open-agreements 0.7.7 → 0.8.0

package/skills/legal-explainers/data-privacy-law-explainer/content/idaho.md

@@ -0,0 +1,149 @@
+---
+jurisdiction: "Idaho"
+slug: idaho
+countryCode: US
+snapshotAsOf: "2026-06-19"
+lastReviewed: "2026-06-11"
+canonicalUrl: https://openagreements.org/practice-guides/privacy/us/idaho
+license: CC BY 4.0
+stale: false
+---
+
+> [!IMPORTANT]
+> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
+> provided for general information. It is not legal advice, does not create an attorney-client
+> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
+> Laws change; verify against the canonical version before relying on it.
+>
+> **Canonical:** https://openagreements.org/practice-guides/privacy/us/idaho · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
+
+# Idaho Consumer Privacy Law[^about]
+
+Idaho has no comprehensive consumer-privacy statute. The operative state framework is the data-breach notification provisions of Idaho Code §§ 28-51-104 to 28-51-107 plus the Idaho Consumer Protection Act as the deception hook, layered under the federal overlay (FTC Act § 5, GLBA, HIPAA, COPPA) — with two narrow new laws (social-media minors, conversational AI) arriving July 2026 and July 2027.
+
+
+## At a glance
+
+| Question | Idaho |
+| --- | --- |
+| **Law coverage** | No comprehensive law |
+| **Summary** | Idaho has not enacted a comprehensive consumer-privacy law, so there are no general data-rights, notice-at-collection, consent, or processor-contract duties under state law. The operative state statutes are the breach-notification provisions in the identity-theft chapter — a misuse-triggered notice duty with no day-count deadline and no regulator notice for private businesses — and the Idaho Consumer Protection Act, which makes a privacy policy you publish but do not follow a deceptive practice. Build to the federal overlay (FTC Act § 5, GLBA, HIPAA, COPPA) and the breach statute, and watch two narrow 2026 enactments, one on social-media minors and one on conversational AI. |
+| **Main law** | Idaho Code §§ 28-51-104 to 28-51-107 (data-breach notification) plus the Idaho Consumer Protection Act, Idaho Code § 48-601 et seq. — Idaho has no comprehensive consumer-privacy statute |
+| **Privacy policy required?** | No Idaho statute requires a consumer privacy policy or fixes its contents; the binding constraints are FTC Act § 5 and the Idaho Consumer Protection Act's ban on misleading or deceptive practices, plus GLBA, HIPAA, and COPPA where the business is in scope |
+| **Who does it cover?** | Any agency, individual, or commercial entity (for profit or not) that conducts business in Idaho and owns or licenses computerized personal information about Idaho residents; no revenue or consumer-volume threshold |
+| **Can consumers sue?** | Limited path |
+| **Privacy policy rule** | No state policy checklist |
+| **Consent for sensitive data?** | No special rule |
+| **Browser opt-out signals?** | Not required |
+| **Lawsuit detail** | Not under the breach statute — enforcement runs through each entity's primary regulator; the Idaho Consumer Protection Act gives purchasers a private action for actual damages or $1,000 (Idaho Code § 48-608), with narrow 2026 sectoral enactments to track separately |
+| **Who enforces it?** | Idaho Attorney General (the primary regulator for most businesses; the Department of Finance and Department of Insurance for their licensees) |
+
+## Which privacy laws apply to your business in Idaho? {#which-privacy-laws-apply}
+
+**Short answer.** There is no comprehensive Idaho consumer-privacy law. The operative state framework has two pieces. First, the breach-notification provisions of the identity-theft chapter apply to any city, county, or state agency, individual, or commercial entity that conducts business in Idaho and owns or licenses computerized data that includes personal information about an Idaho resident [^breach-duty-scope] — *commercial entity* sweeps in essentially every legal entity, for profit or not [^commercial-entity-def], and there is no revenue or volume threshold. Second, the Idaho Consumer Protection Act (ICPA) bans, among other listed practices, engaging in any act or practice that is otherwise misleading, false, or deceptive to the consumer — the hook that reaches privacy misrepresentations [^icpa-catchall].
+
+Idaho has not enacted an omnibus privacy statute of the kind now common in other states, so Idaho residents have no general state-law rights to access, delete, or correct their personal data or to opt out of its sale, and businesses face no state notice-at-collection, consent, data-protection-assessment, or processor-contract duties. The breach statute governs incident response; the ICPA governs what you tell consumers. The rest of an Idaho-facing privacy program rides the federal overlay: Section 5 of the FTC Act reaches deceptive or unfair privacy practices nationwide, the Gramm-Leach-Bliley Act governs financial institutions, HIPAA governs covered health entities and their business associates, and the Children's Online Privacy Protection Act governs services directed to children under 13.
+
+Around that spine, Idaho legislates by sector and by harm rather than by data inventory. Recent examples include payment-card receipt truncation, an age-verification law for adult sites with a ban on retaining identifying information, genetic-testing restrictions on employers, license-plate-reader limits for government agencies, and mortgage trigger-lead disclosure rules — none of which imposes general data-handling duties on a typical business.
+
+Two 2026 enactments deserve a calendar entry: the Stop Harms from Addictive Social Media Act (House Bill 542, 2026 Session Laws chapter 268) and the Conversational AI Safety Act (Senate Bill 1297, 2026 Session Laws chapter 249). Treat both as narrow sectoral watchlist items, not as an omnibus privacy regime. *Open codification question:* both acts were designated as a new chapter 21 of title 48, Idaho Code, with overlapping section numbers, so until the code commission resolves the collision in the July 2026 compilation, cite these laws by session-law chapter rather than by a section number in chapter 21.
+
+## What must your Idaho privacy policy contain? {#privacy-policy-contents}
+
+**Short answer.** No Idaho statute requires a general consumer privacy policy or fixes what it must say. The binding rule is that whatever you publish has to be true. Under Section 5 of the FTC Act, unfair or deceptive acts or practices in or affecting commerce are unlawful [^ftc5-deceptive], and the Idaho Consumer Protection Act separately declares unlawful any act or practice that is otherwise misleading, false, or deceptive to the consumer [^icpa-deception-policy] — so a privacy policy that misstates how you actually collect, use, share, retain, or secure data is actionable under both. Where a sectoral regime applies, that regime supplies the contents: a HIPAA covered entity, for example, must give individuals adequate notice of the uses and disclosures of their protected health information and of their rights and the entity's duties [^hipaa-notice], and a GLBA financial institution must deliver a privacy notice before sharing nonpublic personal information with nonaffiliated third parties [^glba-notice].
+
+In practice the Idaho drafting question is less what must be included and more does the policy match actual practice. The ICPA's list of unlawful practices carries a knowledge element — it reaches a person who knows, or in the exercise of due care should know, that a practice is deceptive [^icpa-deception-policy] — which arguably extends to negligently inaccurate policy statements, not just deliberate ones. And unlike the ICPA's private remedy, the Attorney General's enforcement powers carry no purchase-or-lease or ascertainable-loss limit, so public enforcement does not depend on showing that any consumer paid for anything.
+
+Build the policy from the overlay that actually binds you: the GLBA privacy-notice rules if you are a financial institution, the HIPAA Notice of Privacy Practices if you are a covered entity, HIPAA business-associate and security obligations if you are a business associate, a COPPA notice if COPPA applies, and the comprehensive laws of other states whose residents you reach — many of which mandate a posted policy regardless of where your business sits. For everyone else, follow best practice — describe the categories of data collected, the purposes, the third parties you share with, and how users exercise any choices you offer — and then honor it, because in Idaho the enforceable obligation is consistency between the statement and the conduct.
+
+## What must your contracts with vendors say? {#vendor-contracts}
+
+**Short answer.** Idaho has no data-processing-agreement requirement — no state statute prescribes controller-to-processor terms, audit rights, deletion clauses, or subprocessor flow-downs. The one vendor-facing duty in Idaho law is a breach-response rule: an entity that maintains computerized personal information it does not own or license must notify and cooperate with the data's owner or licensee immediately following discovery of a breach if misuse of an Idaho resident's information occurred or is reasonably likely to occur [^breach-maintainer-notice].
+
+Where a federal or sectoral regime is in scope, it supplies the contracting obligations: the GLBA Safeguards Rule requires financial institutions to oversee service providers, including by requiring them by contract to implement and maintain appropriate safeguards [^glba-safeguards], and HIPAA business-associate rules require a compliant agreement establishing the permitted uses and disclosures of protected health information [^hipaa-baa]. Outside those verticals, the prudent move is to carry the same protections forward as a matter of best practice — processing limited to documented instructions, confidentiality, reasonable security, breach notification back to your business, and return or deletion of data at the end of the engagement — even though no Idaho statute compels them.
+
+The maintainer-notice rule is worth writing into vendor contracts anyway. The statute requires the vendor to notify the owner immediately and to share information relevant to the breach, but it sets no contractual specifics — so a well-drafted agreement should fix the notice channel, the timeline, and the cooperation duties the statute leaves general, and should allocate who pays for resident notification, since under Idaho law the notice duty to residents stays with the entity that owns or licenses the data.
+
+## Do Idaho residents have rights to access, delete, or opt out? {#consumer-rights}
+
+**Short answer.** No. Idaho law gives consumers no general rights to access, correct, delete, or port their personal data, no right to opt out of its sale or of targeted advertising, and no duty on businesses to honor universal opt-out signals such as Global Privacy Control. The generally applicable Idaho resident-facing disclosure duty is breach notice when the breach statute's trigger is met: if a covered entity's investigation determines that misuse of a resident's personal information has occurred or is reasonably likely, the entity must give that resident notice as soon as possible [^rights-breach-notice].
+
+The rights an Idaho resident does hold come from federal sectoral law, where applicable. A GLBA financial institution must give consumers the opportunity to opt out before their nonpublic personal information is disclosed to nonaffiliated third parties [^glba-optout]. Under COPPA, a parent can refuse to permit an operator's further use, maintenance, or future collection of the child's personal information [^coppa-parental]. HIPAA adds access, amendment, and accounting rights for protected health information, and the FCRA adds access and dispute rights in consumer reports. Residents of other states may also carry their home-state rights into dealings with an Idaho business that meets those statutes' thresholds — the absence of an Idaho law does not insulate an Idaho company from California, Colorado, or Washington requests.
