Understanding Illinois Laws That Affect AI Use in Business

A practical guide for leaders who want the benefits of AI without the compliance surprises.

AI has quietly moved from “tool” to “decision influencer.” It screens candidates, summarizes calls, flags “risky” activity, personalizes outreach, and helps teams move faster.

In Illinois, that speed comes with strings attached. Currently, there is no single “Illinois AI Act” that covers every business scenario. Instead, several Illinois laws apply depending on how you use AI, what data it touches, and whether it influences employment, identity, consumer communications, or health services.

This article is educational information, not legal advice. If you’re making policy decisions, involve qualified counsel.

The shortest possible answer

If your organization uses AI in Illinois, you should assume at least one of these categories applies:

• Employment decisions: AI that influences recruiting, hiring, promotions, discipline, or termination is regulated under the Illinois Human Rights Act.
• Video interviews: AI analysis of recorded interviews triggers the Artificial Intelligence Video Interview Act.
• Biometrics: Face geometry, fingerprints, voiceprints, and similar identifiers often trigger BIPA.
• Data breaches: If personal information is exposed, PIPA sets breach notification expectations (and Illinois AG reporting can apply).
• AI voice/likeness in marketing or media: Illinois has laws focused on digital replicas and publicity rights.
• Therapy/psychotherapy claims: Illinois restricts AI use in providing therapy or psychotherapy services.

AI laws at a glance

Use this section like a quick decision map.

• If AI influences employment outcomes (even if a human “reviews” the result): start with the Illinois Human Rights Act AI provisions and related state guidance.
• If you ask candidates to record a video interview and AI evaluates it: follow the Artificial Intelligence Video Interview Act (notice, consent, limits on sharing, deletion workflow).
• If you collect biometric identifiers (fingerprint time clocks, facial recognition access, voice authentication): treat BIPA as a project requirement, not an afterthought.
• If AI creates or imitates a real person’s voice/likeness for commercial use: review the Digital Voice and Likeness Protection Act and Right of Publicity Act updates.
• If your product or service crosses into “therapy” or “psychotherapy” using AI: review the WOPR Act rules and enforcement posture.
• If AI touches personal information and you worry about incidents: make sure your incident response plan matches Illinois breach notice expectations.

The Illinois laws businesses run into most

Illinois Human Rights Act: AI in employment decisions (anti-discrimination + notice)

Illinois amended the Illinois Human Rights Act to address the use of AI in employment-related decisions. In plain English: if AI impacts recruiting, hiring, promotions, renewal, training selection, discipline, termination, or terms/conditions of employment, you’re responsible for ensuring it does not discriminate and for providing required notice.

A few practical implications:

• “We only use it to shortlist” can still matter if it changes who gets seen.
• Proxy inputs can be risky. The law explicitly calls out using zip codes as a proxy for protected classes in this context.
• State agencies have been working on rules/guidance around implementation and enforcement, so keep an eye on updates rather than treating compliance as “one and done.”

What to do operationally:

• Build an inventory of every HR/recruiting feature that “scores,” “ranks,” “recommends,” or “filters.”
• Document inputs, outputs, and who can override the result.
• Put a simple notice workflow into your HR process so you can prove it happened.

Artificial Intelligence Video Interview Act (AIVIA): recorded interviews + AI analysis

If you use AI to analyze recorded video interviews, Illinois' Artificial Intelligence Video Interview Act (AIVIA) requires:

• Notice that AI is being used
• An explanation of how it works and what characteristics it evaluates
• Applicant consent before the interview
• Limits on sharing videos
• A deletion path upon request

Where teams get stuck is not the disclosure. It’s the operational follow-through:

• Who owns deletion requests?
• Where are videos stored (vendor platform, internal HR drive, both)?
• Can you verify deletion, not just “we think it’s gone”?

Biometric Information Privacy Act (BIPA): biometrics used for identity or access

Illinois' Biometric Information Privacy Act (BIPA) is not an “AI law,” but AI-driven systems trigger it all the time because biometrics are commonly used for identification: fingerprints, voiceprints, hand geometry, face geometry, and related biometric information.

BIPA compliance typically includes:

• A publicly available retention and destruction policy
• Written notice and a written release before collection
• Careful limits on disclosure and sharing
• Reasonable safeguards for storage and transmission

Recent amendments to BIPA (Public Act 103-0769) clarified electronic signatures as valid written releases and addressed damages exposure in certain situations.

Where BIPA sneaks up on teams:

• “It’s just a time clock.”
• “It’s a door access feature bundled into our security platform.”
• “It’s voice authentication for the call center.”

Personal Information Protection Act: breach notification and reporting

Illinois’ Personal Information Protection Act (PIPA) sets requirements for notifying people after certain breaches involving personal information.

Separately, Illinois Attorney General guidance emphasizes that some businesses and agencies must report certain breaches to the AG’s office in addition to notifying affected residents.

Why this matters in an AI world:

• Chat transcripts, call summaries, ticket notes, and “smart” knowledge bases can store personal info.
• AI features can increase data sprawl, which increases incident complexity.

