class action defense

GIPA Is the New BIPA, and the Damages Are Higher: How Illinois Employers Defend the Genetic Information Privacy Act Wave

May 28, 2026 | Peter S. Lubin and James V. DiTommaso

A clinic across town conducts pre-employment physicals for your company. The clinic’s intake form asks routine medical questions, including a section on family medical history. Two years later a class action arrives, naming your company under a statute most Illinois employers had not heard of three years ago. The complaint says you required disclosure of genetic information by asking, through the clinic, about heart disease, diabetes, and cancer in the applicant’s parents and siblings. The demand letter multiplies $15,000 per intentional violation by the number of applicants over the last several years and arrives at a number that looks like the cost of the lawsuit settling itself.

The statute is the Illinois Genetic Information Privacy Act, 410 ILCS 513, and the wave of cases under it is real. By industry counts, more than fifty putative class actions were filed in 2023 alone, and the filings have continued. The plaintiffs’ bar is treating GIPA as the new BIPA, with one important difference. The damages are higher. GIPA’s private right of action lets a court award $2,500 per negligent violation and $15,000 per intentional or reckless violation, plus attorney fees and costs, two and a half to three times BIPA’s $1,000 and $5,000 amounts. For an employer that screens dozens or hundreds of applicants each year, the math is exactly as alarming as it sounds.

It is also not the math the law has settled on. GIPA litigation is several years younger than BIPA litigation, and the doctrinal walls are still being built. But early defense decisions, statutory text the plaintiffs’ bar tends to underplay, and standard federal-court tools already give Illinois employers more leverage than the demand letter suggests.

Start with what GIPA actually prohibits. Section 25, 410 ILCS 513/25, bars an employer from directly or indirectly soliciting, requesting, requiring, purchasing, or otherwise obtaining genetic information of an individual or a family member as a condition of employment or for use in employment decisions. Section 10 defines genetic information, in language borrowed from federal law, to include the manifestation of a disease or disorder in family members of the individual, which is the legal phrase for family medical history. Section 30 restricts disclosure of genetic testing and information. Section 40 supplies the right of action and the liquidated damages.

The first defense is the one most employers miss. GIPA does not prohibit collection of the applicant’s own personal medical history. It prohibits collection of genetic information, which as a matter of statutory definition is information about the applicant’s genetic tests, the genetic tests of family members, or family medical history, the disease history of family members. An intake form that asks an applicant whether the applicant has had hypertension, diabetes, or back surgery is asking about the applicant. It is not asking about family. The same form that asks whether the applicant’s parents, siblings, or grandparents have had heart disease or cancer is asking about family medical history and is in GIPA’s territory. The distinction is not cosmetic. It can be the difference between liability and a routine occupational-health question.

The second defense comes from the leading appellate decision interpreting GIPA’s reach. In Bridges v. Blackstone, Inc., the Seventh Circuit affirmed the dismissal of a putative class action arising from Blackstone’s all-stock acquisition of the genealogy company Ancestry. The plaintiffs alleged that the acquisition itself was a disclosure of their genetic information in violation of Section 30. The Seventh Circuit disagreed, holding that a run-of-the-mill corporate acquisition, without more, does not result in a compulsory disclosure of genetic information under the statute. Bridges is the first appellate decision to push back on an aggressive reading of GIPA, and its reasoning is portable. It tells defense counsel that the statute’s words mean what they say, that the conduct the plaintiff is challenging must actually fit the statutory verb being invoked, and that the courts will not stretch GIPA into every transaction or every form that touches medical information in a tangential way. Continue reading ›

The Illinois Consumer Fraud Act Class Action You Were Just Served: Five Defenses That Decide Whether the Class Ever Gets Certified

May 28, 2026 | Peter S. Lubin and James V. DiTommaso

The complaint reads like an indictment of your marketing department. A national class. Allegations that a label, a website disclosure, or a price representation deceived consumers. A nationwide class period stretching back five years. A demand for restitution, actual damages, punitive damages, and a permanent injunction against your business practices. The Illinois Consumer Fraud and Deceptive Business Practices Act, 815 ILCS 505, is one of the broadest consumer-protection statutes in the country, and the plaintiffs’ bar treats it that way. The complaint is written to make a settlement feel inevitable long before discovery starts.

The complaint is doing what it is supposed to do. The Illinois Supreme Court and the Seventh Circuit have built five distinct doctrinal walls that most ICFA class actions never finish climbing. An Illinois defendant who learns those walls early often resolves the case at the pleading stage or wins at class certification, not after eighteen months of merits discovery. The settlement number a plaintiff demands on day one is usually the number that fits the case the plaintiff hopes to have. It is not the case Illinois law gives them.

