Data Privacy Rights in Illinois

Source: Federal: FTC Act § 5 (15 U.S.C. § 45), HIPAA (42 U.S.C. § 1320d), COPPA (15 U.S.C. §§ 6501–6506), FERPA (20 U.S.C. § 1232g), GLBA (15 U.S.C. §§ 6801–6809). State: California Consumer Privacy Act/CPRA (Cal. Civ. Code § 1798.100 et seq.), Colorado Privacy Act (C.R.S. § 6-1-1301 et seq.), Connecticut Data Privacy Act (Conn. Gen. Stat. § 42-515 et seq.), Virginia Consumer Data Protection Act (Va. Code § 59.1-575 et seq.), Texas Data Privacy and Security Act (Tex. Bus. & Com. Code Ch. 541).

Last reviewed:

Written in plain language for general understanding. This is educational content, not legal advice. Content is researched from federal statutes, state codes, and official government sources. Each article is reviewed for accuracy before publication. Our editorial process

Federal Law

What is this right?

The United States does not have a single comprehensive federal data privacy law like the EU's GDPR. Instead, privacy is protected through a patchwork of federal sector-specific laws and an expanding number of state privacy laws. Several states — led by California — have passed comprehensive consumer privacy laws giving you the right to know what data companies collect about you, to delete it, and to opt out of its sale.

At the federal level, key privacy laws include HIPAA (health data), FERPA (education records), COPPA (children under 13), GLBA (financial data), and the FTC Act (unfair or deceptive practices). For general consumer data — your browsing history, purchase history, location data, and online behavior — state laws provide the most protection.

When does it apply?

Your data privacy rights apply when:

  • A company collects, stores, or sells your personal data — including name, email, phone, location, browsing history, and purchase history
  • You want to know what data a company has about you
  • You want a company to delete your personal data
  • You want to opt out of the sale or sharing of your personal data
  • A company experiences a data breach that exposes your information

State privacy laws (as of 2026):

  • California (CCPA/CPRA): The strongest state privacy law. Right to know, delete, opt out of sale/sharing, correct inaccurate data, and limit use of sensitive data. Applies to businesses with $25M+ revenue, data on 100,000+ consumers, or 50%+ revenue from data sales. Enforced by the California Privacy Protection Agency.
  • Colorado, Connecticut, Virginia, Texas, Oregon, Montana, and 10+ other states have passed comprehensive privacy laws with varying effective dates through 2026. Most include rights to access, delete, correct, and opt out.
  • States without privacy laws: If your state doesn't have a comprehensive privacy law, your primary protection is the FTC's authority to pursue "unfair or deceptive" data practices.

Common misconceptions:

  • "I have no privacy rights because there's no federal privacy law" — While there's no comprehensive federal law, sector-specific federal laws and state laws provide significant protections depending on the type of data and where you live.
  • "If a service is free, they can do anything with my data" — No. Companies must disclose their data practices in a privacy policy, and state laws may give you opt-out rights regardless of whether you paid for the service.
  • "Deleting my account deletes my data" — Not necessarily. Companies may retain data for legal or business reasons. Under state privacy laws, you can submit a specific deletion request that the company must honor.

What should you do?

Step 1: Check whether your state has a comprehensive privacy law. If you are in California, Colorado, Connecticut, Virginia, Texas, or one of the other states with privacy laws, you have specific rights you can exercise.

Step 2: Submit a data access request to any company you want to know about. Most companies have a "Privacy" or "Do Not Sell My Information" link in their website footer. California residents can use the phrase "right to know" in their request.

Step 3: Opt out of data sales. Under California law and similar state laws, companies must provide a clear mechanism to opt out. Look for "Do Not Sell or Share My Personal Information" links.

Step 4: If your data was exposed in a breach, check whether your state requires the company to notify you and offer credit monitoring. Most states have breach notification laws.

Step 5: File complaints with your state attorney general (most state privacy laws are enforced by the AG) or with the FTC at reportfraud.ftc.gov. California residents can also file with the California Privacy Protection Agency.

What should you NOT do?

Don't ignore data breach notifications. If a company tells you your data was compromised, take it seriously. Change passwords, enable two-factor authentication, and monitor your credit.

Don't accept cookies without thinking. Many websites use cookie banners that default to accepting all tracking. Choose "Reject All" or customize your settings to limit data collection.

