GIPA Claims Against Employers On The Rise Following Amendments To BIPA

Most companies are now aware of Illinois's Biometric Information Privacy Act ("BIPA"), a privacy law that regulates the use of biometric data, including fingerprints, eye scans, voiceprints, and facial geometry scans. Despite some extraterritorial limitations, BIPA applies to many companies whose operations and headquarters are located primarily outside Illinois. BIPA's private right of action and hefty statutory damages have led to widespread class action litigation and mass arbitration, and eye-popping settlements.¹ In the heyday of BIPA litigation, exposure was exacerbated by several Illinois Supreme Court cases holding that: (1) an individual is an "aggrieved" person within the meaning of the statute and may assert a cause of action for statutory damages in Illinois state court even without alleging an injury (Rosenbach v. Six Flags),² (2) each time a biometric identifier is collected or disseminated, even if it is the same identifier from the same person, that action constitutes a separate violation (Cothron v. White Castle Systems),³ and (3) claims under the act are subject to a 5-year statute of limitations (Tims v. Black Horse Carriers).⁴

BIPA filings jumped 65% in the two months following the Cothron ruling.⁵This caught the attention of the Illinois legislature. In 2024, heeding the Cothron court's call to address policy concerns about the potential for "excessive damage[s]" under BIPA,⁶ Illinois lawmakers abrogated Cothron and clarified that a private entity that collects or discloses "the same biometric identifier or biometric information from the same person using the same method of collection" only commits a single violation of the act for which the aggrieved person is entitled to, at most, a single damage recovery.⁷ Following this amendment to the act, BIPA filings have dropped from roughly 150 federal cases per year between 2019 and 2024,⁸ to roughly 30 federal cases per year between September 2024 and early October 2025.⁹Nor have BIPA cases recently resulted in nine-figure settlements of the sort seen in 2022 and 2023.

While companies have breathed a sigh of relief at the Illinois's legislature's reigning in of BIPA, many companies have overlooked the "[l]ess known and litigated" Illinois Genetic Information Privacy Act ("GIPA"), 410 Ill. Comp. Stat. 513/1 et seq., which originally went into effect in 1998, ten years before BIPA.¹⁰ GIPA regulates the use of genetic information in most commercial settings, with narrow exceptions, and many companies—especially those whose operations and headquarters are located primarily outside of Illinois—may not be aware that it applies to them.¹¹

Relevant to employers with "employees within" Illinois,¹² Section 25(c)(1) of the act provides that an employer "shall not directly or indirectly...solicit, request, [or] require...genetic information of a person or a family member of the person...as a condition of employment [or] preemployment application."¹³ The statute is therefore broad on its face. Additionally, "the terms, conditions, or privileges of employment [or] preemployment application," including "termin[ation]," cannot be "affect[ed]" "because of...genetic information," and employers cannot "limit, segregate, or classify employees in any way that would deprive or tend to deprive any employee of employment opportunities or otherwise adversely affect the status of the employee as an employee because of...genetic information," or "retaliate...in any other manner" against a person alleging a GIPA violation. Id. at (c)(2)–(4).

GIPA defines "genetic information" broadly by reference to the definition in the Health Insurance Portability and Accountability Act ("HIPAA"), which covers more than one might colloquially think of as "genetic information." 410 Ill. Comp. Stat. 513/10. Such information includes:

• The individual's genetic tests;
• The genetic tests of family members of the individual;
• The manifestation of a disease or disorder in family members of such individual; or
• Any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by the individual or any family member of the individual.

45 C.F.R. § 160.103 (2024).

Of late, plaintiffs have focused on the "disease or disorder" category of genetic information, as employers may ask prospective or current employees about their family medical histories without realizing this conduct may be affected by the act. Caselaw is still scant, and courts have construed the "disease or disorder" definition differently. The recent case of Foster v. Service Sanitation, Inc., No. 25 C 2101, 2025 WL 2347857, at *2 (N.D. Ill. Aug. 14, 2025), for example, collects three examples of cases more narrowly construing the definition to mean "family members' diseases or disorders that suggest another family member's genetic predisposition to the condition," and three examples of cases more broadly construing the definition to mean "[a]ny request for family medical history[.]" (quotation marks and citation omitted) (emphasis added). Merely "requesting such information" potentially subjects the employer to liability. Id. at *3 (citing 410 Ill. Comp. Stat. 513/25(c)(1)) (emphasis added). As with BIPA, many employers may be unaware that they are requesting information that could implicate the act, and additional adverse judicial decisions could incentivize plaintiffs' attorneys to spend more resources investigating potential violations.

