The Next Wave of Privacy Litigation: The Illinois Genetic Information Privacy Act
What Is GIPA?
Enacted in 1998, Illinois' Genetic Information Privacy Act (GIPA)[1] governs the confidentiality and use of genetic testing and genetic information by employers and insurers.[2]
The statute was designed to prevent employers and insurers from using genetic testing and information as a means of discrimination.[3] To that end, GIPA prohibits employers and their agents from directly or indirectly soliciting, requesting, requiring, or purchasing genetic testing and genetic information from a person as a condition of employment or from using such information in a discriminatory manner against an employee or applicant. The statute similarly prohibits insurers from seeking information derived from genetic testing for use in connection with a "policy of accident and health insurance."[4]
GIPA adopts the definition of "genetic information" from the Health Insurance Portability and Accountability Act (HIPAA) to cover:
- An individual's genetic tests.
- Genetic tests of the individual's family members.
- The manifestation of a disease or disorder in the individual's family members.
- Any request for, or receipt of, genetic services or participation in clinical research by the individual or the individual's family members.
- Information about a fetus carried by the individual or a family member who is a pregnant woman, and about any embryo legally held by the individual or family member utilizing assisted reproductive technology.[5]
GIPA's definition of genetic information does not include information about the sex or age of any individual.
The statute also covers genetic testing, for which it adopts the definition from HIPAA to mean any analysis of human DNA, RNA, chromosomes, proteins, or metabolites if the analysis detects genotypes, mutations, or chromosomal changes.[6] Generally, genetic testing and information derived from genetic testing is confidential and privileged; it may be released only to the individual tested and to other persons specifically authorized, in writing, by that individual to receive the information.[7]
While GIPA contains many prohibitions,[8] these four are most likely to be relevant to employers:
- First, employers may not, as a condition of employment, solicit, request, require, or purchase genetic testing or genetic information of a person or a family member of the person or administer a genetic test to a person or a family member of the person.
- Second, employers are prohibited from affecting the terms, conditions, or privileges of employment or terminating the employment of any person due to an employee's or an employee's family member's genetic testing or genetic information.
- Third, employers may not retaliate against any person for alleging a GIPA violation or participating in any manner in a GIPA proceeding.
- Fourth, employers cannot use genetic information or genetic testing for workplace wellness programs benefiting employees unless the employee provides written authorization in accordance with GIPA. They also cannot penalize employees who choose not to participate in such programs.
Enforcement
GIPA contains a private right of action, which provides that any individual who is "aggrieved" by a violation of the statute may sue. For each violation, an aggrieved plaintiff may recover against the offending party: (1) liquidated damages of $2,500 or actual damages (whichever is greater) for negligent violations; (2) liquidated damages of $15,000 or actual damages (whichever is greater) for intentional and/or reckless violations; (3) reasonable attorneys' fees and costs (including litigation expenses); and (4) any other relief, including an injunction, that the court deems appropriate.[9] There is no express statute of limitations in GIPA, but as is discussed below, a five-year statute of limitations likely applies under Illinois law.
GIPA and BIPA
In both its requirements and enforcement mechanisms, GIPA resembles another well-known Illinois privacy statute, the Biometric Information Privacy Act (BIPA).[10] BIPA governs biometric identifiers and biometric information (biometric data), and both laws include similarly strict prohibitions on the collection, use, disclosure, and retention of their respective regulated data. BIPA also includes a private right of action, and well over 3,000 class actions have been filed under BIPA, resulting in large settlements and at least one large judgment.[11]
The number of GIPA class action lawsuits is increasing. Whereas only a handful of GIPA cases were filed before 2023, there has been a substantial wave of new class actions alleging GIPA claims in 2023 and beginning in 2024. This trend is likely to continue given the similar statutory prohibitions in both GIPA and BIPA, as well as the large settlements that have resulted from BIPA suits. Notably, GIPA's liquidated damages provisions are two times (for negligent violations) to three times (for intentional/reckless violations) higher than those in BIPA.
