.

BIPA exposure management is litigation prevention: compliant paperwork, vendor disclosures, and retention policies matter more than regulator relations. The Illinois Supreme Court explained in Rosenbach that, other than the private right of action authorized in section 20, no other enforcement mechanism is available.

Practice caution

Do not read the per-person figures as an automatic award. Even while reaffirming its plaintiff-friendly accrual rule, the Illinois Supreme Court treated runaway aggregate damages as a policy problem for the General Assembly and respectfully suggested that the legislature review those concerns and make clear its intent on the assessment of damages under the Act. The legislature accepted that invitation in 2024 — the next question covers how the amendment changed the arithmetic — but no business should price its compliance posture on judicial or legislative moderation arriving in time.

Sources for this answer

Primary law · 2024-08-02

D.1 740 ILCS 14/20(a)

Any person aggrieved by a BIPA violation may sue and recover, per violation, liquidated damages of $1,000 for negligent violations or $5,000 for intentional or reckless violations (or actual damages if greater), plus attorneys' fees.

Any person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party. A prevailing party may recover for each violation: (1) against a private entity that negligently violates a provision of this Act, liquidated damages of $1,000 or actual damages, whichever is greater; (2) against a private entity that intentionally or recklessly violates a provision of this Act, liquidated damages of $5,000 or actual damages, whichever is greater;

See 740 ILCS 14/20(a).

Case law · 2019-01-25

D.2 Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186

The Illinois Supreme Court held that a person is aggrieved under BIPA — and may seek liquidated damages and injunctive relief — without alleging any actual injury beyond the violation of his or her statutory rights.

Contrary to the appellate court’s view, an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an “aggrieved” person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act.

See Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, ¶ 40.

Case law · 2019-01-25

D.4 Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186

The court explained that no-injury liability is BIPA's deterrence design: liability without proof of further injury gives private entities the strongest possible incentive to comply before biometric harms occur and cannot be undone.

When private entities face liability for failure to comply with the law’s requirements without requiring affected individuals or customers to show some injury beyond violation of their statutory rights, those entities have the strongest possible incentive to conform to the law and prevent problems before they occur and cannot be undone.

See Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, ¶ 37.

Case law · 2019-01-25

D.5 Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186

The Illinois Supreme Court stated that BIPA has no enforcement mechanism other than the private right of action authorized in section 20.

Other than the private right of action authorized in section 20 of the Act, no other enforcement mechanism is available.

See Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, ¶ 37.

Case law · 2023-02-02

D.3 Tims v. Black Horse Carriers, Inc., 2023 IL 127801

The Illinois Supreme Court held that the five-year catchall limitations period of 735 ILCS 5/13-205 governs all claims under BIPA, rejecting a one-year period for the publication-based subsections.

For the aforementioned reasons, we find that the five-year limitations period contained in section 13-205 of the Code controls claims under the Act.

See Tims v. Black Horse Carriers, Inc., 2023 IL 127801, ¶ 42.

Case law · 2023-02-17

D.6 Cothron v. White Castle System, Inc., 2023 IL 128004

While adhering to its per-scan accrual reading, the Illinois Supreme Court expressly invited the legislature to review the policy concerns about excessive damages awards and clarify its intent on the assessment of damages under BIPA.

We respectfully suggest that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under the Act.

See Cothron v. White Castle System, Inc., 2023 IL 128004, ¶ 43.

How are BIPA damages counted in Illinois — per person or per scan — after the 2024 amendment?

For repeated, identical collections: one recovery per person, per method — and that cap now governs pending cases too. The sequence matters. In Cothron v. White Castle System, Inc. (Feb. 17, 2023), the Illinois Supreme Court held that a separate claim accrues under the Act each time a private entity scans or transmits an individual’s biometric identifier or information in violation of section 15(b) or 15(d) — the per-scan reading that produced multibillion-dollar class exposure. The General Assembly answered with Public Act 103-0769, effective August 2, 2024, which added subsections 20(b) and 20(c): an entity that repeatedly collects the same biometric identifier from the same person using the same method of collection has committed a single violation, for which the aggrieved person is entitled to, at most, one recovery, with the same rule for repeated disclosures of the same data to the same recipient. And on April 1, 2026, the Seventh Circuit in Gregg v. Central Transport LLC held that this amendment applies retroactively because it impacts only the statutory damages available to plaintiffs—it does not change BIPA’s substantive standards of liability.

