AI in Illinois: Where Innovation Meets Legal Accountability

Introduction to AI in Illinois

Illinois has emerged as a leading jurisdiction for artificial intelligence (AI) governance. Rather than a comprehensive AI governance statute, Illinois benefits from several targeted laws that apply when AI systems affect protected interests. As a result, AI regulation in Illinois focuses on how automated systems intersect with employment practices, privacy rights, consumer protection, healthcare delivery, and individual likeness rights.

Illinois is an active adopter of AI-adjacent legislation, from requirements governing the use of AI in video interviews (expanding to address AI-related discrimination in employment) to the unauthorised use of digital replicas of an individual’s voice or likeness. These measures operate alongside existing statutes, like the Illinois Biometric Information Privacy Act (BIPA) (740 ILCS 14/1 et seq), and sectoral regimes that shape compliance obligations and litigation risk for organisations developing or implementing AI-driven systems.

Legal exposure in Illinois is shaped less by the novelty of AI technologies and more by their real‑world impact on individuals and regulated activities, positioning enforcement agencies and courts, rather than new regulatory bodies, as the primary drivers of AI oversight.

AI adoption and use in Illinois

Illinois’ AI landscape is shaped by the industries that anchor its economy, particularly healthcare and life sciences, financial services and insurance, manufacturing and logistics, and consumer‑facing enterprises.

Illinois companies implement AI for employment and workforce management, including automated résumé screening and candidate evaluation, performance monitoring, and the generation of employment-related materials. In healthcare and life sciences, AI is commonly used for administrative functions, diagnostic support, and patient engagement. Financial services, insurance, retail, and logistics businesses similarly rely on AI for fraud detection, forecasting and supply chain optimisation, and customer service.

Public-sector adoption has focused on internal efficiency and customer service, often through pilot programmes. Legal exposure typically arises from how automated systems affect employees, consumers, patients, or regulated activities.

A targeted statutory approach to AI

Illinois has passed targeted statutes addressing practical applications and risks of AI, operating within existing legal regimes, and regulating AI based on its real‑world impact. Key examples include employment decision‑making, digital likeness, and mental health and psychotherapy services.

AI in employment

Illinois has approached employment-related uses of AI through incremental regulation focused on transparency and discriminatory impact. The Artificial Intelligence Video Interview Act (820 ILCS 42/1 et seq) established baseline notice, consent, and disclosure expectations for the use of AI to analyse video interviews of applicants for positions in Illinois. The act also requires employers that rely solely on AI analysis to determine whether an applicant advances to an in-person interview to collect and annually report demographic data on those applicants to the Illinois Department of Commerce and Economic Opportunity, a narrower obligation than it may initially appear and one that is often overlooked in practice.

Amendments to the Illinois Human Rights Act (IHRA) (775 ILCS 5), enacted through House Bill (HB) 3773 (Public Act 103-0804) and effective 1 January 2026, materially expand regulatory attention. These amendments prohibit the use of AI (expressly including generative AI) that has the effect of subjecting employees or applicants to discrimination based on protected classes across a broad range of employment decisions – recruitment, hiring, promotion, renewal, selection for training or apprenticeship, discharge, discipline, and tenure – and the terms, privileges, or conditions of employment. The statute separately prohibits the use of ZIP codes as a proxy for protected classes. Failure to provide required notice that AI is being used for covered employment decisions may itself constitute a civil rights violation under the act. The statute applies regardless of whether AI tools are developed internally or sourced from third‑party vendors.

The Illinois Department of Human Rights (IDHR) has released draft implementing rules that clarify the scope and content of the notice obligation. Under those rules, notice is required whenever AI is used “to influence or facilitate” a covered employment decision, regardless of whether unlawful discrimination actually results. Required notice must disclose the AI system, its provider, the specific employment decisions it influences, the categories of personal data the system collects, a point of contact for employee questions, and information about the right to request a reasonable accommodation. Employers must publish the notice in handbooks, in postings, and on internal or public‑facing platforms and must preserve notices and related AI usage records for four years. The draft rules are pending formal notice-and-comment rulemaking. The threshold term “facilitate” is intentionally broad, creating practical uncertainty about whether tools that play an assistive or background role in employment decisions trigger notice obligations. Employers should approach this ambiguity conservatively until the IDHR issues final rules.

