Illinois employers could potentially face millions, if not billions, of dollars in damages under mass class actions if a statute meant to protect individuals’ genetic information follows the same direction that the Illinois Biometric Information Privacy Act has taken in courts.
BIPA is a 2008 statute that in recent years has seen employers, tech companies and other businesses operating in Illinois pay billions in settlements over their alleged mishandling of employees’ biometric identifying data, such as scans of fingerprints, retinas or faces.
Now, courts are starting to see a new wave of class actions rise under a different, even older law. Known as the Illinois Genetic Information Privacy Act, the law was enacted in 1998, and requires businesses to safeguard employees’ genetic information, including family medical histories.
John Ochoa
| Amundsen Davis
“I think BIPA caught a lot of business off guard,” said John Ochoa, an attorney in the cybersecurity and class action practice at the Chicago law firm of Amundsen Davis.
“It (BIPA) was passed over a decade ago, and it sat dormant for a while, so no one really knew about it. Then, suddenly, technologies changed, companies started using new tech, and no one was paying attention except for plaintiffs’ attorneys who realized this provision allows for massive damages to be recovered. That’s what caused it to explode.
“GIPA is in a similar position right now in that it’s an old statute that hasn’t been used,” he added. “I don’t think a lot of companies are aware of it.”
But plaintiffs' lawyers certainly appear to be. And that knowledge appears to be spreading quickly, said Nick Kahlon, attorney with the firm of Riley Safer Holmes & Cancila, in Chicago, whose practice addresses so-called complex litigation and class actions.
"There are now around 25 class action lawsuits that have been filed under GIPA in the last two months, all in Cook County, by the same law firms: Wallace Miller (of Chicago) and Siri and Glimstad LLP (of New York)," said Nick Kahlon, partner at Riley Safer Holmes & Cancila LLP. "The floodgates have now officially opened."
'Potentially ruinous liability' at stake
At their core, BIPA and GIPA were created to provide protection to employees. An anti-discrimination portion of GIPA, for example, is meant to protect people from having their own personal information used against them.
“If you do come into genetic information about employees, you can’t use that information to affect the conditions of the employees adversely or limit their chances at advancement, the same way you can’t use someone’s race against them as an employer,” Ochoa said.
On their face, the statutes may appear to have good intentions, Ochoa said.
“I think what the Illinois legislature was thinking is, biometric or genetic information has enough inherent value to someone that it shouldn’t be disclosed or used by anyone without your permission, so it puts requirements on companies … and wants companies to be incentivized to do that,” Ochoa said. “That’s the incentive for putting large penalties on these statutes.”
But several major decisions affecting BIPA lawsuits have encouraged plaintiffs’ lawyers to file endless class actions resulting in massive payouts – and it may be the reason a flood of GIPA lawsuits could soon follow.
In the landmark 2019 case, Rosenbach v. Six Flags Entertainment Corp., the Illinois Supreme Court ruled a plaintiff did not need to show they had actually been harmed in any way by a scan of their fingerprints or facial geometry to file a potentially massive class action under the BIPA law. They simply need to accuse a company of violating any provison of the BIPA law.
The next year, BIPA class actions made headlines around the country, when Facebook agreed to pay $650 million in damages to settle a BIPA lawsuit accusing the social media giant of improperly scanning the faces of Illinois residents whose images were included in photos uploaded to the platform.
Google followed with a $100 million deal to settle similar BIPA claims against them.
In February 2023, the state high court again altered the landscape, ruling BIPA should have a 5-year statute of limitations.
And just weeks later, the state Supreme Court ruled in Cothron v. White Castle System, Inc., that BIPA calls for damages for every violation of the statute, which can range between $1,000 and $5,000, depending if the violation is intentional or negligent.
In Cothron, that meant multiplying those individual damages across roughly 9,500 employees who allegedly had their fingerprints scanned without consent multiple times per day – a total White Castle estimated could reach $17 billion, instead of the $9.5 million the fast-food chain would have been liable for if the Court had limited the class action to one injury claim per worker.
White Castle has estimated such a judgment could put them out of business.
