# Illinois Consumer Privacy Law (BIPA)[^about]

Illinois has no comprehensive consumer-privacy act, but the Biometric Information Privacy Act (740 ILCS 14) is the most litigated state privacy statute in the country — written consent and a public retention policy are required, and private plaintiffs can sue for liquidated damages without proving actual harm.

## Which privacy laws apply to your business in Illinois? {#which-privacy-laws-apply}

**Short answer.** Illinois has no comprehensive consumer-privacy statute, but it is anything but a light-touch state. The headline law is the Biometric Information Privacy Act (BIPA), which the General Assembly enacted on the finding that the public welfare, security, and safety will be served by regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information [^stat-bipa-5-findings]. BIPA applies to any private entity — any individual, partnership, corporation, limited liability company, association, or other group, however organized — with no revenue or data-volume threshold [^stat-bipa-10-private-entity]. Around it sit three more statutes: the Genetic Information Privacy Act (GIPA), which makes genetic testing information confidential and privileged [^stat-gipa-15-confidential]; the Personal Information Protection Act (PIPA), the breach-notification statute that reaches essentially every entity handling nonpublic personal information of Illinois residents [^stat-pipa-5-data-collector]; and the Consumer Fraud and Deceptive Business Practices Act, which supplies the enforcement hook for deceptive privacy practices.

What Illinois lacks is the omnibus controller-processor framework other states have adopted: there are no general rights to access, correct, delete, or opt out of the sale of personal data, no notice-at-collection mandate, and no data-protection-assessment duty under current Illinois law. What Illinois has instead is sharper teeth on three specific data types — biometric, genetic, and breached personal information — and, uniquely among the states, private rights of action with liquidated damages on the first two. That combination has made Illinois the national center of privacy class-action litigation rather than of regulatory enforcement.

The federal overlay fills the rest of the program: FTC Act § 5 reaches deceptive or unfair privacy practices nationwide, GLBA governs financial institutions, HIPAA governs covered health entities, and COPPA governs services directed to children under 13.

## What must your Illinois privacy policy contain? {#privacy-policy-contents}

**Short answer.** It depends on whether you touch biometric data. If you possess biometric identifiers or biometric information — fingerprints, face geometry, voiceprints, retina or iris scans — BIPA § 15(a) imposes a specific, written-policy mandate: you must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying the data when the initial purpose for collecting it has been satisfied or within 3 years of the individual's last interaction with your business, whichever occurs first [^stat-15a-written-policy]. You must then actually follow that schedule: absent a valid warrant or subpoena, a private entity must comply with its established retention schedule and destruction guidelines [^stat-15a-comply]. For everything else, no Illinois statute fixes the contents of a general consumer privacy policy — the governing rule is that whatever you publish must be true, because a policy that misstates your practices is a deceptive act under FTC Act § 5 [^fed-ftc5-deceptive] and under the Illinois Consumer Fraud Act [^stat-icfa-2-deceptive].

Section 15(a) is the piece businesses most often miss, and it is the cheapest BIPA violation to avoid because it does not depend on consent mechanics. The duty attaches to *possession* of biometric data, and it has four components on the face of the statute: (1) a *written* policy, (2) *made available to the public* — posted, not kept in a drawer; (3) a *retention schedule* tied to the statute's two ceilings (purpose satisfied, or 3 years after the individual's last interaction, whichever comes first); and (4) *guidelines for permanently destroying* the data. The companion sentence converts the policy from paper to obligation: once the schedule exists, the entity must comply with it unless a court-issued warrant or subpoena intervenes [^stat-15a-comply]. Plaintiffs routinely plead § 15(a) alongside the consent claims, so a biometric privacy policy that is unwritten, unposted, or unenforced is itself a freestanding basis for liquidated damages.

For the non-biometric remainder of a privacy policy, build to the federal and sectoral overlay — GLBA privacy notices for financial institutions, the HIPAA notice of privacy practices for covered entities, a COPPA notice for child-directed services — and follow best practice for everyone else: describe the categories of data collected, the purposes, the third parties you share with, and how users exercise any choices you offer. The enforceable Illinois obligation outside BIPA is consistency between the statement and the conduct, because the Consumer Fraud Act declares deceptive acts or practices, including the concealment, suppression or omission of any material fact, unlawful [^stat-icfa-2-deceptive].

> [!CAUTION]
> **Drafting note.**
>
> Write the BIPA retention-and-destruction policy *before* the first scan is collected, and post it where the public can find it. The statute makes the written, publicly available policy a duty of every private entity in possession of biometric data, with a destruction deadline of purpose-satisfied or 3 years after the individual's last interaction, whichever occurs first — a policy drafted after collection begins, or one that exists but was never published, leaves the company exposed on § 15(a) even if its consent paperwork is perfect [^stat-15a-written-policy].

## Do you need written consent to collect fingerprints or face scans in Illinois? {#biometric-consent}

**Short answer.** Yes — before collection, in writing, and after specific disclosures. BIPA § 15(b) prohibits a private entity from collecting, capturing, purchasing, receiving through trade, or otherwise obtaining a person's biometric identifier or biometric information unless it first informs the person in writing that the data is being collected or stored, informs the person in writing of the specific purpose and length of term of the collection, and receives a written release executed by the subject [^stat-15b-consent]. A biometric identifier means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry [^stat-10-biometric-identifier]. Three companion duties travel with the data: no private entity may sell, lease, trade, or otherwise profit from a person's biometric data [^stat-15c-no-profit]; disclosure to anyone else requires the subject's consent or another narrow statutory basis [^stat-15d-disclosure]; and the data must be stored and protected using the reasonable standard of care within the entity's industry, at least as protectively as other confidential and sensitive information [^stat-15e-safeguards].

