|

A clinic across town conducts pre-employment physicals for your company. The clinic’s intake form asks routine medical questions, including a section on family medical history. Two years later a class action arrives, naming your company under a statute most Illinois employers had not heard of three years ago. The complaint says you required disclosure of genetic information by asking, through the clinic, about heart disease, diabetes, and cancer in the applicant’s parents and siblings. The demand letter multiplies $15,000 per intentional violation by the number of applicants over the last several years and arrives at a number that looks like the cost of the lawsuit settling itself.

The statute is the Illinois Genetic Information Privacy Act, 410 ILCS 513, and the wave of cases under it is real. By industry counts, more than fifty putative class actions were filed in 2023 alone, and the filings have continued. The plaintiffs’ bar is treating GIPA as the new BIPA, with one important difference. The damages are higher. GIPA’s private right of action lets a court award $2,500 per negligent violation and $15,000 per intentional or reckless violation, plus attorney fees and costs, two and a half to three times BIPA’s $1,000 and $5,000 amounts. For an employer that screens dozens or hundreds of applicants each year, the math is exactly as alarming as it sounds.

It is also not the math the law has settled on. GIPA litigation is several years younger than BIPA litigation, and the doctrinal walls are still being built. But early defense decisions, statutory text the plaintiffs’ bar tends to underplay, and standard federal-court tools already give Illinois employers more leverage than the demand letter suggests.

Start with what GIPA actually prohibits. Section 25, 410 ILCS 513/25, bars an employer from directly or indirectly soliciting, requesting, requiring, purchasing, or otherwise obtaining genetic information of an individual or a family member as a condition of employment or for use in employment decisions. Section 10 defines genetic information, in language borrowed from federal law, to include the manifestation of a disease or disorder in family members of the individual, which is the legal phrase for family medical history. Section 30 restricts disclosure of genetic testing and information. Section 40 supplies the right of action and the liquidated damages.

The first defense is the one most employers miss. GIPA does not prohibit collection of the applicant’s own personal medical history. It prohibits collection of genetic information, which as a matter of statutory definition is information about the applicant’s genetic tests, the genetic tests of family members, or family medical history, the disease history of family members. An intake form that asks an applicant whether the applicant has had hypertension, diabetes, or back surgery is asking about the applicant. It is not asking about family. The same form that asks whether the applicant’s parents, siblings, or grandparents have had heart disease or cancer is asking about family medical history and is in GIPA’s territory. The distinction is not cosmetic. It can be the difference between liability and a routine occupational-health question.

The second defense comes from the leading appellate decision interpreting GIPA’s reach. In Bridges v. Blackstone, Inc., the Seventh Circuit affirmed the dismissal of a putative class action arising from Blackstone’s all-stock acquisition of the genealogy company Ancestry. The plaintiffs alleged that the acquisition itself was a disclosure of their genetic information in violation of Section 30. The Seventh Circuit disagreed, holding that a run-of-the-mill corporate acquisition, without more, does not result in a compulsory disclosure of genetic information under the statute. Bridges is the first appellate decision to push back on an aggressive reading of GIPA, and its reasoning is portable. It tells defense counsel that the statute’s words mean what they say, that the conduct the plaintiff is challenging must actually fit the statutory verb being invoked, and that the courts will not stretch GIPA into every transaction or every form that touches medical information in a tangential way. Continue reading ›

|

The complaint reads like an indictment of your marketing department. A national class. Allegations that a label, a website disclosure, or a price representation deceived consumers. A nationwide class period stretching back five years. A demand for restitution, actual damages, punitive damages, and a permanent injunction against your business practices. The Illinois Consumer Fraud and Deceptive Business Practices Act, 815 ILCS 505, is one of the broadest consumer-protection statutes in the country, and the plaintiffs’ bar treats it that way. The complaint is written to make a settlement feel inevitable long before discovery starts.

The complaint is doing what it is supposed to do. The Illinois Supreme Court and the Seventh Circuit have built five distinct doctrinal walls that most ICFA class actions never finish climbing. An Illinois defendant who learns those walls early often resolves the case at the pleading stage or wins at class certification, not after eighteen months of merits discovery. The settlement number a plaintiff demands on day one is usually the number that fits the case the plaintiff hopes to have. It is not the case Illinois law gives them.