Enforcement under the IHRA follows established administrative procedures, with investigation by the IDHR and adjudication by the IHRC (Illinois Human Rights Commission). After exhausting administrative remedies, complainants may file civil actions in circuit court, where available remedies include uncapped compensatory damages, back pay, reinstatement, emotional distress damages, and attorneys’ fees. Unlike the AI employment laws in Colorado and New York City, Illinois’ framework does not expressly mandate bias audits or algorithmic impact assessments, though proactive assessments are advisable given that disparate impact is a basis for liability regardless of intent.

AI and digital likeness

The Digital Voice and Likeness Protection Act (815 ILCS 550), effective 9 August 2024, addresses the contractual dimension of digital replica protection. It renders unenforceable provisions in personal or professional services agreements that permit the creation and use of a digital replica to replace work the individual would otherwise have performed in person unless the agreement includes a reasonably specific description of intended uses and the individual was represented by legal counsel or a labour union.

Separately, amendments to the Illinois Right of Publicity Act (765 ILCS 1075), effective 1 January 2025, prohibit knowingly distributing, transmitting, or making available a sound recording or audiovisual work that contains an unauthorised digital replica of an identifiable individual’s voice, image, or likeness. Statutory damages of USD1,000 per violation are available, along with actual damages and profits. Limited exceptions apply. Together, these laws address both the creation and distribution of digital replicas, particularly in the media and content‑driven industries.

AI in mental health

Illinois enacted the Wellness and Oversight for Psychological Resources Act (WOPRA) (225 ILCS 155) on 1 August 2025, effective immediately. It is the first statute of its kind in the nation to codify direct restrictions on AI in therapy and psychotherapy delivery, enacted amid increasing concern about AI-powered therapy tools that provided inaccurate and, in some cases, harmful recommendations to users.

WOPRA restricts any individual, corporation, or entity (including internet-based AI) from providing, advertising, or offering therapy or psychotherapy services in Illinois unless the services are conducted by a licensed professional. Even when a licensed professional is involved, AI may not make independent therapeutic decisions, directly interact with patients, generate therapeutic recommendations or treatment plans without licensed professional review and approval, or detect emotions or mental states in clinical contexts.

WOPRA expressly permits AI for administrative support (scheduling, billing, logistics, and communications) and supplementary support (notes preparation, anonymised data analysis, and external referral identification). For supplementary support, licensed professionals must first obtain written informed patient consent describing both the AI system and its purpose before any session in which recording or transcription occurs.

The Illinois Department of Financial and Professional Regulation (IDFPR) enforces WOPRA, with civil penalties of up to USD10,000 per violation. WOPRA also expands confidentiality obligations for all therapy-related records (not only those involving AI), governing disclosures by reference to the Illinois Mental Health and Developmental Disabilities Confidentiality Act.

Existing legal regimes governing AI use

The development and implementation of AI systems in Illinois is shaped by existing legal regimes governing how automated systems collect data, influence decisions, or deliver regulated services. Three in particular underpin compliance and litigation risk for organisations: biometric privacy, data protection and security, and consumer protection.

Biometric privacy

Enacted in 2008 and significantly amended in 2024, BIPA regulates the collection, use, storage, and disclosure of biometric identifiers and biometric information, including facial geometry and voiceprints, which are frequently used by AI tools such as facial recognition systems, voice analysis technologies, and certain generative AI applications.

BIPA establishes a private right of action that has prompted extensive class action litigation. The Illinois Supreme Court’s decision in Rosenbach v Six Flags Entertainment Corp. confirmed that a plaintiff need not plead actual harm beyond a statutory violation to qualify as an “aggrieved person”.

In 2024, Illinois amended BIPA in response to Cothron v White Castle System, Inc., clarifying that repeated collection of the same biometric identifier from the same person using the same method constitutes a single violation, limiting recovery to one statutory award per person per method, with a maximum of USD1,000 for negligent violations and USD5,000 for intentional or reckless violations, significantly reshaping the scale of potential exposure. The US Court of Appeals for the Seventh Circuit confirmed in Clay v Union Pacific Railroad Co. that the amendment applies to pending cases, reducing aggregate exposure.