The order of operations is what trips businesses up: the statute says *first*. Consent collected after the first scan does not cure the collection that already happened, and the disclosures must cover both the specific purpose and the length of term of the collection — a generic onboarding acknowledgment that never mentions storage duration misses an element on the face of § 15(b). In the workplace, the statute's definition of a *written release* expressly contemplates a release executed by an employee as a condition of employment, and — since the 2024 amendment — an electronic signature qualifies [^stat-10-written-release]. So a compliant biometric time-clock or facility-access program is achievable with ordinary HR paperwork: written notice of what is collected, why, and for how long, plus a signed (or e-signed) release, all completed before enrollment.

Scope limits matter in both directions. The definition excludes photographs, writing samples, physical descriptions, and information captured from a patient in a health care setting [^stat-10-biometric-identifier]. Plaintiffs have litigated faceprints computed *from* photographs under the *scan of face geometry* language, so photo-based systems still deserve BIPA review. And BIPA does not apply to everyone: it carves out financial institutions subject to GLBA Title V [^stat-bipa-25-glba], state and local government agencies [^q3-stat-bipa-10-private-entity], and contractors working for them [^stat-bipa-25-contractors].

> [!NOTE]
> **Practice note.**
>
> Treat the no-profit rule as a flat ban, not a consent question. Section 15(c) prohibits selling, leasing, trading, or otherwise profiting from biometric identifiers or biometric information outright — unlike collection under § 15(b) or disclosure under § 15(d), there is no consent mechanism that authorizes monetizing the data itself, so a business model that prices access to biometric databases cannot be papered over with releases [^stat-15c-no-profit].

## Can someone sue your business under BIPA without proving actual harm? {#bipa-lawsuit-exposure}

**Short answer.** Yes — this is the feature that makes Illinois unlike any other state. BIPA § 20 gives any person aggrieved by a violation a right of action in state circuit court or as a supplemental claim in federal court, with liquidated damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation (or actual damages if greater), plus attorneys' fees and costs [^stat-20a-damages]. In *Rosenbach v. Six Flags Entertainment Corp.*, the Illinois Supreme Court held that "an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act" [^case-rosenbach]. And the window is long: in *Tims v. Black Horse Carriers, Inc.*, the court held that the five-year catchall limitations period of section 13-205 of the Code of Civil Procedure controls claims under the Act [^case-tims].

The mechanics deserve emphasis because each element compounds the others. The violation *is* the injury — a fingerprint collected without the § 15(b) disclosures and release is actionable the day it is scanned, with no identity theft, data breach, or out-of-pocket loss required. The *Rosenbach* court was explicit that this is the design, not an accident: "When private entities face liability for failure to comply with the law’s requirements without requiring affected individuals or customers to show some injury beyond violation of their statutory rights, those entities have the strongest possible incentive to conform to the law and prevent problems before they occur and cannot be undone." [^case-rosenbach-deterrence] Stack the per-person liquidated amounts across a workforce or user base, add a five-year reach-back under *Tims*, and a routine timekeeping or photo-tagging practice becomes a class action with eight- or nine-figure exposure.

BIPA exposure management is litigation prevention: compliant paperwork, vendor disclosures, and retention policies matter more than regulator relations. The Illinois Supreme Court explained in *Rosenbach* that, other than the private right of action authorized in section 20, no other enforcement mechanism is available [^case-rosenbach-no-agency].

> [!NOTE]
> **Practice note.**
>
> Do not read the per-person figures as an automatic award. Even while reaffirming its plaintiff-friendly accrual rule, the Illinois Supreme Court treated runaway aggregate damages as a policy problem for the General Assembly and respectfully suggested that the legislature review those concerns and make clear its intent on the assessment of damages under the Act [^q4-cothron-invitation]. The legislature accepted that invitation in 2024 — the next question covers how the amendment changed the arithmetic — but no business should price its compliance posture on judicial or legislative moderation arriving in time.

## How are BIPA damages counted in Illinois — per person or per scan — after the 2024 amendment? {#per-scan-damages}

**Short answer.** For repeated, identical collections: one recovery per person, per method — and that cap now governs pending cases too. The sequence matters. In *Cothron v. White Castle System, Inc.* (Feb. 17, 2023), the Illinois Supreme Court held that "a separate claim accrues under the Act each time a private entity scans or transmits an individual’s biometric identifier or information in violation of section 15(b) or 15(d)" [^case-cothron-per-scan] — the per-scan reading that produced multibillion-dollar class exposure. The General Assembly answered with Public Act 103-0769, effective August 2, 2024, which added subsections 20(b) and 20(c): an entity that repeatedly collects the same biometric identifier from the same person using the same method of collection has committed a single violation, for which the aggrieved person is entitled to, at most, one recovery [^stat-20b-single-recovery], with the same rule for repeated disclosures of the same data to the same recipient [^stat-20c-single-disclosure]. And on April 1, 2026, the Seventh Circuit in *Gregg v. Central Transport LLC* held that "this amendment applies retroactively because it impacts only the statutory damages available to plaintiffs—it does not change BIPA’s substantive standards of liability" [^case-gregg-retroactive].

