Ask Reggi Your Question Now

Reggi is the free generative AI assistance for regulatory compliance
Ask a Question

Can I collect personal information from participants in Illinois? What are the requirements?

Yes, you can collect personal information from participants in Illinois, but you must comply with certain requirements.

Personal Information Protection Act (PIPA)

To collect personal information from participants in Illinois, you must comply with the Personal Information Protection Act (PIPA) [1.5]. PIPA requires data collectors to implement and maintain reasonable security measures to protect personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure [1.1]. Additionally, if a data collector experiences a breach of security, they must notify affected Illinois residents without unreasonable delay [1.3]. The notification must include specific information as outlined in Section 12 of the Act [1.3].

Required Consents Prior to Disclosure of Personal Information

If you plan to disclose personal information, you must obtain required consents prior to disclosure [2.2]. However, there are exceptions to notice and opt-out requirements for disclosure of nonpublic personal financial information [3.1].

Notice of Breach

If you own or license personal information concerning an Illinois resident, you must notify the resident at no charge that there has been a breach of the security of the system data following discovery or notification of the breach [1.2]. The disclosure notification shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system [1.2].

Disposal of Materials Containing Personal Information

You must dispose of the materials containing personal information in a manner that renders the personal information unreadable, unusable, and undecipherable [1.4]. Proper disposal methods include, but are not limited to, redaction, burning, pulverizing, or shredding paper documents containing personal information, and destroying or erasing electronic media and other non-paper media containing personal information [1.4].

Therefore, to collect personal information from participants in Illinois, you must implement reasonable security measures to protect the information, obtain required consents prior to disclosure, notify affected individuals in the event of a breach, and dispose of materials containing personal information properly.

Source(s):
Jurisdiction

Illinois