Don't assume privacy policies protect you. Most privacy policies are written to maximize what the company can do with your data, not to protect you. Read the sections on data sharing, third parties, and your rights.

Don't pay for data removal services without researching them. Some data removal services charge fees for actions you can take yourself for free under state law. Submit your own requests first.

Illinois Law
IL

How Illinois differs from federal law

Illinois has the nation's strongest biometric privacy law and other key data protections, though it lacks a comprehensive consumer privacy statute:

  • Biometric Information Privacy Act (BIPA, 740 ILCS 14): The strongest biometric privacy law in the country. Requires written consent before collecting biometric data (fingerprints, facial geometry, iris scans, voiceprints). Private right of action: $1,000 per negligent violation, $5,000 per intentional or reckless violation. No harm requirement — violations alone create standing to sue.
  • Personal Information Protection Act (815 ILCS 530): Requires businesses to notify Illinois residents of data breaches involving personal information (SSN, financial account numbers, medical info) in the most expedient time possible.
  • Student Online Personal Protection Act (105 ILCS 85): Prohibits operators of educational technology from selling student data or using it for targeted advertising. Requires data security and deletion when no longer needed.
  • No comprehensive privacy law: Illinois does not yet have a CCPA or CPRA-style comprehensive consumer data privacy law. Data privacy protections are sector-specific rather than broad-based.

Additional Steps in Illinois

For BIPA violations, consult an attorney about filing a private lawsuit — class actions are common and have resulted in substantial settlements. Report data breaches to the Illinois Attorney General at (800) 386-5438. File complaints about student data privacy with the Illinois State Board of Education.

Relevant Law: 740 ILCS 14 (Biometric Information Privacy Act — BIPA), 815 ILCS 530 (Personal Information Protection Act), 105 ILCS 85 (Student Online Personal Protection Act)

Common Questions

When does data privacy rights apply?

Your data privacy rights apply when:A company collects, stores, or sells your personal data — including name, email, phone, location, browsing history, and purchase historyYou want to know what data a company has about youYou want a company to delete your personal dataYou want to opt out of the sale or sharing of your personal dataA company experiences a data breach that exposes your informationState privacy laws (as of 2026):California (CCPA/CPRA): The strongest state privacy law. Right to know, delete, opt out of sale/sharing, correct inaccurate data, and limit use of sensitive data. Applies...

What should I do about data privacy rights?

Step 1: Check whether your state has a comprehensive privacy law. If you are in California, Colorado, Connecticut, Virginia, Texas, or one of the other states with privacy laws, you have specific rights you can exercise.Step 2: Submit a data access request to any company you want to know about. Most companies have a "Privacy" or "Do Not Sell My Information" link in their website footer. California residents can use the phrase "right to know" in their request.Step 3: Opt out of data sales. Under California law and similar state laws, companies must provide a clear mechanism to opt out. Look for...

What mistakes should I avoid with data privacy rights?

Don't ignore data breach notifications. If a company tells you your data was compromised, take it seriously. Change passwords, enable two-factor authentication, and monitor your credit.Don't accept cookies without thinking. Many websites use cookie banners that default to accepting all tracking. Choose "Reject All" or customize your settings to limit data collection.Don't assume privacy policies protect you. Most privacy policies are written to maximize what the company can do with your data, not to protect you. Read the sections on data sharing, third parties, and your rights.Don't pay for da...

More in Consumer Rights

Debt Collector RulesThe Fair Debt Collection Practices Act (FDCPA) is a federal law that limits what debt collectors can do when trying to c...Read more →Credit Report RightsThe Fair Credit Reporting Act (FCRA) gives you the right to see what is in your credit report, dispute mistakes, and hav...Read more →Small Claims CourtSmall claims court is a special court where you can sue someone for a relatively small amount of money without hiring a ...Read more →

Related Topics

Workers' RightsWorkplace HarassmentTax RightsPenalty Abatement
← Browse all Consumer Rights

Legal Resources

We may earn a commission if you use these services — at no extra cost to you. This supports our mission to make legal information free for everyone.

LawDepotSend a formal demand letter to a business or creditor. State-specific financial and consumer documents ready in minutes.Create a Demand LetterCredit KarmaFree credit monitoring, dispute tools, and alerts. Know when your credit report changes.Check Your Credit FreeIdentityGuardIdentity theft protection and monitoring. Get notified if your personal information is misused.Protect Your Identity

You came here to know your rights — help someone else know theirs.

Support This Mission