Introduction to Illinois Privacy Rights
Illinois stands as one of the most privacy-protective states in the United States, with groundbreaking legislation that has set national precedents for consumer data protection. Unlike many states that have only recently begun addressing digital privacy concerns, Illinois has maintained robust privacy protections for over a decade, particularly in the realm of biometric data collection and surveillance.
The Illinois privacy landscape is anchored by several critical statutes, most notably the Biometric Information Privacy Act (BIPA), 740 ILCS 14/, which has become a model for similar legislation nationwide. This law, enacted in 2008, provides Illinois residents with some of the strongest protections against unauthorized collection and use of biometric identifiers such as fingerprints, facial geometry, and retina scans. The state also enforces comprehensive data breach notification requirements under the Personal Information Protection Act (PIPA), 815 ILCS 530/, and maintains strict standards for employee monitoring and consumer data handling.
What distinguishes Illinois from other states is not merely the existence of privacy laws, but their enforceability. The Biometric Information Privacy Act includes a private right of action, allowing individuals to sue companies directly for violations without waiting for government enforcement. This has resulted in hundreds of millions of dollars in settlements against major corporations, demonstrating that Illinois privacy rights have real teeth. The state's approach contrasts sharply with states like California, where enforcement primarily rests with the Attorney General, and stands well ahead of states with minimal privacy protections. For residents concerned about protecting their personal information, understanding these Illinois-specific laws is essential for exercising their rights effectively.
Illinois's State Privacy Laws
Illinois has enacted a comprehensive framework of privacy statutes that address various aspects of personal information protection. These laws provide some of the most robust privacy protections in the nation and create specific obligations for businesses, employers, and government entities.
Biometric Information Privacy Act (740 ILCS 14/)
The Biometric Information Privacy Act (BIPA) is Illinois's flagship privacy legislation and arguably the most consequential privacy law in the United States. BIPA regulates the collection, use, and storage of biometric identifiers and biometric information, including fingerprints, voiceprints, retina or iris scans, hand scans, facial geometry, and DNA. Under BIPA, private entities must obtain informed written consent before collecting biometric data, provide written notice of the specific purpose and duration of collection, and establish publicly available retention schedules and destruction guidelines. The law prohibits companies from selling or profiting from biometric data and requires entities to protect this information using a reasonable standard of care that is at least as protective as the one they use for other confidential information. Violations can result in damages of $1,000 for each negligent violation or $5,000 for each intentional or reckless violation, plus attorneys' fees and costs.
Personal Information Protection Act (815 ILCS 530/)
The Personal Information Protection Act establishes Illinois's data breach notification requirements. Under this statute, any entity that owns or licenses personal information of Illinois residents must notify affected individuals of security breaches involving their data. Personal information is defined as an individual's first name or initial and last name combined with Social Security number, driver's license number, or financial account information. The notification must be made in the most expedient time possible and without unreasonable delay, consistent with law enforcement needs and measures to determine the scope of the breach. Businesses must also notify the Illinois Attorney General if a breach affects more than 500 Illinois residents.
Right to Privacy in the Workplace Act (820 ILCS 55/)
This statute protects employee privacy by prohibiting employers from requesting or requiring employees or job applicants to provide passwords or other account information for social media accounts. Employers cannot require employees to add the employer or employment agency to their social networking contacts, access social media in the employer's presence, or alter privacy settings. Employers also cannot discharge, discipline, or otherwise penalize employees for refusing to disclose this information. Limited exceptions exist for employers investigating employee misconduct or unauthorized transfer of proprietary information.
Employee Credit Privacy Act (820 ILCS 70/)
Illinois law restricts employer use of credit history in employment decisions. Under this Act, employers generally cannot use credit reports or credit history as a basis for employment decisions unless the information is substantially job-related and the employer's reasons for using the information are disclosed in writing. Specific exemptions apply for positions in financial institutions, law enforcement, positions with fiduciary responsibilities, and jobs requiring security clearance.
