June 30, 2023
Data is one of the most valuable currencies in the world. This is partly why so many states are implementing laws around the use, access, and distribution of data. If you want to do business in the Land of Lincoln, this article gives an overview of everything you need to know about Illinois data privacy laws.
“The wider world of cyber could achieve a cumulative market value of $280 billion by 2025, while data is now considered to be the globe’s most valuable and vulnerable resource.”
In general, data privacy laws are established to protect consumers and to limit the damage caused by cyberattacks on larger organizations and institutions. Below we’ll cover the Personal Information Protection Act (PIPA), the Protecting Household Privacy Act (PHPA), the Biometric Information Privacy Act (BIPA), and the recently introduced Illinois Data Privacy and Protection Act.
The Personal Information Protection Act (PIPA) was signed into Illinois law in 2005 and took effect at the top of January 2006. A little over a decade later, the privacy law was updated to reflect modernized technology and data collection tactics such as biometrics and big-data mining.
PIPA’s main purpose is to protect Illinois residents from the mishandling and misuse of their personal and sensitive information. More than that, the act requires businesses and organizations that collect certain categories of information to implement reasonable security measures specifically designed to protect data from unauthorized access, misuse, and modification.
Taking this a step further, the act also requires organizations to write data privacy provisions into contracts with third parties when data is going to be accessed or transferred.
A variety of data categories are considered sensitive under PIPA, including social security numbers, driver's license and state ID numbers, passport numbers, medical and financial account numbers, credit and debit card numbers, and account passwords and security codes.
There are three major components in PIPA that help organizations protect the sensitive information of their consumers. First, PIPA requires organizations to notify consumers who have had their data compromised. Notification is expected to happen “without reasonable delay” and should come through the most expedited avenue available.
Secondly, PIPA addresses data disposal. Information and data that aren’t necessary to the operations of the business need to be disposed of in accordance with PIPA. This means that written records need to be shredded and electronic records should be rendered unreadable and unrecoverable.
Finally, PIPA puts the responsibility for security on the shoulders of businesses and organizations in Illinois by requiring that they practice reasonable security measures to protect data and sensitive information.
Industry compliance and cybersecurity are close-knit concepts. By partnering with a managed security service provider (MSSP) like DOT Security, you can let the experts worry about compliance and data protection while you focus on the nuts and bolts of your business.
The Protecting Household Privacy Act might not directly impact many businesses, but it’s certainly worth knowing about in the realm of Illinois data protection and privacy. That’s because the PHPA limits the ability of law enforcement agencies and representatives to access household electronic data, or to partner with a third-party company to access the same data, without a warrant, consent, or a justified emergency situation.
Interestingly, the PHPA isn’t aimed at protecting the data found on smartphones and personal laptops as much as it is geared to protect data gathered and stored on other home smart devices like virtual assistants, video doorbells, security cameras, and other smart appliances.
“Given the exceptions and exclusions, it seems the PHPA's focus is virtual assistants, video doorbells, smart speakers, security cameras, and smart appliances that connect to the internet, allowing for audio commands or video images to generate specific actions in homes.”
The PHPA will mostly impact organizations in Illinois that facilitate the aggregation and transfer of large pools of data.
BIPA is significant because it was genuinely the first piece of state legislation to address the collection and distribution of consumers’ biometric information. The Illinois Biometric Information Privacy Act was passed in 2008. While Texas followed suit only a year later, it took Washington state until 2017 to pass similar laws.
Now, another six years later, at least a dozen other states are introducing privacy legislation attempting to address the collection and distribution of consumers’ biometric data. Not only did Illinois lead the way in biometric privacy almost two decades ago, but as more states adopt similar legislation, they’re looking to BIPA as their go-to model.
“However, the Illinois law has quickly become the go-to model for the new crop of states trying to shore up biometric privacy legislation. Advocates for new biometric privacy laws say that it’s because BIPA is so successful.”
The twelve states introducing biometric privacy laws in 2023 include: Arizona, Hawaii, Maryland, Massachusetts, Minnesota, Mississippi, Missouri, New York, Tennessee, Vermont, Washington, and Kentucky.
The Illinois Data Privacy and Protection Act is the latest act introduced in the state aimed at offering additional protections to residents of Illinois and their data. This bill is modeled after the larger national American Data Privacy and Protection Act and has not officially been signed into law as of this article’s publication date.
However, if it were to become law, this act would legally restrict a company's collection and use of consumer data to necessary information for the delivery of the expected service. The law would also prohibit companies from using consumer data beyond this purpose.
If passed, this will be one of the strongest pieces of consumer privacy protection in the nation and will cement Illinois as a leader in consumer and data privacy.
Illinois is leading the way in resident data protection. If you’re doing business in the state of Illinois, you need to be aware of the different data and information protections, and which of these laws specifically apply to your organization.
Getting your compliance strategy in place will help you avoid major data breaches and consumer lawsuits based on data collection and distribution. If getting into the legal weeds isn’t for you, consider partnering with an MSSP to cover you and all your compliance needs.
For more information on modern cybersecurity best practices, download DOT Security’s report, The State of Cybersecurity for Small Businesses.