Courts are already interpreting GIPA similarly to BIPA.[12] Indeed, the Illinois Appellate Court found that GIPA "provides for a substantially identical, 'any person aggrieved' right of recovery" standard as in BIPA.[13] The Sekura court noted that GIPA was considered and amended during the same legislative session when BIPA was passed, suggesting that the legislature intended a similar framework to apply to both statutes. Id. And plaintiffs are relying on prior Illinois Supreme Court BIPA decisions to assert that they are not required to allege or prove actual damages to state a claim under GIPA.[14]
Two recent plaintiff-friendly BIPA decisions from the Illinois Supreme Court may provide further support for GIPA claims. First, in Tims v. Black Horse Carriers, the court held that Illinois' five-year catchall limitations period for personal actions governs BIPA claims, not the one-year limitations period applicable to "actions for slander, libel or for publication matter violating the right of privacy."[15] Second, in Cothron v. White Castle Systems, the Illinois Supreme Court held that a separate BIPA claim accrues each time an entity scans or transmits an individual's biometric data; significantly, however, the Illinois Supreme Court also held that BIPA damages are discretionary.[16] Both decisions effectively increased the number of potential BIPA violations—and therefore potential damages awards (and settlements). The rationale and effects of these cases may also be applied in the context of GIPA claims.
The Types of GIPA Class Actions Being Filed
Before 2023, GIPA cases typically focused on what is commonly considered to be genetic information (e.g., at-home DNA test kits).[17] In the cases filed since early 2023, plaintiffs focused on pre-employment physicals and inquiries about basic family medical history, not consumer testing kits. These plaintiffs allege that physicals and inquiries generate "genetic information" under GIPA and that companies (namely, employers) are prohibited from soliciting, requesting, requiring, or purchasing "genetic information" as a condition of employment. Moreover, these plaintiffs claim that family medical history includes the "manifestation or possible manifestation of a disease or disorder in a family member of an individual" and thus falls within GIPA's scope.[18]
How Companies Can Protect Themselves
This trend will be concerning for Illinois businesses that require a physical, the disclosure of family medical history—such as a history of certain diseases or conditions—or both as a condition of employment. Often, companies may request this information when hiring for a position that involves manual labor or a potentially hazardous working environment. Companies may also indirectly require family medical history information from applicants and/or employees through third-party medical providers, which plaintiffs may also argue falls within GIPA's scope.
Plaintiffs' arguments as to what constitutes a GIPA violation are also concerning to the extent they foreshadow attempts to broaden GIPA's scope to any inquiry about family medical history or any submission of health information. If BIPA's history is an indication, plaintiffs may begin to apply GIPA as broadly as possible to characterize a sweeping range of information—not just genetic testing and genetic information, but even generic family history—as being covered by the statute. And while there are likely many defenses companies can raise—based on GIPA's statutory text and requirements, a company's own compliance, and a case's specific facts—there is minimal caselaw to date interpreting GIPA and the viability of such defenses.[19]
To mitigate GIPA liability, companies may wish to consider taking the following steps:
- Carefully evaluate what information they collect (whether directly or through a third-party vendor) as part of the hiring process (e.g., pre-employment physical examinations) or use in any manner that affects the employment relationship (e.g., to determine job assignments or fitness for duty evaluations) and strongly consider whether requests for medical information or family medical history are absolutely necessary.
- Businesses that do not wish to collect genetic data should consider utilizing disclaimers that specifically inform prospective or current employees not to provide any genetic data when responding to requests for medical information. Businesses that do not directly collect such information but utilize third-party medical providers to perform employee screenings should ask such providers to modify their procedures to avoid asking for genetic data and should consider updating the indemnification obligations in their contracts with such providers.
- Businesses that wish to continue to collect genetic data should work closely with counsel to review and update their practices, policies, and procedures, as well as general data collection policies, to ensure that they are fully compliant with GIPA and all other privacy laws, including by obtaining appropriate consent.
