April 13, 2024

Illinois Genetic Privacy Law Requires Careful Data Collection

The next frontier of privacy litigation may be the Illinois Genetic Information Privacy Act, which has been hit by a wave of class action lawsuits since 2023.

Companies that hire employees to perform manual labor or work in a potentially hazardous environment may be more susceptible to GIPA claims because they may, directly or indirectly, through third-party medical service providers, request information that plaintiffs claim constitutes genetic data – e.g. example, requiring questionnaires and physical or health interviews.

However, as GIPA litigation continues to gain momentum, Illinois employers must take proactive steps to ensure compliance with the law.

GIPA regulates how employers can use people’s genetic data, including genetic information and testing. In general terms, the law prohibits employers and their agents from making employment conditional on genetic data or from using genetic data in a discriminatory manner.

Covers the same types of genetic data as the Health Insurance Portability and Accountability Act:

  • An individual’s genetic tests
  • Genetic testing of family members
  • Manifestations of disease or disorders in an individual or their family
  • Any use of genetic services that interpret genetic testing, or participation in clinical research, by the individual or his or her family Information about a fetus carried by an individual or family member, or about any embryo lawfully held by the individual or family member using reproductive technology assisted
  • Any analysis of human DNA, RNA, chromosomes, proteins, or metabolites that can detect genotypes, mutations, or chromosomal changes

Among other things, GIPA prohibits employers from:

  • Making employment conditional on obtaining genetic data from a person or their family member
  • Change terms, conditions or privileges of employment or terminate employment due to an employee’s or a family member’s genetic data
  • Retaliate against anyone for alleging a violation of GIPA
  • Using genetic data for workplace wellness programs without the employee’s written authorization or penalizing employees who do not participate in such programs

The GIPA contains a private right of action that allows an injured plaintiff to recover for each violation: liquidated damages of $2,500 or actual damages (whichever is greater) for negligent violations, liquidated damages of $15,000 or actual damages (whichever is greater) greater) for intentional damages and/or reckless violations and reasonable attorneys’ fees and costs. Injunctive relief is also available.

There is no express limitation period in the GIPA, but a five-year limitation period may apply.

GIPA’s requirements and enforcement mechanisms resemble the Illinois Biometric Information Privacy Act, which regulates biometric data. Both laws include equally stringent consent requirements and prohibitions on the collection, use, disclosure, and retention of their respective regulated data.

BIPA also includes a private right of action, and more than 3,000 class actions have been filed under the measure, resulting in large settlements and at least one major trial.

Until now, courts have interpreted GIPA similarly to BIPA. For example, the GIPA recovery right was found to be “substantially identical” to the BIPA, and the court noted that both statutes arose during the same legislative session, suggesting a legislative intent that similar frameworks apply to both.

Plaintiffs are also citing previous BIPA decisions to assert that they are not required to allege or prove actual damages to assert a GIPA claim. Last year’s plaintiff-friendly BIPA rulings—applying a five-year statute of limitations and holding that a separate BIPA claim accrues each time an entity scans or transmits an individual’s biometric data—may soon also be applied to GIPA. This would effectively increase the number of potential violations – and therefore potential damage awards (and settlements).

The growing rise in GIPA class action lawsuits may foreshadow a trend like BIPA. Only a few GIPA cases were filed before 2023, and they typically focused on items like home DNA testing kits. Since 2023, plaintiffs’ attention has turned to pre-employment medical exams and basic family medical history consultations.

GIPA’s liquidated damages provisions are two to three times larger than BIPA’s, so plaintiffs’ class action filings will likely only increase. Although there are currently several pending motions to dismiss GIPA cases (which raise a myriad of defenses), no rulings have yet been issued, and there is minimal case law to date ruling on the viability of such defenses.

To mitigate GIPA liability, employers should consider these steps:

  • Carefully evaluate what information they collect or use (either directly or through a third-party provider) from employees and whether such information could constitute genetic data. Consider whether the usefulness of this information outweighs the administrative burden and enforcement risk
  • Work with attorneys to review and update practices, policies and procedures to ensure full compliance with GIPA, including obtaining consent
  • Consider any additional measures to further protect against potential company liabilities (e.g., liability waivers, review of contracts with third-party medical providers, indemnity provisions, and insurance coverage)
  • Review other genetic privacy laws (state and federal) and ensure compliance, even if those laws do not currently include private rights of shares
  • Stay informed about evolving case law and seek legal advice as needed to ensure continued compliance with the changing legal landscape.

This article does not necessarily reflect the opinion of Bloomberg Industry Group, Inc., publisher of Bloomberg Law and Bloomberg Tax, or their owners.

Information about the author

Michael Bleicher is an attorney at Perkins Coie in Washington, D.C.

Calvin Cohen and Sara Davey are attorneys at Perkins Coie in Chicago.

Arthur Rooney, Debra Bernard and Mylan Traylor contributed to this article.

Write to us: Guidelines for Authors

Leave a Reply

Your email address will not be published. Required fields are marked *