Data protection and security

While Illinois has not enacted a comprehensive consumer privacy statute, the state’s Personal Information Protection Act (PIPA) (815 ILCS 530/1 et seq) imposes baseline data security and breach notification obligations that affect many AI use cases. PIPA applies to organisations that collect or maintain personal information, including data that may be incorporated into AI systems or datasets used to support automated decision-making.

For organisations deploying AI, risk under PIPA often arises from expanded data collection, secondary uses of personal information, and increased reliance on third‑party vendors.

Consumer protection

The Consumer Fraud and Deceptive Business Practices Act (815 ILCS 505/1 et seq) plays a central role in regulating AI‑enabled consumer interactions. AI systems used in marketing, pricing, customer service, or content generation may give rise to liability where automated outputs are misleading, materially inaccurate, or insufficiently disclosed.

As generative AI tools become more widely integrated into consumer‑facing platforms, regulatory scrutiny increasingly centres on transparency, substantiation of claims, and adequate oversight of automated representations made to the public, including those generated by public-facing chatbots.

Enforcement and regulatory oversight

Office of the Illinois Attorney General

The Office of the Illinois Attorney General has taken an active role in addressing AI‑related risks through consumer protection and privacy enforcement. The office has publicly emphasised AI‑enabled deception, misuse of biometric data, and unfair or misleading automated practices as priority areas, particularly where AI is used to impersonate individuals, mislead consumers, or collect sensitive personal information without adequate disclosure or consent.

Enforcement authority under statutes such as the Consumer Fraud and Deceptive Business Practices Act and BIPA allows the office to pursue AI‑related misconduct without new enforcement powers.

Agency enforcement

The IDHR investigates charges of AI employment discrimination under the IHRA amendments and is developing implementing rules through notice-and-comment rulemaking. The IHRC adjudicates complaints. The department has signalled an intent to apply the new requirements broadly across employer use of AI tools.

The IDFPR is tasked with enforcing WOPRA’s restrictions on AI in mental health and psychotherapy services, with authority to impose civil penalties of up to USD10,000 per violation where AI use exceeds the statute’s limits on clinical involvement. “Therapeutic communication” is defined broadly. These enforcement regimes underscore Illinois’ emphasis on accountability and professional oversight where AI is introduced into regulated services.

Interaction with local regulators

Local governments, particularly the City of Chicago, influence AI governance through procurement standards, technology policies, and oversight of public‑facing systems. While Chicago has not adopted a separate AI enforcement regime for private entities, city‑level initiatives and guidance regarding responsible AI use in government operations have informed broader expectations around transparency, bias mitigation, and accountability.

For organisations operating in Chicago or contracting with municipal entities, these local standards can shape compliance obligations indirectly.

Litigation trends and exposure

Private rights of action

Illinois occupies an outsized position in national AI litigation risk. A defining feature of the landscape is the availability of private rights of action under statutes that frequently intersect with AI deployment. BIPA in particular has fuelled sustained and large‑scale litigation involving AI‑enabled biometric technologies, and Rosenbach confirmed that a plaintiff need not plead actual harm beyond a statutory violation to qualify as an aggrieved person under BIPA.

Beyond BIPA, AI‑related claims are regularly pursued under consumer fraud, civil rights, and common law theories, allowing plaintiffs to challenge AI‑driven conduct even where no AI‑specific cause of action exists.

Class action risk and scale

Class action exposure, particularly under BIPA, remains the most significant source of AI‑related litigation risk in Illinois. In Cothron, the Illinois Supreme Court held that BIPA claims accrue with each unlawful scan or transmission, a ruling the dissent warned could create “annihilative liability”. The 2024 legislative amendment overturned this per-scan accrual rule, and the Seventh Circuit has addressed the retroactive application of that amendment, confirming in Clay that it applies to cases pending at the time of enactment, limiting plaintiffs to at most one recovery per person. Class actions continue to present meaningful aggregate risk where large numbers of employees or customers are affected.

Vendor versus deployer liability

Illinois litigation has highlighted persistent questions regarding the allocation of liability between AI vendors and entities that deploy AI systems. Plaintiffs have frequently targeted deployers that control how AI tools are implemented and used. Courts have generally focused liability on deployers where they retain decision‑making authority or benefit directly from AI‑enabled processes; the allocation of liability between vendors and deployers remains an evolving issue, particularly outside the well-developed BIPA context where outcomes are less predictable.