The 2023–2026 arc is worth a timeline, because each date changed the settlement value of every pending BIPA case:

- **Feb. 17, 2023.** *Cothron v. White Castle System, Inc.*: the Illinois Supreme Court holds that a separate claim accrues each time a private entity scans or transmits a biometric identifier in violation of § 15(b) or § 15(d), which is the per-scan reading behind multibillion-dollar class exposure [^case-cothron-per-scan].
- **Aug. 2, 2024.** Public Act 103-0769 takes effect, adding subsections 20(b) and 20(c): repeated collection of the same identifier from the same person by the same method, and repeated disclosure of the same data to the same recipient, each count as a single violation with at most one recovery [^stat-20b-single-recovery] [^stat-20c-single-disclosure].
- **April 1, 2026.** *Gregg v. Central Transport LLC*: the Seventh Circuit holds that the amendment applies retroactively, including to pending cases, because it affects only the statutory damages available and not BIPA's substantive standards of liability [^case-gregg-retroactive].

> [!NOTE]
> **Practice note.**
>
> The single-recovery rule is narrower than the headline suggests. The statutory text caps recovery only where the *same* biometric identifier is taken from the *same* person using the *same method of collection* — and, for disclosure, only as to the *same recipient* [^stat-20b-single-recovery] [^stat-20c-single-disclosure]. A business that runs a fingerprint time clock *and* a face-scan access system, or that shares biometric data with multiple vendors, can still face multiple recoveries per person, and class exposure still scales with headcount because every affected person keeps his or her own recovery.

## Can you ask Illinois employees or job applicants for genetic tests or genetic information? {#genetic-information-employment}

**Short answer.** No. The Genetic Information Privacy Act (GIPA) prohibits an employer, employment agency, labor organization, or licensing agency from directly or indirectly soliciting, requesting, requiring, or purchasing genetic testing or genetic information of a person or a person's family member — or administering a genetic test — as a condition of employment, a preemployment application, membership, or licensure [^stat-gipa-25-employment]. GIPA provides private-suit exposure: any person aggrieved by a violation may sue and recover liquidated damages of $2,500 per negligent violation or $15,000 per intentional or reckless violation (or actual damages if greater), plus attorneys' fees, subject to the Illinois Insurance Code remedy for insurer violations of section 30 [^stat-gipa-40-damages].

Two statutory features give the employment prohibition a long reach. First, the ban covers both the person and the person's family member when the request is tied to employment, preemployment application, labor-organization membership, or licensure [^stat-gipa-25-employment]. Second, *genetic testing* expressly includes direct-to-consumer commercial genetic testing [^stat-gipa-10-definitions], so consumer DNA-kit results are covered the same as clinical tests. The statute also bars employers from using genetic testing or genetic information to affect terms or conditions, limit or classify employees, or retaliate against anyone alleging a violation [^stat-gipa-25-employment]. It separately prohibits offering employment, membership, licensure, pay, or benefits in return for taking a genetic test [^stat-gipa-25-pay-benefit], with narrow statutory provisions for workplace wellness programs [^stat-gipa-25-wellness], employee-requested workers' compensation testing [^stat-gipa-25-workers-comp], and toxic-substance genetic monitoring [^stat-gipa-25-toxic-monitoring].

The practical risk is indirect collection. The statute reaches requests made through employment agencies, licensing agencies, labor organizations, and other employment-related channels, so Illinois hiring and occupational-health forms should be reviewed for genetic testing or genetic-information fields before they are given to applicants or employees [^stat-gipa-25-employment].

> [!CAUTION]
> **Drafting note.**
>
> Strip family-medical-history questions out of Illinois hiring and occupational-health paperwork, including forms administered by third-party clinics on your behalf. The statutory prohibition reaches *indirect* solicitation and requests made as a condition of a preemployment application [^stat-gipa-25-employment], so routing the questionnaire through an outside examiner does not take the inquiry outside GIPA — and each affected applicant carries $2,500-to-$15,000 liquidated-damages exposure [^stat-gipa-40-damages].

## Do Illinois residents have rights to access, delete, or opt out of the sale of their data? {#consumer-rights-opt-outs}

**Short answer.** Not as general rights — Illinois has no omnibus statute granting access, correction, deletion, portability, or sale opt-outs across all personal data, and no Illinois law requires businesses to honor universal opt-out preference signals such as Global Privacy Control. What Illinois residents have instead are targeted, data-type-specific controls with unusual force: biometric data cannot be collected at all without prior written notice and a written release [^q7-stat-15b-consent], and it must be destroyed when the collection purpose is satisfied or within 3 years of the person's last interaction with the business [^q7-stat-15a-destruction]; genetic test results cannot be disclosed in identifiable form except to the tested person and those the person authorizes [^q7-stat-gipa-30-disclosure].

The practical translation: an Illinois consumer cannot email a retailer and demand a copy or deletion of an ordinary marketing profile the way a resident of an omnibus-law state can. But for the two data types the legislature singled out, the Illinois model is stronger than a rights-request regime — it is consent-or-nothing on the front end (biometrics may not be obtained without a release; genetic information may not be solicited by employers at all), an automatic destruction clock rather than a deletion request [^q7-stat-15a-destruction], and a flat ban on profiting from biometric data that no opt-in can waive. A business cannot paper around these rules with terms of service, and the rights are self-executing through the private rights of action covered above rather than through a regulator's complaint portal.