The first wall is the extraterritorial limit, set by the Illinois Supreme Court in Avery v. State Farm Mutual Automobile Insurance Co. The Act does not reach a transaction that occurred outside Illinois. The Court held that there is no bright-line formula, but the inquiry asks whether the circumstances relating to the disputed transaction occurred primarily and substantially within Illinois. In Avery itself, a Louisiana plaintiff whose accident, repair, estimate, and dealings with the insurer all happened in Louisiana had no cause of action under the Illinois statute. The implication for class actions is enormous. A putative nationwide class that includes residents of forty-nine other states, whose purchases occurred everywhere except Illinois, runs straight into Avery. Many of these claims should not survive a motion to dismiss as to the out-of-state plaintiffs, and they almost never survive a contested class certification.

The second wall is choice of law in nationwide classes, illustrated by the Seventh Circuit’s decision in In re Bridgestone/Firestone, Inc. Tires Products Liability Litigation. Judge Easterbrook, writing for the panel, reversed certification of two nationwide classes because the claims would have to be adjudicated under the law of so many different jurisdictions that a single nationwide class was not manageable. The Seventh Circuit explained that the choice-of-law rules of the forum state ordinarily point to the consumer-protection law of each plaintiff’s home jurisdiction, not to a single state’s statute applied across the country. The implication for an Illinois ICFA class action that tries to reach beyond Illinois purchasers is direct. Where the trial court would have to apply Illinois law to some plaintiffs, California law to others, New York law to others, and so on, the predominance and manageability findings that Rule 23 demands collapse. Bridgestone is the case that prevents a single Illinois plaintiff from acting as a national consumer-protection regulator through one complaint. Continue reading ›

|

The complaint usually starts with a text message that looked perfectly ordinary on the way out the door. Your marketing team uploaded a customer list, the platform sent the campaign, and the response rates were strong. Months later a class action lands in the Northern District of Illinois on behalf of every recipient. The demand letter multiplies the number of texts by $500 per call under the Telephone Consumer Protection Act, then helpfully reminds you that the number can become $1,500 each if the conduct was willful, and the total has a comma in places you did not expect.

That math, like the math in most class action demands, is built to look fixed. It is not. In the last five years three different decisions, two of them issued in 2025, have moved the law harder in the defense’s direction than at any point since Congress passed the TCPA in 1991. An Illinois business defending a TCPA case today is operating in a very different statute than the one its adversaries are still describing.

Start with the statute itself. The TCPA, 47 U.S.C. 227, restricts calls and texts made using an automatic telephone dialing system, an artificial or prerecorded voice, and certain marketing to numbers on the federal do-not-call registry. Section 227(b)(3) lets a private plaintiff recover actual damages or $500 per violation, whichever is greater, with treble damages of $1,500 per call available where a court finds a willful or knowing violation. Multiplied across a putative class, the exposure is the entire point of the statute and the entire point of the demand letter.

The first decision that reshaped this landscape is Facebook, Inc. v. Duguid, decided by the United States Supreme Court in April 2021. The Court read the TCPA’s definition of an automatic telephone dialing system, often called an ATDS, in its plain terms. To qualify, a system must use a random or sequential number generator to store or produce the numbers it dials. Equipment that simply dials from a stored list of customer numbers, the workhorse of modern marketing platforms, does not qualify. The Seventh Circuit had already reached the same result a year earlier in Gadelhak v. AT&T Services, Inc., an opinion authored by then-Judge Amy Coney Barrett that the Supreme Court effectively ratified. The practical consequence in Illinois federal court is significant. A great many of the text and call campaigns that anchored the explosion of TCPA class actions a decade ago no longer involve an ATDS at all. The complaint may still allege one. The technology often does not support the allegation. That mismatch is a defense from the pleading stage forward. Continue reading ›

|

The resignation lands on a Friday and feels routine until Monday. Your top salesperson is gone, and so, it turns out, is the customer list, the pricing model, and the quarterly pipeline she pulled the week before she left. By the following week your best accounts are getting calls from her new employer, the one across town that competes with you for the same business, and the quotes coming back are suspiciously well aimed. You signed her to an agreement years ago, but you are not sure it still holds, and you do not know whether what she took counts as a trade secret or just as the ordinary knowledge an employee carries out the door. You need answers that are fast and correct, and you need them before the damage hardens.

