Illinois occupies a unique position in the U.S. privacy landscape. It already has one of the most powerful and actively enforced privacy laws in the country — the Biometric Information Privacy Act (BIPA) — which has been in force since 2008 and has generated billions of dollars in class action settlements against Facebook, Google, TikTok, Amazon, and hundreds of other companies. BIPA requires explicit written consent before collecting fingerprints, face scans, retina scans, or voice prints, and crucially provides a private right of action. However, BIPA only covers biometric data. For all other personal data — browsing history, purchase records, location data, health information outside of biometrics — Illinois residents have no comprehensive state privacy protections beyond what federal law provides. A proposed comprehensive Illinois privacy bill (HB 3648 / SB 2239) has been introduced to extend protections to all personal data. The bill has received committee hearings but has not advanced to a floor vote. Unlike many other states, Illinois faces the challenge of designing a comprehensive law that complements (rather than contradicts) BIPA's existing provisions and its established litigation framework.
Illinois passes the Biometric Information Privacy Act, the nation's first and strongest biometric data law. It includes a private right of action — a provision that would generate billions in litigation.
Facebook pays $650M, Google $100M, TikTok $92M, and scores of other companies settle BIPA class actions. BIPA becomes the most litigated privacy law in U.S. history.
The Illinois legislature amends BIPA to clarify the statute of limitations. Separately, a comprehensive privacy bill covering all personal data is introduced for the first time.
HB 3648 receives a hearing in the House Consumer Protection Subcommittee — significant progress. Business groups lobby against a private right of action in any comprehensive bill.
Privacy advocates continue pushing for a comprehensive bill. The debate over whether to include a BIPA-style private right of action in any comprehensive law remains the central obstacle.
Illinois' proposed comprehensive privacy bill would extend data privacy protections to all categories of personal data — not just biometrics. It would provide standard consumer rights (access, correction, deletion, portability, opt-out of sale and targeted advertising) and require opt-in consent for sensitive data. The bill is intended to work alongside BIPA rather than replace it — BIPA's biometric-specific protections and private right of action would remain intact, while the new law would fill the gaps for all other personal data. One of the key debates is whether the comprehensive law should also include a private right of action (as BIPA does) or rely solely on AG enforcement (as most other state privacy laws do).
If enacted as currently drafted, Illinois residents would receive the following privacy rights:
- Confirm whether a business processes your personal data and request a copy of it.
- Request correction of inaccurate personal data a business holds about you.
- Request deletion of personal data that has been collected about you.
- Receive your data in a portable, machine-readable format.
- Prevent businesses from selling your personal data to third parties.
- Stop businesses from using your data for cross-context behavioral advertising.
- Opt out of automated decision-making in significant life decisions.
- Businesses cannot penalize you for exercising your privacy rights.
The rights listed above are proposed, not enacted. They reflect the bill's current draft language and may change significantly before passage — or the bill may not pass at all. Until Illinois enacts a comprehensive privacy law, residents have limited state-level data privacy rights. Check our Active Laws page to see which states have enacted protections.
Illinois faces a distinctive challenge: the BIPA precedent cuts both ways. Privacy advocates point to BIPA as proof that strong laws with private rights of action work — it has generated enormous enforcement through litigation without costing taxpayers anything for government enforcement. Business groups point to BIPA as proof of why private rights of action are dangerous — the scale of litigation has been enormous, and they argue that extending the model to all personal data would subject virtually every business in Illinois to ruinous class action exposure. This debate is more heated in Illinois than anywhere else precisely because Illinois has lived it. Finding compromise language that builds on BIPA's success without repeating what businesses view as its excesses is genuinely difficult, and no legislative session has yet produced a bill that satisfies both camps.
| Feature | Illinois (Proposed) | Virginia (Active) | California (Active) |
|---|---|---|---|
| Comprehensive privacy rights | Proposed | ✅ Yes | ✅ Yes |
| Right to delete | Proposed | ✅ Yes | ✅ Yes |
| Opt out of sale of data | Proposed | ✅ Yes | ✅ Yes |
| Sensitive data protections | Proposed | ✅ Yes | ✅ Yes |
| Enforcement agency | TBD | VA Attorney General | CA Privacy Protection Agency |
| Private right of action | TBD | No | Yes (breach only) |
| Currently enforceable | ❌ No | ✅ Yes | ✅ Yes |
Even though Illinois does not yet have a comprehensive privacy law, you are not without options:
Privacy laws pass because constituents demand them. If you believe Illinois residents deserve strong data privacy rights, contact your state legislature. Find your representatives at OpenStates.org — it takes only a few minutes to send a message that matters.
Use our Opt-Out Guide to see what rights you have today and get direct opt-out links for major companies.