## When must you notify people of a data breach in Illinois? {#breach-notification}

**Short answer.** In the most expedient time possible and without unreasonable delay. Under the Personal Information Protection Act (PIPA), any data collector that owns or licenses personal information concerning an Illinois resident must notify the resident, at no charge, following discovery or notification of a breach — with delay tolerated only for measures necessary to determine the breach's scope and restore the system's integrity, security, and confidentiality [^stat-pipa-10-notice]. A breach means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information [^stat-pipa-5-breach]. If a single breach requires notice to more than 500 Illinois residents, the data collector must also notify the Attorney General [^stat-pipa-10e-ag], and a violation of the Act is an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act [^stat-pipa-20-icfa].

*Personal information* under PIPA is broader than the classic name-plus-SSN formula. It covers a name combined with an unencrypted Social Security number, driver's license or state ID number, financial-account or card data, medical information (expressly including information provided to a website or mobile application), health-insurance information, or unique biometric data used to authenticate an individual [^stat-pipa-5-personal-info] — and, separately, a username or email address combined with a password or security question and answer, a category with its own lighter notice option directing users to change credentials [^stat-pipa-10-credential-notice]. Encrypted or redacted data falls outside the statutory definition unless the keys were acquired without authorization through the breach [^stat-pipa-5-personal-info]. The AG notice for 500-plus-resident breaches must arrive no later than the consumer notices, and the Attorney General may publish the breached entity's name [^stat-pipa-10e-ag]. The duties cannot be contracted away: any waiver of PIPA is void and unenforceable [^stat-pipa-15-waiver].

Enforcement runs through the Attorney General — and that is the one place in Illinois privacy law where the AG, rather than a class-action plaintiff, holds the pen. Because a PIPA violation is deemed an unlawful practice under the Consumer Fraud Act [^stat-pipa-20-icfa], the AG can seek injunctions and civil penalties for late or omitted notice, with no cure period written into the statute. A private plaintiff, by contrast, has no liquidated-damages remedy here: a consumer suing over a breach must proceed under the Consumer Fraud Act, which requires actual damage from the violation [^stat-icfa-10a-actual] — a sharp contrast with BIPA and GIPA, where the statutory violation alone supports liquidated damages. Note the interaction for biometric incidents: a breach of authentication-grade biometric data triggers PIPA notice duties *and* invites scrutiny of the § 15(e) safeguards duty under BIPA, where the per-person liquidated-damages regime does apply.

## What must your contracts with vendors say in Illinois? {#vendor-contracts}

**Short answer.** Illinois has no omnibus data-processing-agreement statute — no state law prescribes controller-processor terms, audit rights, or subprocessor flow-downs for general personal data. But two Illinois statutes put hard edges on vendor arrangements. Under BIPA, handing biometric data to a vendor is a *disclosure* that requires the subject's consent or another narrow statutory basis [^q9-stat-15d-disclosure], so the consent paperwork and the vendor contract have to be designed together. Under PIPA, a vendor that maintains or stores personal information it does not own must notify the owner of any breach immediately following discovery and cooperate in the response [^stat-pipa-10b-vendor].

The biometric-vendor scenario deserves specific attention because it is the standard BIPA fact pattern: an employer runs a fingerprint time clock, and a third-party vendor hosts and matches the templates. Both the employer and the vendor can face § 15 exposure — the employer for collecting and disclosing without the statutory disclosures and release, the vendor as a private entity obtaining biometric data itself — and the 2024 single-recovery amendment caps repeated disclosures only as to the *same recipient* [^q9-stat-20c-single-disclosure], so each additional vendor in the chain is a separate exposure line. A compliant program therefore names the vendor categories in the written consent, binds the vendor by contract to BIPA's storage, protection, no-sale, and destruction standards, and allocates defense and indemnity for biometric claims expressly.

Where a federal sectoral regime applies, it supplies the contract terms directly: the GLBA Safeguards Rule requires financial institutions to oversee service providers by contract, requiring them to implement and maintain appropriate safeguards [^fed-glba-safeguards], and HIPAA requires a business-associate agreement with mandatory data-protection, breach-reporting, and subcontractor terms before protected health information moves [^fed-hipaa-baa]. Outside those verticals, carry the same architecture forward as best practice: processing limited to documented instructions, confidentiality, reasonable security, breach notification back to you on PIPA's immediate-notice clock [^stat-pipa-10b-vendor], return or deletion at the end of the engagement, and — for any Illinois-facing biometric or genetic data — express compliance with BIPA and GIPA by name.



[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org) · Maintained by [UseJunior](https://usejunior.com). Last reviewed 2026-06-11. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Illinois. This article synthesizes Illinois primary law and is not legal advice from an Illinois-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.