Illinois gives employers real tools in this situation. It also sets traps for the employer who moves on instinct instead of analysis. The rules changed in 2022, the enforceability of restrictive covenants turns on facts most owners overlook, and a clumsy lawsuit can convert a strong case into a fee-shifting loss. The difference between recovering your business and paying the other side’s legal bills usually comes down to choosing the right theory before you fire off a cease and desist letter.

Begin with trade secrets, because they protect you whether or not the employee ever signed anything. The Illinois Trade Secrets Act, 765 ILCS 1065/1 and following, protects information, including customer lists, pricing data, formulas, and business methods, that is sufficiently secret to give it economic value and that the owner has taken reasonable steps to keep secret. Those last two requirements do the work. Information you guarded with passwords, access limits, and confidentiality agreements looks like a trade secret. Information you let every employee see, email home, and discuss freely does not. The Act gives a wronged employer an injunction to stop the misappropriation, damages measured by actual loss plus the wrongdoer’s unjust enrichment or, where those are hard to prove, a reasonable royalty, exemplary damages of up to twice the award when the misappropriation was willful and malicious, and attorney fees in cases of willful and malicious conduct or bad faith. It also displaces overlapping common law theories, so the trade secret claim is usually the centerpiece, not an afterthought.

Illinois courts have gone a step further with the inevitable disclosure doctrine. In PepsiCo, Inc. v. Redmond, the Seventh Circuit, applying Illinois law, allowed an employer to show misappropriation by demonstrating that the departed employee could not perform the new job without inevitably relying on the former employer’s trade secrets. That doctrine will not fit every case, and courts apply it carefully, but where an executive moves into a mirror-image role at a direct competitor, it can support relief even without a smoking-gun document. Continue reading ›

|

The summons rarely feels proportional to what happened. You left an honest review of a contractor. You warned a colleague about a vendor who had burned you. You answered a reporter’s question, or posted what you believed was true, or simply repeated what half the industry already knew. Now a process server is at the door and a complaint accuses you of defamation, demands a sum with a lot of zeros, and frames your words as if they were a calculated act of malice. The plaintiff is betting that the cost and fear of litigation will make you apologize, retract, and pay before anyone tests whether the claim is any good.

Often the claim is not good. Illinois defamation law is far more demanding of plaintiffs than most people sued under it realize, and several of its defenses are designed to end a weak case early, before it drains a year of your life. We tell clients the truth in both directions. A genuinely false and damaging statement of fact can cost you. But a great many defamation suits are built on opinion, on substantially true statements, on words that carry an innocent meaning, or on a theory that runs out of time. Knowing which is which is the whole game.

Begin with what the plaintiff must prove. A defamation claim in Illinois requires a false statement of fact about the plaintiff, an unprivileged publication of that statement to a third party, some level of fault, and damage to the plaintiff’s reputation. Each element is a place where a case can fail. The requirement that the statement be one of fact, and false, is the one defendants underuse. Continue reading ›

|

The warranty rate has been the same for so long that nobody in the store questions it anymore. The service department books warranty labor at a number the factory set years ago, posts parts at the manufacturer’s cost-plus formula, and moves on to the next repair order. Customer-pay work runs at the dealer’s real retail rate, the one the market actually supports, and warranty work runs at something lower because that is simply how it has always been done. Across a busy fixed-operations department, the gap between those two numbers, repeated over thousands of repair orders a year, is not a rounding error. It is a six-figure subsidy the dealer is handing the manufacturer without realizing it.

Illinois law does not require dealers to provide that subsidy. The Illinois Motor Vehicle Franchise Act, at 815 ILCS 710/6, says the opposite. It requires manufacturers to compensate dealers for warranty parts and labor at the dealer’s retail rate, gives the dealer a defined process to establish that rate, and forbids the factory from clawing the increase back through surcharges. Most dealers have the right. Far fewer have exercised it. The store that understands the statute can convert a long-running giveaway into recurring gross profit, and the conversion is built into the law.

