Illinois Eavesdropping Statute A Huge Data Privacy Risk

The Illinois Eavesdropping Statute, codified at 720 ILCS 5/14-1 et seq., is one of the strictest wiretapping and electronic interception laws in the United States. Originally enacted in 1961 and substantially reformed in 2014 following a landmark Illinois Supreme Court ruling, the statute prohibits the unauthorized recording or interception of private conversations — and unlike many states, Illinois requires the consent of all parties to a conversation before it can be recorded.

For decades, the law was understood primarily in the context of law enforcement and traditional wiretapping. That understanding is now dangerously outdated. As digital business operations have expanded to include call recording, chatbot interactions, session replay technology, AI-powered voice agents, and real-time data analytics, the Illinois Eavesdropping Statute has become a serious — and rapidly growing — civil litigation tool. Privacy plaintiffs’ firms are filing cases under it the same way they have weaponized the Illinois Biometric Information Privacy Act (BIPA): at scale, against major employers and consumer-facing companies, often seeking significant statutory damages.

If your company records phone calls, deploys chatbots, operates session replay scripts on Illinois users, or uses AI voice technology, the Illinois Eavesdropping Statute is now part of your data privacy risk profile.

The Statute: Core Provisions

720 ILCS 5/14-2 makes it a criminal offense to use an eavesdropping device to hear, transmit, or record private conversations without the consent of all parties. The statute applies to:

• Oral communications — spoken words intended to be private
• Electronic communications — transmissions over wire, radio, or electromagnetic systems where the speaker has a reasonable expectation of privacy
• Interception in real time — capturing a communication contemporaneously, not simply accessing a stored recording after the fact

The statute provides both criminal penalties and a private right of action under 720 ILCS 5/14-6, allowing aggrieved individuals to sue for actual damages or $10,000 per violation — whichever is greater — plus attorneys’ fees and costs. That statutory floor, similar in structure to BIPA, is what makes the law attractive to plaintiffs’ attorneys pursuing class action litigation.

The all-party consent requirement is the provision that most frequently catches businesses off guard. Many companies are familiar with one-party consent frameworks — the federal Wiretap Act (18 U.S.C. § 2511) and the laws of roughly 38 states permit recording if one party to the conversation consents, which typically means a company can record its own calls unilaterally. Illinois does not permit this.

Under the Illinois Eavesdropping Statute, before a call, chat, or voice interaction with an Illinois resident is recorded or intercepted, affirmative, knowing consent from all parties is required. A standard terms of service provision buried in a website footer does not satisfy that standard. A one-time, ambiguous verbal notice at the start of a call — without clear acknowledgment from the caller — is legally questionable. A continuous recording of a chat session that includes a real-time AI summarization feed almost certainly requires fresh consent analysis.

People v. Melongo: The Constitutional Reset

The statute’s modern form is largely a product of People v. Melongo, 2014 IL 114852, in which the Illinois Supreme Court struck down the prior version of the eavesdropping law as unconstitutionally overbroad. The original statute criminalized the recording of any conversation without all-party consent, including conversations with no reasonable expectation of privacy — such as encounters with on-duty police officers during the performance of their official duties. The court held this was an unconstitutional restriction on protected speech.

In response, the Illinois General Assembly amended the statute in 2014 to focus on conversations in which the parties have a reasonable expectation of privacy. This limitation brought the statute back into constitutional bounds — but it also created a new analytical question for businesses: does a particular recorded communication involve a reasonable expectation of privacy on the part of the customer, patient, or caller?

In most commercial contexts — healthcare calls, financial services calls, customer service interactions, HR conversations, telehealth consultations, and legal consultations — courts have found that callers retain a reasonable expectation of privacy even though they are communicating with a business. The commercial setting does not automatically strip the privacy interest. This is a critical point that companies relying on the “no privacy expectation in a business call” argument frequently get wrong.

Modern Data Privacy Applications: Where the Statute Is Now Being Applied

Call Recording and Contact Center Operations

The most straightforward application of the statute is call recording in contact centers, customer service operations, and sales environments. Any company that records inbound or outbound calls involving Illinois residents must obtain all-party consent before recording begins. “This call may be recorded for quality assurance purposes” is a common disclosure, but the legal adequacy of that statement — particularly whether the caller’s continuation of the call constitutes informed consent — has been challenged in litigation.