Illinois Personal Information Protection Act - Social Security Numbers (5 ILCS 179/)
This law specifically restricts the use and display of Social Security numbers by businesses and government entities. It prohibits publicly posting or displaying Social Security numbers, printing them on cards required for access to services, requiring transmission of SSNs over the internet unless encrypted, and printing them on materials mailed to individuals unless required by law. Entities cannot require individuals to use their Social Security numbers to access internet websites unless a password or unique identifier is also required.
Genetic Information Privacy Act (410 ILCS 513/)
Illinois law provides extensive protections for genetic information. This Act prohibits disclosure of genetic testing information without prior written consent and restricts use of genetic information by insurers and employers. Genetic testing can only be performed with informed written consent, and results belong to the individual tested. The law includes criminal penalties for unauthorized disclosure and civil remedies for violations.
Freedom of Information / Open Records in Illinois
The Illinois Freedom of Information Act (FOIA), codified at 5 ILCS 140/, provides public access to government records while balancing privacy interests through specific exemptions. This law applies to all public bodies in Illinois, including state agencies, local governments, school districts, and other governmental entities.
What FOIA Covers
Under Illinois FOIA, any person may request public records from Illinois public bodies. Public records include all records, reports, forms, writings, letters, memoranda, books, papers, maps, photographs, recorded tapes, electronic data, or other documentary materials relating to the transaction of public business. The law presumes that all records are open to inspection unless specifically exempted.
Making a FOIA Request
FOIA requests in Illinois must be submitted in writing to the public body's Freedom of Information officer. While no specific form is required, requests should reasonably describe the records sought. Public bodies must respond to requests within five business days after receipt, either providing the records, denying the request with specific legal justification, or notifying the requester that more time is needed (up to an additional five business days for a total of ten business days). For requests requiring extended search or review, public bodies may take up to an additional 10 business days beyond the initial extension.
Fee Schedules
Illinois public bodies may charge actual costs for copying and certifying records. The first 50 pages of black and white, letter or legal-sized copies are free; additional pages may be charged at no more than 15 cents per page. Charges for electronic records on portable media cannot exceed the actual cost of the media. Public bodies may also charge for actual staff time when requests require more than eight hours of work, but only at the actual salary rate of the personnel performing the work. Commercial requesters may be charged reasonable fees covering actual reproduction and staff costs.
Privacy Exemptions
Illinois FOIA includes numerous exemptions protecting personal privacy. These include exemptions for personal information in records such as social security numbers, driver's license numbers, financial account information, and personal email addresses. Medical records, personnel files, and records identifying individuals in certain contexts (victims of crimes, participants in undercover operations, informants) are also exempt. Law enforcement records are partially exempt, particularly when disclosure would interfere with investigations or endanger individuals. Adoption, juvenile court, and mental health records receive special protections.
Appeals Process
When a public body denies a FOIA request, the requester may appeal to the Illinois Attorney General's Public Access Counselor (PAC) within 60 days. The PAC provides a free, informal review process. The public body must respond to the PAC within seven business days. The PAC then issues a binding opinion within 60 days unless extended. If dissatisfied with the PAC's decision, either party may seek judicial review in circuit court. Courts may award attorneys' fees and costs to requesters who substantially prevail.
HIPAA and Health Privacy in Illinois
Health privacy in Illinois operates under both federal HIPAA regulations and state-specific laws that often provide stronger protections than federal requirements. Understanding both frameworks is essential for Illinois residents seeking to protect their medical information.
The Health Insurance Portability and Accountability Act (HIPAA) applies uniformly across all states, including Illinois, requiring covered entities (healthcare providers, health plans, and healthcare clearinghouses) to protect the privacy and security of protected health information (PHI). However, Illinois law adds significant additional protections through several statutes.
Illinois-Specific Health Privacy Protections
The Illinois Mental Health and Developmental Disabilities Confidentiality Act (740 ILCS 110/) provides exceptionally strong protections for mental health records, exceeding HIPAA standards. This law generally prohibits disclosure of mental health records without explicit written consent from the patient or their guardian. The consent must specify the person to whom disclosure is authorized, the purpose, and an expiration date. Even with consent, therapists may refuse disclosure if they determine it would be harmful to the recipient or therapist. These records are not subject to subpoena or discovery in civil proceedings without patient consent, with very limited exceptions.
