Illinois security and surveillance regulations: what businesses must know

Illinois is the strictest state in the country on biometric privacy under the Biometric Information Privacy Act (BIPA), 740 ILCS 14, which requires written consent before collecting biometric identifiers and creates a private right of action with statutory damages. The eavesdropping statute at 720 ILCS 5/14-2 was rewritten in 2014 and now treats interception as a felony when a party has a reasonable expectation of privacy. Cannabis surveillance is governed by IDFPR rules.

Camera-related state law

The Illinois eavesdropping statute, 720 ILCS 5/14-2, was rewritten by Public Act 98-1142 in 2014 after the Illinois Supreme Court struck down the prior version on First Amendment grounds in People v. Clark and People v. Melongo. The current statute makes it a felony to knowingly use a device to record a private conversation without the consent of all parties, where a private conversation is one in which a party intends the conversation to be private under circumstances reasonably justifying that expectation.

Functionally, IL operates as a two-party consent state for many commercial scenarios because the audio capture in a camera install rarely falls outside the reasonable-expectation zone for the people in the room. Video-only surveillance is treated more permissively: recording video in non-private areas of a commercial property with posted notice is generally lawful. Hidden cameras in spaces with a reasonable expectation of privacy (restrooms, locker rooms, hotel guest rooms) trigger separate criminal exposure under unauthorized video recording statutes.

Practical translation. Commercial IL camera installs default to video-only on the cameras and route audio capture through a documented all-party consent workflow when audio is needed. The bigger compliance lift in IL is BIPA, not the camera placement itself.

Biometric data: BIPA

The Biometric Information Privacy Act (BIPA), 740 ILCS 14, is the strictest US state biometric privacy law. It applies to private entities (not state or local government) operating in IL and requires three things before any biometric capture from an IL resident:

Written, informed consent. The subject must receive written notice of the specific purpose and length of collection, then provide a written release before capture.
Publicly available written retention and destruction policy. The entity must publish a schedule, and biometric data must be destroyed when the initial collecting purpose is satisfied or within three years of the last interaction, whichever is sooner.
No sale, lease, trade, or profit from biometric data. Disclosure to a third party requires consent or a narrow statutory exception.

Biometric identifiers under BIPA include fingerprints, voiceprints, retina or iris scans, and scans of hand or face geometry. Biometric information includes any information based on those identifiers used to identify a person. Damages under 740 ILCS 14/20 are $1,000 per negligent violation and $5,000 per intentional or reckless violation, plus attorneys' fees. The Illinois Supreme Court in Rosenbach v. Six Flags (2019) held that statutory violation alone is sufficient injury for standing.

In Cothron v. White Castle (2023), the IL Supreme Court held that each scan of a fingerprint or face can constitute a separate violation. The legislature responded with a 2024 amendment that addresses some per-scan questions. Practical effect for an IL commercial install: any facial recognition, fingerprint access control, or retina/iris scanning needs a BIPA-compliant consent and retention workflow in place at go-live.

Privacy in the workplace

The Illinois Right to Privacy in the Workplace Act, 820 ILCS 55, restricts certain monitoring and inquiry practices but does not directly govern general workplace video surveillance. The Illinois Personnel Record Review Act (820 ILCS 40) governs employee access to personnel records, which can include surveillance footage in some interpretations. BIPA reaches employee biometric capture in fingerprint timeclocks and biometric access control.

Cameras in employee-only spaces with a reasonable expectation of privacy (changing areas, lactation rooms, employee restrooms) are off-limits. Cameras in production lines, retail floor, loading dock, and warehouse aisles are routine when paired with notice and, where biometric capture is involved, BIPA written consent.

IL employers using fingerprint timeclocks (Kronos, ADP, smaller HR platforms) need a BIPA-compliant onboarding workflow. The largest BIPA settlements to date have come from employer fingerprint timeclocks where the employee never signed a BIPA release.

Public-place and common-area cameras

For commercial real estate, multi-tenant residential, retail, and hospitality, the practical rule set is consistent. Cameras in lobbies, hallways, exterior, parking, retail floor, and other non-private common areas are lawful with posted notice. Cameras in bathrooms, dressing rooms, hotel guest rooms, and any other space where privacy is expected are off-limits.

IL operators using any biometric capture (entry-by-face, age verification by face, customer fingerprint loyalty) layer BIPA consent on top of the standard surveillance posting. Multi-tenant residential operators handle BIPA at lease-up for any biometric access control and document the retention schedule in the building's privacy policy.