Plaintiffs’ firms have filed suits against financial institutions, telecommunications providers, and healthcare companies alleging that call recording disclosures were inadequate, confusing, or only presented after the recording had already begun. Cases have also been filed alleging that companies routed calls through third-party AI transcription services without disclosing the involvement of those third parties to callers — a particularly problematic scenario when the transcription vendor is processing the call in real time.

Session Replay and Website Tracking Technology

This is the fastest-growing area of Illinois Eavesdropping Statute litigation, and it is generating cases at a pace that rivals early BIPA wiretapping litigation.

Session replay technology — tools like Fullstory, QuantumMetric, Microsoft Clarity, and others — captures a user’s interactions with a website in real time, including mouse movements, keystrokes, form entries, and page navigation. Plaintiffs have argued, with increasing success in some jurisdictions, that session replay scripts “intercept” electronic communications contemporaneously as they occur, and that this interception without all-party consent violates state wiretapping statutes including the Illinois Eavesdropping Statute.

The critical legal theory — first developed in cases against healthcare and retail companies — is that when a user types into a web form or engages with a chat widget, that input constitutes an “electronic communication” being intercepted in real time by a third-party session replay vendor. Because the vendor is operating as a separate entity receiving the communication simultaneously, plaintiffs argue this is a classic wiretapping scenario, not mere data collection.

Illinois federal courts have considered these arguments in multiple cases. While the law in this area is still developing, companies deploying session replay tools on Illinois-accessible websites should assume that the Illinois Eavesdropping Statute is in scope and that their current cookie consent infrastructure — which typically addresses CCPA and GDPR, not wiretapping — is likely insufficient standing alone.

AI-Powered Voice Agents and Virtual Assistants

Companies deploying AI voice agents to handle customer calls — increasingly common in retail, financial services, utilities, and healthcare — face a compounded compliance challenge. These systems typically involve real-time speech-to-text transcription, cloud-based processing, and in many cases storage and analysis of call audio by third-party AI vendors. Each stage of that pipeline raises independent consent and interception questions under the Illinois Eavesdropping Statute.

If a consumer calls a number expecting to speak with a human and is instead connected to an AI agent that records and transcribes the call for downstream analysis — without clear, upfront disclosure that the interaction is with an AI and is being recorded — the company faces meaningful exposure. The AI-agent context also creates ambiguity about who “all parties” are: does the AI vendor count as a party to the communication? Is real-time transcription an “interception” even if no human is listening? These questions are not yet fully resolved in Illinois courts, which means they are actively being argued in pending litigation.

Chatbots and Live Chat Interception

Text-based chat interfaces present a parallel issue. When a consumer types into a live chat widget on a company website, that input — if captured by a third-party chat vendor in real time — may qualify as an intercepted electronic communication. Several plaintiffs’ firms have filed suits under state wiretapping statutes alleging exactly this theory against retailers and SaaS companies whose chat interfaces route user messages through third-party platforms before any company employee sees them.

The interception theory turns on timing: if a third party captures the communication contemporaneously with its transmission — before it reaches its intended destination — that is structurally an interception. If the data is only accessed after it has been delivered to the intended recipient, the wiretapping statute typically does not apply. Many live chat systems, particularly those that use third-party AI classification or routing engines, fall on the wrong side of this line.

Workplace Monitoring and Employee Communications

Employer monitoring of employee communications is another active area. The Illinois Eavesdropping Statute applies to private conversations, and while employees generally have reduced privacy expectations in their workplace communications on company systems, the analysis becomes more complicated when:

• Monitoring tools capture personal communications on company devices
• AI ambient monitoring tools record open-office or remote-work audio environments continuously
• Video conferencing platforms record calls that include both business and personal conversation
• Call recording systems capture after-hours calls on company mobile lines

The intersection of the Illinois Eavesdropping Statute with AI-driven employee monitoring tools — including productivity monitoring, AI meeting transcription (Otter.ai, Fireflies, Zoom AI Companion, and similar), and ambient audio capture for safety or quality purposes — is an emerging litigation zone that Illinois employment lawyers and privacy counsel are watching closely.

Recent IL Eavesdropping Cases and Enforcement Trends in Illinois Privacy

While the Illinois Eavesdropping Statute does not generate the volume of public enforcement actions that BIPA does — largely because it has both criminal and civil provisions and plaintiffs’ firms have focused on the civil private right of action — a pattern of civil litigation has been building since approximately 2019, with acceleration in 2022 through 2024.