The 2023–2026 arc is worth a timeline, because each date changed the settlement value of every pending BIPA case:

  • February 17, 2023: Cothron answers the Seventh Circuit's certified question — claims accrue with every scan or transmission, not only the first. A workforce clocking in by fingerprint for five years suddenly represented thousands of violations per employee, and the court closed by inviting the legislature to clarify its intent on damages.
  • August 2, 2024: Public Act 103-0769 takes effect the day it is signed. It leaves § 15's substantive duties and § 20(a)'s per-violation amounts untouched, but adds the single-recovery rule for repeated same-person, same-method collections and same-recipient disclosures, and it modernizes consent by adding an electronic signature to the definition of a written release.
  • April 1, 2026: In Gregg — a trio of consolidated appeals with Clay v. Union Pacific Railroad and Willis v. Universal Intermodal Services — a unanimous Seventh Circuit panel, in an opinion by Chief Judge Brennan, holds that the amendment is a remedial change: That makes it ‘procedural’ under Illinois law, so courts should apply the amendment to cases pending at the time the statute was enacted. Plaintiffs who had banked on per-scan damages for pre-2024 conduct — one plaintiff alleged roughly 1,500 scans, a potential $7.5 million for a single person — lost that multiplier in federal court.

Practice caution

The single-recovery rule is narrower than the headline suggests. The statutory text caps recovery only where the same biometric identifier is taken from the same person using the same method of collection — and, for disclosure, only as to the same recipient. A business that runs a fingerprint time clock and a face-scan access system, or that shares biometric data with multiple vendors, can still face multiple recoveries per person, and class exposure still scales with headcount because every affected person keeps his or her own recovery.

Sources for this answer

Case law · 2023-02-17

E.1 Cothron v. White Castle System, Inc., 2023 IL 128004

The Illinois Supreme Court held that a separate BIPA claim accrues each time a private entity scans or transmits a person's biometric identifier or information in violation of section 15(b) or 15(d) — not only on the first collection.

We hold that a separate claim accrues under the Act each time a private entity scans or transmits an individual’s biometric identifier or information in violation of section 15(b) or 15(d).

See Cothron v. White Castle System, Inc., 2023 IL 128004, ¶ 1.

Primary law · 2024-08-02

E.2 740 ILCS 14/20(b)

Under the 2024 amendment (P.A. 103-0769), repeated collection of the same biometric identifier from the same person by the same method is a single violation of section 15(b), entitling the aggrieved person to at most one recovery.

For purposes of subsection (b) of Section 15, a private entity that, in more than one instance, collects, captures, purchases, receives through trade, or otherwise obtains the same biometric identifier or biometric information from the same person using the same method of collection in violation of subsection (b) of Section 15 has committed a single violation of subsection (b) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section.

See 740 ILCS 14/20(b), added by P.A. 103-0769 (eff. Aug. 2, 2024).

Primary law · 2024-08-02

E.3 740 ILCS 14/20(c)

The 2024 amendment applies the same single-recovery rule to repeated disclosures: disseminating the same person's biometric data to the same recipient in violation of section 15(d) is one violation with at most one recovery, regardless of how many times it occurs.

For purposes of subsection (d) of Section 15, a private entity that, in more than one instance, discloses, rediscloses, or otherwise disseminates the same biometric identifier or biometric information from the same person to the same recipient using the same method of collection in violation of subsection (d) of Section 15 has committed a single violation of subsection (d) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section regardless of the number of times the private entity disclosed, redisclosed, or otherwise disseminated the same biometric identifier or biometric information of the same person to the same recipient.

See 740 ILCS 14/20(c), added by P.A. 103-0769 (eff. Aug. 2, 2024).

Case law · 2026-04-01

E.4 Gregg v. Central Transport LLC (7th Cir. Apr. 1, 2026)

The Seventh Circuit held that the 2024 single-recovery amendment to BIPA section 20 applies retroactively to cases pending when it was enacted, because it affects only the statutory damages available — not BIPA's substantive standards of liability.

We hold that this amendment applies retroactively because it impacts only the statutory damages available to plaintiffs—it does not change BIPA’s substantive standards of liability.