The AIDS Confidentiality Act (410 ILCS 305/) specifically protects HIV/AIDS-related information, requiring written consent before disclosure and imposing criminal penalties for unauthorized disclosure. The Genetic Information Privacy Act (410 ILCS 513/) protects genetic testing information beyond HIPAA requirements, giving individuals exclusive property rights in their genetic information and requiring specific written consent for testing and disclosure.
Illinois also maintains strict protections for substance abuse treatment records under the Alcoholism and Other Drug Abuse and Dependency Act (20 ILCS 301/), which incorporates federal confidentiality regulations at 42 CFR Part 2 and extends additional state-level protections.
Protecting Your Medical Records
Illinois residents can take several steps to protect their health information. Under HIPAA, you have the right to access your medical records, request amendments to inaccurate information, receive an accounting of disclosures, and request restrictions on uses and disclosures. In Illinois, you can file complaints about potential violations with both the U.S. Department of Health and Human Services Office for Civil Rights and the Illinois Department of Public Health. For mental health records specifically, the Illinois Department of Human Services oversees compliance with state confidentiality requirements.
Consumer Data Privacy Rights
Illinois consumers possess substantial rights regarding their personal data, derived from both state-specific legislation and federal consumer protection laws. Unlike comprehensive consumer privacy laws recently enacted in states like California, Virginia, and Colorado, Illinois takes a sector-specific approach, with particularly strong protections in certain areas.
Biometric Data Rights
Under the Biometric Information Privacy Act (740 ILCS 14/), Illinois residents have the right to know when biometric data is collected, the specific purpose for collection, how long it will be retained, and to provide informed written consent before any collection occurs. You have the right to refuse biometric data collection in most private sector contexts, and companies cannot make services conditional on biometric data collection unless the biometric identifier is strictly necessary for the service. You also have the right to sue companies directly for BIPA violations without showing actual harm.
Data Breach Rights
When your personal information is compromised in a data breach, Illinois law requires companies to notify you in the most expedient time possible. This notification must describe the breach, the type of information compromised, steps the company is taking to address the breach, and advice on protective measures you can take. If the breach involves Social Security numbers, companies must offer identity theft prevention and mitigation services at no cost for at least 12 months.
Credit Reporting Rights
The Fair Credit Reporting Act (FCRA) provides Illinois residents with the right to free annual credit reports from each major credit bureau through AnnualCreditReport.com. You have the right to dispute inaccurate information, and bureaus must investigate within 30 days. Under Illinois law (815 ILCS 505/2SS), security freeze services must be provided free of charge to all consumers, not just identity theft victims. You can place, lift, or remove a security freeze without fees, and credit bureaus must implement freezes within one business day of electronic or telephone requests, or three business days for mail requests.
Opt-Out and Removal Rights
While Illinois lacks a comprehensive opt-out framework like California's CCPA, residents can exercise opt-out rights under federal law and through individual data brokers. The Direct Marketing Association's (now Data & Marketing Association) opt-out service allows you to reduce unsolicited mail. The National Do Not Call Registry (donotcall.gov) reduces telemarketing calls. For people-search websites and data brokers, Illinois residents must typically submit individual opt-out requests to each service. Major data brokers like Acxiom, Epsilon, and LexisNexis maintain opt-out procedures, though processes vary significantly.
Financial Privacy Rights
Under the Gramm-Leach-Bliley Act, financial institutions must provide privacy notices and allow Illinois residents to opt out of certain information sharing with third parties. Illinois's Employee Credit Privacy Act (820 ILCS 70/) further restricts how employers can use your credit information, generally prohibiting employment decisions based on credit reports unless substantially job-related.
Employment Background Checks & Privacy
Illinois maintains comprehensive regulations governing employment background checks, criminal record access, and employee privacy protections that significantly restrict what employers can consider and how they can use personal information in hiring and employment decisions.