Digital Voice and Likeness Protection Act: “digital replicas” and contracts

Illinois has a Digital Voice and Likeness Protection Act that addresses digital replicas in certain agreements and contexts, with its own applicability and effective date structure as reflected in the statute.

If your marketing or media workflow uses “AI voice” or creates realistic replicas of real people, you need clear permission, documented approvals, and a plan for takedowns.

Right of Publicity Act updates: commercial use of identity, including digital replicas

Illinois’ Right of Publicity Act governs commercial use of an individual’s identity, and recent updates address “digital replicas” and related enforcement concepts.

For most businesses, the practical takeaway is simple:

• If content is commercial and uses a real person’s likeness or voice, treat it like a formal rights-and-releases process, even if it was “AI-generated.”

WOPR Act: therapy/psychotherapy is not an “AI feature”

Illinois enacted the Wellness and Oversight for Psychological Resources Act, aimed at restricting the provision, advertising, or offering of therapy or psychotherapy services unless conducted by licensed professionals. State communications have framed this as limiting AI-driven therapy practices and protecting patients.

If you sell wellness tools, employee support tools, or patient-facing guidance:

• Review your marketing language first.
• Make sure escalation to a human professional is real, accessible, and documented.

What this means for common AI use cases

HR and recruiting

High-risk patterns include:

• Automated ranking or “fit scoring”
• Filtering based on proxies for protected classes
• AI-generated interview guidance that effectively standardizes decisions without oversight

Your goal is not “never use AI.” Your goal is clear ownership, notice, and defensible process.

IT and security

High-risk patterns include:

• Biometrics for access control and timekeeping
• Voice authentication
• Facial recognition features turned on by default

Treat biometric compliance like you treat financial controls: documented and repeatable.

Customer support and chatbots

Even without a single, universal Illinois “chatbot law” today, deceptive or confusing AI communications can create consumer trust issues and invite legal scrutiny. There are also active proposals in Illinois that would require disclosure when consumers are interacting with AI.

Practical stance:

• Be transparent that automation is being used.
• Keep a clean handoff path to a human for high-stakes issues.

Marketing and comms

If your team uses AI to generate voiceovers, testimonials, endorsements, or a “CEO voice” for content:

• Have a rights process.
• Store approvals.
• Define what is allowed and what is not.

Common mistakes businesses make

These are the problems that create avoidable exposure:

• Assuming “the vendor handles compliance.” Your organization still owns the outcome and the process.
• Only tracking “AI products,” not AI features. Many platforms add AI quietly, and the feature is what triggers the law.
• No deletion workflow. If a law requires deletion on request, “we’ll figure it out” is not a process.
• No retention policy for biometrics. BIPA expects a retention and destruction policy, not an assumption.
• Marketing moves faster than approvals. AI-generated replicas can turn a creative experiment into a rights issue.

A practical compliance checklist you can start this week

Use this to create momentum without boiling the ocean:

1. Inventory AI and automation: tools, features, plugins, and “smart” settings.
2. Map use cases to legal lanes: employment, interviews, biometrics, consumer comms, content, therapy-like services.
3. Map data flows: inputs, outputs, storage locations, who can access, who can export.
4. Add notices and consent points where required (especially hiring and video interviews).
5. Review vendor contracts: breach notice timing, deletion obligations, subcontractors, security standards.
6. Create retention + deletion rules for AI artifacts: transcripts, summaries, interview videos, model logs.
7. Document oversight for employment AI: who reviews, how you test for impact, how you handle exceptions.
8. Train the owners: HR, IT, marketing, compliance, and whoever approves tooling.
9. Update incident response to include AI-specific events (impersonation, leaked transcripts, rogue AI features).

Want a fast reality check on your AI risk in Illinois?

AI compliance problems usually come from small choices: a screening feature turned on in HR, a “helpful” video interview score, a biometric time clock, or marketing that uses AI voice without a clean permission trail.

If you want clarity without a months-long project, Reintivity can help you:

• Inventory where AI is actually being used (including hidden features)
• Map use cases to Illinois laws (employment, interviews, biometrics, privacy, content)
• Tighten vendor contracts, retention, and deletion workflows
• Set simple notices, policies, and owner responsibilities your team will follow

FAQ

Does “human in the loop” avoid AI requirements?
Not automatically. If AI materially influences the process or outcome, treat it as covered and document oversight.

Does BIPA apply if we store photos?
BIPA is about biometric identifiers/information used to identify a person (like scans of face geometry), not ordinary photos, but many “face recognition” features can create biometric data. Confirm what your system actually captures and stores.

Do we have to stop using AI in recruiting?
Not necessarily. The practical path is transparency, testing for discriminatory outcomes, clear policies, and reliable notice and documentation.

What about upcoming Illinois AI bills?
There are active proposals that would require consumer disclosure when AI is used in communications that could mislead someone into thinking they’re talking to a human. Track bills like SB2995 if customer-facing AI is on your roadmap.