Start with the rule itself, because it is broader than most service managers assume. Section 6 provides that adequate and fair compensation requires the manufacturer to pay each dealer no less than the amount the retail customer pays for the same services, with regard to both rate and time. That single sentence covers two distinct fights, the labor rate and the labor time, and it ties both to what real customers actually pay rather than to what the factory prefers. The statute reinforces the point at the back end by adding that in no event shall compensation for labor times and labor rates be less than the rates the dealer charges retail customers for like nonwarranty service.

On labor, the statute is specific about how the rate is set. The manufacturer must pay the dealer the same effective labor rate the dealer earns on customer-pay work, calculated from 100 sequential repair orders chosen and submitted by the dealer, less simple maintenance repair orders. Excluding routine maintenance from the sample matters, because oil changes and tire rotations drag the effective rate down, and the law lets the dealer leave them out. The statute also closes the usual factory escape hatches. It requires full compensation for diagnostic work, and it requires that time allowances for warranty work be no less than what is charged to retail customers for the same work. Where no time guide has been agreed for a warranty repair, the manufacturer’s time guide applies multiplied by 1.5. And if a technician has to call a technical assistance center, engineering, or another manufacturer source to complete a warranty repair, the manufacturer must pay for that time, including time on hold.

On parts, the statute defines the markup the dealer is owed and the method to prove it. The dealer is entitled to the prevailing retail price it charges for the same parts, which the Act defines as the dealer’s cost, including shipping, multiplied by one plus the dealer’s average percentage markup. To establish that markup, the dealer submits 100 sequential customer-paid repair orders, or 90 days of customer-paid repair orders, whichever is less, covering repairs made within the prior 180 days, and declares the average percentage markup. The declared markup takes effect 30 days later, subject to the manufacturer’s right to audit the submitted orders within those 30 days and adjust based on the audit. Only retail sales count toward the calculation, not warranty work or routine maintenance parts, and the manufacturer cannot force the dealer into an unduly burdensome part-by-part methodology. There are limits on frequency. A dealer may request a warranty labor rate increase once per calendar year and may seek to change the parts markup no more than twice per calendar year.

The statute also protects the increase once the dealer earns it. Manufacturers are not permitted to impose any cost-recovery fee or surcharge against the dealer for payments made under Section 6. That provision is the difference between a real rate increase and a shell game, because without it a factory could grant the higher warranty rate with one hand and take it back through a parity surcharge with the other. Illinois forecloses that move. The statute likewise bars reductions based on preestablished market norms or averages, and it prohibits manufacturers from limiting customer repair frequency through failure-rate indexes or national averages.

Two related protections are worth keeping in the same conversation, because they put money in the dealer’s pocket on the same ledger. When a manufacturer imposes a recall or stop sale on a new vehicle in the dealer’s inventory that prevents its sale, the Act requires the factory to compensate the dealer for interest and storage until the vehicle is repaired and made ready for sale. And on the audit side, the statute bars any debit reduction or chargeback of an item on a warranty repair order absent a finding of fraud or illegal conduct by the dealer, while limiting the factory’s audit window to one year from the date the claim was paid or the credit issued. A dealer pursuing a rate increase should expect a closer look at claims, and should know that the look has legal boundaries. Continue reading ›

|

The complaint usually arrives with a number attached, and the number is designed to take your breath away. A former employee, now a class representative, says your company scanned her fingerprint every time she punched the clock. Multiply one finger scan by every shift, by every worker, across several years, and the demand letter floats an exposure figure that looks less like a lawsuit and more like a going-out-of-business sale. The message is not subtle. Settle now, settle big, and do not ask too many questions.

That message is a negotiating tactic. It is not a legal conclusion. The Illinois Biometric Information Privacy Act, 740 ILCS 14/1 and following, is a real statute with real teeth, and we do not pretend otherwise to our clients. But the law in this area has moved hard over the last three years, and a meaningful share of that movement has favored the defense. The Illinois business that understands the current landscape negotiates from a much stronger position than the business that reaches for the checkbook the day it is served.