+
+One narrow set of state-law rights is scheduled to arrive under the Stop Harms from Addictive Social Media Act (2026 Session Laws chapter 268), but it is a sectoral social-media minors law, not a general access, deletion, or opt-out regime. Track that act separately before treating it as an operational consumer-rights workflow.
+
+## When must you notify people of a data breach in Idaho? {#breach-notification}
+
+**Short answer.** When your investigation shows misuse — not merely access. An entity that becomes aware of a breach must conduct a good-faith, reasonable, and prompt investigation into the likelihood of misuse; if the investigation determines that misuse of an Idaho resident's information has occurred or is reasonably likely to occur, notice must go to the affected resident in the most expedient time possible and without unreasonable delay [^breach-trigger-timing]. A reportable breach is the illegal acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information [^breach-def] — so encryption is a built-in safe harbor. There is no day-count deadline and no statutory notice-content checklist.
+
+Be precise about who owes notice to whom, because Idaho splits the regulator-notice duty by entity type. A government *agency* that becomes aware of a breach must notify the office of the Idaho Attorney General within twenty-four hours of discovery [^breach-agency-ag-notice]. A private business owes no notice to the Attorney General or any other state regulator at any threshold — Idaho is one of the few states where a commercial breach never has to be reported to a state agency; the only mandatory recipients are the affected residents themselves (and the data's owner, if you are a vendor holding someone else's data). Notice may be written, telephonic, or electronic, with substitute notice (email plus website posting plus statewide media) available when costs would exceed $25,000, more than 50,000 residents are affected, or contact information is insufficient [^breach-notice-methods], and notice may be delayed at law enforcement's request [^breach-law-enforcement-delay].
+
+*Personal information* is also narrower than in modern statutes: a resident's name combined with an unencrypted Social Security number, driver's license or Idaho ID number, or a financial-account or card number with its access code [^breach-personal-info] — no medical, biometric, health-insurance, or online-credential elements. Two compliance off-ramps round out the scheme: an entity that follows its own information-security-policy notice procedures consistent with the statute's timing is deemed compliant, and an entity regulated by state or federal law that follows its primary or functional regulator's breach procedures is likewise deemed compliant [^breach-safe-harbor] — which effectively lets GLBA- and HIPAA-regulated businesses run their federal playbooks. The cost of getting it wrong is concentrated on concealment: an entity that intentionally fails to give notice faces a fine of up to $25,000 per breach, enforceable by its primary regulator — the Attorney General for most businesses [^breach-fine].
+
+## Can a consumer sue your business in Idaho over privacy? {#consumer-lawsuit}
+
+**Short answer.** Not under the breach statute — that chapter creates no private right of action. Enforcement belongs to each entity's primary regulator, which may bring a civil action to enforce compliance and enjoin further violations when it believes an entity failed to give required notice [^breach-enforcement]; for businesses not overseen by the Department of Finance, the Department of Insurance, or a federal regulator, that primary regulator is the Attorney General [^primary-regulator-def]. The consumer's route is the Idaho Consumer Protection Act: a person who purchases or leases goods or services and suffers an ascertainable loss from a deceptive practice — which can include a privacy promise the business did not keep — may sue for actual damages or $1,000, whichever is greater [^icpa-pra].
+
+The ICPA action comes with real teeth and real limits. A prevailing plaintiff recovers mandatory attorney's fees [^icpa-fees], courts may award punitive damages for repeated or flagrant violations, and an elderly (62 or older) or disabled plaintiff who proves an enumerated severe loss adds an enhanced penalty of $15,000 or treble actual damages [^icpa-elderly]. But standing requires a purchase or lease plus ascertainable loss — whether a user of a free, ad-supported service can satisfy that is untested in Idaho appellate case law — and class actions are largely defanged: the statute caps a class's statutory recovery at $1,000 total for the class [^icpa-pra], leaving only actual damages (hard to prove in privacy cases) uncapped.
+
+Public enforcement faces none of those limits. The Attorney General may sue for injunctions, consumer restitution, and civil penalties of up to $5,000 per violation plus expenses, investigative costs, and attorney's fees [^icpa-ag-penalties] — and must ordinarily first give the target written notice and an opportunity to execute an assurance of voluntary compliance or consent judgment [^icpa-avc], Idaho's nearest analog to a cure period. Two narrower sectoral remedies round out the picture. A merchant that prints more than the last five digits of a payment-card number or prints the expiration date on a receipt faces civil penalties; the cardholder's personal action is expressly keyed to a receipt that printed the payment-card number and the prosecuting attorney's failure to act within sixty days [^card-receipt-action]. And the 2026 social-media minors and conversational-AI enactments should be tracked as narrow sectoral remedy changes, not as general consumer-privacy causes of action.
+
+[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-11. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Idaho. This article synthesizes Idaho primary law and is not legal advice from a Idaho-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
+
+[^breach-duty-scope]: **Idaho Code § 28-51-105** — "A city, county or state agency, individual or a commercial entity that conducts business in Idaho and that owns or licenses computerized data that includes personal information about a resident of Idaho shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be misused." *Idaho Code § 28-51-105(1).* <https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-105/>
+
+[^commercial-entity-def]: **Idaho Code § 28-51-104** — "‘Commercial entity’ includes corporation, business trust, estate, trust, partnership, limited partnership, limited liability partnership, limited liability company, association, organization, joint venture and any other legal entity, whether for profit or not-for-profit." *Idaho Code § 28-51-104(3).* <https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-104/>
+
+[^icpa-catchall]: **Idaho Code § 48-603** — "Engaging in any act or practice that is otherwise misleading, false, or deceptive to the consumer" *Idaho Code § 48-603(17).* <https://legislature.idaho.gov/statutesrules/idstat/Title48/T48CH6/SECT48-603/>
+
+[^ftc5-deceptive]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>
+
+[^icpa-deception-policy]: **Idaho Code § 48-603** — "The following unfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce are hereby declared to be unlawful, where a person knows, or in the exercise of due care should know, that he has in the past, or is: (1) Passing off goods or services as those of another; (2) Causing likelihood of confusion or of misunderstanding as to the source, sponsorship, approval, or certification of goods or services; (3) Causing likelihood of confusion or of misunderstanding as to affiliation, connection, or association with, or certification by, another; (4) Using deceptive representations or designations of geographic origin in connection with goods or services; (5) Representing that goods or services have sponsorship, approval, characteristics, ingredients, uses, benefits, or quantities that they do not have or that a person has a sponsorship, approval, status, affiliation, connection, qualifications or license that he does not have; (6) Representing that goods are original or new if they are deteriorated, altered, reconditioned, reclaimed, used, or secondhand; (7) Representing that goods or services are of a particular standard, quality, or grade, or that goods are of a particular style or model, if they are of another; (8) Disparaging the goods, services, or business of another by false or misleading representation of fact; (9) Advertising goods or services with intent not to sell them as advertised; (10) Advertising goods or services with intent not to supply reasonably expectable public demand, unless the advertisement discloses a limitation of quantity; (11) Making false or misleading statements of fact concerning the reasons for, existence of, or amounts of price reductions; (12) Obtaining the signature of the buyer to a contract when it contains blank spaces to be filled in after it has been signed; (13) Failing to deliver to the consumer at the time of the consumer’s signature a legible copy of the contract or of any other document that the seller or lender has required or requested the buyer to sign, and that he has signed, during or after the contract negotiation; (14) Making false or misleading statements of fact concerning the age, extent of use, or mileage of any goods; (15) Promising or offering to pay, credit or allow to any buyer or lessee any compensation or reward in consideration of his giving to the seller or lessor the names of prospective purchasers or lessees, or otherwise aiding the seller or lessor in making a sale or lease to another person, if the earning of the rebate, discount or other value is contingent upon the occurrence of an event subsequent to the time the buyer or lessee agrees to buy or lease; (16) Representing that services, replacements or repairs are needed if they are not needed, or providing services, replacements or repairs that are not needed; (17) Engaging in any act or practice that is otherwise misleading, false, or deceptive to the consumer" *Idaho Code § 48-603.* <https://legislature.idaho.gov/statutesrules/idstat/Title48/T48CH6/SECT48-603/>
+
+[^hipaa-notice]: **HIPAA Notice of Privacy Practices** — "an individual has a right to adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information" *45 C.F.R. § 164.520(a)(1).* <https://www.law.cornell.edu/cfr/text/45/164.520#:~:text=an%20individual%20has%20a%20right,respect%20to%20protected%20health%20information>
+
+[^glba-notice]: **GLBA privacy notice** — "a financial institution may not, directly or through any affiliate, disclose to a nonaffiliated third party any nonpublic personal information, unless such financial institution provides or has provided to the consumer a notice that complies with section 6803 of this title." *15 U.S.C. § 6802(a).* <https://www.law.cornell.edu/uscode/text/15/6802#:~:text=a%20financial%20institution%20may%20not%2C,section%206803%20of%20this%20title.>
+
+[^breach-maintainer-notice]: **Idaho Code § 28-51-105** — "An agency, individual or a commercial entity that maintains computerized data that includes personal information that the agency, individual or the commercial entity does not own or license shall give notice to and cooperate with the owner or licensee of the information of any breach of the security of the system immediately following discovery of a breach if misuse of personal information about an Idaho resident occurred or is reasonably likely to occur." *Idaho Code § 28-51-105(2).* <https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-105/>
+
+[^glba-safeguards]: **GLBA Safeguards Rule** — "Requiring your service providers by contract to implement and maintain such safeguards" *16 C.F.R. § 314.4(f)(2).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Requiring%20your%20service%20providers%20by,implement%20and%20maintain%20such%20safeguards>
+
+[^hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate." *45 C.F.R. § 164.504(e)(2).* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,information%20by%20the%20business%20associate.>
+
+[^rights-breach-notice]: **Idaho Code § 28-51-105** — "If the investigation determines that the misuse of information about an Idaho resident has occurred or is reasonably likely to occur, the agency, individual or the commercial entity shall give notice as soon as possible to the affected Idaho resident." *Idaho Code § 28-51-105(1).* <https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-105/>
+
+[^glba-optout]: **GLBA opt-out** — "A financial institution may not disclose nonpublic personal information to a nonaffiliated third party unless— (A) such financial institution clearly and conspicuously discloses to the consumer, in writing or in electronic form or other form permitted by the regulations prescribed under section 6804 of this title, that such information may be disclosed to such third party; (B) the consumer is given the opportunity, before the time that such information is initially disclosed, to direct that such information not be disclosed to such third party; and (C) the consumer is given an explanation of how the consumer can exercise that nondisclosure option." *15 U.S.C. § 6802(b)(1).* <https://www.law.cornell.edu/uscode/text/15/6802#:~:text=A%20financial%20institution%20may%20not%20disclose,can%20exercise%20that%20nondisclosure%20option.>
+
+[^coppa-parental]: **COPPA parental rights** — "the opportunity at any time to refuse to permit the operator’s further use or maintenance in retrievable form, or future online collection, of personal information from that child" *15 U.S.C. § 6502(b)(1)(B)(ii).* <https://www.law.cornell.edu/uscode/text/15/6502#:~:text=the%20opportunity%20at%20any%20time,personal%20information%20from%20that%20child>
