Illinois State Data Privacy Laws

In the United States, federal and state data privacy laws aim to protect consumers’ personal information from data breaches, which can lead to identity theft, fraud, extortion, and other crimes. State laws, like Illinois’ data privacy laws, carry much of this burden, as there is no comprehensive federal data breach response law. At Class Action U, our mission is to simplify the process of taking legal action after a data breach, connecting victims with our legal partners to join ongoing class actions or file individual lawsuits for the damages they’ve suffered after a breach.

Last Modified date: June 17, 2025

Overview of Illinois’ Data Privacy Laws

In Illinois, three key laws protect residents’ personal information from unauthorized access and give consumers the right to take legal action if their information is not properly protected. State law protects several types of personal data, including traditional identifiers like Social Security numbers and driver’s license information, as well as other personal information like financial data, biometric data, and health information. Illinois’ three main data privacy laws include:

  • The Illinois Personal Information Protection Act (PIPA)
  • The Illinois Biometric Information Privacy Act (BIPA)
  • The Illinois Insurance Data Security Law

Illinois Personal Information Protection Act (PIPA)

Illinois’ Personal Information Protection Act (PIPA), which took effect in 2006, protects numerous types of personal information from unauthorized access. Legally, personal information can mean either the combination of a username and email address with a password or answer to a security question, or a combination of the user’s first and last name with one or more of the following identifiers:

  • Social Security number
  • Driver’s license number
  • State ID number
  • Bank account number
  • Credit or debit card number and security code
  • Medical information
  • Health insurance information
  • Biometric data like fingerprints, retina or iris images, and more

PIPA requires private businesses to notify consumers, and sometimes the Illinois Attorney General, in the event of a data breach. Any data collector that owns or licenses the personal information of Illinois residents must notify them, at no charge, that there has been a security breach. Notice must follow discovery of the breach “in the most expedient time possible and without unreasonable delay,” unless law enforcement determines that notice would interfere with an investigation or efforts are underway to assess the breach and restore system integrity.

If a data breach in Illinois affects more than 500 people, the data collector must notify the state Attorney General with a description of the nature of the breach, the number of residents affected, and steps taken to rectify the situation. If a state agency experiences a breach affecting more than 250 people, it must notify the Attorney General within 45 days of discovering the breach.

Illinois Insurance Data Security Law

The Illinois Insurance Data Security Law, established in 2024, regulates the data security practices of insurance companies and their affiliates operating in Illinois. Under the data security law, licensees must develop, implement, and maintain comprehensive written information security programs based on their risk assessment. These programs must contain administrative, technical, and physical safeguards for the protection of nonpublic information and the licensees’ information systems.

Insurance companies’ information systems must be designed to protect the security and confidentiality of nonpublic information, prevent unauthorized access, and minimize the likelihood of harm to consumers. If a data breach affects more than 250 people, licensees must notify the Director of the Illinois Department of Insurance no later than three business days after discovering the breach.

Illinois Biometric Information Privacy Act (BIPA)

The Illinois Biometric Information Privacy Act of 2008 regulates the collection, use, and storage of biometric information, such as fingerprints and facial recognition data. It requires informed consent and allows private lawsuits against companies, people, or organizations that violate the act.

Under BIPA, private entities possessing biometric identifiers or information like fingerprint data must develop a written policy establishing a retention schedule and guidelines for permanently destroying the information. Biometric data must be destroyed when its initial purpose has been satisfied or within three years of the individual’s last interaction with the entity. BIPA also prevents private entities from collecting a person’s biometric information without informing them that it is being collected, informing them how long it will be stored, and receiving written consent.

Your Privacy Rights as an Illinois Resident

Illinois consumers have various privacy rights under state law, including:

  • Right to timely breach notification
  • Right to opt out of certain data uses
  • Right to bring private lawsuits under BIPA
  • Right to access and correct personal information

What To Do If Your Data Is Compromised in Illinois

If your data is breached in Illinois, the first thing you should do is learn as much as possible about the incident. Then, change your passwords, and consider using tools like password managers and two-factor authentication for extra security, especially for bank accounts. Monitor your financial accounts for unusual activity and check your credit reports regularly to spot unauthorized actions. You can also place a fraud alert or freeze your credit to prevent new accounts from being opened in your name. After the breach, stay alert for signs of fraud, such as unexpected bills or account activity, and explore your legal options, including joining a class-action lawsuit if your data was part of a large breach.

How To File a Complaint or Take Legal Action in Illinois

In the event of a data breach, victims may be able to take legal action or file a complaint with the Illinois Attorney General. To report a data breach to the Attorney General’s Office, email databreach@ilag.gov or call 1-800-243-0618. The Attorney General’s Office can also provide information about data security breaches, credit monitoring, and fraud detection services.

If your information was stolen in a data breach, you may be entitled to file legal action for your financial damages, emotional distress, and risk of imminent harm. If the data breach was large, you may have the option to join a class action lawsuit. The advantage of a class action lawsuit is that you can receive compensation with minimal effort, time, and legal fees.

Recent Data Breaches Affecting Illinois Residents

Advocate Aurora Health Breach – May 2024

Advocate Aurora Health, a 26-hospital health care system in Illinois and Wisconsin, suffered a data breach that exposed the data of three million patients.

Illinois Department of Human Services Breach – April 2024

The Illinois Department of Human Services experienced a privacy breach involving unauthorized access to employee accounts and files, including the Social Security numbers of nearly 5,000 customers. More than one million others’ public assistance account information was also accessed.

Illinois Secretary of State Breach – April 2024

After an unknown person obtained access to a county government’s computer system in Illinois, 50,000 Illinois residents received notice that their information, including names, driver’s license numbers, and Social Security numbers, may have been accessed.

Global Data Security Attack – May 2023

International hackers launched a coordinated attack on large multinational businesses and governments, taking Illinois files from a third-party company. Nearly 400,000 Illinois residents were affected.

Illinois Data Privacy Laws FAQs

Who Does Illinois BIPA Apply To?

Illinois’ Biometric Information Privacy Act applies to any individual or business entity that possesses biometric identifiers or biometric information under state law. BIPA does not apply to state or local government agencies.

Who Enforces Data Privacy Laws in Illinois?

Primarily, the Illinois Attorney General enforces data privacy and breach notification laws.

Do Illinois Data Privacy Laws Apply To Companies Outside the State?

Yes, businesses that collect or process personal data of Illinois residents must comply with Illinois laws.

Can I Sue a Company Under Illinois Data Privacy Laws?

Yes, Illinois residents have the right to bring private lawsuits for data breaches, especially under BIPA. Other data privacy violations may also be actionable.

Stay Informed and Protect Your Data in Illinois

Illinois offers robust data privacy laws to protect consumers from having their personal information stolen. However, it’s still crucial to remain vigilant in monitoring notices of data breaches, exercising your privacy rights, and consulting experts for legal support if you have been affected by a breach.

If you’ve been affected by a data breach in Illinois and are interested in pursuing legal action, we encourage you to share your information with Class Action U. Our site offers a straightforward way to sign up for those eligible to participate in a class action with no cost and no obligations. Reach out to Class Action U today to learn more about protecting your rights after a breach.
