Illinois operates the Biometric Information Privacy Act (740 ILCS 14), the only U.S. statute with a private right of action and statutory damages of $1,000 (negligent) to $5,000 (intentional) per record, which transforms every retired biometric-data-handling device into a class-action vector if destruction cannot be evidenced. Use the Enterprise Compliance Reference below as the Illinois executive briefing; the sections that follow walk every duty, regulator, and penalty band with statute citation and recent Cook County biometric-litigation context.

| Compliance Topic | What Illinois Requires | Who Enforces | Penalty Band | What All Green Recycling Provides |
|---|---|---|---|---|
| 1. Breach Notification | Notice to Illinois residents in the most expedient time possible; AG notice within 45 days if 500+ residents affected under 815 ILCS 530/10. | Illinois Attorney General | Up to $50,000 per violation via CFA | Certified media shredding with serialized Certificate of Destruction. |
| 2. Records Disposal | Dispose of materials containing personal information in a manner that renders the personal information unreadable, unusable, and undecipherable under 815 ILCS 530/40. | Illinois AG | Up to $50,000 per violation via CFA | Certified data wiping aligned to NIST Clear / Purge. |
| 3. Biometric Information Privacy Act | Informed-consent, retention-schedule, and destruction-upon-purpose-completion duties on biometric identifiers and information under 740 ILCS 14. | Private right of action | $1,000 (negligent) or $5,000 (intentional/reckless) per violation | Hard drive shredding for biometric-bearing media at retention end. |
| 4. Reasonable Security | Reasonable security measures to protect personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure under 815 ILCS 530/45. | Illinois AG | Up to $50,000 per violation via CFA | Certified data destruction aligned to NIST SP 800-88 Rev. 2. |
| 5. E-Waste Landfill Ban + EPR | Manufacturer takeback for residential CEDs and statewide landfill ban on covered electronic devices since 2012 under 415 ILCS 150 (EPRRA); commercial generators route through certified recyclers. | Illinois EPA | Up to $50,000 per violation + $10,000/day under 415 ILCS 5/42 | Certified electronics recycling with environmental disposition record. |
| 6. Federal Overlay & Audit Posture | HIPAA, FTC Safeguards, GLBA, FAR 52.204-21, DFARS 252.204-7012; documented Certificate of Destruction, chain-of-custody, environmental disposition. | HHS OCR, FTC, federal prime contractors | HIPAA up to $2.067M per identical violation per year (2025) | IT asset reporting packaged for compliance, legal, and audit teams. |

Illinois’s privacy compliance regime is one of the most demanding in the United States, anchored in two statutes that dominate enterprise IT asset retirement decisions: the Personal Information Protection Act (815 ILCS 530) and the Biometric Information Privacy Act (740 ILCS 14). Disposition of a Retired Electronic Asset in Illinois is governed by:

1. 815 ILCS 530/10, which requires breach notice in the most expedient time possible and 45-day AG notice for breaches affecting 500+ Illinois residents (and which explicitly enumerates biometric data as personal information per SB 1833, 2016).
2. 815 ILCS 530/40, which establishes the three-fold “unreadable, unusable, and undecipherable” destruction outcome.
3. 815 ILCS 530/45, which requires reasonable security across the data life cycle.
4. BIPA at 740 ILCS 14, which imposes informed-consent, retention-schedule, and destruction-upon-purpose-completion duties and provides a private right of action with $1,000 (negligent) or $5,000 (intentional or reckless) per-violation statutory damages.
5. The Electronic Products Recycling and Reuse Act (EPRRA) at 415 ILCS 150, with the statewide landfill ban on CEDs since 2012.
6. The Illinois EPA hazardous-waste rules at 35 Ill. Adm. Code 720-733.

Audit defensibility is the ability to reconstruct each step of asset retirement across that duty surface on demand.
Illinois layers BIPA (740 ILCS 14) and the Personal Information Protection Act (PIPA, 815 ILCS 530) on top of the HIPAA, GLBA, FTC Safeguards, and DFARS federal regimes, and the binding compliance ceiling for any biometric-touching device is whichever regime imposes the stricter destruction-outcome duty. A regulated enterprise must satisfy the stricter of (1) Illinois statutes including 815 ILCS 530 (PIPA), 740 ILCS 14 (BIPA), and 415 ILCS 150 (EPRRA), (2) federal sector rules including the HIPAA Security Rule, the FTC Safeguards Rule, GLBA, FAR 52.204-21, and DFARS 252.204-7012, and (3) customer or prime-contract clauses. BIPA exposure (private right of action with statutory damages) is not preempted by HIPAA or GLBA; biometric identifiers must be destroyed under the BIPA retention-schedule rules regardless of federal sector status.