+
+[^breach-trigger-timing]: **Idaho Code § 28-51-105** — "If the investigation determines that the misuse of information about an Idaho resident has occurred or is reasonably likely to occur, the agency, individual or the commercial entity shall give notice as soon as possible to the affected Idaho resident. Notice must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach, to identify the individuals affected, and to restore the reasonable integrity of the computerized data system." *Idaho Code § 28-51-105(1).* <https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-105/>
+
+[^breach-def]: **Idaho Code § 28-51-104** — "‘Breach of the security of the system’ means the illegal acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information for one (1) or more persons maintained by an agency, individual or a commercial entity." *Idaho Code § 28-51-104(2).* <https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-104/>
+
+[^breach-agency-ag-notice]: **Idaho Code § 28-51-105** — "When an agency becomes aware of a breach of the security of the system, it shall, within twenty-four (24) hours of such discovery, notify the office of the Idaho attorney general." *Idaho Code § 28-51-105(1).* <https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-105/>
+
+[^breach-notice-methods]: **Idaho Code § 28-51-104** — "‘Notice’ means: (a) Written notice to the most recent address the agency, individual or commercial entity has in its records; (b) Telephonic notice; (c) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. section 7001; or (d) Substitute notice, if the agency, individual or the commercial entity required to provide notice demonstrates that the cost of providing notice will exceed twenty-five thousand dollars ($25,000), or that the number of Idaho residents to be notified exceeds fifty thousand (50,000), or that the agency, individual or the commercial entity does not have sufficient contact information to provide notice. Substitute notice consists of all of the following: (i) E-mail notice if the agency, individual or the commercial entity has e-mail addresses for the affected Idaho residents; and (ii) Conspicuous posting of the notice on the website page of the agency, individual or the commercial entity if the agency, individual or the commercial entity maintains one; and (iii) Notice to major statewide media." *Idaho Code § 28-51-104(4).* <https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-104/>
+
+[^breach-law-enforcement-delay]: **Idaho Code § 28-51-105** — "Notice required by this section may be delayed if a law enforcement agency advises the agency, individual or commercial entity that the notice will impede a criminal investigation. Notice required by this section must be made in good faith, without unreasonable delay and as soon as possible after the law enforcement agency advises the agency, individual or commercial entity that notification will no longer impede the investigation." *Idaho Code § 28-51-105(3).* <https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-105/>
+
+[^breach-personal-info]: **Idaho Code § 28-51-104** — "‘Personal information’ means an Idaho resident’s first name or first initial and last name in combination with any one (1) or more of the following data elements that relate to the resident, when either the name or the data elements are not encrypted: (a) Social security number; (b) Driver’s license number or Idaho identification card number; or (c) Account number, or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account." *Idaho Code § 28-51-104(5).* <https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-104/>
+
+[^breach-safe-harbor]: **Idaho Code § 28-51-106** — "An agency, individual or a commercial entity that maintains its own notice procedures as part of an information security policy for the treatment of personal information, and whose procedures are otherwise consistent with the timing requirements of section 28-51-105, Idaho Code, is deemed to be in compliance with the notice requirements of section 28-51-105, Idaho Code, if the agency, individual or the commercial entity notifies affected Idaho residents in accordance with its policies in the event of a breach of security of the system. (2) An individual or a commercial entity that is regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidances, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with section 28-51-105, Idaho Code, if the individual or the commercial entity complies with the maintained procedures when a breach of the security of the system occurs." *Idaho Code § 28-51-106(1)-(2).* <https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-106/>
+
+[^breach-fine]: **Idaho Code § 28-51-107** — "Any agency, individual or commercial entity that intentionally fails to give notice in accordance with section 28-51-105, Idaho Code, shall be subject to a fine of not more than twenty-five thousand dollars ($25,000) per breach of the security of the system." *Idaho Code § 28-51-107.* <https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-107/>
+
+[^breach-enforcement]: **Idaho Code § 28-51-107** — "In any case in which an agency’s, commercial entity’s or individual’s primary regulator has reason to believe that an agency, individual or commercial entity subject to that primary regulator’s jurisdiction under section 28-51-104(6), Idaho Code, has violated section 28-51-105, Idaho Code, by failing to give notice in accordance with that section, the primary regulator may bring a civil action to enforce compliance with that section and enjoin that agency, individual or commercial entity from further violations." *Idaho Code § 28-51-107.* <https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-107/>
+
+[^primary-regulator-def]: **Idaho Code § 28-51-104** — "the primary regulator of a commercial entity or individual licensed by the department of finance is the department of finance, the primary regulator of a commercial entity or individual licensed by the department of insurance is the department of insurance and, for all agencies and all other commercial entities or individuals, the primary regulator is the attorney general." *Idaho Code § 28-51-104(6).* <https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-104/>
+
+[^icpa-pra]: **Idaho Code § 48-608** — "Any person who purchases or leases goods or services and thereby suffers any ascertainable loss of money or property, real or personal, as a result of the use or employment by another person of a method, act or practice declared unlawful by this chapter, may treat any agreement incident thereto as voidable or, in the alternative, may bring an action to recover actual damages or one thousand dollars ($1,000), whichever is the greater; provided, however, that in the case of a class action, the class may bring an action for actual damages or a total for the class that may not exceed one thousand dollars ($1,000), whichever is the greater." *Idaho Code § 48-608(1).* <https://legislature.idaho.gov/statutesrules/idstat/Title48/T48CH6/SECT48-608/>
+
+[^icpa-fees]: **Idaho Code § 48-608** — "In any action brought by a person under this section, the court shall award, in addition to the relief provided in this section, reasonable attorney’s fees to the plaintiff if he prevails." *Idaho Code § 48-608(5).* <https://legislature.idaho.gov/statutesrules/idstat/Title48/T48CH6/SECT48-608/>
+
+[^icpa-elderly]: **Idaho Code § 48-608** — "An elderly person or a disabled person who brings an action under subsection (1) of this section shall, in addition to the remedies available under subsection (1) of this section, recover from the offending party an enhanced penalty of fifteen thousand dollars ($15,000) or treble the actual damages, whichever is greater. (a) In order to recover the enhanced penalty, the court must find that the offending party knew or should have known that his conduct was perpetrated against an elderly or disabled person and that his conduct caused one (1) of the following: (i) Loss or encumbrance of the elderly or disabled person’s primary residence; (ii) Loss of more than twenty-five percent (25%) of the elderly or disabled person’s principal monthly income; (iii) Loss of more than twenty-five percent (25%) of the funds belonging to the elderly or disabled person set aside by the elderly or disabled person for retirement or for personal or family care or maintenance; (iv) Loss of more than twenty-five percent (25%) of the monthly payments that the elderly or disabled person receives under a pension or retirement plan; or (v) Loss of assets essential to the health or welfare of the elderly or disabled person. (b) If the court orders restitution under subsection (1) of this section for a pecuniary or monetary loss suffered by an elderly or disabled person, the court shall require that the restitution be paid by the offending party before he pays the enhanced penalty imposed by this subsection. (c) In this subsection: (i) ‘Disabled person’ means a person who has an impairment of a physical, mental or emotional nature that substantially limits at least one (1) major life activity. (ii) ‘Elderly person’ means a person who is at least sixty-two (62) years of age." *Idaho Code § 48-608(2).* <https://legislature.idaho.gov/statutesrules/idstat/Title48/T48CH6/SECT48-608/>
+
+[^icpa-ag-penalties]: **Idaho Code § 48-606** — "Whenever the attorney general has reason to believe that any person is using, has used, or is about to use any method, act or practice declared by this chapter to be unlawful, and that proceedings would be in the public interest, he may bring an action in the name of the state against such person: (a) To obtain a declaratory judgment that a method, act or practice violates the provisions of this chapter; (b) To enjoin any method, act or practice that violates the provisions of this chapter by issuance of a temporary restraining order or preliminary or permanent injunction, upon the giving of appropriate notice to that person as provided by the Idaho rules of civil procedure; (c) To recover on behalf of consumers actual damages or restitution of money, property or other things received from such consumers in connection with a violation of the provisions of this chapter; (d) To order specific performance by the violator; (e) To recover from the alleged violator civil penalties of up to five thousand dollars ($5,000) per violation for violation of the provisions of this chapter; and (f) To recover from the alleged violator reasonable expenses, investigative costs and attorney’s fees incurred by the attorney general." *Idaho Code § 48-606(1).* <https://legislature.idaho.gov/statutesrules/idstat/Title48/T48CH6/SECT48-606/>
+
+[^icpa-avc]: **Idaho Code § 48-606** — "Unless the attorney general finds in writing that the purposes of this chapter will be substantially and materially impaired by delay in instituting legal proceedings, he shall, before initiating any legal proceedings as provided in this section, give notice in writing that such proceedings are contemplated to the person against whom proceedings are contemplated and allow such person a reasonable opportunity to appear before the attorney general and execute an assurance of voluntary compliance or a consent judgment as in this chapter provided." *Idaho Code § 48-606(3).* <https://legislature.idaho.gov/statutesrules/idstat/Title48/T48CH6/SECT48-606/>
+
+[^card-receipt-action]: **Idaho Code § 28-51-103** — "A merchant who accepts a payment card for the transaction of business may not print more than the last five (5) digits of the payment card’s account number or print the payment card’s expiration date on a receipt provided to the cardholder. This subsection does not apply to a transaction in which the sole means of recording the payment card’s account number or expiration date is by handwriting or by an imprint or copy of the payment card. Effective January 1, 2004, this section applies to all receipts that are electronically printed using a cash register or other machine or device that is first used on or after July 1, 2003. Effective January 1, 2005, this section applies to all receipts that are electronically printed, including those printed using a cash register or other machine or device that is first used before July 1, 2003. (3) A merchant who violates this section shall be subject to a civil penalty of not more than two hundred fifty dollars ($250) for the first violation and one thousand dollars ($1,000) for a second or subsequent violation. An action to recover the civil penalty may be brought by a prosecuting attorney. If the prosecuting attorney does not file an action for such a civil penalty within sixty (60) days from the date the violation is reported by the cardholder whose payment card number was printed on a receipt in violation of this section, the cardholder may file such action." *Idaho Code § 28-51-103(2)-(3).* <https://legislature.idaho.gov/statutesrules/idstat/Title28/T28CH51/SECT28-51-103/>

package/skills/legal-explainers/data-privacy-law-explainer/content/illinois.md

@@ -0,0 +1,238 @@
+---
+jurisdiction: "Illinois"
+slug: illinois
+countryCode: US
+snapshotAsOf: "2026-06-19"
+lastReviewed: "2026-06-11"
+canonicalUrl: https://openagreements.org/practice-guides/privacy/us/illinois
+license: CC BY 4.0
+stale: false
+---
+
+> [!IMPORTANT]
+> **Informational only — not legal advice.** This is a snapshot of an OpenAgreements practice note,
+> provided for general information. It is not legal advice, does not create an attorney-client
+> relationship, and is not a substitute for a licensed attorney in the relevant jurisdiction.