Like BIPA, GIPA provides a private right of action to "[a]ny person aggrieved by a violation of this Act." 410 Ill. Comp. Stat. 513/40(a). Guided by the Illinois Supreme Court's Six Flags decision granting broad standing rights to BIPA plaintiffs in Illinois state court, courts have held that the mere allegation that an employer "requested or solicited" genetic information is sufficient to state a claim. Taylor v. Union Pac. R.R. Co., 2024 WL 3425751, at *3 (N.D. Ill. July 16, 2024). As in the BIPA context in Black Horse Carriers, courts have also held that GIPA claims are subject to a 5-year statute of limitations. Taylor, 2024 WL 3425751, at *8.

Statutory damages are even higher for GIPA than for BIPA, ranging from $2,500 to $15,000. 410 Ill. Comp. Stat. 513/40(a)(1)–(2). As with BIPA, GIPA damages can quickly multiply, especially in the class action or mass arbitration context for major employers.

In light of the plaintiff-friendly GIPA caselaw, the relatively defendant-friendly recent BIPA amendment, and companies' greater awareness of BIPA, GIPA litigation is on the rise. Few GIPA cases were filed in the first 25 years of the act's existence. But that is quickly changing. More than 100 GIPA class actions were filed just between 2023 and March 2025,¹⁴ even while BIPA filings have fallen.

Companies should not become lax about BIPA compliance. Exposure is still high, and violations can easily result in millions of dollars in damages. But employers should not neglect GIPA, either. To protect themselves from GIPA liability, employers should:

• Review under what conditions, and for what reasons, prospective or current employees may be being asked about their or their family's medical histories or conditions. Many employers may be unaware that they still have legacy procedures in place that call for questioning prospective or current employees about this information.
• Exercise extreme caution in asking prospective or current employees about such information. Caselaw is still developing, and prudence dictates that a company should assume a court could construe GIPA's definition of "genetic information" broadly to encompass any questions about family health history.
• Do not count on "outsourcing" these questions, as that may be insufficient to defeat GIPA liability. See Collins v. NTN Bearing Corp. of Am., No. 1:24-CV-6726, 2025 WL 552465, at *2 (N.D. Ill. Feb. 19, 2025). Companies should also ensure their third-party contractors and vendors are aware of, and take steps to comply with, GIPA.
• Consult with an attorney before implementing any program in which employee familial medical history is addressed.

Footnotes

1. See, e.g., In re Facebook Biometric Info. Priv. Litig., 326 F.R.D. 535 (N.D. Cal. 2018) ), aff'd sub nom. Patel v. Facebook, Inc., 932 F.3d 1264 (9th Cir. 2019) (~$650 million class settlement); Rogers v. BNSF Ry. Co., 680 F. Supp. 3d 1027 (N.D. Ill. 2023) ($228 million dollar judgment, later vacated and settled for $75 million).

2. Rosenbach v. Six Flags Ent. Corp., 129 N.E.3d 1197, 1205–06 (Ill. 2019).

3. Cothron v. White Castle Sys., Inc., 216 N.E.3d 918, 924 (Ill. 2023).

4. Tims v. Black Horse Carriers, Inc., 216 N.E.3d 845, 847 (Ill. 2023).

5. Stephen Joyce, Skye Witley, Illinois Biometric Privacy Cases Jump 65% After Seminal Ruling, Bloomberg Law (May 2, 2023 4:15 AM CDT), https://news.bloomberglaw.com/privacy-and-data-security/illinois-biometric-privacy-cases-jump-65-after-seminal-ruling.

6. Cothron, 216 N.E.3d at 929.

7. 740 Ill. Comp. Stat. 14/20(b) (eff. Aug. 2, 2024).

8. Blake Fensom, et al., The Who, Why, and Where of Biometric Privacy Litigation: An Empirical Analysis of BIPA Cases 2015-2024, The Antitrust Source (2025), at 3 fig. 1, https://www.americanbar.org/content/dam/aba/publications/antitrust/source/2025/june/biometric-privacy-litigation.pdf.

9. According to search for "BIPA" or "Biometric Information Privacy Act" of Westlaw Federal Dockets for cases filed from September 1, 2024 through October 3, 2025.

10. Bridges v. Blackstone, Inc., 66 F.4th 687, 688 (7th Cir. 2023).

11. This article focuses on GIPA compliance and litigation issues faced by employers in connection with employment decisions and does not address non-employment related GIPA compliance issues that may arise in the medical, insurance, or other spaces.

12. 410 Ill. Comp. Stat. 513/10.

13. 410 Ill. Comp. Stat. 513/25(c)(1).

14. Paul Yovanic, et al., Illinois Privacy Trends and Developments for 2025, Chambers & Partners (March 11, 2025), https://practiceguides.chambers.com/practice-guides/data-protection-privacy-2025/usa-illinois/trends-and-developments#:~:text=The%20Illinois%20Genetic%20Information%20Privacy%20Act%20(GIPA)%2C%20enacted%20a,have%20been%20filed%20under%20GIPA.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.