Start with what the statute actually requires, because most demand letters blur it. BIPA regulates biometric identifiers and biometric information, which the Act defines to include fingerprints, retina and iris scans, voiceprints, and scans of hand or face geometry. Section 15(b) is the heart of most cases. Before a private entity collects that data, it must tell the person in writing that the data is being collected, state the specific purpose and the length of term for which it will be collected and stored, and obtain a written release. Section 15(a) requires the entity to publish a written retention and destruction policy and to destroy the data when the purpose is satisfied or within three years of the person’s last interaction, whichever comes first. Section 15(c) bars selling or profiting from the data. Section 15(d) restricts disclosure. Section 15(e) requires a reasonable standard of care in storage. Section 20 supplies the damages that make these cases attractive to the plaintiffs’ bar: liquidated damages of $1,000 for each negligent violation and $5,000 for each intentional or reckless violation, or actual damages if greater, plus attorney fees and an injunction.

For several years the Illinois Supreme Court read those provisions in ways that steadily raised the stakes. In Rosenbach v. Six Flags Entertainment Corp., the Court held that a person is aggrieved, and may sue, on the bare violation of the statute, with no need to plead an actual injury. In Tims v. Black Horse Carriers, Inc., the Court held that the generous five-year catch-all limitations period governs every BIPA claim. And in Cothron v. White Castle System, Inc., a divided Court held that a separate claim accrues with every scan and every transmission, not just the first one. Cothron is the decision that produces the eye-watering numbers, because it lets a plaintiff multiply a single fingerprint by years of daily punches.

Here is what the demand letters tend to leave out. The legislature answered Cothron. Effective August 2, 2024, Public Act 103-0769 amended Section 20 so that a private entity that collects or discloses the same biometric identifier from the same person using the same method commits a single violation, for which the aggrieved person is entitled to, at most, one recovery. The same amendment confirmed that an electronic signature satisfies BIPA’s written-release requirement. In plain terms, the per-scan multiplication that drove the catastrophic exposure figures was cut off at the knees for conduct going forward, and the recovery is now anchored to the person, not the punch.

The defense news did not stop there. In Clay v. Union Pacific Railroad Co., one of a set of consolidated appeals the United States Court of Appeals for the Seventh Circuit decided in April 2026, the court held that the 2024 damages amendment applies retroactively to cases that were already pending when it took effect. The court reasoned that the change was remedial rather than substantive, because it altered only the damages available and not the underlying standard of liability, and that Illinois courts apply remedial changes retroactively. For Illinois businesses defending claims premised on years of historical scans, that holding can transform the math the plaintiff has been counting on.

The amendment limits the size of the case. Several established defenses can dispose of it altogether or push it out of the forum the plaintiff wants. Three are worth understanding.

The first is the health care exemption. Section 10 excludes information collected, used, or stored for health care treatment, payment, or operations under HIPAA. In Mosby v. Ingalls Memorial Hospital, the Illinois Supreme Court read that exemption in the disjunctive and applied it to the fingerprints health care workers used to access medication dispensing systems for patient care. A hospital, clinic, or other provider sued over biometrics tied to patient care should look hard at Section 10 before conceding the statute even applies.

The second is federal labor preemption. In Walton v. Roosevelt University, the Illinois Supreme Court held that Section 301 of the Labor Management Relations Act preempts BIPA claims brought by union employees when the collective bargaining agreement contains a broad management-rights clause, because the dispute belongs in the grievance and arbitration process, not in court. For employers with a unionized workforce, and a management-rights clause is common, Walton can move the entire fight to a different arena. Continue reading ›

|

Every data incident in 2026 produces the same playbook. A plaintiffs’ firm files a class action. The complaint pleads breach of contract. It pleads invasion of privacy. It pleads a federal statutory claim. And, almost always, it pleads negligence.

The negligence count usually says some version of the same thing. The defendant owed a duty to safeguard the plaintiff’s personal information, the defendant breached that duty by allowing the data to be exposed or transmitted, and the plaintiff suffered damages including diminished data value, anxiety, lost time, and lost benefit of the bargain.

Illinois law has a problem with this count. Two problems, actually.

The first problem is that there is no freestanding common law duty in Illinois to safeguard another person’s data. The second problem is that even if there were such a duty, Illinois’s economic loss doctrine, known as the Moorman doctrine, would bar recovery for the kinds of damages plaintiffs typically plead.