Video retention requirements

IL has no single statewide video retention statute that applies to all commercial cameras. Retention is set by the regime that governs the industry.

Cannabis. The Illinois Department of Financial and Professional Regulation (IDFPR) publishes camera coverage and retention rules for adult-use retail and cultivation. Pull the current IDFPR rules before designing the install.
Healthcare. HIPAA Security Rule (45 CFR Part 164) governs PHI-touching footage. Retention is typically 30 to 90 days at the facility, longer when an investigation is open.
Retail and hospitality with card data. PCI-DSS Requirement 9 specifies camera coverage of the cardholder data environment with 90-day retention.
Banks and financial institutions. Federal banking regulators set surveillance and retention expectations through bank examination. IL Department of Financial and Professional Regulation supervises state-chartered institutions.
Schools. FERPA reach for K-12 districts and higher education. Illinois School Code district policies apply.
Federal contractors and grantees. NDAA Section 889 controls vendor selection. Retention is contractor-driven through the SSP or grant award terms.
Biometric data destruction. BIPA requires destruction when the initial purpose ends or within three years of the last interaction, whichever is sooner. This is data destruction, not video retention, but it lives in the same retention schedule.

Default video retention for IL commercial systems with no specific industry rule is 30 days. Operators in higher-risk industries set longer retention with explicit written retention policies in the WISP, facility security plan, or IDFPR SOP.

Notable enforcement examples

BIPA class-action volume is the largest of any US state biometric privacy statute. Notable cases include Rosenbach v. Six Flags Entertainment (Illinois Supreme Court 2019, statutory injury), Cothron v. White Castle (Illinois Supreme Court 2023, per-scan accrual), and a long list of class-action settlements involving employer fingerprint timeclocks, retail facial recognition, and biometric loyalty programs. The pattern across cases: a private entity captured biometric data from employees or consumers without a written release and a published retention schedule, and the class action followed.

IDFPR has issued sanctions against IL cannabis licensees for surveillance and retention failures. The Illinois Attorney General has brought consumer protection actions involving electronic surveillance and data handling. Federal HIPAA settlements have reached IL-based defendants where physical safeguards were a documented part of the breach. Real settlements are searchable on the IL AG, IDFPR, and HHS OCR enforcement pages.

What Tec-Tel does to comply with Illinois regulations

Tec-Tel installs across Illinois for retail, manufacturing, healthcare, multi-tenant residential, financial, and licensed cannabis customers. The default install pattern for an IL commercial site:

Video-only on cameras unless audio is documented with all-party consent under 720 ILCS 5/14-2.
Posted surveillance notice at every public entrance.
No cameras in restrooms, locker rooms, dressing rooms, or any space where privacy is reasonably expected.
BIPA-compliant written consent and retention workflow coordinated with the customer's privacy team for any facial recognition, fingerprint access control, or retina/iris scanning.
Retention configured to the regime that governs the industry (HIPAA, PCI, IDFPR, NDAA), with the facility's written retention policy attached.
NDAA Section 889-compliant vendor selection on any federal-touching install. No Hikvision, Dahua, Hytera, Huawei, ZTE, or covered OEM relabels.
Multi-vendor architecture so the customer is not locked into one camera or VMS line as state and federal rules evolve.

This is a buyer-facing reference, not legal advice. For a specific IL regulatory question or a BIPA-compliance opinion, work with your privacy counsel.

Security service in Illinois

Tec-Tel deploys AI-era security across Illinois with one accountable project manager owning design, install, and service to one standard. The cities below have local service detail, deal sizing, and a free consultation. Don't see yours? We cover the whole state.

Security in Chicago, IL

Or browse the full city directory and nationwide coverage map.

Frequent buyer questions

Is Illinois a one-party or two-party consent state for audio recording?

Illinois is functionally a two-party consent state for many private conversations. The eavesdropping statute at 720 ILCS 5/14-2 was rewritten by Public Act 98-1142 (2014) after the Illinois Supreme Court struck down the prior statute in People v. Clark and People v. Melongo. Under the current statute, knowingly recording a private conversation without the consent of all parties is a felony when there is a reasonable expectation of privacy. Most IL commercial camera installs go video-only on the cameras to keep audio out of scope.

What does the Illinois BIPA require for cameras and access control?