+> Laws change; verify against the canonical version before relying on it.
+>
+> **Canonical:** https://openagreements.org/practice-guides/privacy/us/illinois · **Snapshot as of:** 2026-06-19 · License: CC BY 4.0 · © openagreements.org
+
+# Illinois Consumer Privacy Law (BIPA)[^about]
+
+Illinois has no comprehensive consumer-privacy act, but the Biometric Information Privacy Act (740 ILCS 14) is the most litigated state privacy statute in the country — written consent and a public retention policy are required, and private plaintiffs can sue for liquidated damages without proving actual harm.
+
+
+## At a glance
+
+| Question | Illinois |
+| --- | --- |
+| **Law coverage** | Specific data types only |
+| **Summary** | Illinois has not enacted a comprehensive consumer-privacy law, but it is the highest-exposure privacy state in the country for one reason — the Biometric Information Privacy Act. Before collecting a fingerprint, face scan, or voiceprint, a business must publish a written retention-and-destruction policy and obtain informed written consent, and any person whose rights are violated can sue for $1,000 or $5,000 in liquidated damages per person without proving actual harm, on a five-year limitations period. A 2024 amendment capped repeated identical scans at one recovery per person per method of collection, and in April 2026 the Seventh Circuit held that cap applies retroactively to pending cases. Genetic data carries parallel private-suit exposure under GIPA, and breach notification under the Personal Information Protection Act is the Attorney General's lane. |
+| **Main law** | Biometric Information Privacy Act (BIPA), 740 ILCS 14 — Illinois has no comprehensive consumer-privacy law; BIPA sits alongside the Genetic Information Privacy Act (410 ILCS 513), the Personal Information Protection Act breach statute (815 ILCS 530), and the Consumer Fraud Act |
+| **Privacy policy required?** | Yes for biometric data — BIPA § 15(a) requires a written, publicly available policy with a retention schedule and destruction guidelines; no Illinois statute fixes the contents of a general consumer privacy policy, so FTC Act § 5 and the Consumer Fraud Act truthfulness rules govern the rest |
+| **Who does it cover?** | BIPA reaches any private entity — any individual, partnership, corporation, LLC, association, or other group — that handles biometric identifiers or biometric information of people in Illinois, with no revenue or volume threshold; government agencies and GLBA financial institutions are carved out |
+| **Can consumers sue?** | Yes |
+| **Privacy policy rule** | Policy required only for specific data |
+| **Consent for sensitive data?** | Only for certain data types |
+| **Browser opt-out signals?** | Not required |
+| **Lawsuit detail** | Yes — BIPA § 20 allows suit without actual injury beyond the statutory violation under Rosenbach; GIPA § 40 separately provides a private right of action and liquidated damages of $2,500/$15,000 per violation |
+| **Who enforces it?** | BIPA is enforced through private plaintiffs; GIPA has a private right of action, with insurer-related § 30 violations handled through the Illinois Insurance Code; PIPA is enforced through the Consumer Fraud and Deceptive Business Practices Act |
+
+## Which privacy laws apply to your business in Illinois? {#which-privacy-laws-apply}
+
+**Short answer.** Illinois has no comprehensive consumer-privacy statute, but it is anything but a light-touch state. The headline law is the Biometric Information Privacy Act (BIPA), which the General Assembly enacted on the finding that the public welfare, security, and safety will be served by regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information [^stat-bipa-5-findings]. BIPA applies to any private entity — any individual, partnership, corporation, limited liability company, association, or other group, however organized — with no revenue or data-volume threshold [^stat-bipa-10-private-entity]. Around it sit three more statutes: the Genetic Information Privacy Act (GIPA), which makes genetic testing information confidential and privileged [^stat-gipa-15-confidential]; the Personal Information Protection Act (PIPA), the breach-notification statute that reaches essentially every entity handling nonpublic personal information of Illinois residents [^stat-pipa-5-data-collector]; and the Consumer Fraud and Deceptive Business Practices Act, which supplies the enforcement hook for deceptive privacy practices.
+
+What Illinois lacks is the omnibus controller-processor framework other states have adopted: there are no general rights to access, correct, delete, or opt out of the sale of personal data, no notice-at-collection mandate, and no data-protection-assessment duty under current Illinois law. What Illinois has instead is sharper teeth on three specific data types — biometric, genetic, and breached personal information — and, uniquely among the states, private rights of action with liquidated damages on the first two. That combination has made Illinois the national center of privacy class-action litigation rather than of regulatory enforcement.
+
+The federal overlay fills the rest of the program: FTC Act § 5 reaches deceptive or unfair privacy practices nationwide, GLBA governs financial institutions, HIPAA governs covered health entities, and COPPA governs services directed to children under 13.
+
+## What must your Illinois privacy policy contain? {#privacy-policy-contents}
+
+**Short answer.** It depends on whether you touch biometric data. If you possess biometric identifiers or biometric information — fingerprints, face geometry, voiceprints, retina or iris scans — BIPA § 15(a) imposes a specific, written-policy mandate: you must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying the data when the initial purpose for collecting it has been satisfied or within 3 years of the individual's last interaction with your business, whichever occurs first [^stat-15a-written-policy]. You must then actually follow that schedule: absent a valid warrant or subpoena, a private entity must comply with its established retention schedule and destruction guidelines [^stat-15a-comply]. For everything else, no Illinois statute fixes the contents of a general consumer privacy policy — the governing rule is that whatever you publish must be true, because a policy that misstates your practices is a deceptive act under FTC Act § 5 [^fed-ftc5-deceptive] and under the Illinois Consumer Fraud Act [^stat-icfa-2-deceptive].
+
+Section 15(a) is the piece businesses most often miss, and it is the cheapest BIPA violation to avoid because it does not depend on consent mechanics. The duty attaches to *possession* of biometric data, and it has four components on the face of the statute: (1) a *written* policy, (2) *made available to the public* — posted, not kept in a drawer; (3) a *retention schedule* tied to the statute's two ceilings (purpose satisfied, or 3 years after the individual's last interaction, whichever comes first); and (4) *guidelines for permanently destroying* the data. The companion sentence converts the policy from paper to obligation: once the schedule exists, the entity must comply with it unless a court-issued warrant or subpoena intervenes [^stat-15a-comply]. Plaintiffs routinely plead § 15(a) alongside the consent claims, so a biometric privacy policy that is unwritten, unposted, or unenforced is itself a freestanding basis for liquidated damages.
+
+For the non-biometric remainder of a privacy policy, build to the federal and sectoral overlay — GLBA privacy notices for financial institutions, the HIPAA notice of privacy practices for covered entities, a COPPA notice for child-directed services — and follow best practice for everyone else: describe the categories of data collected, the purposes, the third parties you share with, and how users exercise any choices you offer. The enforceable Illinois obligation outside BIPA is consistency between the statement and the conduct, because the Consumer Fraud Act declares deceptive acts or practices, including the concealment, suppression or omission of any material fact, unlawful [^stat-icfa-2-deceptive].
+
+> [!CAUTION]
+> **Drafting note.**
+>
+> Write the BIPA retention-and-destruction policy *before* the first scan is collected, and post it where the public can find it. The statute makes the written, publicly available policy a duty of every private entity in possession of biometric data, with a destruction deadline of purpose-satisfied or 3 years after the individual's last interaction, whichever occurs first — a policy drafted after collection begins, or one that exists but was never published, leaves the company exposed on § 15(a) even if its consent paperwork is perfect [^stat-15a-written-policy].
+
+## Do you need written consent to collect fingerprints or face scans in Illinois? {#biometric-consent}
+
+**Short answer.** Yes — before collection, in writing, and after specific disclosures. BIPA § 15(b) prohibits a private entity from collecting, capturing, purchasing, receiving through trade, or otherwise obtaining a person's biometric identifier or biometric information unless it first informs the person in writing that the data is being collected or stored, informs the person in writing of the specific purpose and length of term of the collection, and receives a written release executed by the subject [^stat-15b-consent]. A biometric identifier means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry [^stat-10-biometric-identifier]. Three companion duties travel with the data: no private entity may sell, lease, trade, or otherwise profit from a person's biometric data [^stat-15c-no-profit]; disclosure to anyone else requires the subject's consent or another narrow statutory basis [^stat-15d-disclosure]; and the data must be stored and protected using the reasonable standard of care within the entity's industry, at least as protectively as other confidential and sensitive information [^stat-15e-safeguards].