Criminal Background Check Restrictions
The Illinois Human Rights Act (775 ILCS 5/) prohibits employers from inquiring about or considering arrest records that did not result in conviction, with limited exceptions for law enforcement and positions working with vulnerable populations. Employers cannot ask about criminal history on initial employment applications under the Job Opportunities for Qualified Applicants Act (820 ILCS 75/), commonly known as Illinois's "ban-the-box" law. This applies to employers with 15 or more employees and state agencies.
Under this law, employers cannot inquire about criminal convictions until after determining the applicant is qualified for the position and notifying them they have been selected for an interview or, if no interview, before making a conditional offer. If an employer decides to take adverse action based on conviction history, they must perform an individualized assessment considering the nature of the offense, the time elapsed, and the nature of the job. The employer must provide written notification to the applicant, including notice of the disqualifying convictions and an opportunity to respond.
Expungement and Sealing of Records
Illinois law allows expungement (complete destruction) of certain records and sealing (restricting access) of others under the Criminal Identification Act (20 ILCS 2630/). Arrests not leading to conviction, most supervision completions, and certain minor offenses are eligible for expungement. Many convictions can be sealed after waiting periods: typically three years for misdemeanors and four years for felonies, though violent crimes and sex offenses generally cannot be sealed.
Once records are sealed, they are not accessible to most employers conducting background checks. Expunged records are treated as if they never occurred, and individuals can legally deny the arrest. However, sealed records remain accessible to law enforcement and certain regulated employers (schools, healthcare facilities, positions working with children or vulnerable adults).
Consumer Reporting Agency Requirements
When employers use third-party background check companies (consumer reporting agencies), they must comply with the Fair Credit Reporting Act (FCRA). This requires written authorization from the applicant, pre-adverse action notification with a copy of the report and a summary of rights, and an opportunity to dispute inaccurate information before final adverse action. Illinois employers must also comply with the Employee Credit Privacy Act (820 ILCS 70/), which restricts use of credit reports unless substantially job-related.
Social Media and Electronic Privacy
The Right to Privacy in the Workplace Act (820 ILCS 55/) prohibits Illinois employers from requesting or requiring access to employees' or applicants' social media accounts. Employers cannot request passwords, require adding the employer to social media contacts, require access in the employer's presence, or retaliate against individuals who refuse these requests.
Protecting Yourself in Illinois
Taking proactive steps to protect your privacy in Illinois requires understanding both available legal mechanisms and practical privacy measures. This section provides actionable guidance for Illinois residents.
Step 1: Freeze Your Credit
Illinois law (815 ILCS 505/2SS) requires credit bureaus to provide free security freezes to all consumers. Contact each major bureau directly: Equifax (800-349-9960 or equifax.com/personal/credit-report-services), Experian (888-397-3742 or experian.com/freeze), and TransUnion (888-909-8872 or transunion.com/credit-freeze). Also freeze with Innovis (800-540-2505 or innovis.com). Credit bureaus must implement freezes within one business day of electronic or phone requests. A freeze prevents new creditors from accessing your credit report, blocking most identity thieves from opening accounts in your name. You receive a PIN to lift the freeze temporarily when needed.
Step 2: Opt Out of People-Search Sites
Data broker websites compile and publish personal information from public records. Major sites require individual opt-out requests: Whitepages.com (opt-out at whitepages.com/suppression-requests), Spokeo (spokeo.com/optout), BeenVerified (beenverified.com/faq/opt-out), MyLife (mylife.com/privacy-policy, scroll to suppression), PeopleFinder (peoplefinder.com/manage), Intelius (intelius.com/opt-out), and TruthFinder (truthfinder.com/opt-out). Each site has different procedures, typically requiring you to find your listing, copy the URL, submit an opt-out form with verification, and wait 24-72 hours for removal. New listings may reappear as data is refreshed, requiring periodic monitoring.
Step 3: Request Record Sealing or Expungement
To seal or expunge criminal records in Illinois, first obtain your criminal history transcript from the Illinois State Police (isp.state.il.us/crimhistory). Review what appears and determine eligibility based on offense type and waiting periods under 20 ILCS 2630/5.2. File a petition in the circuit court where the arrest or conviction occurred. Forms are available through the Illinois Legal Aid website (illinoislegalaid.org). The petition must list all relevant arrests and cases. The court schedules a hearing where the State's Attorney can object. If granted, the court issues an order directing law enforcement agencies to seal or expunge records. You must serve the order on all listed agencies. The process typically takes 3-6 months.