Faced with such potentially ruinous damages - totals that dissenting justices on the Illinois Supreme Court called "absurd" - all but one BIPA defendant has opted to settle rather than face trial. In the lone trial, freight railroad operator BNSF faced a $228 million jury verdict. Ultimately, a federal judge overturned the verdict, and declared the need for a new trial to recalculate the damages. BNSF, however, appears to have reached a settlement. Terms of that settlement have not yet been publicly disclosed.
Ochoa said businesses could face similar threat of potentially catastrophic damages under class actions brought under the GIPA law.
“The Illinois Supreme Court said that statute provides for per-violation damages, so every time someone clocks in or out with their fingerprint, it could yield up to $1,000 to $5,000 per scan,” Ochoa said. “These cases don’t go to trial often – businesses are settling – so we haven’t seen those astronomical damages assessed. And a jury might have discretion to lower the amount of damages. We’ve yet to see a case where a jury makes that decision … but GIPA could go the same way.”
In 2021, Ancestry.com was backhandedly involved in a GIPA lawsuit, when the asset management company Blackrock was sued for allegedly compelling the disclosure of genetic identities when it purchased Ancestry.com in 2020. The case was dismissed in appellate court earlier this year.
However, Bridges v. Blackrock Group, Inc., put GIPA on almost equal footing as BIPA regarding its interpretation of statutory violation.
“The Court concluded that the aggrieved person language in the statute was identical to the words used in BIPA, and therefore the construction of GIPA should follow what the Illinois Supreme Court concluded in Rosenbach with respect of what you need to show for statutory violation,” said Kahn. “Now, you have a federal court deciding that, just like with BIPA, in order to allege a violation under GIPA, all you have to do is show a statutory violation.”
Damages under GIPA could be even higher than those under BIPA, with each violation costing employers $2,500 to $15,000, depending on intent/negligence.
“That right there is enough for plaintiffs’ attorneys to test the outer limits of it,” Ochoa said.
“We have not seen a GIPA settlement in the millions of dollars yet – so far the cases that have been filed are still pending,” Ochoa said. “But maybe in the next couple of years, we might start seeing some and see what the mark is being set at. A multimillion-dollar settlement under GIPA will get everyone’s attention and you’re going to see more of these.”
In July, Reuters reported that nearly 2,000 BIPA lawsuits had come through the system since 2017, and after the White Castle ruling, 122 new BIPA suits were filed in just two months.
“When class actions are brought under BIPA, it is very difficult for a defendant to litigate that kind of case all the way to conclusion because of the potentially ruinous liability,” said Kahlon. “So, I think what will happen under GIPA, as has already happened under BIPA, as class actions are filed, clients will be facing really significant financial settlement demands that will be quite expensive. And if GIPA follows the BIPA path and there are a series of class actions as there have been under BIPA, businesses will face fixed monetary demands … that will be very significant.
"It’s not a good landscape right now.”
Employers the top targets
It might seem logical that the businesses most likely to be affected by GIPA class actions would be genealogy and DNA testing companies like Ancestry.com, 23andMe and others.
But in April, when Kahlon first alerted his peers and clients about the small influx of GIPA lawsuits that were being filed under a nearly 25-year stagnant statute, he noted that’s not always the case.
“If you look at the companies that have been sued to date, Ford and Amazon are not in the genetic information business,” he said. “And yet, they already have been sued under GIPA.”
The new lawsuits appear to seek to expand the scope of who could be liable under the GIPA law, and how to define the "genetic information" at the heart of the law.
The GIPA law, for instance was amended in 2008 to better align with the Federal Genetic Information Nondiscrimination Act of 2008. The adoption of the federal definition of “genetic information” would now include “the manifestation of a disease or disorder in family members of such individual.”
A host of plaintiffs have asserted in their new lawsuits that this definition would also include individual and family medical histories.
“Genetic information is defined very broadly [to include not only the] results of genetic tests, but also [the collection of information regarding] diseases or disorders that not only you have, but any of your family members have, also,” Ochoa said. “That could potentially reach a lot of information about a person or their relatives, and that’s where I think plaintiffs are starting to see [the value in] this statute. Part of an application process might get a company in trouble under the statute.”