- Businesses should closely evaluate the continued collection, use, or disclosure of any data that could even potentially be considered "genetic information" under GIPA. For some companies, the administrative burden and risk of compliance with GIPA may outweigh any benefits.
- Illinois is not the only state that regulates genetic data. For example, Nevada also provides a private right of action for violations of its genetic information privacy law, as does the federal Genetic Information Nondiscrimination Act (GINA).[20] Several other states also have similar genetic information privacy laws but no private right of action. Businesses should also review these other laws, to the extent they apply to their operations, in order to ensure that they are compliant with all laws regulating genetic data.
- Businesses should carefully review their current insurance policies and determine whether inadvertent violations of GIPA and privacy laws are covered and, if not, consider purchasing additional insurance coverage.
[2] GIPA is largely based on the federal Genetic Information Nondiscrimination Act, 110 P.L. 233; 42 U.S.C. § 2000ff (GINA), and incorporates several terms and concepts from the Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA).
[3] See, e.g., 410 ILCS 513/5(3) ("The public health will be served by facilitating voluntary and confidential nondiscriminatory use of genetic testing information."); id. 513/20 (restricting insurers from seeking genetic testing for underwriting purposes); id. 513/25 (restricting employers from requesting genetic testing or genetic testing information from employees and applicants or their family members).
[6] 410 ILCS 513/10. "Genetic testing" does not include an analysis of proteins or metabolites that is directly related to a manifested disease, disorder, or pathological condition.
[8] See generally 410 ILCS 513/25.
[11] The judgment in Rogers v. BNSF Railway Co., No. 1:19-cv-03083 (N.D. Ill.), was later vacated, and a new trial was ordered, limited to the issue of the damages award; the parties recently agreed to a $75 million settlement for a class size of 46,500. Prior to this judgment and settlement, settlements for similar class sizes were generally under $10 million.
[12] See Bridges v. Blackstone Grp., Inc., No. 21-CV-1091-DWD, 2022 WL 2643968, at *3 (S.D. Ill. July 8, 2022), aff'd sub nom. Bridges v. Blackstone, Inc., 66 F.4th 687 (7th Cir. 2023) ("Here, the Court finds it appropriate to apply the definition of 'aggrieved person' used by the Rosenbach court to GIPA").
[13] Sekura v. Krishna Schaumburg Tan, Inc., 2018 IL App (1st) 180175 (cleaned up).
[14] E.g., Rosenbach v. Six Flags Enter. Corp., 2019 IL 123186.
[15] Tims v. Black Horse Carriers, Inc., 2023 IL 127801.
[16] Cothron v. White Castle Sys., Inc., 2023 IL 128004.
[17] See, e.g., Melvin v. Sequencing, LLC, 344 F.R.D. 231 (N.D. Ill. 2023) (plaintiff alleged GIPA violations because defendant offered consumers DNA analysis reports but sold consumers' information to third parties); Bridges, 66 F.4th 687 (plaintiffs alleged GIPA violations because their genetic information—at-home DNA test kits purchased from Ancestry.com—was disclosed to defendant after it acquired Ancestry.com); see also In re Ambry Genetics Data Breach Litig., 567 F. Supp. 3d 1130, 1151 (C.D. Cal. 2021) (alleging violations of GIPA by a genetic testing company); Tracy v. Elekta, Inc. et al, Case No. 1:21-cv-02851, 2022 WL 1489343 (N.D. Georgia) (alleging violations of GIPA as a result of a data breach).
[18] See, e.g., Page v. Ford Motor Co., No. 2023-CH-00878 (Cook Cnty, Jan. 27, 2023); Bailey v. Tyson Foods, Inc., No. 1:23-CV-01537 (N.D. Ill. Mar. 13, 2023).
[19] A number of GIPA cases involving employees have fully briefed motions to dismiss. Accordingly, courts may begin issuing rulings interpreting GIPA in the employment context in the near future.
[20] 42 U.S.C. § 2000ff; NRS 629.101 & 629.201.
© 2024 Perkins Coie LLP