Law Updates | March 29, 2026 | 9 min read

Illinois Privacy Legislation 2026: Five Bills That Could Make It the Next Major Privacy State

Illinois: The Biometric Privacy Pioneer Eyeing Comprehensive Data Privacy

Illinois is already one of the most privacy-forward states in the nation. Its Biometric Information Privacy Act (BIPA), enacted in 2008, remains the only state biometric privacy law with a private right of action — generating billions of dollars in settlements, including a landmark $650 million Facebook settlement in 2021. You can check your biometric compliance obligations with our Biometric Compliance Checker.

But Illinois still lacks a comprehensive consumer data privacy law covering the full spectrum of personal data, the kind that 20 states (soon to be 21 with Oklahoma) have already enacted. That could change in 2026. The Illinois General Assembly’s 104th session has produced five privacy-related bills that, if passed, would dramatically reshape the state’s data privacy landscape.

Here’s what each bill proposes, how they compare to existing state laws, and what businesses should be preparing for.

SB 2875 — Illinois Consumer Data Privacy Act

Sponsor: Sen. Laura M. Murphy | Introduced: January 16, 2026 | Status: Referred to Senate Committee on Judiciary

SB 2875 is the most comprehensive of the five bills and the one most likely to establish Illinois as a major player in the state privacy law landscape. It would create the Illinois Consumer Data Privacy Act, establishing a framework similar to Virginia’s Consumer Data Protection Act (VCDPA) and Colorado’s Privacy Act (CPA).

Key Provisions of SB 2875

Applicability thresholds: The law would apply to entities that conduct business in Illinois or produce products or services targeted to Illinois residents and satisfy at least one of two conditions: (1) control or process the personal data of 100,000 or more consumers, or (2) control or process the personal data of at least 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.

Consumer rights: The bill grants Illinois consumers the right to confirm whether their data is being processed, access their personal data, correct inaccuracies, delete their personal data, obtain a portable copy, and opt out of targeted advertising, profiling in furtherance of decisions producing legal or similarly significant effects, and the sale of personal data.

Controller obligations: Data controllers must limit data collection to what is adequate, relevant, and reasonably necessary; implement reasonable data security practices; provide clear privacy notices; conduct data protection assessments for high-risk processing activities; and obtain consent before processing sensitive data (including racial/ethnic origin, religious beliefs, health data, sexual orientation, citizenship status, and precise geolocation).

Enforcement: The Illinois Attorney General would have exclusive enforcement authority. The bill does not include a private right of action for the comprehensive law — a significant departure from Illinois’s BIPA, which is famous for its private right of action. Cure period provisions would allow businesses to address violations before facing penalties.

Use our Privacy Law Calculator to see how thresholds like these would affect your business across multiple states.

HB 5221 — Consumer Data Privacy Act (House Version)

Status: Introduced in the House | Committee: Cybersecurity, Data Analytics & IT

HB 5221 is a House companion bill that mirrors many of SB 2875’s provisions while adding specific language around data processor and controller agreements. The bill establishes requirements for contracts between controllers and processors, including instructions for processing personal data, confidentiality obligations, data security commitments, and return-or-delete provisions upon contract termination.

This bill also includes consumer data rights, including the right to opt out of the processing of personal data for purposes of targeted advertising, profiling, and data sales. If both SB 2875 and HB 5221 advance, they are likely to be reconciled into a single legislative vehicle.

SB 3890 — Data Privacy and AI Governance Framework

Status: Introduced in the Senate

SB 3890 is perhaps the most ambitious of the five bills. Rather than following the Virginia/Colorado model, it establishes a comprehensive data privacy and artificial intelligence governance framework modeled on the leading protections adopted in Minnesota and California.

The bill addresses both traditional personal data privacy and the emerging challenges posed by AI systems, including requirements for transparency in automated decision-making, algorithmic impact assessments, and protections against discriminatory AI outcomes. For businesses already subject to California’s ADMT (Automated Decision-Making Technology) rules, SB 3890 would layer additional Illinois-specific obligations on top. See our guide to automated decision-making under state privacy laws for more context.

SB 3220 — Biometric Data Protections Expansion

Status: Introduced in the Senate

While Illinois already has BIPA, SB 3220 would expand biometric data protections to address new technologies and collection methods that did not exist when BIPA was enacted in 2008. The bill targets advancements in biometric collection including neural data, gait analysis, and other emerging biometric identifiers that may not be explicitly covered under BIPA’s existing definitions.

This is consistent with a broader national trend: several states are expanding their biometric privacy protections, as covered in our guide to biometric privacy laws by state.