In McDonald v Symphony Bronzeville Park, LLC, the Illinois Supreme Court held that employment‑related statutory privacy claims were not barred by the Workers’ Compensation Act, reinforcing that liability follows the use and control of regulated systems rather than the context in which they operate.

Organisations risk litigation regardless of whether AI tools are developed internally or sourced from third parties, placing pressure on contractual risk allocation, indemnification provisions, and governance practices.

Use of existing causes of action for AI‑related harms

A recurring feature of AI litigation in Illinois is the use of established causes of action to address alleged AI harms. Plaintiffs have advanced claims grounded in privacy, consumer protection, discrimination, negligence, and unjust enrichment, framing AI not as a novel legal category but as a mechanism through which traditional legal injuries occur.

Illinois courts have also applied ordinary principles of statutory interpretation to technology-driven claims, including applying a five-year limitation period to BIPA privacy claims in Tims v Black Horse Carriers, Inc., extending the window for class action exposure across historical biometric data collections. As a result, Illinois remains a bellwether jurisdiction for how existing legal doctrines are applied to AI‑enabled activity, with implications extending well beyond the state.

Practical considerations for organisations deploying AI

Risk management in Illinois has pragmatically shifted from whether or not AI may be used to how it is governed. Organisations are expected to exercise active oversight of AI‑enabled systems, whether developed internally or procured from third parties.

Effective governance requires clear internal ownership for AI‑related decisions, defined escalation paths, and periodic review of how automated tools operate in practice. In Illinois, where liability frequently turns on outcomes rather than intent, the absence of such governance can materially increase exposure when AI affects employment, consumers, or sensitive data.

Vendor diligence remains a recurring pressure point. Because Illinois law treats deployers as responsible for AI outcomes regardless of whether tools are vendor‑supplied, organisations are scrutinising vendor representations regarding data sources, system functionality, and compliance support and revisiting contractual provisions on data use, audit rights, indemnification, and co-operation in regulatory inquiries or litigation.

Documentation and notice practices have taken on heightened importance. Several Illinois statutes emphasise transparency and record-keeping, particularly when AI influences employment decisions or processes sensitive information. Under the IDHR’s draft implementing rules for HB 3773, employers must retain AI-related notices and usage records for four years. These records regularly become central in regulatory reviews and litigation, where contemporaneous documentation carries more weight than after‑the‑fact explanations.

Human review and accountability remain consistent themes across Illinois’ AI framework. Regulators and courts have emphasised that automated systems should not operate without meaningful human involvement, particularly in regulated or high‑impact contexts. Organisations are focusing on defining when human review is required and ensuring that AI outputs inform, rather than replace, decision‑making.

Outlook

Illinois’ approach to AI governance is expected to continue developing through targeted rulemaking rather than comprehensive reform.

The IDHR’s implementing rules for the IHRA’s AI employment provisions are pending formal notice-and-comment rulemaking and will further define notice content, timing, and record-keeping obligations for employers; the IDFPR is expected to build enforcement practice under WOPRA as the behavioural health sector adapts. Enforcement priorities will remain concentrated where AI use intersects with established protections: discrimination, biometric privacy, consumer deception, and regulated services. These are areas where Illinois regulators and courts have consistently applied existing legal frameworks to AI‑enabled conduct.

One open question with significant implications for Illinois’ state-level AI framework is federal pre-emption. Recent federal policy developments and executive actions aimed at establishing a national AI framework and limiting state and local AI regulation introduce uncertainty about the durability of statutes like HB 3773. No court has yet invalidated an Illinois AI law on pre-emption grounds, but this remains an active issue that practitioners and organisations should monitor.

More broadly, Illinois is unlikely to abandon its incremental model. The state has repeatedly addressed AI risk through discrete legislative action layered onto long‑standing regimes rather than a unified AI code. The practical implication for organisations operating in Illinois is clear: Illinois is, in practice, a litigation-forward AI risk environment, and companies that treat AI governance as a siloed technology initiative rather than as an extension of their employment, privacy, and consumer protection compliance functions will consistently find themselves behind. Risk in Illinois is driven less by technological novelty and more by impact on protected interests, and the compliance frameworks to manage that risk are already in place.