Step 4: Exercise FOIA Privacy Rights
To prevent disclosure of personal information in government records, submit written requests to relevant public bodies asking them to redact your personal information from publicly available records under FOIA exemptions. For example, request that your home address be redacted from property records when disclosed to requesters, citing the personal privacy exemption (5 ILCS 140/7(1)(b)). While agencies must still maintain accurate records, they can redact private information before public disclosure.
Step 5: Monitor and Protect Biometric Data
Be aware when businesses request biometric information like fingerprints or facial scans. Under BIPA, companies must provide written notice and obtain written consent. Ask employers, gyms, and other businesses about their biometric data policies. You can refuse to provide biometric data in most private sector contexts. If you believe your biometric rights have been violated, consult with an attorney about potential BIPA claims, which include statutory damages and attorneys' fees.
Step 6: Contact Relevant Illinois Agencies
For privacy violations, contact the Illinois Attorney General's Consumer Protection Division (1-800-386-5438 or illinoisattorneygeneral.gov). For FOIA issues, contact the Attorney General's Public Access Counselor (publicaccess@atg.state.il.us). For health privacy concerns, contact the Illinois Department of Public Health (217-782-4977). For employment discrimination based on criminal records, contact the Illinois Department of Human Rights (217-785-5100 or illinois.gov/dhr).
Illinois Data Breach Notification
Illinois's Personal Information Protection Act (815 ILCS 530/) establishes specific requirements for data breach notifications, imposing obligations on any entity that owns or licenses personal information of Illinois residents.
What Triggers Notification Requirements
A breach requiring notification occurs when there is unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information. Personal information includes an individual's first name or first initial and last name combined with any one of the following: Social Security number, driver's license number or state identification card number, account number or credit/debit card number in combination with any security code or password that would permit access to the account, medical information, health insurance information, or biometric information.
Notification Timeline and Requirements
Entities must notify affected Illinois residents in the most expedient time possible and without unreasonable delay. The law does not specify a precise timeframe but requires notification consistent with legitimate needs of law enforcement and measures necessary to determine the scope of the breach and restore the reasonable integrity of the system. Notification can be delayed if law enforcement determines notification will impede a criminal investigation, but must proceed once law enforcement determines notification will not compromise the investigation.
Method of Notification
Notice must be provided by written notice, electronic notice (if consistent with E-SIGN Act provisions for electronic records and signatures), or substitute notice if the entity demonstrates that the cost of providing notice would exceed $250,000, the affected class exceeds 500,000 persons, or the entity does not have sufficient contact information. Substitute notice consists of email notice if the entity has email addresses, conspicuous posting on the entity's website, and notification to major statewide media.
Content Requirements
Notifications must include the date or estimated date of the breach, a description of the personal information compromised, information about what the entity has done to protect individuals whose information has been breached, contact information for major credit reporting agencies if the breach involves Social Security numbers or driver's license numbers, and advice on steps individuals can take to protect themselves.
Notice to Attorney General
If a breach affects more than 500 Illinois residents, the entity must notify the Illinois Attorney General's office. This notification should be made in the same timeframe as notice to affected individuals and should include the same information provided to individuals plus the approximate number of Illinois residents affected.
Penalties for Non-Compliance
Violations of the Personal Information Protection Act constitute violations of the Illinois Consumer Fraud and Deceptive Business Practices Act (815 ILCS 505/). The Attorney General can seek civil penalties, injunctive relief, and costs. Additionally, affected individuals may have standing to bring private actions for damages resulting from violations, though the statute does not explicitly create a private right of action.
Children's Privacy in Illinois
Illinois provides multiple layers of protection for children's privacy through federal laws that apply in Illinois and state-specific statutes addressing educational records, biometric data, and online privacy.
