Illinois continues to stand at the forefront of US privacy law, and 2026 is shaping up to be one of its most consequential years yet. Following a period marked by rapidly expanding litigation under the Illinois Biometric Information Privacy Act (BIPA), the resurgence of the Illinois Genetic Information Privacy Act (GIPA) and new AI‑focused regulation affecting employers state-wide, courts and regulators are poised to address several foundational questions that will define the future of privacy compliance and risk in the state. With key appellate decisions pending, courts deepening their divisions and newly enacted AI obligations introducing sweeping operational challenges, Illinois remains a critical – and increasingly complex – jurisdiction for organisations navigating biometric, genetic and automated decision‑making rules. This article explores the pivotal developments shaping that landscape and the implications for businesses operating in or connected to Illinois.

The Illinois Biometric Information Privacy Act (BIPA, 740 ILCS 14/ et seq)

Enacted in 2008, BIPA has long regulated the collection, use and handling of biometric identifiers and information by private entities, but for years it attracted relatively little litigation. That changed dramatically after the Illinois Supreme Court’s 2019 decision in Rosenbach v Six Flags Entertainment Corporation, which held that plaintiffs need not allege actual harm to pursue statutory damages under BIPA. In the wake of Rosenbach, filings surged – now exceeding 1,500 cases – and courts at every level have been pressed to address foundational questions about the scope and operation of the statute.

In the authors’ 2025 Trends and Developments update, they highlighted three issues that were rising to the forefront at that time:

• the applicability of BIPA’s healthcare exemption to employee time‑clock scans;
• the reach of the state‑contractor exemption under BIPA; and
• whether the 2024 amendment limiting damages to a single recovery applies retroactively to cases that were pending when the amendment took effect.

Going into 2026, there has been significant movement with respect to the state-contractor exemption and the retroactivity of the statutory damages amendment – both in state court and in federal court – setting the stage for pivotal developments on both of these fronts.

State-contractor exemption

BIPA contains an often‑overlooked provision exempting any “contractor, subcontractor, or agent of a State agency or local unit of government when working for that State agency or local unit of government”. Historically, the only Illinois appellate decision interpreting that language has been Enriquez v Navy Pier, Inc, where the First District established a three‑part framework for applying the exemption: the entity seeking to avail itself of the exemption must have been a contractor, of a governmental unit, and working for that governmental unit at the time of the alleged biometric collection. Focusing on the ordinary meaning of the statutory text, the court held that the defendant in Enriquez fit comfortably within the exemption because it was performing services under a contract with a unit of government.

Despite the appellate court’s straightforward approach in Enriquez, trial courts have continued to diverge in their approaches. Some – most notably in Miranda v Pexco, LLC – have adopted a strictly temporal view consistent with the court’s plain reading in Enriquez, ruling that the exemption applies so long as the defendant held a government contract during the period that the plaintiff worked for the defendant, regardless of whether the biometric collection related to the governmental work. Other courts have expanded the inquiry, requiring discovery into the scope of the contract, the revenue derived from it, or the degree to which the alleged biometric collection was tied to governmental responsibilities, often deferring any ruling until summary judgment. As a result, the exemption continues to be one of the most inconsistently applied features of the statute.

Further important developments are expected in 2026. In January, the Third District heard oral arguments in a case that is expected to provide the first ruling on the exemption from an Illinois appellate court since Enriquez. Although the discussion in this case touched on whether the exemption should turn on a functional nexus between the biometric activity and the governmental work, the appellate panel also explored the practicality and predictability of a more straightforward temporal framework – an approach that trial courts have already found to be more workable in its application. A written opinion has not yet been issued, but any guidance from the Third District will likely shape how courts state-wide evaluate the exemption and could help bring greater clarity to an area where a consistent, temporally focused analysis would provide both courts and litigants with a clearer path forward. Alternatively, should the Third District hold contrary to the First District, there is little doubt that the trial courts will continue to take inconsistent approaches themselves, and BIPA litigants will look to the Illinois Supreme Court for clarification.

At the same time, the state-contractor exemption is also drawing increased scrutiny in federal court. In late 2025, a Northern District of Illinois judge granted a motion for interlocutory appeal under 28 USC Section 1292(b) after denying a defendant’s attempt to invoke the exemption at the pleadings stage. Specifically, the question for interlocutory appeal is whether the state-contractor exemption imposes a purely temporal test or whether the BIPA violation must occur within the scope of a government contract. The court concluded that the question presents a controlling, unsettled issue of law appropriate for immediate appellate review. The matter was accepted by the Seventh Circuit for review, fully briefed, and oral arguments were heard in mid-February 2026.

Together, the pending Third District and Seventh Circuit decisions make 2026 a year to watch for the state‑contractor exemption under BIPA. Until clearer guidance emerges, entities performing government‑related work should continue to document their contractual roles and the nature of the work performed, as courts remain divided on whether the exemption turns on timing, function or some combination of both.