The cases against Ford and Amazon alleged exactly that: the companies unlawfully requested and obtained family medical histories during the job application process. Those lawsuits against Ford and Amazon have been followed with lawsuits against a host of other employers, including other large companies like Caterpillar and FedEx, as well as hospitals, financial services firms and building contractors, among others.
All are accused of violating GIPA by asking job applicants to divulge information about their families' medical histories.
“That is the concern: You’re seeing, already, class action litigation brought against businesses that aren’t even operating in the genetic information space based on seemingly ordinary business [hiring] practices,” Kahlon said. “That is the alarm that is starting to ring for businesses.”
In fact, there are four main industries that could largely be affected by GIPA: the logistics, warehouse, manufacturing and healthcare/hospital industries, said John Ruskusky, an attorney at Nixon Peabody, who also co-leads the firm's Biometric Information Privacy Act team.
The sheer volume of new hires in those industries – many of which request physicals or health care information for the protection of the potential employee, Ruskusky noted – is enough to make these target industries for GIPA lawsuits.
“We are recommending – and it’s not a secret – that policies and practices be reviewed to consider what is genetic testing and genetic information under GIPA, and [that] companies make directions on what questions they’re asking and how they’re asking them, and [look into] what sort of consensus and authorization should be considered,” said April Schweitzer, an attorney at Nixon Peabody. “Those are all good [ideas] that we think is good practice.”
For its part, trade group Illinois Manufacturers’ Association, which represents the interests of thousands of Illinois employers, “is monitoring cases and making sure employers are aware of the law,” said Mark Denzler, president and CEO of the IMA.
Denzler also noted the IMA recognizes that the small number of class action lawsuits that have been filed are primarily in Cook County, and that they are similar in nature to BIPA.
Still, Ochoa hasn’t seen word spread very quickly.
“I did a talk on this the other week, and I asked everyone, ‘Who has heard of BIPA?’ most hands went up,” he said. “When I asked about GIPA, no one put their hand up.”
“No one knows about the statute right now, but it is something they should be paying attention to, especially with Covid and the way companies have health and wellness programs, and the way companies screen their employees for illnesses,” Ochoa said. “They need to know what they can and can’t do with that information and have the appropriate disclosures in place if they do collect it. You wouldn’t think whether my grandmother has diabetes [is] genetic information, but it very well could be under this statute.
"Right now, the law is being tested in the courts. There aren’t a ton of cases, maybe a dozen opinions written since 2020, but if these cases gain some success, I can see plaintiffs testing the outer limits of this law.”
“I think the first step is to be aware of the statute and to know what it requires, which I don’t think a lot of companies in Illinois have taken yet,” Ochoa said. “I think collecting written consent and waivers to receive this type of information and perhaps share it with third parties would be a good idea, because getting those written disclosures provides some protection from parts of the statute.”
Illinois stands alone
BIPA and GIPA are the only two statutes in the country that allow potential monetary damages purely for statutory violations without any show of injury or any way to cure, Kahlon said.
California has a similar statute – the California Privacy Act of 2018, which was amended in 2022 – but there’s a distinct difference: the California statute allows defendants to cure, he said.
“Lawyers in other parts of the country, clients in other parts of the country, are troubled by BIPA,” Kahlon said. “BIPA, and by extension GIPA, presents one issue that has never been fully litigated by any court, which is the issue of due process.”
Both acts allow class actions for statutory violations without any allegation of actual harm to a person, monetarily or otherwise, he said.
“And yet you’re imposing financial ruin on businesses for that,” he said. “I think there are some significant due process [questions] there that have been raised in some cases, but never litigated. That may be the ultimate question that needs to be resolved in regard to both statutes.”
While there have been calls for change in BIPA legislation, nothing has been enacted thus far, Kahlon said.
“There have been efforts over the years to amend BIPA in the wake of all of this litigation, but unfortunately, so far, there hasn’t seemed to be much appetite at the state legislative level to amend BIPA,” he said. “As a lawyer representing businesses, you then have to navigate a difficult statute the best you can.”