[^stat-bipa-5-findings]: **740 ILCS 14/5** — "The public welfare, security, and safety will be served by regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information." *740 ILCS 14/5(g).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K5.htm>

[^stat-bipa-10-private-entity]: **740 ILCS 14/10** — "‘Private entity’ means any individual, partnership, corporation, limited liability company, association, or other group, however organized. A private entity does not include a State or local government agency. A private entity does not include any court of Illinois, a clerk of the court, or a judge or justice thereof." *740 ILCS 14/10.* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K10.htm>

[^stat-gipa-15-confidential]: **410 ILCS 513/15** — "Except as otherwise provided in this Act, genetic testing and information derived from genetic testing is confidential and privileged and may be released only to the individual tested and to persons specifically authorized, in writing in accordance with Section 30, by that individual to receive the information." *410 ILCS 513/15(a).* <https://www.ilga.gov/documents/legislation/ilcs/documents/041005130K15.htm>

[^stat-pipa-5-data-collector]: **815 ILCS 530/5** — "‘Data collector’ may include, but is not limited to, government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity that, for any purpose, handles, collects, disseminates, or otherwise deals with nonpublic personal information." *815 ILCS 530/5.* <https://www.ilga.gov/documents/legislation/ilcs/documents/081505300K5.htm>

[^stat-15a-written-policy]: **740 ILCS 14/15(a)** — "A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first." *740 ILCS 14/15(a).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K15.htm>

[^stat-15a-comply]: **740 ILCS 14/15(a)** — "Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a private entity in possession of biometric identifiers or biometric information must comply with its established retention schedule and destruction guidelines." *740 ILCS 14/15(a).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K15.htm>

[^fed-ftc5-deceptive]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>

[^stat-icfa-2-deceptive]: **815 ILCS 505/2** — "Unfair methods of competition and unfair or deceptive acts or practices, including but not limited to the use or employment of any deception fraud, false pretense, false promise, misrepresentation or the concealment, suppression or omission of any material fact, with intent that others rely upon the concealment, suppression or omission of such material fact, or the use or employment of any practice described in Section 2 of the ‘Uniform Deceptive Trade Practices Act’, approved August 5, 1965, in the conduct of any trade or commerce are hereby declared unlawful whether any person has in fact been misled, deceived or damaged thereby." *815 ILCS 505/2.* <https://www.ilga.gov/documents/legislation/ilcs/documents/081505050K2.htm>

[^stat-15b-consent]: **740 ILCS 14/15(b)** — "No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first: (1) informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored; (2) informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative." *740 ILCS 14/15(b).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K15.htm>

[^stat-10-biometric-identifier]: **740 ILCS 14/10** — "‘Biometric identifier’ means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. Biometric identifiers do not include donated organs, tissues, or parts as defined in the Illinois Anatomical Gift Act or blood or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants and obtained or stored by a federally designated organ procurement agency. Biometric identifiers do not include biological materials regulated under the Genetic Information Privacy Act. Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996." *740 ILCS 14/10.* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K10.htm>

[^stat-15c-no-profit]: **740 ILCS 14/15(c)** — "No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person's or a customer's biometric identifier or biometric information." *740 ILCS 14/15(c).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K15.htm>

[^stat-15d-disclosure]: **740 ILCS 14/15(d)** — "No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless: (1) the subject of the biometric identifier or biometric information or the subject's legally authorized representative consents to the disclosure or redisclosure; (2) the disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information or the subject's legally authorized representative; (3) the disclosure or redisclosure is required by State or federal law or municipal ordinance; or (4) the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction." *740 ILCS 14/15(d).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K15.htm>

[^stat-15e-safeguards]: **740 ILCS 14/15(e)** — "A private entity in possession of a biometric identifier or biometric information shall: (1) store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity's industry; and (2) store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information." *740 ILCS 14/15(e).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K15.htm>

[^stat-10-written-release]: **740 ILCS 14/10** — "‘Written release’ means informed written consent, electronic signature, or, in the context of employment, a release executed by an employee as a condition of employment." *740 ILCS 14/10.* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K10.htm>

[^stat-bipa-25-glba]: **740 ILCS 14/25(c)** — "Nothing in this Act shall be deemed to apply in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated thereunder." *740 ILCS 14/25(c).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K25.htm>

[^q3-stat-bipa-10-private-entity]: **740 ILCS 14/10** — "‘Private entity’ means any individual, partnership, corporation, limited liability company, association, or other group, however organized. A private entity does not include a State or local government agency. A private entity does not include any court of Illinois, a clerk of the court, or a judge or justice thereof." *740 ILCS 14/10.* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K10.htm>

[^stat-bipa-25-contractors]: **740 ILCS 14/25(e)** — "Nothing in this Act shall be construed to apply to a contractor, subcontractor, or agent of a State agency or local unit of government when working for that State agency or local unit of government." *740 ILCS 14/25(e).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K25.htm>

[^stat-20a-damages]: **740 ILCS 14/20(a)** — "Any person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party. A prevailing party may recover for each violation: (1) against a private entity that negligently violates a provision of this Act, liquidated damages of $1,000 or actual damages, whichever is greater; (2) against a private entity that intentionally or recklessly violates a provision of this Act, liquidated damages of $5,000 or actual damages, whichever is greater;" *740 ILCS 14/20(a).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K20.htm>

[^case-rosenbach]: **Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186** — "Contrary to the appellate court’s view, an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act." *Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, ¶ 40.* <https://www.courtlistener.com/opinion/4658484/rosenbach-v-six-flags-entertainment-corp/#:~:text=Contrary%20to%20the%20appellate%20court%E2%80%99s,relief%20pursuant%20to%20the%20Act.>

[^case-tims]: **Tims v. Black Horse Carriers, Inc., 2023 IL 127801** — "For the aforementioned reasons, we find that the five-year limitations period contained in section 13-205 of the Code controls claims under the Act." *Tims v. Black Horse Carriers, Inc., 2023 IL 127801, ¶ 42.* <https://www.courtlistener.com/opinion/9372460/tims-v-black-horse-carriers-inc/#:~:text=For%20the%20aforementioned%20reasons%2C%20we,controls%20claims%20under%20the%20Act.>