See Gregg v. Central Transport LLC, Nos. 25-2185, 25-2761, 25-2762 (7th Cir. Apr. 1, 2026).

Case law · 2026-04-01

E.5 Gregg v. Central Transport LLC (7th Cir. Apr. 1, 2026)

The panel classified the amendment as a remedial change — procedural under Illinois retroactivity law — so courts should apply it to cases that were pending when the statute was enacted.

The amendment to BIPA Section 20 is a remedial change. That makes it “procedural” under Illinois law, so courts should apply the amendment to cases pending at the time the statute was enacted.

See Gregg v. Central Transport LLC, Nos. 25-2185, 25-2761, 25-2762 (7th Cir. Apr. 1, 2026).

Can you ask Illinois employees or job applicants for genetic tests or genetic information?

No. The Genetic Information Privacy Act (GIPA) prohibits an employer, employment agency, labor organization, or licensing agency from directly or indirectly soliciting, requesting, requiring, or purchasing genetic testing or genetic information of a person or a person's family member — or administering a genetic test — as a condition of employment, a preemployment application, membership, or licensure. GIPA also creates private-suit exposure: any person aggrieved by a violation may sue and recover liquidated damages of $2,500 per negligent violation or $15,000 per intentional or reckless violation (or actual damages if greater), plus attorneys' fees, subject to the Illinois Insurance Code remedy for insurer violations of section 30.

Two statutory features give the employment prohibition a long reach. First, the ban covers both the person and the person's family member when the request is tied to employment, preemployment application, labor-organization membership, or licensure. Second, genetic testing expressly includes direct-to-consumer commercial genetic testing, so consumer DNA-kit results are covered the same as clinical tests. The statute also bars employers from using genetic testing or genetic information to affect terms or conditions, limit or classify employees, or retaliate against anyone alleging a violation. It separately prohibits offering employment, membership, licensure, pay, or benefits in return for taking a genetic test, with narrow statutory provisions for workplace wellness programs, employee-requested workers' compensation testing, and toxic-substance genetic monitoring.

The practical risk is indirect collection. The statute reaches requests made through employment agencies, licensing agencies, labor organizations, and other employment-related channels, so Illinois hiring and occupational-health forms should be reviewed for genetic testing or genetic-information fields before they are given to applicants or employees.

Drafting caution

Strip family-medical-history questions out of Illinois hiring and occupational-health paperwork, including forms administered by third-party clinics on your behalf. The statutory prohibition reaches indirect solicitation and requests made as a condition of a preemployment application, so routing the questionnaire through an outside examiner does not take the inquiry outside GIPA — and each affected applicant carries $2,500-to-$15,000 liquidated-damages exposure.

Sources for this answer

Primary law · 2018-01-01

F.1 410 ILCS 513/25

GIPA prohibits employment-related solicitation, requests, requirements, purchases, administration, use, classification, and retaliation involving genetic testing or genetic information of a person or family member.

An employer, employment agency, labor organization, and licensing agency shall not directly or indirectly do any of the following: (1) solicit, request, require or purchase genetic testing or genetic information of a person or a family member of the person, or administer a genetic test to a person or a family member of the person as a condition of employment, preemployment application, labor organization membership, or licensure; (2) affect the terms, conditions, or privileges of employment, preemployment application, labor organization membership, or licensure, or terminate the employment, labor organization membership, or licensure of any person because of genetic testing or genetic information with respect to the employee or family member, or information about a request for or the receipt of genetic testing by such employee or family member of such employee; (3) limit, segregate, or classify employees in any way that would deprive or tend to deprive any employee of employment opportunities or otherwise adversely affect the status of the employee as an employee because of genetic testing or genetic information with respect to the employee or a family member, or information about a request for or the receipt of genetic testing or genetic information by such employee or family member of such employee; and (4) retaliate through discharge or in any other manner against any person alleging a violation of this Act or participating in any manner in a proceeding under this Act.

See 410 ILCS 513/25(c).

Primary law · 2015-01-01

F.2 410 ILCS 513/40

Any person aggrieved by a GIPA violation has a private right of action and may recover liquidated damages, attorneys' fees, costs, and other relief; Article XL of the Illinois Insurance Code is the exclusive remedy for insurer violations of section 30.