+
+The order of operations is what trips businesses up: the statute says *first*. Consent collected after the first scan does not cure the collection that already happened, and the disclosures must cover both the specific purpose and the length of term of the collection — a generic onboarding acknowledgment that never mentions storage duration misses an element on the face of § 15(b). In the workplace, the statute's definition of a *written release* expressly contemplates a release executed by an employee as a condition of employment, and — since the 2024 amendment — an electronic signature qualifies [^stat-10-written-release]. So a compliant biometric time-clock or facility-access program is achievable with ordinary HR paperwork: written notice of what is collected, why, and for how long, plus a signed (or e-signed) release, all completed before enrollment.
+
+Scope limits matter in both directions. The definition excludes photographs, writing samples, physical descriptions, and information captured from a patient in a health care setting [^stat-10-biometric-identifier]. Plaintiffs have litigated faceprints computed *from* photographs under the *scan of face geometry* language, so photo-based systems still deserve BIPA review. And BIPA does not apply to everyone: it carves out financial institutions subject to GLBA Title V [^stat-bipa-25-glba], state and local government agencies [^q3-stat-bipa-10-private-entity], and contractors working for them [^stat-bipa-25-contractors].
+
+> [!NOTE]
+> **Practice note.**
+>
+> Treat the no-profit rule as a flat ban, not a consent question. Section 15(c) prohibits selling, leasing, trading, or otherwise profiting from biometric identifiers or biometric information outright — unlike collection under § 15(b) or disclosure under § 15(d), there is no consent mechanism that authorizes monetizing the data itself, so a business model that prices access to biometric databases cannot be papered over with releases [^stat-15c-no-profit].
+
+## Can someone sue your business under BIPA without proving actual harm? {#bipa-lawsuit-exposure}
+
+**Short answer.** Yes — this is the feature that makes Illinois unlike any other state. BIPA § 20 gives any person aggrieved by a violation a right of action in state circuit court or as a supplemental claim in federal court, with liquidated damages of $1,000 per negligent violation or $5,000 per intentional or reckless violation (or actual damages if greater), plus attorneys' fees and costs [^stat-20a-damages]. In *Rosenbach v. Six Flags Entertainment Corp.*, the Illinois Supreme Court held that "an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act"[^case-rosenbach] [^case-rosenbach]. And the window is long: in *Tims v. Black Horse Carriers, Inc.*, the court held that the five-year catchall limitations period of section 13-205 of the Code of Civil Procedure controls claims under the Act [^case-tims].
+
+The mechanics deserve emphasis because each element compounds the others. The violation *is* the injury — a fingerprint collected without the § 15(b) disclosures and release is actionable the day it is scanned, with no identity theft, data breach, or out-of-pocket loss required. The *Rosenbach* court was explicit that this is the design, not an accident: "When private entities face liability for failure to comply with the law’s requirements without requiring affected individuals or customers to show some injury beyond violation of their statutory rights, those entities have the strongest possible incentive to conform to the law and prevent problems before they occur and cannot be undone."[^case-rosenbach-deterrence] [^case-rosenbach-deterrence] Stack the per-person liquidated amounts across a workforce or user base, add a five-year reach-back under *Tims*, and a routine timekeeping or photo-tagging practice becomes a class action with eight-or-nine-figure exposure.
+
+BIPA exposure management is litigation prevention: compliant paperwork, vendor disclosures, and retention policies matter more than regulator relations. The Illinois Supreme Court explained in *Rosenbach* that, other than the private right of action authorized in section 20, no other enforcement mechanism is available [^case-rosenbach-no-agency].
+
+> [!NOTE]
+> **Practice note.**
+>
+> Do not read the per-person figures as an automatic award. Even while reaffirming its plaintiff-friendly accrual rule, the Illinois Supreme Court treated runaway aggregate damages as a policy problem for the General Assembly and respectfully suggested that the legislature review those concerns and make clear its intent on the assessment of damages under the Act [^q4-cothron-invitation]. The legislature accepted that invitation in 2024 — the next question covers how the amendment changed the arithmetic — but no business should price its compliance posture on judicial or legislative moderation arriving in time.
+
+## How are BIPA damages counted in Illinois — per person or per scan — after the 2024 amendment? {#per-scan-damages}
+
+**Short answer.** For repeated, identical collections: one recovery per person, per method — and that cap now governs pending cases too. The sequence matters. In *Cothron v. White Castle System, Inc.* (Feb. 17, 2023), the Illinois Supreme Court held that "a separate claim accrues under the Act each time a private entity scans or transmits an individual’s biometric identifier or information in violation of section 15(b) or 15(d)"[^case-cothron-per-scan] [^case-cothron-per-scan] — the per-scan reading that produced multibillion-dollar class exposure. The General Assembly answered with Public Act 103-0769, effective August 2, 2024, which added subsections 20(b) and 20(c): an entity that repeatedly collects the same biometric identifier from the same person using the same method of collection has committed a single violation, for which the aggrieved person is entitled to, at most, one recovery [^stat-20b-single-recovery], with the same rule for repeated disclosures of the same data to the same recipient [^stat-20c-single-disclosure]. And on April 1, 2026, the Seventh Circuit in *Gregg v. Central Transport LLC* held that "this amendment applies retroactively because it impacts only the statutory damages available to plaintiffs—it does not change BIPA’s substantive standards of liability"[^case-gregg-retroactive] [^case-gregg-retroactive].
+
+The 2023–2026 arc is worth a timeline, because each date changed the settlement value of every pending BIPA case:
+
+- 
+- 
+- 
+
+> [!NOTE]
+> **Practice note.**
+>
+> The single-recovery rule is narrower than the headline suggests. The statutory text caps recovery only where the *same* biometric identifier is taken from the *same* person using the *same method of collection* — and, for disclosure, only as to the *same recipient* [^stat-20b-single-recovery] [^stat-20c-single-disclosure]. A business that runs a fingerprint time clock *and* a face-scan access system, or that shares biometric data with multiple vendors, can still face multiple recoveries per person, and class exposure still scales with headcount because every affected person keeps his or her own recovery.
+
+## Can you ask Illinois employees or job applicants for genetic tests or genetic information? {#genetic-information-employment}
+
+**Short answer.** No. The Genetic Information Privacy Act (GIPA) prohibits an employer, employment agency, labor organization, or licensing agency from directly or indirectly soliciting, requesting, requiring, or purchasing genetic testing or genetic information of a person or a person's family member — or administering a genetic test — as a condition of employment, a preemployment application, membership, or licensure [^stat-gipa-25-employment]. GIPA provides private-suit exposure: any person aggrieved by a violation may sue and recover liquidated damages of $2,500 per negligent violation or $15,000 per intentional or reckless violation (or actual damages if greater), plus attorneys' fees, subject to the Illinois Insurance Code remedy for insurer violations of section 30 [^stat-gipa-40-damages].
+
+Two statutory features give the employment prohibition a long reach. First, the ban covers both the person and the person's family member when the request is tied to employment, preemployment application, labor-organization membership, or licensure [^stat-gipa-25-employment]. Second, *genetic testing* expressly includes direct-to-consumer commercial genetic testing [^stat-gipa-10-definitions], so consumer DNA-kit results are covered the same as clinical tests. The statute also bars employers from using genetic testing or genetic information to affect terms or conditions, limit or classify employees, or retaliate against anyone alleging a violation [^stat-gipa-25-employment]. It separately prohibits offering employment, membership, licensure, pay, or benefits in return for taking a genetic test [^stat-gipa-25-pay-benefit], with narrow statutory provisions for workplace wellness programs [^stat-gipa-25-wellness], employee-requested workers' compensation testing [^stat-gipa-25-workers-comp], and toxic-substance genetic monitoring [^stat-gipa-25-toxic-monitoring].
+
+The practical risk is indirect collection. The statute reaches requests made through employment agencies, licensing agencies, labor organizations, and other employment-related channels, so Illinois hiring and occupational-health forms should be reviewed for genetic testing or genetic-information fields before they are given to applicants or employees [^stat-gipa-25-employment].
+
+> [!CAUTION]
+> **Drafting note.**
+>
+> Strip family-medical-history questions out of Illinois hiring and occupational-health paperwork, including forms administered by third-party clinics on your behalf. The statutory prohibition reaches *indirect* solicitation and requests made as a condition of a preemployment application [^stat-gipa-25-employment], so routing the questionnaire through an outside examiner does not take the inquiry outside GIPA — and each affected applicant carries $2,500-to-$15,000 liquidated-damages exposure [^stat-gipa-40-damages].
+
+## Do Illinois residents have rights to access, delete, or opt out of the sale of their data? {#consumer-rights-opt-outs}
+
+**Short answer.** Not as general rights — Illinois has no omnibus statute granting access, correction, deletion, portability, or sale opt-outs across all personal data, and no Illinois law requires businesses to honor universal opt-out preference signals such as Global Privacy Control. What Illinois residents have instead are targeted, data-type-specific controls with unusual force: biometric data cannot be collected at all without prior written notice and a written release [^q7-stat-15b-consent], and it must be destroyed when the collection purpose is satisfied or within 3 years of the person's last interaction with the business [^q7-stat-15a-destruction]; genetic test results cannot be disclosed in identifiable form except to the tested person and those the person authorizes [^q7-stat-gipa-30-disclosure].
+
+The practical translation: an Illinois consumer cannot email a retailer and demand a copy or deletion of an ordinary marketing profile the way a resident of an omnibus-law state can. But for the two data types the legislature singled out, the Illinois model is stronger than a rights-request regime — it is consent-or-nothing on the front end (biometrics may not be obtained without a release; genetic information may not be solicited by employers at all), an automatic destruction clock rather than a deletion request [^q7-stat-15a-destruction], and a flat ban on profiting from biometric data that no opt-in can waive. A business cannot paper around these rules with terms of service, and the rights are self-executing through the private rights of action covered above rather than through a regulator's complaint portal.