[^case-rosenbach-deterrence]: **Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186** — "When private entities face liability for failure to comply with the law’s requirements without requiring affected individuals or customers to show some injury beyond violation of their statutory rights, those entities have the strongest possible incentive to conform to the law and prevent problems before they occur and cannot be undone." *Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, ¶ 37.* <https://www.courtlistener.com/opinion/4658484/rosenbach-v-six-flags-entertainment-corp/#:~:text=When%20private%20entities%20face%20liability,occur%20and%20cannot%20be%20undone.>

[^case-rosenbach-no-agency]: **Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186** — "Other than the private right of action authorized in section 20 of the Act, no other enforcement mechanism is available." *Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, ¶ 37.* <https://www.courtlistener.com/opinion/4658484/rosenbach-v-six-flags-entertainment-corp/#:~:text=Other%20than%20the%20private%20right,other%20enforcement%20mechanism%20is%20available.>

[^q4-cothron-invitation]: **Cothron v. White Castle System, Inc., 2023 IL 128004** — "We respectfully suggest that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under the Act." *Cothron v. White Castle System, Inc., 2023 IL 128004, ¶ 43.* <https://www.courtlistener.com/opinion/9413971/cothron-v-white-castle-system-inc/#:~:text=We%20respectfully%20suggest%20that%20the,of%20damages%20under%20the%20Act.>

[^case-cothron-per-scan]: **Cothron v. White Castle System, Inc., 2023 IL 128004** — "We hold that a separate claim accrues under the Act each time a private entity scans or transmits an individual’s biometric identifier or information in violation of section 15(b) or 15(d)." *Cothron v. White Castle System, Inc., 2023 IL 128004, ¶ 1.* <https://www.courtlistener.com/opinion/9413971/cothron-v-white-castle-system-inc/#:~:text=We%20hold%20that%20a%20separate,of%20section%2015(b)%20or%2015(d).>

[^stat-20b-single-recovery]: **740 ILCS 14/20(b)** — "For purposes of subsection (b) of Section 15, a private entity that, in more than one instance, collects, captures, purchases, receives through trade, or otherwise obtains the same biometric identifier or biometric information from the same person using the same method of collection in violation of subsection (b) of Section 15 has committed a single violation of subsection (b) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section." *740 ILCS 14/20(b), added by P.A. 103-0769 (eff. Aug. 2, 2024).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K20.htm>

[^stat-20c-single-disclosure]: **740 ILCS 14/20(c)** — "For purposes of subsection (d) of Section 15, a private entity that, in more than one instance, discloses, rediscloses, or otherwise disseminates the same biometric identifier or biometric information from the same person to the same recipient using the same method of collection in violation of subsection (d) of Section 15 has committed a single violation of subsection (d) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section regardless of the number of times the private entity disclosed, redisclosed, or otherwise disseminated the same biometric identifier or biometric information of the same person to the same recipient." *740 ILCS 14/20(c), added by P.A. 103-0769 (eff. Aug. 2, 2024).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K20.htm>

[^case-gregg-retroactive]: **Gregg v. Central Transport LLC (7th Cir. Apr. 1, 2026)** — "We hold that this amendment applies retroactively because it impacts only the statutory damages available to plaintiffs—it does not change BIPA’s substantive standards of liability." *Gregg v. Central Transport LLC, Nos. 25-2185, 25-2761, 25-2762 (7th Cir. Apr. 1, 2026).* <https://www.courtlistener.com/opinion/10831566/john-gregg-v-central-transport-llc/#:~:text=We%20hold%20that%20this%20amendment,BIPA%E2%80%99s%20substantive%20standards%20of%20liability.>

[^stat-gipa-25-employment]: **410 ILCS 513/25** — "An employer, employment agency, labor organization, and licensing agency shall not directly or indirectly do any of the following: (1) solicit, request, require or purchase genetic testing or genetic information of a person or a family member of the person, or administer a genetic test to a person or a family member of the person as a condition of employment, preemployment application, labor organization membership, or licensure; (2) affect the terms, conditions, or privileges of employment, preemployment application, labor organization membership, or licensure, or terminate the employment, labor organization membership, or licensure of any person because of genetic testing or genetic information with respect to the employee or family member, or information about a request for or the receipt of genetic testing by such employee or family member of such employee; (3) limit, segregate, or classify employees in any way that would deprive or tend to deprive any employee of employment opportunities or otherwise adversely affect the status of the employee as an employee because of genetic testing or genetic information with respect to the employee or a family member, or information about a request for or the receipt of genetic testing or genetic information by such employee or family member of such employee; and (4) retaliate through discharge or in any other manner against any person alleging a violation of this Act or participating in any manner in a proceeding under this Act." *410 ILCS 513/25(c).* <https://www.ilga.gov/documents/legislation/ilcs/documents/041005130K25.htm>