The preemption matrix below states, for each federal regime that touches enterprise IT asset disposition in Illinois, whether Illinois law is preempted by, equal to, or exceeds the federal floor, and where it exceeds, the specific stricter element.

| Federal Regime | Illinois Posture | Stricter Element (if any) |
|---|---|---|
| HIPAA Security Rule (45 CFR Part 164 Subpart C) | equals | Federal regime controls; state law does not exceed the federal floor. |
| GLBA / FTC Safeguards Rule (16 CFR Part 314) | equals | Federal regime controls; state law does not exceed the federal floor. |
| FACTA Disposal Rule (16 CFR § 682.3) | Illinois exceeds | 815 ILCS 530 PIPA imposes specific disposal-method duty and 815 ILCS 530/45 PII Act covers SSN protection. |
| DFARS 252.204-7012 / FAR 52.204-21 / CMMC 2.0 (32 CFR Part 170) | equals | Federal regime controls for federal contractors; CMMC 2.0 effective December 16, 2024 applies through prime-contractor flow-down. |
| RCRA Subtitle C (40 CFR Parts 260-279) | Illinois exceeds | EPRRA imposes landfill ban on covered electronics beyond federal RCRA floor. |

NIST SP 800-171 Revision 3 (May 2024 final) is the operative federal CUI sanitization baseline for federal-contractor environments, and CMMC 2.0 (32 CFR Part 170, effective December 16, 2024) is the operative DoD contractor framework that enforces the NIST 800-171 control set through assessment-based compliance levels. Federal contractors operating in Illinois must satisfy CMMC 2.0 in addition to Illinois state law.
815 ILCS 530/10 requires data collectors to give notice to affected Illinois residents in the most expedient time possible and without unreasonable delay. Public Act 101-343 (SB 1624, 2019) added a 45-day Attorney General notification when a breach affects more than 500 Illinois residents. Public Act 99-606 (2016) added biometric data to the personal-information definition, meaning a breach of biometric identifiers triggers PIPA notification duties in addition to BIPA private rights.
815 ILCS 530/40 requires a data collector that owns or licenses personal information of an Illinois resident to dispose of the materials containing personal information in a manner that renders the personal information unreadable, unusable, and undecipherable. The three-fold outcome (unreadable + unusable + undecipherable) is stricter than the dual-form outcome in most state statutes.
815 ILCS 530/45 requires a data collector that owns or licenses personal information of Illinois residents to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.
BIPA at 740 ILCS 14 is the most litigated state biometric-privacy statute in the United States. Private entities that collect biometric identifiers (fingerprint, retina or iris scan, voiceprint, hand or face geometry) or biometric information must (i) inform the subject in writing of the collection and purpose, (ii) obtain written release, (iii) develop a publicly available written retention schedule and destruction policy under which biometric identifiers and information are destroyed when the initial purpose for collection has been satisfied or within 3 years of the last interaction with the subject, whichever is earlier, and (iv) destroy biometric identifiers when the retention schedule is satisfied. Statutory damages run $1,000 per negligent violation or $5,000 per intentional or reckless violation, plus attorney fees. Cothron v. White Castle (Ill. 2023) clarified per-scan accrual; Public Act 103-769 (effective August 2, 2024) treats multiple violations as a single violation for damages purposes. Major BIPA settlements include Facebook $650M (2021), Google $100M (2022), Snapchat $35M (2022), and TikTok $92M (2021).
Illinois state agencies retire IT assets under Illinois Department of Innovation & Technology (DoIT) policy. The operative controls include the Illinois Cybersecurity Strategy, DoIT enterprise policies, Department of Central Management Services surplus rules, and Illinois State Archives Local Records Commission retention schedules. Public-sector retirement requires permanent removal of data before transfer or surplus, documented chain of custody, records-retention-schedule alignment for any records-bearing media, and surplus-property routing through the state’s authorized disposal channel. Private-sector enterprises that contract with the state, that operate in regulated public-sector-adjacent industries (higher education, K-12, state-funded healthcare), or that subcontract to state agencies inherit these duties through contract flow-down. See Illinois Department of Innovation & Technology (DoIT) policy guidance.
