Is Genetic Information the Next Privacy Battleground?

The Legal Intelligencer

Though it has been on the books for over two decades, the Illinois Genetic Information Privacy Act (GIPA) has recently gathered steam; over 40 class actions were filed in 2023 alone.

At its core, GIPA regulates the collection and use of genetic information by employers, employment agencies, labor organizations, licensing agencies, and other entities. According to recent GIPA class-action suits, the mandating of pre-employment physicals or health interviews required potential employees to improperly disclose their family medical history as a condition of employment. GIPA litigation remains in its early stages, but the possibility of exorbitant statutory damages—$2,500 per negligent violation, up to $15,000 per intentional or reckless violation—could make GIPA the next major trend in privacy class action litigation.

GIPA Background

The Illinois legislature first enacted GIPA in 1998. The act was then amended in 2008, in part, in response to the enactment of its federal counterpart—the Federal Genetic Information Nondiscrimination Act of 2008 (GINA). The 2008 GIPA amendment adopted GINA’s definition of “genetic information,” which includes: an individual’s genetic tests; genetic tests of family members of an individual; the manifestation of a disease or disorder in family members of such individual; or the request or receipt of genetic services or participation in the clinical research which includes genetic services, by an individual or their family member. Excluded from the definition is information about the sex or age of the individual. Notably, the inclusion of the “manifestation of disease or disorder in family members” as an individual’s “genetic information” broadens the reach of the statute; it thus extends far beyond a medical or health care setting.

Targeted Industries

GIPA broadly regulates the disclosure and use of genetic information—including in the law enforcement, insurance, employment, and healthcare context. The employment sector has been the main target of the recent wave of GIPA claims, however.

Employers are generally prohibited from doing any of the following under the act: solicit, request, require or purchase genetic testing or genetic information of a person or a family member of the person, or administer a genetic test to a person or a family member of the person as a condition of employment, preemployment application, labor organization membership, or licensure; affect the terms, conditions, or privileges of employment, preemployment application, labor organization membership, or licensure, or terminate any person because of genetic testing or genetic information with respect to the employee or family member; limit, segregate, or classify employees in any way that would deprive or tend to deprive any employee of employment opportunities or otherwise adversely affect the status of the employee because of genetic testing or genetic information with respect to the employee or a family member; and retaliate through discharge or in any other manner against any person alleging a violation of the act or participating in any manner in a proceeding under the act. Though broad, employers are typically targeted in the employee application process. This means alleging the employer requested information about a prospective employee’s family medical history—specifically, the “manifestation of disease or disorder,” claimed to be “genetic information.” Beyond the application process, pre-employment medical exams are also common target for GIPA claims.

While employers have borne the brunt of GIPA litigation thus far, its reach extends much further. For example, Section 20(a) prevents an insurance company from using information derived from genetic testing in a policy of accident or health insurance. Section 20(b) prohibits insurers from disclosing certain genetic information for underwriting purposes. Accordingly, life insurance companies have been named in GIPA class actions for questions regarding family medical history in the insurance application process.

Beyond the employment and insurance industries, GIPA also regulates the disclosure of genetic testing information without consent. Section 30 prevents disclosing the identity of “any person upon whom a genetic test is performed or the results of a genetic test in a manner that permits identification of the subject.” Not only do these limitations apply to healthcare industries performing genetic tests, but also to companies providing commercial genetic testing services. In at least one such case, a court granted class certification over claims alleging a commercial DNA sequencing company improperly disclosed genetic testing information of over 1,500 Illinois consumers.

Key Issues and Defenses

GIPA litigation has been fueled by its broad private right of action and enormous statutory damages. GIPA extends a private right of action for any person “aggrieved” by a violation. In 2022, an Illinois appellate court interpreted the term “aggrieved” as not requiring actual injury. Tellingly, this is the same interpretation reached under the Illinois Biometric Information Privacy Act—which has become a darling of the plaintiff’s bar.

To add fuel to the fire, not only are actual damages not required (at least according to one appellate court), but the statutory damages are extraordinary. Statutory damages of $2,500 (or actual damages, if greater) is authorized for negligent violations. Intentional violations are seven times that amount—i.e., $15,000 per violation. Courts may grant other relief as well, including an injunction. Attorney’s fees and costs are also recoverable.

Although the statutory damages are daunting, GIPA defendants are not without defenses. For example, in the employment context, simply inquiring into a prospective employee’s genetic information, standing alone, is likely insufficient to assert a GIPA claim. Plaintiffs must allege (and ultimately establish) the genetic information was misused, or employment was adversely impacted. Plaintiffs unable to raise such specific facts may be subject to an early dismissal.

A similar defense may involve a challenge to the scope of “genetic information”—merely asking for information about family medical history, as employment questionnaires often do, may not amount to the “manifestation of disease” to fit within GIPA. Moreover, Section 25(g) includes an exception in the employment context, stating “inadvertently requesting family medical history by an employer, employment agency, labor organization, and licensing agency does not violate this act.” Of course, what constitutes “inadvertence” is unclear and will be the subject of contested motion practice in the coming months.

Other industries have likewise raised defenses to the statute’s facial applicability. For example, life insurance companies have contended GIPA’s regulations concerning their conduct does not apply. GIPA makes clear its obligations imposed on insurers extend to “a policy of accident or health insurance.” In other contexts, particularly in the disclosure context, defendants have had success arguing a Section 30 claim involving “compelling the disclosure of genetic information” requires more than just “receipt or obtainment.” The Southern District Court of Illinois reached that result, holding the acquisition of the company Ancestry, and its corresponding receipt of consumer’s genetic information, could not itself support a GIPA violation.

Compliance Measures

GIPA litigation is in its early stages. But the stakes are already high. Compliance measures can put a company ahead of the game and possibly avoid costly class action litigation.

Employers should evaluate whether information collected from employees (and potential employees) can arguably considered “genetic information” under GIPA, and whether such collection is necessary. Companies should also take additional steps to confirm whether its vendors are engaging in conduct that may be considered the collection of “genetic information.” Insurance companies seeking such information from potential insured should likewise take precautions, as should any entity who may “disclose genetic information.” Rather than wait to be hit with a class action litigation under GIPA, companies would be well served to take precautionary action now.

“Is Genetic Information the Next Privacy Battleground?” by Jeffrey N. Rosenthal and Amanda M. Noonan was published in The Legal Intelligencer on April 2, 2024. 

Reprinted with permission from the April 2, 2024, edition of The Legal Intelligencer © 2024 ALM Properties, Inc. All rights reserved. Further duplication without permission is prohibited.