Any person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in a federal district court against an offending party. A prevailing party may recover for each violation: (1) Against any party who negligently violates a provision of this Act, liquidated damages of $2,500 or actual damages, whichever is greater. (2) Against any party who intentionally or recklessly violates a provision of this Act, liquidated damages of $15,000 or actual damages, whichever is greater. (3) Reasonable attorney's fees and costs, including expert witness fees and other litigation expenses. (4) Such other relief, including an injunction, as the State or federal court may deem appropriate. (b) Article XL of the Illinois Insurance Code shall provide the exclusive remedy for violations of Section 30 by insurers.

See 410 ILCS 513/40(a)-(b).

Primary law · 2025-08-15

F.3 410 ILCS 513/10

GIPA defines genetic testing by reference to HIPAA and expressly extends the definition to direct-to-consumer commercial genetic testing.

"Genetic testing" and "genetic test" have the meaning ascribed to "genetic test" under HIPAA, as specified in 45 CFR 160.103. "Genetic testing" includes direct-to-consumer commercial genetic testing.

See 410 ILCS 513/10.

Primary law · 2018-01-01

F.4 410 ILCS 513/25(d)

GIPA prohibits employment-related agreements offering employment, membership, licensure, pay, or benefits in return for taking a genetic test.

An agreement between a person and an employer, prospective employer, employment agency, labor organization, or licensing agency, or its employees, agents, or members offering the person employment, labor organization membership, licensure, or any pay or benefit in return for taking a genetic test is prohibited.

See 410 ILCS 513/25(d).

Primary law · 2018-01-01

F.5 410 ILCS 513/25(e)

GIPA allows use of genetic information or testing in a workplace wellness program only if statutory authorization, access, confidentiality, and no-penalty conditions are met.

An employer shall not use genetic information or genetic testing in furtherance of a workplace wellness program benefiting employees unless (1) health or genetic services are offered by the employer, (2) the employee provides written authorization in accordance with Section 30 of this Act, (3) only the employee or family member if the family member is receiving genetic services and the licensed health care professional or licensed genetic counselor involved in providing such services receive individually identifiable information concerning the results of such services, and (4) any individually identifiable information is only available for purposes of such services and shall not be disclosed to the employer except in aggregate terms that do not disclose the identity of specific employees. An employer shall not penalize an employee who does not disclose his or her genetic information or does not choose to participate in a program requiring disclosure of the employee's genetic information.

See 410 ILCS 513/25(e).

Primary law · 2018-01-01

F.6 410 ILCS 513/25(f)

GIPA does not prohibit genetic testing requested and authorized by an employee for the purpose of initiating a workers' compensation claim.

Nothing in this Act shall be construed to prohibit genetic testing of an employee who requests a genetic test and who provides written authorization, in accordance with Section 30 of this Act, from taking a genetic test for the purpose of initiating a workers' compensation claim under the Workers' Compensation Act.

See 410 ILCS 513/25(f).

Primary law · 2018-01-01

F.7 410 ILCS 513/25(i)

GIPA does not prohibit workplace toxic-substance genetic monitoring if notice, authorization or legal requirement, individual results, regulatory compliance, and aggregate-only employer-result conditions are met.

Nothing in this Act shall be construed to prohibit an employer from requesting or requiring genetic information to be used for genetic monitoring of the biological effects of toxic substances in the workplace, but only if (1) the employer provides written notice of the genetic monitoring to the employee; (2) the employee provides written authorization under Section 30 of this Act or the genetic monitoring is required by federal or State law; (3) the employee is informed of individual monitoring results; (4) the monitoring is in compliance with any federal genetic monitoring regulations or State genetic monitoring regulations under the authority of the federal Occupational Safety and Health Act of 1970; and (5) the employer, excluding any health care provider, health care professional, or health facility that is involved in the genetic monitoring program, receives the results of the monitoring only in aggregate terms that do not disclose the identity of specific employees.

See 410 ILCS 513/25(i).

Do Illinois residents have rights to access, delete, or opt out of the sale of their data?

Not as general rights — Illinois has no omnibus statute granting access, correction, deletion, portability, or sale opt-outs across all personal data, and no Illinois law requires businesses to honor universal opt-out preference signals such as Global Privacy Control. What Illinois residents have instead are targeted, data-type-specific controls with unusual force: biometric data cannot be collected at all without prior written notice and a written release, and it must be destroyed when the collection purpose is satisfied or within 3 years of the person's last interaction with the business; genetic test results cannot be disclosed in identifiable form except to the tested person and those the person authorizes.