Illinois’s student-data privacy statute at 105 ILCS 85 regulates K-12 ed-tech operators that collect, store, or process covered student information. The statute imposes data-minimization, retention-limit, destruction-on-termination, and prohibition-on-secondary-use duties. School districts, charter schools, higher-education institutions in scope, and ed-tech service providers retiring devices that have held covered student records must verify data destruction under Illinois’s outcome standard and retain the destruction certificate.
815 ILCS 530/40 prescribes a three-fold outcome (unreadable, unusable, and undecipherable) and remains method-agnostic. The operative method baseline is NIST Special Publication 800-88 Revision 2 (operative September 26, 2025), which categorizes media sanitization as Clear, Purge, and Destroy. Illinois state agencies follow the Illinois Department of Innovation and Technology (DoIT) Enterprise Information Security Policy.
Illinois-handled biometric identifiers on fixed media demand a NIST 800-88 Rev. 2 Destroy outcome through physical shredding because BIPA’s private right of action treats any retrievable biometric data as a continuing $1,000-$5,000-per-record statutory damages source. Hard drive shredding reduces magnetic and solid-state media to particles small enough that data reconstruction is forensically impossible.
Certified data wiping aligned to NIST 800-88 Clear or Purge is appropriate where the asset is being remarketed or redeployed.
Media degaussing is the appropriate Purge method for legacy magnetic media. SSDs, NVMe, and modern flash media require cryptographic erase (Purge) or physical destruction (Destroy).
Certified media shredding covers non-drive media including optical disks, tape cartridges, USB drives, memory cards, smart cards, and any printed material containing personal information subject to 815 ILCS 530/40.
Illinois operates the Electronic Products Recycling and Reuse Act (EPRRA) at 415 ILCS 150 (P.A. 95-959, effective January 1, 2010; substantially overhauled by P.A. 100-433, effective 2019). EPRRA imposes manufacturer takeback for residential covered electronic devices (computers, monitors, printers, televisions, video game consoles, and related peripherals) and a statewide landfill ban on CEDs since January 1, 2012 (415 ILCS 150/95). Commercial generators route through certified recyclers and remain subject to RCRA-delegated hazardous-waste characterization under the Illinois Environmental Protection Agency (Illinois EPA) Bureau of Land.
Enterprise / commercial equipment covered by the Illinois e-waste program: PARTIAL. Illinois Consumer Electronics Recycling Act (415 ILCS 151, EPRRA) is manufacturer-funded for households with a landfill ban on covered electronics; enterprise bulk disposal routes through 35 Ill. Adm. Code 720-728 hazardous-waste rules. Illinois is an EPA-authorized state administering its own RCRA Subtitle C hazardous-waste program through 35 Ill. Adm. Code 720-728; the state program operates at the federal floor unless explicitly more stringent.
Hazardous-waste rules at 35 Ill. Adm. Code 720-733 incorporate federal 40 C.F.R. Parts 260-279, including universal-waste rules at 35 Ill. Adm. Code 733 (batteries, lamps, mercury-containing equipment, mercury thermostats, pesticides). CRT rules at 40 C.F.R. §§ 261.39-261.40 apply. Generator status follows the federal VSQG / SQG / LQG framework; cradle-to-grave generator liability applies. Civil penalties under 415 ILCS 5/42 run up to $50,000 per violation plus $10,000 per day of continuing violation. Enterprise IT asset retirement routes through certified electronics recycling with environmental disposition records and, where applicable, hazardous-waste manifests.
Server hardware and enterprise storage arrays contain operating-system data, application data, log files, configuration files with credentials, and database content. Certified server recycling covers the full asset including drive bays, controller cards, and embedded firmware storage. Every drive in the chassis must be sanitized to the Destroy category under NIST 800-88 Rev. 2 before custody transfer when protected health information, financial-account information, biometric records, or covered defense information was processed.
Certified laptop recycling and certified computer recycling route through the same chain-of-custody framework. Illinois commercial generators must not direct CEDs to landfill under the § 150/95 ban.
Certified cell phone recycling includes verified erase of internal flash, handling of embedded SIM and eSIM material, and destruction of biometric sensor data (face geometry, fingerprint) under the BIPA destruction duty.
Secure equipment destruction covers prototypes, defective products, and regulated equipment. Product recall management, defective product destruction, and classified equipment destruction cover specialized scenarios.
Illinois enforcement is the most active and consequential of any state biometric privacy regime. BIPA class actions have produced settlements including Facebook $650M (2021), Google $100M (2022), Snapchat $35M (2022), TikTok $92M (2021), and many smaller class settlements. The Illinois Attorney General enforces PIPA via Consumer Fraud Act carryover up to $50,000 per violation. Illinois EPA enforces EPRRA and hazardous-waste violations under 415 ILCS 5/42 (up to $50,000 + $10,000/day continuing). The audit-reconstruction-of-events standard is operative.