Both problems are dispositive at the motion to dismiss stage when the defense is built carefully.

The duty problem is settled by the Seventh Circuit. In Community Bank of Trenton v. Schnuck Markets, Inc., the court held that the Illinois Supreme Court has not recognized an independent common law duty to safeguard personal information. The court applied that holding to a data breach class action and dismissed the negligence claim. The Illinois Appellate Court reached the same conclusion in Cooney v. Chicago Public Schools, where the court rejected an attempt to use HIPAA, the federal medical privacy statute, as the source of a state law duty to safeguard data.

These holdings are not technicalities. They are reflections of how the duty element works in Illinois negligence law. A duty does not arise from a vague feeling that information should be protected. A duty arises from a relationship recognized by law, a statute that creates a private cause of action, or a common law rule the Illinois Supreme Court has actually adopted. When none of those exists, there is no duty, and there is no negligence.

Plaintiffs sometimes argue that the physician patient relationship, the merchant customer relationship, or the employer employee relationship is enough. Federal courts in Illinois have rejected those arguments in the data context. In Doe v. Genesis Health System, decided in 2025, the Central District of Illinois applied Community Bank and Cooney directly to a healthcare website tracking case and dismissed the negligence count. The court explained that the relationship based theory does not change the rule. If the Illinois Supreme Court has not recognized the duty, a federal court sitting in diversity will not invent it.

The second problem is the Moorman doctrine.

Moorman Manufacturing Co. v. National Tank Co. is one of the most cited cases in Illinois law. The Illinois Supreme Court held in 1982 that a plaintiff cannot recover in negligence for purely economic loss. Economic loss means losses that are not personal injury and are not damage to other property. Diminished data value is economic loss. Lost benefit of the bargain is economic loss. Lost time is economic loss. Anxiety and emotional distress are not personal injuries in this context. Each of those theories runs into the Moorman bar.

The reason this matters is that data class action complaints almost always allege economic loss as the principal damage theory. Without economic loss damages, the negligence count loses most of its monetary value. Without an actual breach of contract or a separate statutory cause of action, the case shrinks dramatically.

Three points are worth highlighting for any Illinois business defending a data related lawsuit. Continue reading ›

|

A new wave of class action lawsuits is sweeping into the Northern District of Illinois. The defendants are not telecom companies. They are healthcare practices, retailers, fintech companies, telehealth platforms, employers running candidate portals, and any business with a website that uses analytics or advertising tools.

The legal theory is the same in almost every case. The plaintiff alleges that a tracking pixel, often the Meta pixel, the TikTok pixel, or the Google tag, captured information the user typed into the defendant’s website and quietly transmitted that information to a third party advertising platform. The plaintiff then alleges that this transmission violated the federal Electronic Communications Privacy Act, also known as the Wiretap Act, 18 U.S.C. section 2511.

The financial pressure of these cases is enormous. The Wiretap Act allows statutory damages of the greater of $100 per day or $10,000 per plaintiff, plus attorney fees. Multiplied across a putative class of website visitors, the demand letter is designed to force a settlement. That math is the plaintiffs’ bar’s business model.

There is a powerful defense to most of these cases. It is called the party exception, and Illinois federal courts are increasingly willing to enforce it.

The party exception is not buried in a regulatory annex. It is in the statute itself. 18 U.S.C. section 2511(2)(d) provides that the prohibition on intercepting electronic communications does not apply where one of the parties to the communication has consented, or where the defendant is itself a party to the communication. When a customer or patient fills out a form on your website, the customer’s communication is being directed at you. You are not eavesdropping on someone else. You are the recipient.

That sounds obvious. It is also dispositive in most pixel cases when the defense is properly pleaded.

The Northern District of Illinois has issued a series of decisions applying this exact logic. In Kurowski v. Rush System for Health, the court held that Rush, not Facebook or Google or a downstream ad platform, was the intended recipient of the patient communications submitted through Rush’s website and patient portal. Sloan v. Anker Innovations Ltd. went further, holding that even where a defendant later uploads information to a third party server, the defendant remains a party to the original communication, not a non party interceptor. The Zak v. Bose Corp. line of cases rejected the plaintiffs’ bar’s relabeling tactic of recasting the website operator as a redirector of someone else’s data flow. And in Doe v. Genesis Health System, the court explained the principle in plain language. The communications could not have occurred without the plaintiff communicating with the defendant as the intended recipient and party.