+
+## When must you notify people of a data breach in Illinois? {#breach-notification}
+
+**Short answer.** In the most expedient time possible and without unreasonable delay. Under the Personal Information Protection Act (PIPA), any data collector that owns or licenses personal information concerning an Illinois resident must notify the resident, at no charge, following discovery or notification of a breach — with delay tolerated only for measures necessary to determine the breach's scope and restore the system's integrity, security, and confidentiality [^stat-pipa-10-notice]. A breach means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information [^stat-pipa-5-breach]. If a single breach requires notice to more than 500 Illinois residents, the data collector must also notify the Attorney General [^stat-pipa-10e-ag], and a violation of the Act is an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act [^stat-pipa-20-icfa].
+
+*Personal information* under PIPA is broader than the classic name-plus-SSN formula. It covers a name combined with an unencrypted Social Security number, driver's license or state ID number, financial-account or card data, medical information (expressly including information provided to a website or mobile application), health-insurance information, or unique biometric data used to authenticate an individual [^stat-pipa-5-personal-info] — and, separately, a username or email address combined with a password or security question and answer, a category with its own lighter notice option directing users to change credentials [^stat-pipa-10-credential-notice]. Encrypted or redacted data is outside the quoted definition unless the keys were acquired without authorization through the breach [^stat-pipa-5-personal-info]. The AG notice for 500-plus-resident breaches must arrive no later than the consumer notices, and the Attorney General may publish the breached entity's name [^stat-pipa-10e-ag]. The duties cannot be contracted away: any waiver of PIPA is void and unenforceable [^stat-pipa-15-waiver].
+
+Enforcement runs through the Attorney General — and that is the one place in Illinois privacy law where the AG, rather than a class-action plaintiff, holds the pen. Because a PIPA violation is deemed an unlawful practice under the Consumer Fraud Act [^stat-pipa-20-icfa], the AG can seek injunctions and civil penalties for late or omitted notice, with no cure period written into the statute. A private plaintiff, by contrast, has no liquidated-damages remedy here: a consumer suing over a breach must proceed under the Consumer Fraud Act, which requires actual damage from the violation [^stat-icfa-10a-actual] — a sharp contrast with BIPA and GIPA, where the statutory violation alone supports liquidated damages. Note the interaction for biometric incidents: a breach of authentication-grade biometric data triggers PIPA notice duties *and* invites scrutiny of the § 15(e) safeguards duty under BIPA, where the per-person liquidated-damages regime does apply.
+
+## What must your contracts with vendors say in Illinois? {#vendor-contracts}
+
+**Short answer.** Illinois has no omnibus data-processing-agreement statute — no state law prescribes controller-processor terms, audit rights, or subprocessor flow-downs for general personal data. But two Illinois statutes put hard edges on vendor arrangements. Under BIPA, handing biometric data to a vendor is a *disclosure* that requires the subject's consent or another narrow statutory basis [^q9-stat-15d-disclosure], so the consent paperwork and the vendor contract have to be designed together. Under PIPA, a vendor that maintains or stores personal information it does not own must notify the owner of any breach immediately following discovery and cooperate in the response [^stat-pipa-10b-vendor].
+
+The biometric-vendor scenario deserves specific attention because it is the standard BIPA fact pattern: an employer runs a fingerprint time clock, and a third-party vendor hosts and matches the templates. Both the employer and the vendor can face § 15 exposure — the employer for collecting and disclosing without the statutory disclosures and release, the vendor as a private entity obtaining biometric data itself — and the 2024 single-recovery amendment caps repeated disclosures only as to the *same recipient* [^q9-stat-20c-single-disclosure], so each additional vendor in the chain is a separate exposure line. A compliant program therefore names the vendor categories in the written consent, binds the vendor by contract to BIPA's storage, protection, no-sale, and destruction standards, and allocates defense and indemnity for biometric claims expressly.
+
+Where a federal sectoral regime applies, it supplies the contract terms directly: the GLBA Safeguards Rule requires financial institutions to oversee service providers by contract — requiring your service providers by contract to implement and maintain appropriate safeguards [^fed-glba-safeguards] — and HIPAA requires a business-associate agreement with mandatory data-protection, breach-reporting, and subcontractor terms before protected health information moves [^fed-hipaa-baa]. Outside those verticals, carry the same architecture forward as best practice: processing limited to documented instructions, confidentiality, reasonable security, breach notification back to you on PIPA's immediate-notice clock [^stat-pipa-10b-vendor], return or deletion at the end of the engagement, and — for any Illinois-facing biometric or genetic data — express compliance with BIPA and GIPA by name.
+
+[^about]: By Steven Obiajulu, J.D. Published by [openagreements.org](https://openagreements.org). Last reviewed 2026-06-11. License: CC BY 4.0. Steven Obiajulu, J.D. is admitted in New York, not Illinois. This article synthesizes Illinois primary law and is not legal advice from a Illinois-admitted attorney. This article is for informational purposes only and does not create an attorney-client relationship.
+
+[^stat-bipa-5-findings]: **740 ILCS 14/5** — "The public welfare, security, and safety will be served by regulating the collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information." *740 ILCS 14/5(g).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K5.htm>
+
+[^stat-bipa-10-private-entity]: **740 ILCS 14/10** — "‘Private entity’ means any individual, partnership, corporation, limited liability company, association, or other group, however organized. A private entity does not include a State or local government agency. A private entity does not include any court of Illinois, a clerk of the court, or a judge or justice thereof." *740 ILCS 14/10.* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K10.htm>
+
+[^stat-gipa-15-confidential]: **410 ILCS 513/15** — "Except as otherwise provided in this Act, genetic testing and information derived from genetic testing is confidential and privileged and may be released only to the individual tested and to persons specifically authorized, in writing in accordance with Section 30, by that individual to receive the information." *410 ILCS 513/15(a).* <https://www.ilga.gov/documents/legislation/ilcs/documents/041005130K15.htm>
+
+[^stat-pipa-5-data-collector]: **815 ILCS 530/5** — "‘Data collector’ may include, but is not limited to, government agencies, public and private universities, privately and publicly held corporations, financial institutions, retail operators, and any other entity that, for any purpose, handles, collects, disseminates, or otherwise deals with nonpublic personal information." *815 ILCS 530/5.* <https://www.ilga.gov/documents/legislation/ilcs/documents/081505300K5.htm>
+
+[^stat-15a-written-policy]: **740 ILCS 14/15(a)** — "A private entity in possession of biometric identifiers or biometric information must develop a written policy, made available to the public, establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first." *740 ILCS 14/15(a).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K15.htm>
+
+[^stat-15a-comply]: **740 ILCS 14/15(a)** — "Absent a valid warrant or subpoena issued by a court of competent jurisdiction, a private entity in possession of biometric identifiers or biometric information must comply with its established retention schedule and destruction guidelines." *740 ILCS 14/15(a).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K15.htm>
+
+[^fed-ftc5-deceptive]: **FTC Act § 5** — "Unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful." *15 U.S.C. § 45(a)(1).* <https://www.law.cornell.edu/uscode/text/15/45#:~:text=Unfair%20methods%20of%20competition%20in,commerce%2C%20are%20hereby%20declared%20unlawful.>
+
+[^stat-icfa-2-deceptive]: **815 ILCS 505/2** — "Unfair methods of competition and unfair or deceptive acts or practices, including but not limited to the use or employment of any deception fraud, false pretense, false promise, misrepresentation or the concealment, suppression or omission of any material fact, with intent that others rely upon the concealment, suppression or omission of such material fact, or the use or employment of any practice described in Section 2 of the ‘Uniform Deceptive Trade Practices Act’, approved August 5, 1965, in the conduct of any trade or commerce are hereby declared unlawful whether any person has in fact been misled, deceived or damaged thereby." *815 ILCS 505/2.* <https://www.ilga.gov/documents/legislation/ilcs/documents/081505050K2.htm>
+
+[^stat-15b-consent]: **740 ILCS 14/15(b)** — "No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first: (1) informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored; (2) informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative." *740 ILCS 14/15(b).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K15.htm>
+
+[^stat-10-biometric-identifier]: **740 ILCS 14/10** — "‘Biometric identifier’ means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Biometric identifiers do not include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color. Biometric identifiers do not include donated organs, tissues, or parts as defined in the Illinois Anatomical Gift Act or blood or serum stored on behalf of recipients or potential recipients of living or cadaveric transplants and obtained or stored by a federally designated organ procurement agency. Biometric identifiers do not include biological materials regulated under the Genetic Information Privacy Act. Biometric identifiers do not include information captured from a patient in a health care setting or information collected, used, or stored for health care treatment, payment, or operations under the federal Health Insurance Portability and Accountability Act of 1996." *740 ILCS 14/10.* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K10.htm>
+
+[^stat-15c-no-profit]: **740 ILCS 14/15(c)** — "No private entity in possession of a biometric identifier or biometric information may sell, lease, trade, or otherwise profit from a person's or a customer's biometric identifier or biometric information." *740 ILCS 14/15(c).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K15.htm>
+
+[^stat-15d-disclosure]: **740 ILCS 14/15(d)** — "No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless: (1) the subject of the biometric identifier or biometric information or the subject's legally authorized representative consents to the disclosure or redisclosure; (2) the disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information or the subject's legally authorized representative; (3) the disclosure or redisclosure is required by State or federal law or municipal ordinance; or (4) the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction." *740 ILCS 14/15(d).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K15.htm>
+
+[^stat-15e-safeguards]: **740 ILCS 14/15(e)** — "A private entity in possession of a biometric identifier or biometric information shall: (1) store, transmit, and protect from disclosure all biometric identifiers and biometric information using the reasonable standard of care within the private entity's industry; and (2) store, transmit, and protect from disclosure all biometric identifiers and biometric information in a manner that is the same as or more protective than the manner in which the private entity stores, transmits, and protects other confidential and sensitive information." *740 ILCS 14/15(e).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K15.htm>
+