SB 3548 — Consumer Privacy Fund

Status: Introduced in the Senate

SB 3548 takes a different approach by creating a dedicated Consumer Privacy Fund to support enforcement of privacy laws in Illinois. The fund would provide the Attorney General’s office with dedicated resources for investigating privacy violations, conducting audits, and pursuing enforcement actions.

This is significant because one of the biggest challenges in state privacy enforcement is resource constraints. Even states with strong privacy laws on the books often lack the staffing and funding to enforce them consistently. A dedicated fund would signal that Illinois is serious about active enforcement, not just having a law on paper.

How Illinois Would Compare to Existing State Privacy Laws

If SB 2875 passes, Illinois’s comprehensive privacy law would sit firmly in the middle tier of state privacy laws — stronger than Utah and Iowa, comparable to Virginia and Colorado, but not as expansive as California’s CCPA/CPRA or Maryland’s MODPA.

Key comparisons:

Thresholds: Illinois’s 100,000-consumer threshold matches Virginia, Connecticut, and most other states. The 25,000-consumer + 25% revenue alternative is also standard. Use our State Comparison Tool to see how these thresholds stack up.

Consumer rights: The standard five rights (access, correction, deletion, portability, opt-out) match the Virginia/Colorado model. California remains the most expansive with additional rights like the right to limit use of sensitive information.

Enforcement: AG-only enforcement (no private right of action) for the comprehensive law is the norm: only California currently grants a private right of action for data breaches, and Illinois’s own BIPA stands out for its private right of action for biometric violations.

AI governance: If SB 3890 also passes, Illinois would join Colorado and California as states with explicit AI/automated decision-making provisions, though SB 3890’s combined privacy-plus-AI approach would be more comprehensive than most.

What Businesses Should Do Now

Even though none of these bills has been signed into law yet, businesses operating in Illinois should start preparing. Here’s a practical action plan:

1. Monitor the legislative session. The Illinois General Assembly’s 104th session runs through 2026. If any of these bills advance past committee, expect movement in the spring and summer.

2. Audit your Illinois data practices. If you serve Illinois consumers, inventory what personal data you collect, how you process it, and who you share it with. Use our Privacy Law Calculator to determine which existing state laws already apply to you.

3. Review your BIPA compliance. If you collect biometric data from Illinois residents, ensure you have written consent policies and proper retention schedules. The Biometric Compliance Checker can help you assess your current posture.

4. Plan for 2027–2028 effective dates. State privacy laws typically include a one- to two-year implementation window between enactment and enforcement. If a comprehensive bill passes in 2026, businesses would likely have until 2027 or 2028 to comply.

5. Build compliance infrastructure now. Don’t wait for Illinois — the 20 states that already have privacy laws share many of the same requirements. Building a compliant program now means you’ll be ready when Illinois (and other states) join the landscape. Review our California compliance checklist as a starting framework.

Frequently Asked Questions

Does Illinois already have a privacy law?

Illinois has the Biometric Information Privacy Act (BIPA), which specifically covers biometric identifiers like fingerprints, facial geometry, and iris scans. BIPA is the nation’s strongest biometric privacy law, featuring a private right of action. However, Illinois does not yet have a comprehensive consumer data privacy law covering all types of personal data — that is what SB 2875, HB 5221, and SB 3890 would create.

When would these laws take effect if passed?

If enacted during the 2026 session, most comprehensive privacy laws include a one- to two-year implementation window. A realistic timeline would be a January 1, 2027 or January 1, 2028 effective date, depending on the final bill language.

Would the new law replace BIPA?

No. SB 2875 and HB 5221 would exist alongside BIPA, creating a layered privacy framework. BIPA’s private right of action for biometric data would remain intact. The comprehensive law would add protections for all other categories of personal data, enforced by the Attorney General rather than through private lawsuits.

What are the potential penalties under SB 2875?

The bill provides for Attorney General enforcement with civil penalties. Specific penalty amounts would be determined through the legislative process, but most comparable state laws set penalties at $7,500–$10,000 per violation. A cure period would give businesses an opportunity to fix violations before penalties apply.

How does the Illinois bill compare to the CCPA?

Illinois’s SB 2875 is narrower than the CCPA/CPRA. California’s law covers all businesses above a $25M revenue threshold (which Illinois doesn’t use), grants a limited private right of action for data breaches, has a dedicated enforcement agency (the CPPA), and includes more expansive consumer rights. Illinois’s approach more closely mirrors the Virginia/Colorado model, which is the template most states have followed.

Last updated: March 29, 2026.

Disclaimer: PrivacyLawMap provides general information about US state privacy laws for educational purposes only. This is NOT legal advice. Privacy laws are complex and frequently amended. Consult with a qualified privacy attorney for advice specific to your business. PrivacyLawMap makes no warranties about the accuracy or completeness of this information.