In the session replay context, several class actions filed in Illinois federal courts have survived early dismissal motions, with courts rejecting defendants’ arguments that session replay interception is not a “communication” under the statute or that website users have no reasonable expectation of privacy in their keystrokes and form entries. Courts have been generally receptive to the proposition that data entered into a private form field — such as a patient intake form, a checkout form with payment details, or a health symptom checker — carries a reasonable privacy expectation.

Retailers operating healthcare-adjacent websites — pharmacies, telehealth portals, insurance company self-service portals — have been particularly targeted because plaintiffs can argue that the nature of the information being entered (health status, medications, symptoms) supports a strong reasonable expectation of privacy, which in turn strengthens the argument that interception of that input violates the statute.

In the call recording space, financial services companies have been targeted for alleged failures to disclose AI transcription vendor involvement, particularly where those disclosures were either absent from the initial call flow or buried in a post-call written summary. Companies using third-party AI sales coaching tools — which record and analyze sales calls in real time — have also received litigation attention, particularly where those tools were deployed on calls with Illinois consumers without adequate disclosure.

The Relationship Between the Illinois Eavesdropping Statute and BIPA

Understanding the Illinois Eavesdropping Statute requires understanding its relationship to BIPA. The two statutes are distinct but increasingly overlapping in practice.

BIPA (740 ILCS 14/1 et seq.) governs the collection, use, and storage of biometric identifiers and information — including voiceprints, fingerprints, facial geometry, and retina scans. The Illinois Eavesdropping Statute governs the interception of private communications. Where an AI voice agent records a call, transcribes it, and derives a voiceprint from the audio for authentication or quality analysis purposes, both statutes may be triggered simultaneously — the eavesdropping statute for the interception and the recording, and BIPA for the collection of biometric data from the voice recording without the required written consent and public policy disclosure.

Plaintiffs’ firms that are sophisticated in BIPA litigation — including firms like Siri & Glimstad, Carney Bates & Pulliam, and Wites Law Firm — are increasingly pairing BIPA and eavesdropping theories in the same complaints, creating compounded exposure for defendants. A single AI voice call can generate potential liability under both statutes, plus common law claims, plus potential HIPAA-adjacent theories if the call involves health information.

Companies that have already conducted BIPA compliance audits should not assume that exercise covers their eavesdropping statute exposure. The consent standards are different, the triggers are different, and the damages frameworks, while structurally similar, are legally independent.

What All-Party Consent Actually Requires in Practice

The practical challenge of all-party consent compliance under the Illinois Eavesdropping Statute is not just legal — it is operational. Many companies deploy call recording, session replay, and AI monitoring tools at scale across geographically diverse user bases, making state-by-state consent management genuinely complex. The following principles reflect the consensus view among Illinois privacy practitioners:

• Disclosure before recording begins. The consent notice must be presented before any recording or interception starts. A disclosure that plays after the call connects, but after the call has already begun recording, does not satisfy the statute. Call flow design matters.
• Affirmative acknowledgment is preferred over implied consent. While the statute does not explicitly require an affirmative “I agree” from every caller, the practical litigation risk of relying on implied consent from continued call participation is substantial. Where technically feasible, an affirmative keypress or verbal acknowledgment creates a stronger record.
• Third-party vendor identity should be disclosed. Where a third-party AI transcription or analytics vendor is receiving the communication in real time, the strongest consent frameworks identify that involvement — at minimum, disclosing that the call “may be processed by our third-party service providers.” Not disclosing vendor involvement is increasingly indefensible in litigation.
• Web session disclosures require specificity. A general “we use cookies and analytics” disclosure in a cookie banner does not constitute informed consent to session replay interception under a wiretapping statute. If session replay is deployed, a specific disclosure identifying real-time interaction recording — preferably in a prominent cookie consent tool — is advisable.
• Employee monitoring requires a written policy with acknowledgment. For workplace monitoring applications, a written acceptable use and monitoring policy, acknowledged by employees at onboarding and upon material updates, is the baseline. Ongoing AI-powered monitoring that materially changes the surveillance landscape after initial consent was obtained should trigger fresh disclosure and acknowledgment.