COPPA Compliance in Illinois
The federal Children's Online Privacy Protection Act (COPPA) applies to operators of websites and online services that are directed to children under 13 or that knowingly collect information from children under 13. Operators must obtain verifiable parental consent before collecting, using, or disclosing personal information from children. Illinois businesses and schools operating websites or services targeting children must comply with COPPA's requirements, including posting clear privacy policies, providing notice to parents, obtaining consent, allowing parents to review information collected, giving parents the opportunity to prevent further use, maintaining reasonable data security, and retaining information only as long as reasonably necessary.
Student Online Personal Protection Act
Illinois enacted the Student Online Personal Protection Act (105 ILCS 85/), known as SOPPA, which regulates operators of websites, online services, or mobile applications used primarily for K-12 school purposes. Under SOPPA, operators cannot engage in targeted advertising to students, create profiles of students except for school purposes, sell or rent student information, or disclose covered information unless for legitimate educational purposes. Operators must implement reasonable security procedures, delete student information when requested by schools, and provide clear privacy policies. Schools must enter into written agreements with operators containing specific privacy protections before students use the services.
FERPA and Educational Records
The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records and applies to all Illinois schools receiving federal funding. Under FERPA, parents have the right to inspect and review their children's education records, request corrections to inaccurate records, and consent to disclosure of personally identifiable information (with specific exceptions). Rights transfer to students when they turn 18 or attend postsecondary institutions. Illinois schools must provide annual notification of FERPA rights and comply with requests for access within 45 days.
Illinois School Student Records Act
The Illinois School Student Records Act (105 ILCS 10/) provides additional protections beyond FERPA. This law classifies student records as either permanent (records of the minimum information necessary to reflect the student's educational progress, including grades, attendance, and test scores) or temporary (all other information, including health records, family background, intelligence tests, and psychological evaluations). Temporary records must be destroyed within five years after the student graduates or permanently withdraws. The law restricts access to student records to parents, students over 18, school personnel with legitimate educational interest, and others only with consent or as specifically permitted by law.
Biometric Privacy for Students
The Biometric Information Privacy Act applies to biometric data collection in schools, though schools are governmental entities and some BIPA provisions may not apply. However, private vendors providing services to schools involving biometric collection must comply with BIPA. Additionally, Illinois law specifically addresses biometric data collection in schools through provisions requiring parental consent before collecting student biometric information for identification or tracking purposes.
Frequently Asked Questions
Can I sue a company for violating my biometric privacy rights in Illinois?
Yes. The Biometric Information Privacy Act (740 ILCS 14/) includes a private right of action, meaning individuals can sue companies directly for violations without waiting for government enforcement. You can recover $1,000 for each negligent violation or $5,000 for each intentional or reckless violation, plus attorneys' fees and costs. You do not need to prove actual harm or damages to bring a BIPA claim; the violation itself creates standing to sue. The statute of limitations is five years for written contract claims and one year for other violations, though courts have interpreted this differently. Major BIPA settlements have included Facebook's $650 million settlement and multiple settlements against employers for fingerprint time clocks.
How do I get my arrest record expunged in Illinois if charges were dropped?
Arrests not leading to conviction are generally eligible for immediate expungement in Illinois. First, obtain your Illinois criminal history transcript from the Illinois State Police (ISP) to verify what appears in their records. File a petition for expungement in the circuit court where the arrest occurred, using forms available through Illinois Legal Aid (illinoislegalaid.org) or the circuit court clerk. The petition must list the arrest and all related information. Serve the petition on the State's Attorney and ISP. The court will schedule a hearing, though many expungements for arrests without conviction are granted without objection. If granted, the court issues an order directing all agencies to expunge the record. Serve the order on all listed agencies. The entire process typically takes 2-4 months. Once expunged, you can legally deny the arrest occurred, and the record should not appear on background checks.
What should I do if I receive a data breach notification letter?