+[^stat-10-written-release]: **740 ILCS 14/10** — "‘Written release’ means informed written consent, electronic signature, or, in the context of employment, a release executed by an employee as a condition of employment." *740 ILCS 14/10.* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K10.htm>
+
+[^stat-bipa-25-glba]: **740 ILCS 14/25(c)** — "Nothing in this Act shall be deemed to apply in any manner to a financial institution or an affiliate of a financial institution that is subject to Title V of the federal Gramm-Leach-Bliley Act of 1999 and the rules promulgated thereunder." *740 ILCS 14/25(c).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K25.htm>
+
+[^q3-stat-bipa-10-private-entity]: **740 ILCS 14/10** — "‘Private entity’ means any individual, partnership, corporation, limited liability company, association, or other group, however organized. A private entity does not include a State or local government agency. A private entity does not include any court of Illinois, a clerk of the court, or a judge or justice thereof." *740 ILCS 14/10.* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K10.htm>
+
+[^stat-bipa-25-contractors]: **740 ILCS 14/25(e)** — "Nothing in this Act shall be construed to apply to a contractor, subcontractor, or agent of a State agency or local unit of government when working for that State agency or local unit of government." *740 ILCS 14/25(e).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K25.htm>
+
+[^stat-20a-damages]: **740 ILCS 14/20(a)** — "Any person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in federal district court against an offending party. A prevailing party may recover for each violation: (1) against a private entity that negligently violates a provision of this Act, liquidated damages of $1,000 or actual damages, whichever is greater; (2) against a private entity that intentionally or recklessly violates a provision of this Act, liquidated damages of $5,000 or actual damages, whichever is greater;" *740 ILCS 14/20(a).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K20.htm>
+
+[^case-rosenbach]: **Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186** — "Contrary to the appellate court’s view, an individual need not allege some actual injury or adverse effect, beyond violation of his or her rights under the Act, in order to qualify as an ‘aggrieved’ person and be entitled to seek liquidated damages and injunctive relief pursuant to the Act." *Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, ¶ 40.* <https://www.courtlistener.com/opinion/4658484/rosenbach-v-six-flags-entertainment-corp/#:~:text=Contrary%20to%20the%20appellate%20court%E2%80%99s,relief%20pursuant%20to%20the%20Act.>
+
+[^case-tims]: **Tims v. Black Horse Carriers, Inc., 2023 IL 127801** — "For the aforementioned reasons, we find that the five-year limitations period contained in section 13-205 of the Code controls claims under the Act." *Tims v. Black Horse Carriers, Inc., 2023 IL 127801, ¶ 42.* <https://www.courtlistener.com/opinion/9372460/tims-v-black-horse-carriers-inc/#:~:text=For%20the%20aforementioned%20reasons%2C%20we,controls%20claims%20under%20the%20Act.>
+
+[^case-rosenbach-deterrence]: **Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186** — "When private entities face liability for failure to comply with the law’s requirements without requiring affected individuals or customers to show some injury beyond violation of their statutory rights, those entities have the strongest possible incentive to conform to the law and prevent problems before they occur and cannot be undone." *Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, ¶ 37.* <https://www.courtlistener.com/opinion/4658484/rosenbach-v-six-flags-entertainment-corp/#:~:text=When%20private%20entities%20face%20liability,occur%20and%20cannot%20be%20undone.>
+
+[^case-rosenbach-no-agency]: **Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186** — "Other than the private right of action authorized in section 20 of the Act, no other enforcement mechanism is available." *Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186, ¶ 37.* <https://www.courtlistener.com/opinion/4658484/rosenbach-v-six-flags-entertainment-corp/#:~:text=Other%20than%20the%20private%20right,other%20enforcement%20mechanism%20is%20available.>
+
+[^q4-cothron-invitation]: **Cothron v. White Castle System, Inc., 2023 IL 128004** — "We respectfully suggest that the legislature review these policy concerns and make clear its intent regarding the assessment of damages under the Act." *Cothron v. White Castle System, Inc., 2023 IL 128004, ¶ 43.* <https://www.courtlistener.com/opinion/9413971/cothron-v-white-castle-system-inc/#:~:text=We%20respectfully%20suggest%20that%20the,of%20damages%20under%20the%20Act.>
+
+[^case-cothron-per-scan]: **Cothron v. White Castle System, Inc., 2023 IL 128004** — "We hold that a separate claim accrues under the Act each time a private entity scans or transmits an individual’s biometric identifier or information in violation of section 15(b) or 15(d)." *Cothron v. White Castle System, Inc., 2023 IL 128004, ¶ 1.* <https://www.courtlistener.com/opinion/9413971/cothron-v-white-castle-system-inc/#:~:text=We%20hold%20that%20a%20separate,of%20section%2015(b)%20or%2015(d).>
+
+[^stat-20b-single-recovery]: **740 ILCS 14/20(b)** — "For purposes of subsection (b) of Section 15, a private entity that, in more than one instance, collects, captures, purchases, receives through trade, or otherwise obtains the same biometric identifier or biometric information from the same person using the same method of collection in violation of subsection (b) of Section 15 has committed a single violation of subsection (b) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section." *740 ILCS 14/20(b), added by P.A. 103-0769 (eff. Aug. 2, 2024).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K20.htm>
+
+[^stat-20c-single-disclosure]: **740 ILCS 14/20(c)** — "For purposes of subsection (d) of Section 15, a private entity that, in more than one instance, discloses, rediscloses, or otherwise disseminates the same biometric identifier or biometric information from the same person to the same recipient using the same method of collection in violation of subsection (d) of Section 15 has committed a single violation of subsection (d) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section regardless of the number of times the private entity disclosed, redisclosed, or otherwise disseminated the same biometric identifier or biometric information of the same person to the same recipient." *740 ILCS 14/20(c), added by P.A. 103-0769 (eff. Aug. 2, 2024).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K20.htm>
+
+[^case-gregg-retroactive]: **Gregg v. Central Transport LLC (7th Cir. Apr. 1, 2026)** — "We hold that this amendment applies retroactively because it impacts only the statutory damages available to plaintiffs—it does not change BIPA’s substantive standards of liability." *Gregg v. Central Transport LLC, Nos. 25-2185, 25-2761, 25-2762 (7th Cir. Apr. 1, 2026).* <https://www.courtlistener.com/opinion/10831566/john-gregg-v-central-transport-llc/#:~:text=We%20hold%20that%20this%20amendment%20applies,BIPA%E2%80%99s%20substantive%20standards%20of%20liability.>
+
+[^stat-gipa-25-employment]: **410 ILCS 513/25** — "An employer, employment agency, labor organization, and licensing agency shall not directly or indirectly do any of the following: (1) solicit, request, require or purchase genetic testing or genetic information of a person or a family member of the person, or administer a genetic test to a person or a family member of the person as a condition of employment, preemployment application, labor organization membership, or licensure; (2) affect the terms, conditions, or privileges of employment, preemployment application, labor organization membership, or licensure, or terminate the employment, labor organization membership, or licensure of any person because of genetic testing or genetic information with respect to the employee or family member, or information about a request for or the receipt of genetic testing by such employee or family member of such employee; (3) limit, segregate, or classify employees in any way that would deprive or tend to deprive any employee of employment opportunities or otherwise adversely affect the status of the employee as an employee because of genetic testing or genetic information with respect to the employee or a family member, or information about a request for or the receipt of genetic testing or genetic information by such employee or family member of such employee; and (4) retaliate through discharge or in any other manner against any person alleging a violation of this Act or participating in any manner in a proceeding under this Act." *410 ILCS 513/25(c).* <https://www.ilga.gov/documents/legislation/ilcs/documents/041005130K25.htm>
+
+[^stat-gipa-40-damages]: **410 ILCS 513/40** — "Any person aggrieved by a violation of this Act shall have a right of action in a State circuit court or as a supplemental claim in a federal district court against an offending party. A prevailing party may recover for each violation: (1) Against any party who negligently violates a provision of this Act, liquidated damages of $2,500 or actual damages, whichever is greater. (2) Against any party who intentionally or recklessly violates a provision of this Act, liquidated damages of $15,000 or actual damages, whichever is greater. (3) Reasonable attorney's fees and costs, including expert witness fees and other litigation expenses. (4) Such other relief, including an injunction, as the State or federal court may deem appropriate. (b) Article XL of the Illinois Insurance Code shall provide the exclusive remedy for violations of Section 30 by insurers." *410 ILCS 513/40(a)-(b).* <https://www.ilga.gov/documents/legislation/ilcs/documents/041005130K40.htm>
+
+[^stat-gipa-10-definitions]: **410 ILCS 513/10** — "‘Genetic testing’ and ‘genetic test’ have the meaning ascribed to ‘genetic test’ under HIPAA, as specified in 45 CFR 160.103. ‘Genetic testing’ includes direct-to-consumer commercial genetic testing." *410 ILCS 513/10.* <https://www.ilga.gov/documents/legislation/ilcs/documents/041005130K10.htm>
+
+[^stat-gipa-25-pay-benefit]: **410 ILCS 513/25(d)** — "An agreement between a person and an employer, prospective employer, employment agency, labor organization, or licensing agency, or its employees, agents, or members offering the person employment, labor organization membership, licensure, or any pay or benefit in return for taking a genetic test is prohibited." *410 ILCS 513/25(d).* <https://www.ilga.gov/documents/legislation/ilcs/documents/041005130K25.htm>
+
+[^stat-gipa-25-wellness]: **410 ILCS 513/25(e)** — "An employer shall not use genetic information or genetic testing in furtherance of a workplace wellness program benefiting employees unless (1) health or genetic services are offered by the employer, (2) the employee provides written authorization in accordance with Section 30 of this Act, (3) only the employee or family member if the family member is receiving genetic services and the licensed health care professional or licensed genetic counselor involved in providing such services receive individually identifiable information concerning the results of such services, and (4) any individually identifiable information is only available for purposes of such services and shall not be disclosed to the employer except in aggregate terms that do not disclose the identity of specific employees. An employer shall not penalize an employee who does not disclose his or her genetic information or does not choose to participate in a program requiring disclosure of the employee's genetic information." *410 ILCS 513/25(e).* <https://www.ilga.gov/documents/legislation/ilcs/documents/041005130K25.htm>
+
+[^stat-gipa-25-workers-comp]: **410 ILCS 513/25(f)** — "Nothing in this Act shall be construed to prohibit genetic testing of an employee who requests a genetic test and who provides written authorization, in accordance with Section 30 of this Act, from taking a genetic test for the purpose of initiating a workers' compensation claim under the Workers' Compensation Act." *410 ILCS 513/25(f).* <https://www.ilga.gov/documents/legislation/ilcs/documents/041005130K25.htm>
+