The Biometric Information Privacy Act, 740 ILCS 14, requires private entities to obtain a written release before collecting, capturing, or otherwise obtaining a person's biometric identifier or biometric information. The statute also requires a written, publicly available retention and destruction schedule. Biometric identifiers include fingerprints, voiceprints, retina or iris scans, and scans of hand or face geometry. Coverage of fleeting incidental capture in routine video is litigated, but any IL deployment of facial recognition, fingerprint access, or retina scanning needs a documented written-consent workflow before go-live.

What are the BIPA damages?

BIPA at 740 ILCS 14/20 provides $1,000 per negligent violation and $5,000 per intentional or reckless violation, plus attorneys' fees. The Illinois Supreme Court in Cothron v. White Castle (2023) held that each scan of a fingerprint or face can constitute a separate violation, and the state legislature later amended BIPA in 2024 to address the per-scan damages question for some scenarios. Class-action settlements have run from low millions for small employer fingerprint timeclock cases to nine figures for the largest tech defendants. The cost of a BIPA-noncompliant install is much higher than the cost of compliance.

What's the video retention requirement for Illinois cannabis dispensaries?

Illinois cannabis surveillance is governed by the Illinois Department of Financial and Professional Regulation (IDFPR) for adult-use retail and cultivation. The published rules cover camera coverage, resolution, retention, and limited-access-area surveillance. Retention requirements are in the IDFPR rules and operators should pull the current text before designing the install, because IDFPR has revised rules during the buildout of the IL cannabis program. Most IL licensed operators retain at least the IDFPR minimum and configure VMS retention with a buffer.

Can I put cameras in employee break rooms or restrooms in Illinois?

Restrooms, locker rooms, and changing areas are off-limits under common-law privacy standards and the Illinois eavesdropping statute when audio is involved. Employee break rooms are a closer call: posted notice and limited coverage of common-area entry-exit points are routine, but the more a space resembles a private personal-use area, the more exposure the employer takes. IL employers also need to layer BIPA consent on top of any biometric timeclock or fingerprint-based access used by employees.

Are there other Illinois statutes besides BIPA that apply to surveillance?

Yes. The Illinois Personal Information Protection Act (PIPA, 815 ILCS 530) governs notification of data breaches involving personal information and reaches biometric data. The Illinois Workplace Transparency Act (820 ILCS 96) restricts employer agreements but does not directly govern cameras. The Illinois Right to Privacy in the Workplace Act (820 ILCS 55) restricts certain monitoring practices. The Genetic Information Privacy Act (410 ILCS 513) covers a separate biometric-adjacent category. Cook County and Chicago add local consumer protection ordinances for some industries.

Are there notable BIPA enforcement cases I should know about?

BIPA class-action volume is the largest of any US state biometric privacy statute. Notable cases include Rosenbach v. Six Flags Entertainment (Illinois Supreme Court 2019, holding that an actual injury beyond statutory violation is not required), Cothron v. White Castle (Illinois Supreme Court 2023, per-scan accrual), and a long list of major settlements with technology and consumer brands. The pattern across cases: a private entity captured biometric data from employees or consumers without a written release and a published retention schedule, and the class action followed.

What about Cook County or Chicago-specific surveillance ordinances?

Chicago and Cook County add local consumer protection and human rights ordinances on top of state law, but the operative state-level statutes for commercial surveillance are BIPA, the eavesdropping statute, PIPA, and the Right to Privacy in the Workplace Act. Local ordinances primarily reach hiring and employment practices rather than camera placement. Chicago alarm and burglar-alarm ordinances regulate alarm permitting but not surveillance architecture. Operators in Chicago should still check with corporation counsel for the latest local-ordinance changes before any large install.

Start with a free consultation.

Tell us what you're protecting and what's already in place. The Tec-Tel team reviews it and comes back with a written plan.

Tell us how many sites you run and what's already in place. We'll show you what a build or upgrade looks like.

Straight answers from the team that does the work. We're platform-agnostic, so you get the system that fits your sites, not one brand's catalog.

Since 2010 · 1,000+ deployments nationwide · ISN-accredited

Book a free consultation 855-577-0400

Illinois security and surveillance regulations: what businesses must know

Camera-related state law

Biometric data: BIPA

Privacy in the workplace

Public-place and common-area cameras

Video retention requirements

Notable enforcement examples

What Tec-Tel does to comply with Illinois regulations

Security service in Illinois

Frequent buyer questions

Compliance reference

NDAA Section 889

California regulations

Cannabis security

Manufacturing security

Start with a free consultation.

How can we help?