Take immediate action: First, carefully read the notification to understand what information was compromised. If the breach involved Social Security numbers, accept any offered free credit monitoring and identity theft protection services. Place fraud alerts with the three major credit bureaus (Equifax, Experian, TransUnion) by contacting one bureau, which will notify the others. Consider placing a full security freeze on your credit reports, which is free in Illinois. Monitor your credit reports closely for unauthorized accounts. If financial account information was breached, contact your bank or credit card issuer to discuss closing accounts and opening new ones. Monitor account statements for fraudulent charges. Change passwords for any affected accounts and enable two-factor authentication. Document all notifications and actions taken. If you experience identity theft resulting from the breach, file a report with the Federal Trade Commission at IdentityTheft.gov and file a police report with your local law enforcement. You may have legal claims against the breached entity, particularly if they failed to comply with Illinois notification requirements or unreasonably failed to protect your information.
Can my employer in Illinois require me to provide my social media passwords?
No. The Right to Privacy in the Workplace Act (820 ILCS 55/) explicitly prohibits Illinois employers from requesting or requiring employees or job applicants to provide usernames, passwords, or other account information for personal social media accounts. Employers cannot require you to add the employer to your social media contacts, access your social media in the employer's presence, or change your privacy settings. They also cannot discharge, discipline, or otherwise penalize you for refusing to provide this information. Limited exceptions exist when employers need to investigate employee misconduct or unauthorized transfer of proprietary information to personal accounts, access employer-provided devices or accounts, or comply with legal requirements. If your employer violates this law, you can file a complaint with the Illinois Department of Labor or pursue legal action for damages.
How long does an Illinois employer have to wait before asking about criminal history?
Under the Job Opportunities for Qualified Applicants Act (820 ILCS 75/), Illinois employers with 15 or more employees cannot inquire about criminal history until after they have determined the applicant is qualified for the position and either (1) selected the applicant for an interview, or (2) if no interview is conducted, made a conditional offer of employment. This means employers cannot ask about criminal history on initial applications or during initial screening. Once permitted to inquire, employers cannot automatically disqualify based on conviction history but must conduct an individualized assessment considering the nature and gravity of the offense, time elapsed since the offense, and nature of the job sought. Certain positions are exempt from ban-the-box requirements, including law enforcement, positions working with vulnerable populations, and jobs where criminal background checks are required by law. Employers can still conduct criminal background checks after the appropriate stage, but cannot base decisions solely on arrests that did not lead to conviction.
What are my rights if I want to access my medical records in Illinois?
Under both federal HIPAA regulations and Illinois law, you have the right to access your medical records. Healthcare providers must provide access within 30 days of your written request, though they can extend this one time by 30 days with written notice explaining the delay. Providers can charge reasonable copying fees: in Illinois, these are typically limited to $1 per page for the first 25 pages, 50 cents per page for pages 26-50, and 25 cents per page thereafter, plus actual costs for postage and supplies. Fees for electronic copies cannot exceed $150. If records are maintained electronically, you can request electronic copies. Providers can deny access in limited circumstances, such as when disclosure would endanger you or others, but must provide a written explanation and an opportunity for review by another professional. For mental health records specifically, the Mental Health and Developmental Disabilities Confidentiality Act (740 ILCS 110/) gives therapists discretion to deny access if they determine disclosure would be harmful, though you can seek court review of denials. To access records, submit a written request to your provider's medical records department specifying which records you want and your preferred format.
How do I remove my information from people-search websites?
Removing information from people-search sites requires individual opt-out requests to each site, as Illinois does not currently have a comprehensive data broker opt-out law. The process varies by site but generally involves: (1) searching the site to find your listing, (2) copying the URL of your profile, (3) locating the opt-out or privacy page (often linked in the site footer), (4) submitting an opt-out request with your information and profile URL, (5) verifying your identity (often requiring email confirmation or submission of ID), and (6) waiting 24-72 hours for removal. Major sites include Whitepages, Spokeo, BeenVerified, MyLife, PeopleFinder, Intelius, and TruthFinder, each with different procedures. Be aware that information may reappear as sites refresh their databases from public records, requiring periodic re-submission of opt-outs. Some services charge fees for expedited removal. For more permanent solutions, you can request that your information be flagged as confidential in underlying public records where legally permissible, such as participating in Illinois's Address Confidentiality Program if you're a victim of domestic violence, sexual assault, or stalking (administered by the Illinois Secretary of State).
What happens if a company violates Illinois's data breach notification law?
Violations of the