Data Protection Impact Assessment (DPIA) - Illinois
DATA PROTECTION IMPACT ASSESSMENT (DPIA)
State of Illinois
Organization: [________________________________]
Assessment Date: [__/__/____]
Assessment Reference No.: [________________________________]
Prepared By: [________________________________]
Department/Division: [________________________________]
1. Project Overview
Project Name / Identifier: [________________________________]
Project Owner: [________________________________]
Executive Sponsor: [________________________________]
Project Description:
[________________________________________________________________________________]
[________________________________________________________________________________]
[________________________________________________________________________________]
Business Justification:
[________________________________________________________________________________]
[________________________________________________________________________________]
Projected Launch Date: [__/__/____]
Project Phase: [____] (e.g., concept, design, development, deployment, ongoing operations)
Systems / Applications Involved:
| System Name | Vendor | Environment | Data Types |
|---|---|---|---|
| [________________________________] | [________________________________] | [____] | [________________________________] |
| [________________________________] | [________________________________] | [____] | [________________________________] |
| [________________________________] | [________________________________] | [____] | [________________________________] |
2. Scope of Processing
2.1 Data Subjects
☐ Customers / Consumers
☐ Employees / Job Applicants
☐ Vendors / Contractors
☐ End Users (App / Website)
☐ Minors (under 13)
☐ Minors (13-17)
☐ Other: [________________________________]
2.2 Categories of Personal Data Collected
Standard Personal Information (815 ILCS 530/5):
☐ First name or first initial and last name
☐ Social Security number
☐ Driver's license number or Illinois state identification card number
☐ Financial account number, credit card number, or debit card number (with or without security code, access code, or password)
☐ Medical information
☐ Health insurance information
☐ Username or email address in combination with password or security question and answer
CRITICAL -- Biometric Information (740 ILCS 14/10):
☐ Fingerprints
☐ Retina or iris scans
☐ Voiceprints
☐ Scans of hand geometry
☐ Scans of face geometry (facial recognition)
☐ Other unique biometric identifiers
☐ Biometric information derived from the above identifiers
WARNING: If ANY biometric data box is checked above, the full BIPA compliance framework in Section 4 of this DPIA applies. Illinois BIPA imposes the most stringent biometric privacy requirements in the United States, including a private right of action with statutory damages. Failure to comply can result in liquidated damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation (740 ILCS 14/20).
Genetic Information (410 ILCS 513/):
☐ Genetic test results
☐ DNA samples
☐ Family genetic history
2.3 Volume and Retention
- Estimated number of data subjects: [________________________________]
- Estimated records per year: [________________________________]
- Retention period: [________________________________]
- Deletion/destruction triggers: [________________________________]
- BIPA retention schedule (if biometric data collected): Biometric identifiers and information must be permanently destroyed when the initial purpose for collecting or obtaining the data has been satisfied or within three (3) years of the individual's last interaction with the entity, whichever occurs first (740 ILCS 14/15(a)).
2.4 Processing Activities
☐ Collection
☐ Storage / Hosting
☐ Analysis / Profiling
☐ Automated decision-making
☐ Sharing with third parties
☐ Sale of data
☐ Cross-border transfer
☐ Biometric enrollment / authentication
☐ Facial recognition processing
☐ Other: [________________________________]
3. Legal Basis, Notices, and Rights
3.1 Illinois Data Protection Legal Landscape
Illinois does not have a comprehensive consumer privacy law comparable to the CCPA or state laws in Colorado, Connecticut, or Virginia. However, Illinois has one of the most impactful privacy statutes in the country -- the Biometric Information Privacy Act (BIPA) -- and several other targeted privacy and data protection statutes:
| Statute | Citation | Scope |
|---|---|---|
| Biometric Information Privacy Act (BIPA) | 740 ILCS 14/ | Biometric identifiers and information |
| Personal Information Protection Act (PIPA) | 815 ILCS 530/ | Breach notification and data disposal |
| Genetic Information Privacy Act (GIPA) | 410 ILCS 513/ | Genetic testing data |
| Right to Privacy in the Workplace Act | 820 ILCS 55/ | Employee monitoring and social media |
| Student Online Personal Protection Act | 105 ILCS 85/ | Student data in K-12 education |
| Insurance Information and Privacy Protection Act | 215 ILCS 5/1001 et seq. | Insurance personal information |
| Consumer Fraud and Deceptive Business Practices Act | 815 ILCS 505/ | Enforcement mechanism for PIPA |
3.2 Consumer Rights Under Illinois Law
- No general consumer data rights (no right to access, correct, delete, or opt out under a comprehensive privacy statute)
- BIPA-specific rights: Right to informed consent before biometric collection; right not to have biometric data sold, leased, traded, or otherwise profited from; private right of action for violations (740 ILCS 14/15, 14/20)
- GIPA-specific rights: Informed consent before genetic testing; prohibition on disclosure without written consent (410 ILCS 513/15, 513/20)
3.3 Applicable Federal Overlays
☐ HIPAA (health data)
☐ GLBA (financial data)
☐ FERPA (educational records)
☐ COPPA (children under 13)
☐ FCRA (consumer reports)
☐ ADA / GINA (genetic/disability discrimination)
☐ Other: [________________________________]
4. BIPA Compliance Framework (740 ILCS 14/)
This section is MANDATORY if the project involves ANY biometric identifiers or biometric information. Illinois BIPA is the only state biometric privacy law with a private right of action and statutory damages.
4.1 BIPA Applicability Determination
Does this project collect, capture, purchase, receive through trade, or otherwise obtain any biometric identifier or biometric information?
☐ Yes -- Complete all of Section 4
☐ No -- Skip to Section 5
Biometric Identifier (740 ILCS 14/10): A retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry. Does NOT include writing samples, written signatures, photographs, human biological samples used for valid scientific testing or screening, demographic data, tattoo descriptions, or physical descriptions such as height, weight, hair color, or eye color.
Biometric Information (740 ILCS 14/10): Any information, regardless of how it is captured, converted, stored, or shared, based on an individual's biometric identifier used to identify an individual. Does NOT include information derived from items or procedures excluded from the definition of biometric identifiers.
4.2 Written Policy Requirement (740 ILCS 14/15(a))
A publicly available written policy must be developed that establishes:
☐ A retention schedule for biometric identifiers and biometric information
☐ Guidelines for permanently destroying biometric identifiers and biometric information when the initial purpose for collecting or obtaining the data has been satisfied OR within three (3) years of the individual's last interaction with the private entity, whichever occurs first
Written Policy Publication Location: [________________________________]
Date Policy Published: [__/__/____]
Policy Review Schedule: [________________________________]
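The destruction rule stated in Sections 2.3 and 4.2 (destroy when the collection purpose is satisfied or within three years of the last interaction, whichever occurs first, 740 ILCS 14/15(a)) is easier to enforce as a scheduled retention job than as a checkbox. The following is an added example, not part of this template; the record structure, field names and sample records are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Retention helper for the BIPA destruction rule (740 ILCS 14/15(a)).
# The record layout and the sample data below are constructed for illustration.

MAX_RETENTION_YEARS = 3  # "within three (3) years of the individual's last interaction"


@dataclass
class BiometricRecord:
    subject_id: str
    last_interaction: date              # most recent interaction with the entity
    purpose_satisfied: Optional[date]   # None while the collection purpose is still ongoing


def add_years(d: date, years: int) -> date:
    """Add calendar years; a Feb 29 anniversary in a non-leap year rolls back to Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def destruction_deadline(rec: BiometricRecord) -> date:
    """Earlier of: the date the purpose was satisfied, or three years after the last interaction."""
    outer_bound = add_years(rec.last_interaction, MAX_RETENTION_YEARS)
    if rec.purpose_satisfied is None:
        return outer_bound           # purpose ongoing: the 3-year bound alone controls
    return min(rec.purpose_satisfied, outer_bound)


def records_due_for_destruction(records, today: date) -> list[str]:
    """Subject IDs whose biometric data must already have been destroyed as of `today`."""
    return sorted(r.subject_id for r in records if destruction_deadline(r) <= today)


# Constructed sample records covering each branch of the rule.
SAMPLE_RECORDS = [
    # Purpose ended before the 3-year mark: the purpose date controls.
    BiometricRecord("emp-001", date(2023, 6, 1), date(2024, 1, 15)),
    # Purpose still ongoing: 3 years from the last interaction controls.
    BiometricRecord("emp-002", date(2022, 3, 10), None),
    # Purpose ends after the 3-year mark: the 3-year outer bound still controls.
    BiometricRecord("emp-003", date(2021, 2, 28), date(2025, 6, 30)),
    # Recent interaction, purpose ongoing: not yet due.
    BiometricRecord("emp-004", date(2025, 9, 1), None),
]

if __name__ == "__main__":
    as_of = date(2025, 4, 1)
    for rec in SAMPLE_RECORDS:
        print(rec.subject_id, "deadline", destruction_deadline(rec))
    print("due for destruction as of", as_of, ":", records_due_for_destruction(SAMPLE_RECORDS, as_of))
```

A production job would feed the result into the destruction workflow and write an auditable log entry per record, which is the evidence a BIPA audit (Section 4.7) asks for.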
4.3 Informed Consent Requirements (740 ILCS 14/15(b))
Before collecting any biometric identifier or biometric information, the entity MUST:
☐ Inform the subject (or legally authorized representative) in writing that biometric data is being collected or stored
☐ Inform the subject in writing of the specific purpose and length of term for which the data is being collected, stored, and used
☐ Receive a written release executed by the subject (or legally authorized representative) authorizing collection and storage
Note on Electronic Signatures: Per the 2024 amendments, written releases may be obtained via electronic signature, simplifying digital consent collection.
Consent Mechanism Used: [________________________________]
Consent Language Reviewed by IL Counsel: ☐ Yes ☐ No
Date of Last Consent Form Review: [__/__/____]
4.4 Disclosure and Sale Restrictions (740 ILCS 14/15(c)-(d))
☐ No biometric identifiers or biometric information will be sold, leased, traded, or otherwise profited from
☐ No biometric identifiers or biometric information will be disclosed, redisclosed, or otherwise disseminated unless:
☐ The subject (or legally authorized representative) consents to the disclosure
☐ The disclosure completes a financial transaction requested or authorized by the subject
☐ The disclosure is required by state or federal law or municipal ordinance
☐ The disclosure is required pursuant to a valid warrant or subpoena issued by a court of competent jurisdiction
4.5 Data Security for Biometric Data (740 ILCS 14/15(e))
Biometric identifiers and information must be stored, transmitted, and protected from disclosure using:
☐ A reasonable standard of care within the private entity's industry
☐ A manner that is the same as or more protective than the manner in which the entity stores, transmits, and protects other confidential and sensitive information
Specific Security Measures for Biometric Data:
- Encryption standard: [________________________________]
- Access controls: [________________________________]
- Storage location: [________________________________]
- Transmission security: [________________________________]
4.6 BIPA Damages Exposure Assessment
2024 Amendment (SB 2979, effective August 2, 2024): When a private entity collects or discloses the same biometric identifier or biometric information from the same person using the same method of collection, the entity has committed a single violation for which the aggrieved person is entitled to, at most, a single recovery.
| Violation Type | Statutory Damages (per violation) | Citation |
|---|---|---|
| Negligent violation | $1,000 or actual damages (whichever greater) | 740 ILCS 14/20(1) |
| Intentional or reckless violation | $5,000 or actual damages (whichever greater) | 740 ILCS 14/20(2) |
| Reasonable attorneys' fees and costs | Mandatory for prevailing plaintiff | 740 ILCS 14/20(3) |
| Injunctive relief | Available | 740 ILCS 14/20(4) |
Estimated BIPA Exposure:
- Number of individuals whose biometric data is processed: [________________________________]
- Types of violations possible: [________________________________]
- Estimated maximum damages exposure: $[________________________________]
4.7 BIPA Litigation Risk Assessment
☐ Organization has reviewed recent BIPA case law (Rosenbach v. Six Flags, Cothron v. White Castle)
☐ Organization has confirmed no biometric data is collected without written consent
☐ Organization has confirmed publicly available written retention and destruction policy is in place
☐ Organization has conducted a BIPA-specific audit within the past 12 months
☐ BIPA compliance training provided to relevant personnel
Statute of Limitations: Five (5) years from date of violation (per Tims v. Black Horse Carriers, Inc., 2023 IL 127801)
5. Data Flow and Transfers
5.1 Data Flow Diagram
Data Sources:
| Source | Data Type | Collection Method | Consent Obtained |
|---|---|---|---|
| [________________________________] | [________________________________] | [________________________________] | ☐ Yes ☐ No |
| [________________________________] | [________________________________] | [________________________________] | ☐ Yes ☐ No |
| [________________________________] | [________________________________] | [________________________________] | ☐ Yes ☐ No |
Data Storage Locations:
| System / Platform | Cloud Region / Data Center | Encryption at Rest | Encryption in Transit |
|---|---|---|---|
| [________________________________] | [________________________________] | ☐ Yes ☐ No | ☐ Yes ☐ No |
| [________________________________] | [________________________________] | ☐ Yes ☐ No | ☐ Yes ☐ No |
5.2 Third-Party Recipients
| Recipient | Purpose | DPA in Place | BIPA Obligations Addressed |
|---|---|---|---|
| [________________________________] | [________________________________] | ☐ Yes ☐ No | ☐ Yes ☐ No ☐ N/A |
| [________________________________] | [________________________________] | ☐ Yes ☐ No | ☐ Yes ☐ No ☐ N/A |
5.3 Cross-Border Transfers
☐ Data remains within the United States
☐ Data transferred internationally -- Transfer mechanism: [________________________________]
5.4 Access Controls
- Role-based access control (RBAC) groups: [________________________________]
- Least privilege principle: ☐ Implemented ☐ Not yet implemented
- Joiner/mover/leaver process: ☐ Documented ☐ Not documented
- Privileged access review cadence: [________________________________]
6. Security and Controls
6.1 Technical Controls
☐ Encryption at rest (standard: [________________________________])
☐ Encryption in transit (TLS version: [________________________________])
☐ Key management system: [________________________________]
☐ Network segmentation / micro-segmentation
☐ Endpoint detection and response (EDR)
☐ Logging and monitoring (SIEM: [________________________________])
☐ Data loss prevention (DLP)
☐ Automated backup and disaster recovery
☐ Vulnerability management and patch cadence: [________________________________]
☐ Intrusion detection / prevention systems
☐ Web application firewall (WAF)
6.2 Organizational Controls
☐ Information security policy (last reviewed: [__/__/____])
☐ Privacy policy (last reviewed: [__/__/____])
☐ BIPA-specific biometric data policy (publicly available)
☐ Employee training cadence: [________________________________]
☐ Vendor due diligence program
☐ Incident response plan (last tested: [__/__/____])
☐ Change management procedures
☐ Data classification framework
6.3 Authentication and Authorization
☐ Multi-factor authentication (MFA) for all privileged access
☐ Single sign-on (SSO) / SAML integration
☐ Session timeout policies: [________________________________]
☐ Privileged access management (PAM) solution: [________________________________]
7. Risk Assessment
7.1 Identified Risks
| Risk ID | Risk Description | Likelihood | Impact | Risk Rating | Mitigation |
|---|---|---|---|---|---|
| IL-01 | BIPA violation: Biometric data collected without written consent | [____] | Critical | [____] | [________________________________] |
| IL-02 | BIPA violation: No publicly available written retention/destruction policy | [____] | High | [____] | [________________________________] |
| IL-03 | BIPA violation: Biometric data sold, leased, or traded | [____] | Critical | [____] | [________________________________] |
| IL-04 | BIPA violation: Biometric data disclosed without consent | [____] | Critical | [____] | [________________________________] |
| IL-05 | BIPA violation: Inadequate security for biometric data | [____] | High | [____] | [________________________________] |
| IL-06 | PIPA breach: Unauthorized acquisition of PI | [____] | High | [____] | [________________________________] |
| IL-07 | PIPA violation: Improper data disposal | [____] | Medium | [____] | [________________________________] |
| IL-08 | GIPA violation: Genetic data disclosed without consent | [____] | High | [____] | [________________________________] |
| IL-09 | Unauthorized access by insider / employee | [____] | [____] | [____] | [________________________________] |
| IL-10 | Cross-state data transfer compliance failure | [____] | [____] | [____] | [________________________________] |
| IL-11 | Children's data collected without COPPA compliance | [____] | [____] | [____] | [________________________________] |
| IL-12 | [________________________________] | [____] | [____] | [____] | [________________________________] |
7.2 Risk Rating Matrix
| | Low Impact | Medium Impact | High Impact | Critical Impact |
|---|---|---|---|---|
| High Likelihood | Medium | High | Critical | Critical |
| Medium Likelihood | Low | Medium | High | Critical |
| Low Likelihood | Low | Low | Medium | High |
7.3 BIPA-Specific Risk Factors
- Class action risk: BIPA's private right of action has generated significant class action litigation in Illinois courts
- No injury-in-fact required: Per Rosenbach v. Six Flags Entertainment Corp. (2019 IL 123186), an individual need not allege actual injury or adverse effect beyond a violation of BIPA rights
- Statute of limitations: Five (5) years, creating extended exposure window
- Insurance coverage uncertainty: Many general liability and cyber policies exclude or limit BIPA coverage
8. Mitigations and Residual Risk
8.1 Planned Mitigations
| Risk ID | Mitigation Action | Owner | Target Date | Status |
|---|---|---|---|---|
| [____] | [________________________________] | [________________________________] | [__/__/____] | ☐ Not Started ☐ In Progress ☐ Complete |
| [____] | [________________________________] | [________________________________] | [__/__/____] | ☐ Not Started ☐ In Progress ☐ Complete |
| [____] | [________________________________] | [________________________________] | [__/__/____] | ☐ Not Started ☐ In Progress ☐ Complete |
| [____] | [________________________________] | [________________________________] | [__/__/____] | ☐ Not Started ☐ In Progress ☐ Complete |
| [____] | [________________________________] | [________________________________] | [__/__/____] | ☐ Not Started ☐ In Progress ☐ Complete |
8.2 Validation and Testing
☐ Penetration testing completed (date: [__/__/____])
☐ BIPA compliance audit completed (date: [__/__/____])
☐ Privacy-by-design review completed
☐ Tabletop incident response exercise conducted (date: [__/__/____])
☐ Vendor security assessments completed
8.3 Residual Risk Determination
Overall Residual Risk Rating: ☐ Low ☐ Medium ☐ High ☐ Critical
Decision: ☐ Accept ☐ Mitigate Further ☐ Transfer (Insurance) ☐ Avoid / Block Project
Justification: [________________________________________________________________________________]
9. Incident Response and Breach Notification
9.1 Illinois Personal Information Protection Act -- Breach Notification (815 ILCS 530/)
9.1.1 Triggering Event
A breach is the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector (815 ILCS 530/5).
Exclusions from breach definition:
- Good-faith acquisition by an employee or agent for purposes of the data collector, provided the personal information is not used for an unauthorized purpose or subject to further unauthorized disclosure
- Encrypted or redacted data (unless the encryption key has also been compromised)
9.1.2 Protected Personal Information Under PIPA (815 ILCS 530/5)
First name or first initial and last name in combination with any one or more of:
- Social Security number
- Driver's license number or state identification card number
- Financial account number, credit card number, or debit card number in combination with any required security code, access code, or password
- Medical information
- Health insurance information
- Unique biometric data (fingerprint, retina or iris image, or other unique physical or digital representation of biometric data)
- Username or email address in combination with a password or security question and answer
9.1.3 Notification Timeline and Requirements
| Requirement | Detail |
|---|---|
| Individual notice | In the most expedient time possible and without unreasonable delay |
| AG notification | Required when 250 or more Illinois residents are affected (815 ILCS 530/10(b)) |
| State agency special rule | State agencies must notify the AG within 45 days of discovery or when consumer notice is provided, whichever is sooner; must also notify the General Assembly within 5 business days (815 ILCS 530/10(d)) |
| Credit reporting agencies | Must notify CRAs if 1,000 or more persons notified at one time |
| Form of notice | Written notice, telephone, or electronic notice |
| Content requirements | Must include toll-free numbers and addresses of consumer reporting agencies, FTC contact information, and a statement that the individual can obtain information about fraud alerts and security freezes |
| Substitute notice | Permitted if cost exceeds $250,000 or affected class exceeds 500,000 persons or entity lacks sufficient contact information; substitute notice requires email (if available), conspicuous posting on the entity's website, and notification to major statewide media |
| Law enforcement delay | Permitted if law enforcement advises that notice would impede a criminal investigation |
9.1.4 Penalties for PIPA Violations
- Violation treated as an unlawful practice under the Consumer Fraud and Deceptive Business Practices Act (815 ILCS 505/)
- Civil penalty up to $50,000 per violation
- Up to $50,000 additional for each intentional violation involving fraud
- AG enforcement authority
9.2 Data Disposal Requirements (815 ILCS 530/30)
All materials containing personal information must be disposed of in a manner that renders the data unreadable, unusable, and undecipherable:
☐ Paper documents: redacted, burned, pulverized, or shredded
☐ Electronic media: destroyed or erased so that personal information cannot practicably be read or reconstructed
☐ Third-party disposal: Contracts require compliant disposal by service providers
Penalties for improper disposal: Civil penalty of up to $100 per individual whose data was improperly disposed, with a maximum of $50,000 per instance of improper disposal (815 ILCS 530/40).
9.3 Internal Incident Response Procedures
Incident Response Team Lead: [________________________________]
Legal Counsel (IL-licensed): [________________________________]
BIPA Compliance Officer: [________________________________]
Response Timeline:
| Step | Action | Responsible Party | Target Timeframe |
|---|---|---|---|
| 1 | Identify and contain the incident | [________________________________] | Immediate |
| 2 | Assess whether BIPA data is involved | [________________________________] | Within 24 hours |
| 3 | Determine if breach triggers PIPA notification | [________________________________] | Within 48 hours |
| 4 | Engage Illinois-licensed legal counsel | [________________________________] | Within 48 hours |
| 5 | Prepare notification to affected individuals | [________________________________] | Per counsel guidance |
| 6 | Notify IL Attorney General (if 250+ affected) | [________________________________] | Concurrent with individual notice |
| 7 | Notify CRAs (if 1,000+ affected) | [________________________________] | Concurrent with individual notice |
| 8 | Document incident and remediation | [________________________________] | Ongoing |
10. State Law Overlay Summary -- Illinois
10.1 Key Compliance Obligations
| Area | Requirement | Citation |
|---|---|---|
| Biometric data consent | Written informed consent required BEFORE collection of any biometric identifier or information | 740 ILCS 14/15(b) |
| Biometric retention policy | Publicly available written policy with retention schedule and destruction guidelines | 740 ILCS 14/15(a) |
| Biometric data security | Reasonable standard of care; at least as protective as other confidential information | 740 ILCS 14/15(e) |
| Biometric data sale | Prohibited -- no sale, lease, trade, or profit from biometric data | 740 ILCS 14/15(c) |
| Biometric data disclosure | Only with consent, to complete authorized transaction, by law, or by valid warrant/subpoena | 740 ILCS 14/15(d) |
| Biometric destruction | Destroy when purpose satisfied or within 3 years of last interaction, whichever first | 740 ILCS 14/15(a) |
| Breach notification | Most expedient time without unreasonable delay; AG if 250+; CRAs if 1,000+ | 815 ILCS 530/10 |
| Data disposal | Render unreadable, unusable, undecipherable | 815 ILCS 530/30 |
| Genetic data | Written informed consent for collection and disclosure | 410 ILCS 513/15, 513/20 |
| Private right of action | YES -- BIPA only. $1,000/$5,000 statutory damages + attorneys' fees | 740 ILCS 14/20 |
| AG enforcement | YES -- PIPA violations enforced under Consumer Fraud Act | 815 ILCS 505/ |
10.2 Illinois-Specific Compliance Checklist
☐ BIPA written retention and destruction policy is publicly available
☐ BIPA written consent obtained from all individuals before biometric data collection
☐ BIPA consent forms reviewed by Illinois-licensed counsel within past 12 months
☐ No biometric data is sold, leased, traded, or otherwise profited from
☐ Biometric data is stored and transmitted with reasonable standard of care
☐ Biometric data destruction schedule is enforced (3-year maximum from last interaction)
☐ PIPA breach notification procedures are documented and tested
☐ AG notification process documented for breaches affecting 250+ IL residents
☐ Data disposal procedures comply with 815 ILCS 530/30
☐ Vendor/processor contracts include BIPA compliance obligations
☐ Employee training on BIPA and PIPA requirements is current
☐ BIPA litigation exposure has been assessed and documented
☐ Cyber and biometric liability insurance coverage reviewed
☐ Genetic data (if any) handled per GIPA requirements
☐ COPPA compliance confirmed for any children's data
11. Approvals and Accountability
| Role | Name | Signature | Date |
|---|---|---|---|
| Privacy Lead / DPO | [________________________________] | [________________________________] | [__/__/____] |
| Information Security Officer | [________________________________] | [________________________________] | [__/__/____] |
| BIPA Compliance Officer | [________________________________] | [________________________________] | [__/__/____] |
| Legal Counsel (IL-licensed) | [________________________________] | [________________________________] | [__/__/____] |
| Business Owner | [________________________________] | [________________________________] | [__/__/____] |
| Executive Approver | [________________________________] | [________________________________] | [__/__/____] |
Next Review Date: [__/__/____]
12. Attachments
☐ Data flow diagrams and architecture documentation
☐ BIPA written retention and destruction policy (publicly available version)
☐ BIPA consent form templates
☐ Records of processing activities (ROPA) entry
☐ Vendor list and data processing agreements
☐ Biometric data security assessment report
☐ Penetration test reports
☐ Incident response playbook (IL-specific)
☐ Breach notification letter template (IL-specific)
☐ AG notification template
☐ BIPA compliance audit report
☐ Insurance policy summary (cyber / biometric liability)
Sources and References
- Illinois General Assembly, Biometric Information Privacy Act: https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004
- Illinois General Assembly, Personal Information Protection Act: https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702
- Illinois Attorney General, Data Breach Notification: https://ilag.gov/
- SB 2979 (2024 BIPA Amendment): https://www.ilga.gov/legislation/BillStatus.asp?DocNum=2979&GESSION=103&GA=103&DocTypeID=SB
- Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186
- Cothron v. White Castle System, Inc., 2023 IL 128004
- Tims v. Black Horse Carriers, Inc., 2023 IL 127801
About This Template
Compliance documents are what regulated businesses use to prove they follow the rules that apply to their industry, whether that is privacy, anti-money-laundering, consumer protection, or sector-specific requirements. Regulators look for consistent policies, up-to-date records, and clear evidence of employee training. The cost of getting compliance paperwork right is almost always smaller than the cost of an enforcement action, fine, or public disclosure.
Important Notice
This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.
Last updated: April 2026