The practical translation: an Illinois consumer cannot email a retailer and demand a copy or deletion of an ordinary marketing profile the way a resident of an omnibus-law state can. But for the two data types the legislature singled out, the Illinois model is stronger than a rights-request regime — it is consent-or-nothing on the front end (biometrics may not be obtained without a release; genetic information may not be solicited by employers at all), an automatic destruction clock rather than a deletion request, and a flat ban on profiting from biometric data that no opt-in can waive. A business cannot paper around these rules with terms of service, and the rights are self-executing through the private rights of action covered above rather than through a regulator's complaint portal.

Sources for this answer

Primary law · 2008-10-03

G.2 740 ILCS 14/15(a)

Illinois law imposes an automatic biometric-data destruction deadline — when the collection purpose is satisfied or within 3 years of the individual's last interaction, whichever occurs first — rather than a consumer-initiated deletion request.

establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first

See 740 ILCS 14/15(a).

Primary law · 2016-01-01

G.3 410 ILCS 513/30

No person may disclose, or be compelled to disclose, the identity of a person tested or genetic test results in identifiable form, except to the tested person and recipients the person specifically authorizes in writing.

No person may disclose or be compelled to disclose the identity of any person upon whom a genetic test is performed or the results of a genetic test in a manner that permits identification of the subject of the test, except to the following persons: (1) The subject of the test or the subject's legally authorized representative. This paragraph does not create a duty or obligation under which a health care provider must notify the subject's spouse or legal guardian of the test results, and no such duty or obligation shall be implied. No civil liability or criminal sanction under this Act shall be imposed for any disclosure or nondisclosure of a test result to a spouse by a physician acting in good faith under this paragraph. For the purpose of any proceedings, civil or criminal, the good faith of any physician acting under this paragraph shall be presumed. (2) Any person designated in a specific written legally effective authorization for release of the test results executed by the subject of the test or the subject's legally authorized representative.

See 410 ILCS 513/30(a)(1)-(2).

When must you notify people of a data breach in Illinois?

In the most expedient time possible and without unreasonable delay. Under the Personal Information Protection Act (PIPA), any data collector that owns or licenses personal information concerning an Illinois resident must notify the resident, at no charge, following discovery or notification of a breach — with delay tolerated only for measures necessary to determine the breach's scope and restore the system's integrity, security, and confidentiality. A breach means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. If a single breach requires notice to more than 500 Illinois residents, the data collector must also notify the Attorney General, and a violation of the Act is an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act.

Personal information under PIPA is broader than the classic name-plus-SSN formula. It covers a name combined with an unencrypted Social Security number, driver's license or state ID number, financial-account or card data, medical information (expressly including information provided to a website or mobile application), health-insurance information, or unique biometric data used to authenticate an individual — and, separately, a username or email address combined with a password or security question and answer, a category with its own lighter notice option directing users to change credentials. Encrypted or redacted data is outside the quoted definition unless the keys were acquired without authorization through the breach. The AG notice for 500-plus-resident breaches must arrive no later than the consumer notices, and the Attorney General may publish the breached entity's name. The duties cannot be contracted away: any waiver of PIPA is void and unenforceable.

Enforcement runs through the Attorney General — and that is the one place in Illinois privacy law where the AG, rather than a class-action plaintiff, holds the pen. Because a PIPA violation is deemed an unlawful practice under the Consumer Fraud Act, the AG can seek injunctions and civil penalties for late or omitted notice, with no cure period written into the statute. A private plaintiff, by contrast, has no liquidated-damages remedy here: a consumer suing over a breach must proceed under the Consumer Fraud Act, which requires actual damage from the violation — a sharp contrast with BIPA and GIPA, where the statutory violation alone supports liquidated damages. Note the interaction for biometric incidents: a breach of authentication-grade biometric data triggers PIPA notice duties and invites scrutiny of the § 15(e) safeguards duty under BIPA, where the per-person liquidated-damages regime does apply.

Sources for this answer

Primary law · 2020-01-01

H.1 815 ILCS 530/10

A data collector that owns or licenses personal information of an Illinois resident must notify the resident of a breach in the most expedient time possible and without unreasonable delay, allowing only for scope determination and system restoration.