What this means in practice is that when a plaintiff sues your business for embedding analytics on your own website that collected information the plaintiff voluntarily submitted to your business, you have a real defense at the motion to dismiss stage. The defense does not require discovery. It does not require expert testimony. It requires careful pleading and an early motion that frames the issue correctly. Continue reading ›

|

If you operate a healthcare practice, a telehealth platform, a behavioral health clinic, a fertility center, an addiction treatment facility, a dental or optometry chain, or any consumer facing business that handles sensitive information online, you have probably heard about the new generation of class action lawsuits over tracking pixels.

The lawsuits target businesses that embed third party tools like the Meta pixel, the TikTok pixel, or Google Analytics on their websites. The complaints allege that the tools captured information about a user’s interactions and transmitted that information to advertising platforms without consent.

In most of these cases, the defendant has a strong defense built into the federal Wiretap Act itself. When a user submits information to your website, you are a party to the communication, and 18 U.S.C. section 2511(2)(d) excludes parties from liability under the statute.

Plaintiffs know about that defense, so they have a workaround. They invoke the same subsection’s other clause, the so called crime tort exception. It provides that the party exception does not apply if the communication was intercepted for the purpose of committing any criminal or tortious act. Plaintiffs typically plead a HIPAA violation, an invasion of privacy claim, or both, as the predicate.

The question is whether this workaround survives.

That question is now actively splitting the federal courts in Illinois. The split is real, current, and important enough that one judge has already certified it for interlocutory appeal.

In the defense friendly camp, Doe v. Genesis Health System, decided by the United States District Court for the Central District of Illinois in 2025, held the answer is no. The court read the statute carefully and concluded that the defendant must have intercepted the communication for the purpose of committing a crime or a tort. Marketing and advertising purposes, the court held, do not satisfy that standard, because lawful commercial activity, even when it ultimately runs afoul of HIPAA’s regulatory scheme, is not the same as acting in order to commit a crime or tort. The Seventh Circuit articulated a similar principle years earlier in Thomas v. Pearl and again in Desnick v. American Broadcasting Cos. The recorder must intend to break the law or commit a tort. That intent is the heart of the carve out.

Doe 1 v. Chestnut Health Systems, Inc., decided in 2025, took the same path and dismissed a complaint that recited criminal or tortious purpose in conclusory terms. The court held that a conclusory recital will not do.

In the plaintiff friendly camp, Stein v. Edward-Elmhurst Health, decided in 2025, went the other way. The court held that a HIPAA violating disclosure can satisfy the carve out even when the defendant’s overall purpose was lawful commercial advertising. The same court later denied reconsideration but explicitly certified the question for interlocutory appeal, finding substantial ground for difference of opinion. That certification is itself a tell. When a federal trial court is comfortable enough with the strength of the opposing view to permit an immediate appeal, the law is genuinely unsettled.

What does this mean for Illinois businesses? Three things. Continue reading ›

Contact Information
Chicago Office
19 S LaSalle St #702
Chicago, IL 60603
Phone: 630-333-0333
Mailing Address
17W220 22nd St #410
Oakbrook Terrace, IL 60181
Phone: 630-333-0333 Please direct all mail correspondence to our Oakbrook Terrace address office.
Highland Park Office
189 Whistler Rd
Highland Park, IL 60035
Phone: 630-710-4990
We accept the following credit cards
Credit Cards Accepted
We accept payment via Venmo at: @L-A-LAW
Phone: 603-333-0333
Visit our site: chicagobusinesslawfirm.com

Please do not include any confidential or sensitive information in a contact form, text message, or voicemail. The contact form sends information by non-encrypted email, which is not secure. Submitting a contact form, sending a text message, making a phone call, or leaving a voicemail does not create an attorney-client relationship.

Copyright © 2026, DiTommaso Lubin, PC
JUSTIA Law Firm Blog Design