The Illinois’ Genetic Information Privacy Act (“GIPA”) has been Illinois law for over twenty years. Yet, only in the last year or two has there been an explosion of lawsuits being filed against companies in various industries, all alleging violations of the statute.

This activity has undoubtedly been spurred on by the success plaintiffs have had bringing cases under Illinois’ Biometric Information Privacy Act. Both lawsuits provide for huge statutory damages and fee-shifting for prevailing plaintiffs (and their counsel), making them very attractive for plaintiffs’ lawyers.

What is GIPA?

Passed in 1998, GIPA protects the genetic information and genetic testing results of individuals. It also prohibits discrimination by employers based on genetic information. Notably, genetic information is broadly defined as not only the results of genetic testing, but also the “manifestation or possible manifestation of a disease or disorder in a family member of an individual.” This broad definition sits at the cornerstone of these lawsuits being filed. The statute provides that companies may not share genetic information without the individual’s written consent, and companies cannot require genetic testing of applicants, or use genetic information to make personnel decisions.

Damages are $2,500 per violation, with the possibility of $15,000 for intentional or reckless violations.

Who is being sued?

Numerous industries are currently being targeted with GIPA claims under differing theories of liability. Particularly:

Insurance sector: Life insurance companies are being sued by policyholders (or potential policyholders), who allege the insurance company is improperly using genetic information in making determinations about eligibility and premiums.

Employers: Employers in all industries are facing GIPA claims alleging that they require applicants to provide genetic information as part of pre-employment health screenings and are using that information to make personnel decisions. Defendants include companies like United Airlines and AbbVie. It may be that this is the area of litigation that gets most traction, but time will tell.

Genetic Testing Companies: Companies that deal directly with the genetic information of individuals are being sued for misuse of individuals’ genetic information. For instance, a company called “Sequencing LLC” is facing a lawsuit in federal court that alleges it shared genetic information of its customers with third-parties without the requisite written consent. In August of last year, the court certified a class against Sequencing LLC. That case is still pending.

Companies that Have Suffered a Data Breach: Companies across all industries, who have fallen victim to a cyberattack by threat actors, may also store what a plaintiff claims is genetic information. So, with the data breach, there have been allegations of violation of GIPA. Healthcare companies, as well as companies that deal directly in genetic information, such as 23andMe, are victims of these cyberattacks, and these breaches are giving rise to GIPA claims.

What’s Next?

While these cases proceed, the courts will be confronted with significant issues of first impression about the scope of GIPA, whether it applies to certain industries (such as the life insurance industry), and the contours of what constitutes “genetic information.” 2024 may also see the first class action settlements, primarily involving GIPA claims, which will inform other litigants on how these claims are being valued.

In the meantime, companies operating in Illinois should consider the following:

• Do you collect any information from your employees, or applicants, that could be considered “genetic information?”
• Do you have written disclosures and consent procedures in place that deal with genetic information?
• How to do you handle and secure genetic information that is in your possession?
• Do you operate “employee wellness” programs, and if so, do you have policies in place concerning genetic information?

Given the recent increase in litigation, now is the time to assess these issues and review your company’s policies and disclosures to determine if you are following best practices.