+[^stat-gipa-25-toxic-monitoring]: **410 ILCS 513/25(i)** — "Nothing in this Act shall be construed to prohibit an employer from requesting or requiring genetic information to be used for genetic monitoring of the biological effects of toxic substances in the workplace, but only if (1) the employer provides written notice of the genetic monitoring to the employee; (2) the employee provides written authorization under Section 30 of this Act or the genetic monitoring is required by federal or State law; (3) the employee is informed of individual monitoring results; (4) the monitoring is in compliance with any federal genetic monitoring regulations or State genetic monitoring regulations under the authority of the federal Occupational Safety and Health Act of 1970; and (5) the employer, excluding any health care provider, health care professional, or health facility that is involved in the genetic monitoring program, receives the results of the monitoring only in aggregate terms that do not disclose the identity of specific employees." *410 ILCS 513/25(i).* <https://www.ilga.gov/documents/legislation/ilcs/documents/041005130K25.htm>
+
+[^q7-stat-15b-consent]: **740 ILCS 14/15(b)** — "No private entity may collect, capture, purchase, receive through trade, or otherwise obtain a person's or a customer's biometric identifier or biometric information, unless it first: (1) informs the subject or the subject's legally authorized representative in writing that a biometric identifier or biometric information is being collected or stored; (2) informs the subject or the subject's legally authorized representative in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and (3) receives a written release executed by the subject of the biometric identifier or biometric information or the subject's legally authorized representative." *740 ILCS 14/15(b).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K15.htm>
+
+[^q7-stat-15a-destruction]: **740 ILCS 14/15(a)** — "establishing a retention schedule and guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual's last interaction with the private entity, whichever occurs first" *740 ILCS 14/15(a).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K15.htm>
+
+[^q7-stat-gipa-30-disclosure]: **410 ILCS 513/30** — "No person may disclose or be compelled to disclose the identity of any person upon whom a genetic test is performed or the results of a genetic test in a manner that permits identification of the subject of the test, except to the following persons: (1) The subject of the test or the subject's legally authorized representative. This paragraph does not create a duty or obligation under which a health care provider must notify the subject's spouse or legal guardian of the test results, and no such duty or obligation shall be implied. No civil liability or criminal sanction under this Act shall be imposed for any disclosure or nondisclosure of a test result to a spouse by a physician acting in good faith under this paragraph. For the purpose of any proceedings, civil or criminal, the good faith of any physician acting under this paragraph shall be presumed. (2) Any person designated in a specific written legally effective authorization for release of the test results executed by the subject of the test or the subject's legally authorized representative." *410 ILCS 513/30(a)(1)-(2).* <https://www.ilga.gov/documents/legislation/ilcs/documents/041005130K30.htm>
+
+[^stat-pipa-10-notice]: **815 ILCS 530/10** — "Any data collector that owns or licenses personal information concerning an Illinois resident shall notify the resident at no charge that there has been a breach of the security of the system data following discovery or notification of the breach. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system." *815 ILCS 530/10(a).* <https://www.ilga.gov/documents/legislation/ilcs/documents/081505300K10.htm>
+
+[^stat-pipa-5-breach]: **815 ILCS 530/5** — "‘Breach of the security of the system data’ or ‘breach’ means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the data collector." *815 ILCS 530/5.* <https://www.ilga.gov/documents/legislation/ilcs/documents/081505300K5.htm>
+
+[^stat-pipa-10e-ag]: **815 ILCS 530/10(e)** — "Any data collector required to issue notice pursuant to this Section to more than 500 Illinois residents as a result of a single breach of the security system shall provide notice to the Attorney General of the breach, including: (A) A description of the nature of the breach of security or unauthorized acquisition or use. (B) The number of Illinois residents affected by such incident at the time of notification. (C) Any steps the data collector has taken or plans to take relating to the incident. Such notification must be made in the most expedient time possible and without unreasonable delay but in no event later than when the data collector provides notice to consumers pursuant to this Section. If the date of the breach is unknown at the time the notice is sent to the Attorney General, the data collector shall send the Attorney General the date of the breach as soon as possible. Upon receiving notification from a data collector of a breach of personal information, the Attorney General may publish the name of the data collector that suffered the breach, the types of personal information compromised in the breach, and the date range of the breach." *815 ILCS 530/10(e)(2).* <https://www.ilga.gov/documents/legislation/ilcs/documents/081505300K10.htm>
+
+[^stat-pipa-20-icfa]: **815 ILCS 530/20** — "A violation of this Act constitutes an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act." *815 ILCS 530/20.* <https://www.ilga.gov/documents/legislation/ilcs/documents/081505300K20.htm>
+
+[^stat-pipa-5-personal-info]: **815 ILCS 530/5** — "‘Personal information’ means either of the following: (1) An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the name or data elements have been acquired without authorization through the breach of security: (A) Social Security number. (B) Driver's license number or State identification card number. (C) Account number or credit or debit card number, or an account number or credit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account. (D) Medical information. (E) Health insurance information. (F) Unique biometric data generated from measurements or technical analysis of human body characteristics used by the owner or licensee to authenticate an individual, such as a fingerprint, retina or iris image, or other unique physical representation or digital representation of biometric data. (2) User name or email address, in combination with a password or security question and answer that would permit access to an online account, when either the user name or email address or password or security question and answer are not encrypted or redacted or are encrypted or redacted but the keys to unencrypt or unredact or otherwise read the data elements have been obtained through the breach of security. ‘Personal information’ does not include publicly available information that is lawfully made available to the general public from federal, State, or local government records." *815 ILCS 530/5.* <https://www.ilga.gov/documents/legislation/ilcs/documents/081505300K5.htm>
+
+[^stat-pipa-10-credential-notice]: **815 ILCS 530/10(a)(2)** — "With respect to personal information defined in Section 5 in paragraph (2) of the definition of ‘personal information’, notice may be provided in electronic or other form directing the Illinois resident whose personal information has been breached to promptly change his or her user name or password and security question or answer, as applicable, or to take other steps appropriate to protect all online accounts for which the resident uses the same user name or email address and password or security question and answer." *815 ILCS 530/10(a)(2).* <https://www.ilga.gov/documents/legislation/ilcs/documents/081505300K10.htm>
+
+[^stat-pipa-15-waiver]: **815 ILCS 530/15** — "Any waiver of the provisions of this Act is contrary to public policy and is void and unenforceable." *815 ILCS 530/15.* <https://www.ilga.gov/documents/legislation/ilcs/documents/081505300K15.htm>
+
+[^stat-icfa-10a-actual]: **815 ILCS 505/10a** — "Any person who suffers actual damage as a result of a violation of this Act committed by any other person may bring an action against such person." *815 ILCS 505/10a(a).* <https://www.ilga.gov/documents/legislation/ilcs/documents/081505050K10a.htm>
+
+[^q9-stat-15d-disclosure]: **740 ILCS 14/15(d)** — "No private entity in possession of a biometric identifier or biometric information may disclose, redisclose, or otherwise disseminate a person's or a customer's biometric identifier or biometric information unless: (1) the subject of the biometric identifier or biometric information or the subject's legally authorized representative consents to the disclosure or redisclosure; (2) the disclosure or redisclosure completes a financial transaction requested or authorized by the subject of the biometric identifier or the biometric information or the subject's legally authorized representative; (3) the disclosure or redisclosure is required by State or federal law or municipal ordinance; or (4) the disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction." *740 ILCS 14/15(d).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K15.htm>
+
+[^stat-pipa-10b-vendor]: **815 ILCS 530/10(b)** — "Any data collector that maintains or stores, but does not own or license, computerized data that includes personal information that the data collector does not own or license shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. In addition to providing such notification to the owner or licensee, the data collector shall cooperate with the owner or licensee in matters relating to the breach. That cooperation shall include, but need not be limited to, (i) informing the owner or licensee of the breach, including giving notice of the date or approximate date of the breach and the nature of the breach, and (ii) informing the owner or licensee of any steps the data collector has taken or plans to take relating to the breach. The data collector's cooperation shall not, however, be deemed to require either the disclosure of confidential business information or trade secrets or the notification of an Illinois resident who may have been affected by the breach." *815 ILCS 530/10(b).* <https://www.ilga.gov/documents/legislation/ilcs/documents/081505300K10.htm>
+
+[^q9-stat-20c-single-disclosure]: **740 ILCS 14/20(c)** — "For purposes of subsection (d) of Section 15, a private entity that, in more than one instance, discloses, rediscloses, or otherwise disseminates the same biometric identifier or biometric information from the same person to the same recipient using the same method of collection in violation of subsection (d) of Section 15 has committed a single violation of subsection (d) of Section 15 for which the aggrieved person is entitled to, at most, one recovery under this Section regardless of the number of times the private entity disclosed, redisclosed, or otherwise disseminated the same biometric identifier or biometric information of the same person to the same recipient." *740 ILCS 14/20(c), added by P.A. 103-0769 (eff. Aug. 2, 2024).* <https://www.ilga.gov/documents/legislation/ilcs/documents/074000140K20.htm>
+
+[^fed-glba-safeguards]: **GLBA Safeguards Rule** — "Requiring your service providers by contract to implement and maintain such safeguards" *16 C.F.R. § 314.4(f)(2).* <https://www.law.cornell.edu/cfr/text/16/314.4#:~:text=Requiring%20your%20service%20providers%20by,implement%20and%20maintain%20such%20safeguards>
+
+[^fed-hipaa-baa]: **HIPAA Business Associate Contracts** — "A contract between the covered entity and a business associate must: (i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that: (A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and (B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity. (ii) Provide that the business associate will: (A) Not use or further disclose the information other than as permitted or required by the contract or as required by law; (B) Use appropriate safeguards and comply, where applicable, with subpart C of this part with respect to electronic protected health information, to prevent use or disclosure of the information other than as provided for by its contract;" *45 C.F.R. § 164.504(e)(2).* <https://www.law.cornell.edu/cfr/text/45/164.504#:~:text=A%20contract%20between%20the%20covered,provided%20for%20by%20its%20contract%3B>