Likely spurred by plaintiffs’ recent successes in cases under Illinois’s Biometric Information Privacy Act (“BIPA”), a new wave of class actions is emerging under Illinois’s Genetic Information Privacy Act (“GIPA”). While BIPA regulates the collection, use, and disclosure of biometric data, GIPA regulates that of genetic testing information. Each has a private right of action and provides for significant statutory damages, even potentially where plaintiffs allege a violation of the rule without actual damages.[1] From its 1998 enactment until last year, there were few GIPA cases, and they were largely focused on claims related to genetic testing companies.[2] More recently, plaintiffs have brought dozens of cases against employers alleging GIPA violations based on allegations of employers requesting family medical history through pre-employment physical exams. This article explores GIPA’s background, the current landscape and key issues, and considerations for employers.

Key GIPA Provisions

GIPA is intended to prevent employers and insurers from using genetic testing information as a means of discrimination for employment or underwriting purposes. See 410 ILCS 513/1, et seq.

Specifically as to employers, GIPA prohibits:

  • Soliciting, requesting, requiring, or purchasing a person or their family member’s genetic testing as a condition of employment.
  • Using such information for employment decisions.
  • Using genetic information for workplace wellness programs, unless the employee provides GIPA-compliant written authorization.

GIPA also prevents disclosure of the identity of a genetic testing subject or the results of genetic testing to third parties without the subject’s authorization. GIPA provides for the greater of actual damages or $2,500 for a negligent violation and $15,000 for a willful violation—steeper than BIPA’s $1,000 and $5,000 statutory damages, respectively.

Litigation Landscape

Given the dearth of GIPA caselaw, there is little precedent on the application and scope of its provisions. But in a new swath of cases, employees and job applicants assert that employers have requested family medical histories during pre-employment physicals in violation of GIPA.

In April, an Illinois state court dismissed one such case against a hospital, finding that the employee-plaintiff allegedly was asked about her own current medical status—and not her or her family’s genetic history—during a pre-employment physical that occurred after she had been offered a job and that she released the hospital from liability. Mendoza v. Advocate Health and Hosp. Corp., No. 23-CH-7844, (Ill. Cir. Ct. April 24, 2024).

Several other suits have dismissal motions ripe for ruling, so we are likely to see the caselaw develop in the near-term.

Scope of Genetic Information. How courts will interpret the scope of “genetic information” is currently unclear. GIPA adopts the Health Insurance Portability and Accountability Act’s definition of “genetic information,” which includes, among other things, “[t]he manifestation of a disease or disorder in family members of such individual.” 410 ILCS 513/10; 45 CFR § 160.103. Depending on the particular information an employer requests and an employee provides in a pre-employment physical or questionnaire, defendants may be able to argue that such medical histories do not constitute “genetic information.”

Potential Damages. Though GIPA provides for greater damages than does BIPA, which has resulted in significant liability in the tens and even hundreds of millions of dollars, GIPA’s scope is narrower than BIPA’s, and other practical factors may result in lesser overall exposure. The Illinois Supreme Court ruled last year that each repeat violation of BIPA—for example, each time an employer collects an employee’s fingerprint data for building or computer access, which could happen several times per day—can be an individual violation. Cothron v. White Castle Sys., Inc., 216 N.E.3d 918, 929, as modified on denial of reh’g (July 18, 2023). Even if courts determine that the same applies to GIPA, practically, given the limited number of times an employer may request genetic information, the number of violations for which a company may face liability could be significantly lower under GIPA. But the significant statutory damages could present sizeable exposure depending on the class size if a class is certified.

Additionally, given the similar wording of the two statutes’ damages provisions, courts may also determine GIPA damages, like BIPA damages, are discretionary. See id. This also could help cabin liability.

Considerations for Employers

In the meantime, Illinois employers should consider their hiring practices and whether pre-employment physicals are necessary, and if so, whether and how detailed family medical history questionnaires must be. Employers might also consider liability waivers for the collection of genetic information and reviewing their insurance policies for carveouts barring coverage for such litigation.


[1] At least one court has so held with respect to GIPA, relying on the Illinois Supreme Court’s holding relating to a similar provision of BIPA. See Bridges v. Blackstone Grp., Inc., 2022 WL 2643968, at *3 (S.D. Ill. July 8, 2022), aff’d, 66 F.4th 687 (7th Cir. 2023).

[2] See, e.g., Bridges, 2022 WL 2643968; Melvin v. Sequencing, LLC, 344 F.R.D. 231 (N.D. Ill. 2023); see also In re Ambry Genetics Data Breach Litig., 567 F. Supp. 3d 1130, 1150 (C.D. Cal. 2021).

Photo of Thea McCullough Thea McCullough

Thea McCullough counsels national and multinational companies across industries as a member of the Data Privacy and Cybersecurity, Litigation, and Public Policy practice groups.

Thea advises clients on a broad range of privacy issues, such as privacy policies and data practices, responses to…

Thea McCullough counsels national and multinational companies across industries as a member of the Data Privacy and Cybersecurity, Litigation, and Public Policy practice groups.

Thea advises clients on a broad range of privacy issues, such as privacy policies and data practices, responses to regulatory inquiries, and compliance obligations under federal and state privacy regulations, including biometric privacy laws. She also represents clients before the Federal Trade Commission in privacy enforcement actions and in consumer protection litigation.

Thea draws on her past experience across all branches of government to inform her practice and to advise clients on public policy matters. Most recently, Thea served as a clerk for the U.S. District Court for the Eastern District of Texas. Prior to beginning her legal career, Thea served as the communications director for the White House National Space Council, where she spearheaded messaging campaigns for Presidential Space Policy Directives and the administration’s civil, commercial, and defense space policy initiatives, and previously as the communications director for the U.S. House Committee on Science, Space, and Technology, where she managed the communications team and developed messaging strategies for policy and legislation covering several issue areas, including cybersecurity, advanced technologies, space, energy, environment, and oversight. She also served as a national spokesperson for President Trump’s 2020 campaign.

Thea is admitted to the DC Bar under DC App. R. 46-A (Emergency Examination Waiver); Practice Supervised by DC Bar members.

Photo of Kathryn Cahoy Kathryn Cahoy

Kate Cahoy uses her substantial class action experience to help clients develop strategic and innovative solutions to their most challenging litigation matters. She regularly defends clients in complex, high-stakes class action disputes involving privacy, antitrust, and consumer protection claims and has achieved significant victories…

Kate Cahoy uses her substantial class action experience to help clients develop strategic and innovative solutions to their most challenging litigation matters. She regularly defends clients in complex, high-stakes class action disputes involving privacy, antitrust, and consumer protection claims and has achieved significant victories for clients in the technology, entertainment, consumer product, and financial services industries. In addition, Kate has substantial experience litigating cases brought under California’s Section 17200 and other consumer protection, competition, and privacy laws, including the Sherman Act, California Consumer Privacy Act (CCPA), California Invasion of Privacy Act (CIPA), Wiretap Act, Stored Communications Act, Children’s Online Privacy Protection Act (COPPA), Video Privacy Protection Act (VPPA), and common law and constitutional rights of privacy, among others.