[^stat-gipa-40-damages]: **410 ILCS 513/40** — "Any person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in a federal district court against an offending party. A prevailing party may recover for each violation: (1) Against any party who negligently violates a provision of this Act, liquidated damages of $2,500 or actual damages, whichever is greater. (2) Against any party who intentionally or recklessly violates a provision of this Act, liquidated damages of $15,000 or actual damages, whichever is greater. (3) Reasonable attorney's fees and costs, including expert witness fees and other litigation expenses. (4) Such other relief, including an injunction, as the State or federal court may deem appropriate. (b) Article XL of the Illinois Insurance Code shall provide the exclusive remedy for violations of Section 30 by insurers." *410 ILCS 513/40(a)-(b).* <https://www.ilga.gov/documents/legislation/ilcs/documents/041005130K40.htm>

[^stat-gipa-10-definitions]: **410 ILCS 513/10** — "‘Genetic testing’ and ‘genetic test’ have the meaning ascribed to ‘genetic test’ under HIPAA, as specified in 45 CFR 160.103. ‘Genetic testing’ includes direct-to-consumer commercial genetic testing." *410 ILCS 513/10.* <https://www.ilga.gov/documents/legislation/ilcs/documents/041005130K10.htm>

[^stat-gipa-25-pay-benefit]: **410 ILCS 513/25(d)** — "An agreement between a person and an employer, prospective employer, employment agency, labor organization, or licensing agency, or its employees, agents, or members offering the person employment, labor organization membership, licensure, or any pay or benefit in return for taking a genetic test is prohibited." *410 ILCS 513/25(d).* <https://www.ilga.gov/documents/legislation/ilcs/documents/041005130K25.htm>

[^stat-gipa-25-wellness]: **410 ILCS 513/25(e)** — "An employer shall not use genetic information or genetic testing in furtherance of a workplace wellness program benefiting employees unless (1) health or genetic services are offered by the employer, (2) the employee provides written authorization in accordance with Section 30 of this Act, (3) only the employee or family member if the family member is receiving genetic services and the licensed health care professional or licensed genetic counselor involved in providing such services receive individually identifiable information concerning the results of such services, and (4) any individually identifiable information is only available for purposes of such services and shall not be disclosed to the employer except in aggregate terms that do not disclose the identity of specific employees. An employer shall not penalize an employee who does not disclose his or her genetic information or does not choose to participate in a program requiring disclosure of the employee's genetic information." *410 ILCS 513/25(e).* <https://www.ilga.gov/documents/legislation/ilcs/documents/041005130K25.htm>

[^stat-gipa-25-workers-comp]: **410 ILCS 513/25(f)** — "Nothing in this Act shall be construed to prohibit genetic testing of an employee who requests a genetic test and who provides written authorization, in accordance with Section 30 of this Act, from taking a genetic test for the purpose of initiating a workers' compensation claim under the Workers' Compensation Act." *410 ILCS 513/25(f).* <https://www.ilga.gov/documents/legislation/ilcs/documents/041005130K25.htm>

[^stat-gipa-25-toxic-monitoring]: **410 ILCS 513/25(i)** — "Nothing in this Act shall be construed to prohibit an employer from requesting or requiring genetic information to be used for genetic monitoring of the biological effects of toxic substances in the workplace, but only if (1) the employer provides written notice of the genetic monitoring to the employee; (2) the employee provides written authorization under Section 30 of this Act or the genetic monitoring is required by federal or State law; (3) the employee is informed of individual monitoring results; (4) the monitoring is in compliance with any federal genetic monitoring regulations or State genetic monitoring regulations under the authority of the federal Occupational Safety and Health Act of 1970; and (5) the employer, excluding any health care provider, health care professional, or health facility that is involved in the genetic monitoring program, receives the results of the monitoring only in aggregate terms that do not disclose the identity of specific employees." *410 ILCS 513/25(i).* <https://www.ilga.gov/documents/legislation/ilcs/documents/041005130K25.htm>

[^q7-stat-15b-consent]: **740 ILCS 14/15(b)** — "No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first: (1) informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored; (2) informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative." *740 ILCS 14/15(b).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K15.htm>

[^q7-stat-15a-destruction]: **740 ILCS 14/15(a)** — "establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first" *740 ILCS 14/15(a).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K15.htm>

[^q7-stat-gipa-30-disclosure]: **410 ILCS 513/30** — "No person may disclose or be compelled to disclose the identity of any person upon whom a genetic test is performed or the results of a genetic test in a manner that permits identification of the subject of the test, except to the following persons: (1) The subject of the test or the subject's legally authorized representative. This paragraph does not create a duty or obligation under which a health care provider must notify the subject's spouse or legal guardian of the test results, and no such duty or obligation shall be implied. No civil liability or criminal sanction under this Act shall be imposed for any disclosure or nondisclosure of a test result to a spouse by a physician acting in good faith under this paragraph. For the purpose of any proceedings, civil or criminal, the good faith of any physician acting under this paragraph shall be presumed. (2) Any person designated in a specific written legally effective authorization for release of the test results executed by the subject of the test or the subject's legally authorized representative." *410 ILCS 513/30(a)(1)-(2).* <https://www.ilga.gov/documents/legislation/ilcs/documents/041005130K30.htm>

[^stat-pipa-10-notice]: **815 ILCS 530/10** — "Any data collector that owns or licenses personal information concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system." *815 ILCS 530/10(a).* <https://www.ilga.gov/documents/legislation/ilcs/documents/081505300K10.htm>

[^stat-pipa-5-breach]: **815 ILCS 530/5** — "‘Breach of the security of the system data’ or ‘breach’ means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector." *815 ILCS 530/5.* <https://www.ilga.gov/documents/legislation/ilcs/documents/081505300K5.htm>

