QUESTION

What are the Illinois specific data privacy laws?

SHORT ANSWER
Although not as broad or well-known as CCPA or GDPR, Illinois does have specific privacy laws of which businesses must be aware.

Although GDPR and the California Consumer Privacy Act (“CCPA”) garner the majority of attention with regard to data privacy laws, Illinois does have its own set of specific statutes of which businesses collecting personal information should be aware. The following laws may be of particular interest.

The Illinois Personal Information Protection Act (“PIPA”) requires businesses with personal information of Illinois residents to implement and maintain reasonable security measures to protect data, and to dispose of such information so as to render it unusable. It also mandates notice of a data breach to the individuals whose personal information is the subject of the breach, as well as notice to the Illinois Attorney General for breaches affecting more than 500 Illinois residents. Personal information includes a person’s name in combination with other information such as Social Security number, driver’s license number, credit card number, or medical information. Violations of PIPA constitute unlawful practices under the Illinois Consumer Fraud and Deceptive Business Practices Act.

The Biometric Information Privacy Act (“BIPA”) requires written consent before collecting any biometric information, which includes retina or iris scans, fingerprints, voiceprints, and scans of the hand or facial geometry. It covers such information regardless of how it is captured, converted, stored or shared. In addition to consent, BIPA requires a public written policy for the retention and destruction of biometric information. Further, no business may sell, lease, trade or otherwise profit from a person’s biometric information. An individual whose rights are violated under BIPA can recover actual damages or liquidated damages of $1,000 per violation, whichever is greater. Liquidated damages increase to $5,000 for intentional or reckless violations.

The Illinois Children’s Privacy Protection and Parental Empowerment Act (“CPPPEA”) prohibits the sale or purchase of personal information concerning children under the age of 16 without parental consent. The Illinois Student Online Personal Protection Act (“SOPPA”) governs businesses that operate websites, online services or apps, or mobile apps used by K through 12 schools. SOPPA prohibits such businesses from selling or renting information obtained from such services, or disclosing such information. SOPPA also prohibits targeted advertising or amassing a profile based on information obtained from the services provided to the schools. Educational companies that deal with schools must be cognizant of both CPPPEA and SOPPA.

Of course, Illinois businesses must also comply with the various federal privacy statutes.

Finally, Illinois does not have a broad data privacy law like CCPA; such legislation was passed by the Illinois House in 2019 but died in the Senate.