Retroactivity of statutory damages amendment

The question of whether the 2024 amendment to BIPA’s damages provision applies retroactively remains one of the most unsettled – and consequential – issues in this space. The amendment, enacted in response to the Illinois Supreme Court’s warning in Cothron v White Castle System, Inc that a per scan accrual theory could yield “potentially excessive damage awards”, limits an individual to a single recovery for the same method of collection. Whether that limitation governs only post amendment lawsuits or also applies to cases based on conduct that occurred before the amendment went into effect has sharply divided courts.

When the authors last wrote about this, the federal courts were already split. That divide has since deepened and in some respects shifted. One notable development is the court’s reversal of its previous position in Gregg v Central Transport LLC. In late 2024, this court had been one of the few to deem the amendment a mere clarification of existing statutory language, meaning that it should apply retroactively under Illinois precedent governing the issue. However, in March 2025, the same judge revisited the issue and reached the opposite conclusion. After examining the statutory text and its conflict with Cothron’s interpretation of what constitutes a “violation”, the court determined that the amendment substantively changed the statute and therefore could not be applied to conduct or lawsuits predating its enactment under Illinois law. This reversal both underscores the difficulty that courts face in distinguishing “statutory clarification” from “substantive change” and highlights how rapidly views on retroactivity have evolved.

At the same time, another federal court confronted the same question and concluded – consistent with much of the emerging authority – that the amendment is not retroactive. In that case, the court emphasised that determining whether an individual was injured once or hundreds of times goes to the substance of the right itself, squarely placing the amendment on the substantive side of Illinois’ retroactivity framework. The court denied the defendant’s attempt to limit damages to a single recovery and, recognising the significance of the issue, certified its order for interlocutory appeal. In late 2025, the Seventh Circuit agreed to review this matter and accepted the request for interlocutory appeal. In doing so, the Seventh Circuit further consolidated this issue with the state contractor exemption above, in an attempt to determine both issues at the same time. As a result, the Seventh Circuit’s pending decision will be the first federal appellate guidance on this question – guidance that could meaningfully shape the trajectory of pending and future BIPA cases.

As courts continue to reassess the retroactivity issue – and even reverse themselves, as in Gregg – the landscape remains in flux. Until the Seventh Circuit or the Illinois Supreme Court weighs in, litigants should expect continued inconsistency across trial courts, with high‑stakes consequences for exposure and strategy.

The Illinois Genetic Information Privacy Act (GIPA, 410 ILCS 513/ et seq)

Enacted a decade before BIPA, GIPA remained largely dormant for years, though the landscape began changing considerably in 2023. Since then, more than 100 class actions have been filed, many targeting employers whose pre‑employment forms, post‑offer medical exams or onboarding processes allegedly solicited genetic information in violation of the statute. GIPA’s core purpose has always been to protect individuals from discriminatory use or unauthorised disclosure of genetic information, and its definitions – harmonised with the Health Insurance Portability and Accountability Act  (HIPAA) and the Genetic Information Nondiscrimination Act (GINA) – sweep far beyond laboratory DNA tests to include family medical history, requests for genetic services, and information related to genetic research participation. The statute prohibits requesting or using genetic information as a condition of employment and provides for liquidated damages of USD2,500 for each negligent violation and USD15,000 for each reckless or intentional violation.

To date, most GIPA litigation has focused on employment‑related claims, particularly those arising from pre‑employment physicals or questionnaires that allegedly probed into an applicant’s family medical history. Courts have permitted claims to proceed past the pleading stage where allegations plausibly involved “genetic information” as defined under HIPAA and incorporated into GIPA; at the same time, some decisions have narrowed the scope of viable claims by distinguishing between enquiries about a plaintiff’s personal medical condition – rather than familial conditions – or by finding Employment Retirement Income Security Act of 1974 (ERISA) pre-emption in wellness‑programme contexts. Plaintiffs have also pushed to broaden the statute’s reach, bringing cases against genetic‑testing companies and tech platforms based on tracking‑pixel activity and other alleged disclosures of genetic‑related data to third‑party analytics tools.

Going into 2026, the most significant developments will centre on class certification and merit‑based summary‑judgment rulings – neither of which have courts yet addressed in a meaningful way, but both of which are expected this year. Several of the earliest‑filed 2023 cases are now reaching the procedural point where class certification briefing is imminent. Based on the issues raised in those cases and the dynamics already visible in the litigation, courts are likely to scrutinise Federal Rule of Civil Procedure 23(a) and 23(b)(3) requirements closely. Plaintiffs will emphasise uniformity: standardised forms, common onboarding protocols and employer‑wide practices that allegedly required disclosure of family medical history. Defendants, by contrast, will point to variations in how oral medical‑exam questions were asked, differences across examiners, job sites and time periods, and the threshold questions of whether the information requested qualifies as “genetic information” at all – elements that cut against commonality and predominance.

Typicality and adequacy challenges are also expected, particularly where named plaintiffs underwent different screening processes or answered different medical enquiries than absent class members. Ascertainability concerns will likely be central as well; because many alleged violations involve oral exchanges during medical exams with no written record, identifying who was actually asked a family‑history question may prove difficult.