Exemptions and Defenses

The Illinois Eavesdropping Statute contains several exemptions worth understanding, though none of them broadly exempt ordinary commercial recording practices:

• Law enforcement exemption. Authorized law enforcement interception pursuant to court order is explicitly exempted. This does not apply to private parties.
• Public official/public duty exemption. As discussed in Melongo, recording of on-duty public officials performing public functions does not trigger the statute, because such conversations do not carry a reasonable expectation of privacy.
• Provider of communication service exemption. Providers of wire or electronic communication services may monitor their own networks for operational purposes without violating the statute. This exemption has been argued — with mixed success — by companies that characterize their session replay and analytics tools as part of their own “communication service.” Courts have generally been skeptical of this argument when it is deployed to cover the operations of separate, third-party analytics vendors.
• Emergency exemption. Certain emergency communications are exempt. This exemption is narrow and context-specific.

On the defense side, the most frequently litigated arguments in civil cases include: (1) the plaintiff had no reasonable expectation of privacy in the communication at issue; (2) the communication was not “intercepted” contemporaneously but was only accessed after transmission was complete; (3) the plaintiff consented through conduct or through terms of service; and (4) federal preemption under the Wiretap Act or the Electronic Communications Privacy Act bars the state law claim. None of these defenses has proven reliably successful across the board, though specific fact patterns can support viable dismissal arguments.

Compliance Priorities for Data Privacy Officers

For privacy officers and compliance counsel who are scoping their Illinois Eavesdropping Statute exposure, the following represents a practical starting audit framework:

1. Map your recording footprint. Identify every system, application, or vendor that captures voice, text, or user interaction data from Illinois residents in real time. This includes call recording platforms, IVR systems, AI voice agents, session replay tools, live chat platforms, AI meeting transcription services, and employee monitoring tools.
2. Assess each recording stream for all-party consent compliance. For each system identified, evaluate whether a legally adequate all-party consent mechanism exists and is functioning correctly in the call or session flow. Evaluate whether third-party vendor involvement is disclosed.
3. Review your session replay deployment. If session replay tools are deployed on websites accessible to Illinois residents — which for most consumer-facing companies means most of their web properties — evaluate whether any existing consent mechanism covers the specific practice of real-time interaction recording. Cookie banners addressing analytics cookies are generally insufficient.
4. Assess BIPA/eavesdropping overlap. For any AI-powered audio or voice application, determine whether the eavesdropping statute exposure and BIPA exposure have both been analyzed. Do not assume a BIPA-compliant consent framework also satisfies the eavesdropping statute’s all-party consent requirement — they have different triggers and different standards.
5. Evaluate call flow design with litigation risk in mind. Work with your telephony or contact center team to confirm that disclosure notices precede, rather than accompany or follow, the initiation of recording. Consider IVR-based affirmative acknowledgment mechanisms where technically feasible.
6. Update vendor contracts. Ensure that call recording, AI transcription, session replay, and workplace monitoring vendor contracts include appropriate representations about their interception and data handling practices, and that your indemnification provisions appropriately allocate risk for third-party wiretapping statute exposure.

Why This Matters More Than It Did Two Years Ago

The Illinois Eavesdropping Statute has existed for decades, but two developments have made it materially more dangerous for businesses in the last two years. The first is the proliferation of AI-powered recording and transcription tools that are now embedded in routine business operations at a scale that was not true even in 2021. Every AI meeting transcription tool, every AI customer service agent, every AI coaching tool deployed in a sales environment, and every session replay analytics platform is a potential statutory trigger.

The second development is the organized attention of the plaintiffs’ bar. Firms that built their practices on BIPA class actions are now actively looking at wiretapping statutes — in Illinois and in other all-party consent states like California, Pennsylvania, and Washington — as the next durable source of privacy class action volume. They are filing cases, testing theories, and building the litigation infrastructure to pursue these claims at scale.

The combination of AI tool proliferation and organized plaintiffs’ bar attention is the same dynamic that produced the BIPA litigation wave. Companies that respond early — conducting audits, remediating consent gaps, and updating vendor agreements before litigation arrives — are in a materially better position than those who wait for the first demand letter.

Captain Compliance works with businesses operating in Illinois and across the United States to assess eavesdropping statute exposure, design all-party consent frameworks, and build defensible data privacy programs across state and federal regulatory requirements. Contact our team to discuss your organization’s recording and interception compliance posture.