Any data collector that owns or licenses personal information concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system.

See 815 ILCS 530/10(a).

Primary law · 2017-01-01

H.2 815 ILCS 530/5

A reportable breach is the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector.

"Breach of the security of the system data" or "breach" means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector.

See 815 ILCS 530/5.

Primary law · 2020-01-01

H.3 815 ILCS 530/10(e)

A breach requiring notice to more than 500 Illinois residents also requires notice to the Attorney General, describing the breach, the number of residents affected, and the steps taken.

Any data collector required to issue notice pursuant to this Section to more than 500 Illinois residents as a result of a single breach of the security system shall provide notice to the Attorney General of the breach, including: (A) A description of the nature of the breach of security or unauthorized acquisition or use. (B) The number of Illinois residents affected by such incident at the time of notification. (C) Any steps the data collector has taken or plans to take relating to the incident. Such notification must be made in the most expedient time possible and without unreasonable delay but in no event later than when the data collector provides notice to consumers pursuant to this Section. If the date of the breach is unknown at the time the notice is sent to the Attorney General, the data collector shall send the Attorney General the date of the breach as soon as possible. Upon receiving notification from a data collector of a breach of personal information, the Attorney General may publish the name of the data collector that suffered the breach, the types of personal information compromised in the breach, and the date range of the breach.

See 815 ILCS 530/10(e)(2).

Primary law · 2006-01-01

H.4 815 ILCS 530/20

A PIPA violation constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act, which is the statute's enforcement mechanism.

A violation of this Act constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act.

See 815 ILCS 530/20.

Primary law · 2017-01-01

H.5 815 ILCS 530/5

PIPA's definition of personal information includes name-plus-sensitive-data categories, biometric authentication data, and online-account credentials, with encrypted or redacted data outside the definition unless the keys were acquired without authorization through the breach.

"Personal information" means either of the following: (1) An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired without authorization through the breach of security: (A) Social Security number. (B) Driver's license number or State identification card number. (C) Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account. (D) Medical information. (E) Health insurance information. (F) Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to authenticate an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data. (2) User name or email address, in combination with a password or security question and answer that would permit access to an online account, when either the user name or email address or password or security question and answer are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the data elements have been obtained through the breach of security. "Personal information" does not include publicly available information that is lawfully made available to the general public from federal, State, or local government records.

See 815 ILCS 530/5.

Primary law · 2020-01-01

H.6 815 ILCS 530/10(a)(2)

For a breach of username or email credentials, PIPA allows electronic or other notice directing residents to change credentials and take appropriate account-protection steps.

With respect to personal information defined in Section 5 in paragraph (2) of the definition of "personal information", notice may be provided in electronic or other form directing the Illinois resident whose personal information has been breached to promptly change his or her user name or password and security question or answer, as applicable, or to take other steps appropriate to protect all online accounts for which the resident uses the same user name or email address and password or security question and answer.

See 815 ILCS 530/10(a)(2).

Primary law · 2017-01-01

H.9 815 ILCS 530/5

PIPA's definition of personal information includes unique biometric data — such as a fingerprint or retina or iris image — used by the owner or licensee to authenticate an individual.

Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to authenticate an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data.

See 815 ILCS 530/5.

Primary law · 2006-01-01

H.7 815 ILCS 530/15

PIPA's duties cannot be waived by contract — any waiver of the Act is contrary to public policy and void.

Any waiver of the provisions of this Act is contrary to public policy and is void and unenforceable.

See 815 ILCS 530/15.

Primary law

H.8 815 ILCS 505/10a

A private Consumer Fraud Act action — the consumer's route for a PIPA violation — requires actual damage as a result of the violation, unlike the liquidated-damages regimes of BIPA and GIPA.

Any person who suffers actual damage as a result of a violation of this Act committed by any other person may bring an action against such person.

See 815 ILCS 505/10a(a).

What must your contracts with vendors say in Illinois?

Illinois has no omnibus data-processing-agreement statute — no state law prescribes controller-processor terms, audit rights, or subprocessor flow-downs for general personal data. But two Illinois statutes put hard edges on vendor arrangements. Under BIPA, handing biometric data to a vendor is a disclosure that requires the subject's consent or another narrow statutory basis, so the consent paperwork and the vendor contract have to be designed together. Under PIPA, a vendor that maintains or stores personal information it does not own must notify the owner of any breach immediately following discovery and cooperate in the response.