[^stat-pipa-10e-ag]: **815 ILCS 530/10(e)** — "Any data collector required to issue notice pursuant to this Section to more than 500 Illinois residents as a result of a single breach of the security system shall provide notice to the Attorney General of the breach, including: (A) A description of the nature of the breach of security or unauthorized acquisition or use. (B) The number of Illinois residents affected by such incident at the time of notification. (C) Any steps the data collector has taken or plans to take relating to the incident. Such notification must be made in the most expedient time possible and without unreasonable delay but in no event later than when the data collector provides notice to consumers pursuant to this Section. If the date of the breach is unknown at the time the notice is sent to the Attorney General, the data collector shall send the Attorney General the date of the breach as soon as possible. Upon receiving notification from a data collector of a breach of personal information, the Attorney General may publish the name of the data collector that suffered the breach, the types of personal information compromised in the breach, and the date range of the breach." *815 ILCS 530/10(e)(2).* <https://www.ilga.gov/documents/legislation/ilcs/documents/081505300K10.htm>

[^stat-pipa-20-icfa]: **815 ILCS 530/20** — "A violation of this Act constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act." *815 ILCS 530/20.* <https://www.ilga.gov/documents/legislation/ilcs/documents/081505300K20.htm>

[^stat-pipa-5-personal-info]: **815 ILCS 530/5** — "‘Personal information’ means either of the following: (1) An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired without authorization through the breach of security: (A) Social Security number. (B) Driver's license number or State identification card number. (C) Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account. (D) Medical information. (E) Health insurance information. (F) Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to authenticate an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data. (2) User name or email address, in combination with a password or security question and answer that would permit access to an online account, when either the user name or email address or password or security question and answer are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the data elements have been obtained through the breach of security. ‘Personal information’ does not include publicly available information that is lawfully made available to the general public from federal, State, or local government records." *815 ILCS 530/5.* <https://www.ilga.gov/documents/legislation/ilcs/documents/081505300K5.htm>

[^stat-pipa-10-credential-notice]: **815 ILCS 530/10(a)(2)** — "With respect to personal information defined in Section 5 in paragraph (2) of the definition of ‘personal information’, notice may be provided in electronic or other form directing the Illinois resident whose personal information has been breached to promptly change his or her user name or password and security question or answer, as applicable, or to take other steps appropriate to protect all online accounts for which the resident uses the same user name or email address and password or security question and answer." *815 ILCS 530/10(a)(2).* <https://www.ilga.gov/documents/legislation/ilcs/documents/081505300K10.htm>

[^stat-pipa-15-waiver]: **815 ILCS 530/15** — "Any waiver of the provisions of this Act is contrary to public policy and is void and unenforceable." *815 ILCS 530/15.* <https://www.ilga.gov/documents/legislation/ilcs/documents/081505300K15.htm>

[^stat-icfa-10a-actual]: **815 ILCS 505/10a** — "Any person who suffers actual damage as a result of a violation of this Act committed by any other person may bring an action against such person." *815 ILCS 505/10a(a).* <https://www.ilga.gov/documents/legislation/ilcs/documents/081505050K10a.htm>

[^q9-stat-15d-disclosure]: **740 ILCS 14/15(d)** — "No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless: (1) the subject of the biometric identifier or biometric information or the subject's legally authorized representative consents to the disclosure or redisclosure; (2) the disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information or the subject's legally authorized representative; (3) the disclosure or redisclosure is required by State or federal law or municipal ordinance; or (4) the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction." *740 ILCS 14/15(d).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K15.htm>

[^stat-pipa-10b-vendor]: **815 ILCS 530/10(b)** — "Any data collector that maintains or stores, but does not own or license, computerized data that includes personal information that the data collector does not own or license shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. In addition to providing such notification to the owner or licensee, the data collector shall cooperate with the owner or licensee in matters relating to the breach. That cooperation shall include, but need not be limited to, (i) informing the owner or licensee of the breach, including giving notice of the date or approximate date of the breach and the nature of the breach, and (ii) informing the owner or licensee of any steps the data collector has taken or plans to take relating to the breach. The data collector's cooperation shall not, however, be deemed to require either the disclosure of confidential business information or trade secrets or the notification of an Illinois resident who may have been affected by the breach." *815 ILCS 530/10(b).* <https://www.ilga.gov/documents/legislation/ilcs/documents/081505300K10.htm>

[^q9-stat-20c-single-disclosure]: **740 ILCS 14/20(c)** — "For purposes of subsection (d) of Section 15, a private entity that, in more than one instance, discloses, rediscloses, or otherwise disseminates the same biometric identifier or biometric information from the same person to the same recipient using the same method of collection in violation of subsection (d) of Section 15 has committed a single violation of subsection (d) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section regardless of the number of times the private entity disclosed, redisclosed, or otherwise disseminated the same biometric identifier or biometric information of the same person to the same recipient." *740 ILCS 14/20(c), added by P.A. 103-0769 (eff. Aug. 2, 2024).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K20.htm>

[^fed-glba-safeguards]: **GLBA Safeguards Rule** — "Requiring your service providers by contract to implement and maintain such safeguards" *16 C.F.R. § 314.4(f)(2).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Requiring%20your%20service%20providers%20by,implement%20and%20maintain%20such%20safeguards>

[^fed-hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract;" *45 C.F.R. § 164.504(e)(2).* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,provided%20for%20by%20its%20contract%3B>