| Statute / Authority | Civil Penalty Band | Private Right of Action | Enforcer |
|---|---|---|---|
| 815 ILCS 530/10 (PIPA breach notice) | Enforceable via CFA up to $50,000 per violation | NO (AG-only) | Illinois AG |
| 815 ILCS 530/40 (records disposal) | Enforceable via CFA | NO (AG-only) | Illinois AG |
| 740 ILCS 14 (BIPA) | $1,000 (negligent) or $5,000 (intentional/reckless) per violation + attorney fees | YES (740 ILCS 14/20 – Illinois BIPA private right of action with $1,000 per negligent violation, $5,000 per intentional/reckless violation, plus attorney’s fees) | Private right of action |
| 415 ILCS 150 (EPRRA + landfill ban) | Civil penalties via Illinois EPA | NO (Illinois EPA enforcement) | Illinois EPA |
| 415 ILCS 5/42 (hazardous waste) | Up to $50,000 per violation + $10,000 per day continuing | NO (Illinois EPA enforcement) | Illinois EPA |
| HIPAA (federal overlay) | Up to $2,067,813 per identical violation per year (2025 adjusted) | LIMITED (HIPAA private actions) | HHS OCR |

In addition to the Illinois Attorney General and the Illinois environmental agency, state-level sectoral regulators hold audit and inquiry authority over IT-asset-disposition-relevant controls within their regulated populations. The Illinois Department of Financial and Professional Regulation Division of Banking examines banks and credit unions for GLBA-aligned information-security-program controls. The Illinois Department of Insurance examines insurance licensees for the written information security program required by the NAIC Insurance Data Security Act or state-equivalent. The Illinois Department of Public Health examines healthcare entities for HIPAA Security Rule compliance. The Illinois Board of Higher Education oversees FERPA-overlapping records and student-data-privacy duties at state institutions of higher education. The Illinois Commerce Commission examines investor-owned utilities for customer-data-protection controls. Each sectoral regulator can issue document requests, on-site examinations, or consent orders that probe the chain-of-custody, sanitization-certificate, and environmental-disposition records produced during IT asset retirement.
Illinois biometric-litigation discovery and Attorney General enforcement under PIPA both depend on the documentary record an enterprise can produce, and a Retired Electronic Asset without serialized destruction evidence creates BIPA exposure of $1,000-$5,000 per record (Facebook $650M, TikTok $92M, Snapchat $35M precedent).
All Green Recycling operates certified IT asset disposition structured around Illinois’s statutory duty surface. Asset pickup is scheduled with a documented chain of custody, secured transport through IT equipment packaging and transportation, certified data destruction at the receiving facility, environmental disposition through EPRRA-compliant channels, and audit-ready reporting. Asset remarketing recovers residual value while preserving chain of custody.
All Green Recycling’s secure data destruction service line is structured to satisfy the 815 ILCS 530/40 three-fold “unreadable, unusable, and undecipherable” outcome standard, align to NIST SP 800-88 Rev. 2, and produce attestation documentation appropriate for BIPA retention-schedule fulfillment.
Certified electronics recycling diverts retired electronic assets from landfill (mandated by 415 ILCS 150/95) through Illinois EPA-authorized channels. R2v3, NAID AAA, and e-Stewards frameworks are used as reference frameworks for downstream-handler accountability.
Secure equipment destruction covers product-recall management, defective-product destruction, and classified-equipment destruction.
Reverse logistics covers multi-site enterprise pickups, manufacturer return programs, and customer-driven returns.
Every engagement produces a uniform documentation package delivered through IT asset reporting: serialized asset list, chain-of-custody log, Certificate of Data Destruction (with BIPA biometric-destruction attestation where applicable), Certificate of Recycling, environmental disposition record, hazardous-waste manifest where applicable, and HIPAA / GLBA / FTC Safeguards documentation entries where the federal overlay applies.
The questions below are the questions enterprise compliance, security, audit, and procurement leaders ask during vendor evaluations, RFP reviews, and breach-response planning when a Retired Electronic Asset is moving through IT Asset Disposition in Illinois.
Notice in the most expedient time possible and without unreasonable delay to affected Illinois residents under 815 ILCS 530/10. Public Act 101-343 (SB 1624, 2019) added a 45-day Illinois Attorney General notice when a breach affects more than 500 Illinois residents.