The biometric-vendor scenario deserves specific attention because it is the standard BIPA fact pattern: an employer runs a fingerprint time clock, and a third-party vendor hosts and matches the templates. Both the employer and the vendor can face § 15 exposure — the employer for collecting and disclosing without the statutory disclosures and release, the vendor as a private entity obtaining biometric data itself — and the 2024 single-recovery amendment caps repeated disclosures only as to the same recipient, so each additional vendor in the chain is a separate exposure line. A compliant program therefore names the vendor categories in the written consent, binds the vendor by contract to BIPA's storage, protection, no-sale, and destruction standards, and allocates defense and indemnity for biometric claims expressly.

Where a federal sectoral regime applies, it supplies the contract terms directly: the GLBA Safeguards Rule requires financial institutions to oversee service providers by contract — requiring your service providers by contract to implement and maintain appropriate safeguards — and HIPAA requires a business-associate agreement with mandatory data-protection, breach-reporting, and subcontractor terms before protected health information moves. Outside those verticals, carry the same architecture forward as best practice: processing limited to documented instructions, confidentiality, reasonable security, breach notification back to you on PIPA's immediate-notice clock, return or deletion at the end of the engagement, and — for any Illinois-facing biometric or genetic data — express compliance with BIPA and GIPA by name.

Sources for this answer

Primary law · 2008-10-03

I.1 740 ILCS 14/15(d)

Disclosing or disseminating a person's biometric data — including to a service vendor — requires the subject's consent, completion of an authorized financial transaction, a legal requirement, or a warrant or subpoena.

No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless: (1) the subject of the biometric identifier or biometric information or the subject's legally authorized representative consents to the disclosure or redisclosure; (2) the disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information or the subject's legally authorized representative; (3) the disclosure or redisclosure is required by State or federal law or municipal ordinance; or (4) the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction.

See 740 ILCS 14/15(d).

Primary law · 2024-08-02

I.3 740 ILCS 14/20(c)

The 2024 BIPA amendment caps repeated disclosures of the same person's biometric data to the same recipient as one section 15(d) violation with at most one recovery.

For purposes of subsection (d) of Section 15, a private entity that, in more than one instance, discloses, rediscloses, or otherwise disseminates the same biometric identifier or biometric information from the same person to the same recipient using the same method of collection in violation of subsection (d) of Section 15 has committed a single violation of subsection (d) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section regardless of the number of times the private entity disclosed, redisclosed, or otherwise disseminated the same biometric identifier or biometric information of the same person to the same recipient.

See 740 ILCS 14/20(c), added by P.A. 103-0769 (eff. Aug. 2, 2024).

Primary law · 2020-01-01

I.2 815 ILCS 530/10(b)

A vendor that maintains or stores personal information it does not own or license must notify the owner or licensee of a breach immediately following discovery and must cooperate in the breach response.

Any data collector that maintains or stores, but does not own or license, computerized data that includes personal information that the data collector does not own or license shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. In addition to providing such notification to the owner or licensee, the data collector shall cooperate with the owner or licensee in matters relating to the breach. That cooperation shall include, but need not be limited to, (i) informing the owner or licensee of the breach, including giving notice of the date or approximate date of the breach and the nature of the breach, and (ii) informing the owner or licensee of any steps the data collector has taken or plans to take relating to the breach. The data collector's cooperation shall not, however, be deemed to require either the disclosure of confidential business information or trade secrets or the notification of an Illinois resident who may have been affected by the breach.

See 815 ILCS 530/10(b).

Primary law

I.4 GLBA Safeguards Rule

The GLBA Safeguards Rule requires a financial institution to oversee its service providers, including by requiring them by contract to implement and maintain appropriate safeguards for customer information.

Requiring your service providers by contract to implement and maintain such safeguards

See 16 C.F.R. § 314.4(f)(2).

Primary law

I.5 HIPAA Business Associate Contracts

HIPAA requires a written business-associate contract that establishes the permitted uses and disclosures of protected health information and binds the business associate to safeguard it.

A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract;

See 45 C.F.R. § 164.504(e)(2).