On the merits, early summary judgment decisions will likely address several recurring questions:

• whether particular enquiries constitute “genetic information” under HIPAA’s definitions;
• whether requests were truly made as a condition of employment;
• whether inadvertent or stray references fall within GIPA’s prohibitions; and
• whether defences such as ERISA pre-emption, extraterritoriality, OSHA‑driven compliance or consent/authorisation defeat liability.

Defendants are also expected to push arguments that the statutory scheme – like BIPA’s – requires courts to apply discretion in awarding damages, particularly in cases involving large putative classes and minimal actual harm.

Altogether, 2026 is shaping up to be a pivotal year for GIPA litigation. With class certification and summary judgment decisions on the horizon, courts will finally begin resolving the threshold issues that have thus far only been previewed at the motion‑to‑dismiss stage. These rulings will determine not only the viability of the earliest GIPA cases but also the trajectory of the statute as a potential parallel to BIPA – or, alternatively, as a narrower, more context‑specific privacy statute that resists broad class treatment.

Illinois Privacy Legislative Developments

At the outset of 2026, the Illinois legislature considered approximately seven bills addressing privacy and technology regulation. Notably, the proposed Illinois Personal Information Privacy Act failed to pass, leaving the state without a comprehensive privacy framework comparable to the California Consumer Privacy Act (CCPA) or the Virginia Data Protection Act (VDPA). That said, Illinois continues to pursue a targeted regulatory approach, focusing on discrete categories of sensitive information, as seen with BIPA and GIPA, as well as recent legislative efforts that have sought to regulate the collection and use of precise geolocation data (eg, SB 2121 and HB 3712).

Of particular significance for Illinois – and for employers operating locally and nationally with Illinois personnel or job applicants – are new restrictions governing the use of artificial intelligence (AI) in employment-related decision-making. Illinois now joins jurisdictions such as California, Colorado and New York City in imposing stringent requirements on AI-driven hiring, performance evaluation and job-related assessments.

Effective January 2026, House Bill 3773 amended the Illinois Human Rights Act to regulate AI use in employment contexts (Illinois Human Rights Act, 775 ILCS 5/2-102, 2026). The statute defines AI broadly, encompassing both generative AI (content creation) and predictive AI (tools generating scores, rankings, classifications or recommendations). Employers must provide written notice to applicants and employees whenever AI is utilised for decisions related to recruitment, hiring, promotion, training, discharge, discipline, tenure or other employment conditions.

The law also prohibits AI applications that result in discriminatory outcomes based on protected characteristics. While this prohibition is noteworthy, it largely reiterates existing anti-discrimination provisions under 775 ILCS 5/2-102.

The Illinois Department of Human Rights (IDHR) was granted authority to promulgate rules governing notice requirements, timing and delivery methods. However, the text of the IDHR draft regulations under consideration expands the statutory scope and requirements significantly.

For example, where the statute refers to AI “use”, the draft rules extend coverage to any AI that “influences or facilitates” an employment decision, even in the absence of automated decision-making. This interpretation potentially encompasses a wide array of applications, including generative AI tools used for drafting job postings.

There are also disclosure requirements in the draft rules. Under the proposed framework, employers must disclose:

• the name of each AI product, along with its developer and vendor;
• the employment decisions that the AI influences or facilitates;
• the purpose of the AI system and categories of personal data processed, described in practical terms;
• the job positions for which the AI is deployed;
• a designated point of contact for enquiries; and
• information regarding the right to request reasonable accommodation (effectively an opt-out mechanism).

According to the draft regulations, AI notices to personnel must be posted in multiple locations, including:

• the employee handbook;
• a conspicuous physical location where workplace notices are displayed;
• the employer’s internal and external websites; and
• text of all job postings.

Employers must also update these disclosures within 30 days of adopting any new AI technology. As AI technology develops and evolves, it is easy to imagine significant hours being spent updating the Illinois disclosures in order to confirm that each publication version is current, and that the technology use and descriptions are correct – not to mention the creation and management of the alternative opt-out process. 

The statute’s explicit ban on using zip codes as proxies for protected characteristics reflects concerns about geographic segregation in Illinois. However, the law does not prohibit reliance on other location-based data, such as city or county identifiers, creating potential ambiguity. That said, employers would be well advised to avoid incorporating any identifier or variable into AI-driven decision-making intended for use as a proxy aligned with a protected class or identifying characteristic.

While the state’s attempt at an omnibus privacy law to regulate all categories of “personal information” has essentially stalled, the recent regulations concerning the collection and processing of discrete categories of sensitive personal information and the use of AI in employment are worthy of close attention. The framework for the regulation of AI for employment and hiring emphasises transparency and anti-discrimination. However, the expansive interpretation proposed by the IDHR introduces operational complexity (and potentially a practical impossibility) for employers. Organisations should monitor rule-making developments closely and consider steering clear of the state for AI personnel technology deployment until specific requirements are sorted out.