BIPA at 740 ILCS 14 imposes informed-consent, retention-schedule, and destruction-upon-purpose-completion duties on biometric identifiers, with a private right of action and per-violation statutory damages ($1,000 negligent / $5,000 intentional or reckless). Biometric-bearing media that arrive at retirement without BIPA destruction-policy documentation create direct litigation exposure. Hard drive shredding with attestation is the audit-defensible posture for biometric-bearing media.
Yes. Public Act 99-606 (2016) added biometric data to the 815 ILCS 530/5 personal-information definition, so a breach of biometric identifiers triggers PIPA notification duties in addition to BIPA private rights.
No. 815 ILCS 530/40 requires the three-fold outcome (unreadable, unusable, and undecipherable) but remains method-agnostic. The audit-defensible posture is NIST SP 800-88 Rev. 2 alignment through certified data destruction.
Yes. 415 ILCS 150/95 imposes a statewide landfill ban on covered electronic devices since January 1, 2012. Manufacturer takeback under EPRRA covers residential CEDs. Commercial generators route through certified electronics recycling with environmental disposition records.
Yes. 35 Ill. Adm. Code 720-733 implements federal RCRA with cradle-to-grave generator liability. Universal-waste streams are governed by 35 Ill. Adm. Code 733. Civil penalties under 415 ILCS 5/42 run up to $50,000 per violation plus $10,000 per day of continuing violation.
NIST Special Publication 800-88 Revision 2 (operative September 26, 2025) is the federal civilian baseline. Illinois state agencies follow the Illinois Department of Innovation and Technology (DoIT) Enterprise Information Security Policy, which references NIST 800-88.
PIPA violations are enforceable through the Consumer Fraud Act up to $50,000 per violation. BIPA private actions carry $1,000 per negligent or $5,000 per intentional or reckless violation. Public Act 103-769 (effective Aug 2, 2024) treats multiple BIPA violations as a single violation for damages purposes, materially recalibrating Cothron-style accrual.
All Green Recycling holds ISO 14001:2015 and ISO 45001:2018 certifications and operates with alignment to R2v3, NAID AAA, and e-Stewards as reference frameworks for downstream-handler accountability and certified data destruction. NIST SP 800-88 Rev. 2, HIPAA, GLBA, FTC Safeguards, FAR 52.204-21, and DFARS 252.204-7012 are operative baselines that certified IT asset disposition engagements are structured to satisfy.
Every engagement produces a documentation packet delivered through IT asset reporting: serialized asset list, chain-of-custody log, Certificate of Data Destruction per device (with BIPA biometric attestation where applicable), Certificate of Recycling, environmental disposition record, hazardous-waste manifest where applicable, and the contracted-service safeguard terms.
A regulated enterprise must satisfy the stricter of (1) Illinois statutes including 815 ILCS 530 (PIPA), 740 ILCS 14 (BIPA), and 415 ILCS 150 (EPRRA), (2) federal sector rules such as the HIPAA Security Rule and the FTC Safeguards Rule, and (3) customer or prime-contract clauses. BIPA exposure is not preempted by federal sector rules.
Yes. 815 ILCS 530/10 (PIPA) covers unauthorized acquisition of personal information, which extends to physical loss of unencrypted media.
Yes. PIPA excludes encrypted data; NIST SP 800-88 Revision 2 verified sanitization removes personal information from the breach trigger.
Illinois IT asset retirement is a layered risk-management discipline, not a recycling transaction. Compliant retirement is the ability to prove, under scrutiny, that data was rendered unreadable, unusable, and undecipherable before custody transfer, that biometric identifiers were destroyed under BIPA retention-schedule documentation, that breach notice surfaced in the most expedient time possible (with 45-day AG notice when 500+ residents were affected), that downstream processing routed through EPRRA-aligned channels and not to landfill, and that hazardous fractions were handled under the universal-waste rules. CFA per-violation civil penalties (up to $50,000), BIPA statutory damages with private right of action, Illinois EPA daily penalties, HIPAA federal overlay, FTC Safeguards Rule, and audit-driven counterparty review converge on the same set of records.
Illinois compliance is best treated as a continuous control posture rather than a periodic disposal event. All Green Recycling, LLC operationalizes that posture through IT asset disposition, secure data destruction, certified electronics recycling, secure equipment destruction, reverse logistics, and audit-ready reporting. Compliance, security, and procurement teams that need an Illinois-specific audit walkthrough or an RFP-ready compliance package reach the All Green Recycling response desk at (800) 780-0347.