The first wall is the extraterritorial limit, set by the Illinois Supreme Court in Avery v. State Farm Mutual Automobile Insurance Co. The Act does not reach a transaction that occurred outside Illinois. The Court held that there is no bright-line formula, but the inquiry asks whether the circumstances relating to the disputed transaction occurred primarily and substantially within Illinois. In Avery itself, a Louisiana plaintiff whose accident, repair, estimate, and dealings with the insurer all happened in Louisiana had no cause of action under the Illinois statute. The implication for class actions is enormous. A putative nationwide class that includes residents of forty-nine other states, whose purchases occurred everywhere except Illinois, runs straight into Avery. Many of these claims should not survive a motion to dismiss as to the out-of-state plaintiffs, and they almost never survive a contested class certification.

The second wall is choice of law in nationwide classes, illustrated by the Seventh Circuit’s decision in In re Bridgestone/Firestone, Inc. Tires Products Liability Litigation. Judge Easterbrook, writing for the panel, reversed certification of two nationwide classes because the claims would have to be adjudicated under the law of so many different jurisdictions that a single nationwide class was not manageable. The Seventh Circuit explained that the choice-of-law rules of the forum state ordinarily point to the consumer-protection law of each plaintiff’s home jurisdiction, not to a single state’s statute applied across the country. The implication for an Illinois ICFA class action that tries to reach beyond Illinois purchasers is direct. Where the trial court would have to apply Illinois law to some plaintiffs, California law to others, New York law to others, and so on, the predominance and manageability findings that Rule 23 demands collapse. Bridgestone is the case that prevents a single Illinois plaintiff from acting as a national consumer-protection regulator through one complaint. Continue reading ›

Sued Under the TCPA in 2026? The Three Decisions That Have Quietly Rewritten the Defense Playbook

May 28, 2026 | Peter S. Lubin and James V. DiTommaso

The complaint usually starts with a text message that looked perfectly ordinary on the way out the door. Your marketing team uploaded a customer list, the platform sent the campaign, and the response rates were strong. Months later a class action lands in the Northern District of Illinois on behalf of every recipient. The demand letter multiplies the number of texts by $500 per call under the Telephone Consumer Protection Act, then helpfully reminds you that the number can become $1,500 each if the conduct was willful, and the total has a comma in places you did not expect.

That math, like the math in most class action demands, is built to look fixed. It is not. In the last five years three different decisions, two of them issued in 2025, have moved the law harder in the defense’s direction than at any point since Congress passed the TCPA in 1991. An Illinois business defending a TCPA case today is operating in a very different statute than the one its adversaries are still describing.

Start with the statute itself. The TCPA, 47 U.S.C. 227, restricts calls and texts made using an automatic telephone dialing system, an artificial or prerecorded voice, and certain marketing to numbers on the federal do-not-call registry. Section 227(b)(3) lets a private plaintiff recover actual damages or $500 per violation, whichever is greater, with treble damages of $1,500 per call available where a court finds a willful or knowing violation. Multiplied across a putative class, the exposure is the entire point of the statute and the entire point of the demand letter.

The first decision that reshaped this landscape is Facebook, Inc. v. Duguid, decided by the United States Supreme Court in April 2021. The Court read the TCPA’s definition of an automatic telephone dialing system, often called an ATDS, in its plain terms. To qualify, a system must use a random or sequential number generator to store or produce the numbers it dials. Equipment that simply dials from a stored list of customer numbers, the workhorse of modern marketing platforms, does not qualify. The Seventh Circuit had already reached the same result a year earlier in Gadelhak v. AT&T Services, Inc., an opinion authored by then-Judge Amy Coney Barrett that the Supreme Court effectively ratified. The practical consequence in Illinois federal court is significant. A great many of the text and call campaigns that anchored the explosion of TCPA class actions a decade ago no longer involve an ATDS at all. The complaint may still allege one. The technology often does not support the allegation. That mismatch is a defense from the pleading stage forward. Continue reading ›

Sued Under BIPA? An Illinois Biometric Class Action Is Not the Catastrophe the Demand Letter Wants You to Believe

May 24, 2026 | Peter S. Lubin and James V. DiTommaso

The complaint usually arrives with a number attached, and the number is designed to take your breath away. A former employee, now a class representative, says your company scanned her fingerprint every time she punched the clock. Multiply one finger scan by every shift, by every worker, across several years, and the demand letter floats an exposure figure that looks less like a lawsuit and more like a going-out-of-business sale. The message is not subtle. Settle now, settle big, and do not ask too many questions.

That message is a negotiating tactic. It is not a legal conclusion. The Illinois Biometric Information Privacy Act, 740 ILCS 14/1 and following, is a real statute with real teeth, and we do not pretend otherwise to our clients. But the law in this area has moved hard over the last three years, and a meaningful share of that movement has favored the defense. The Illinois business that understands the current landscape negotiates from a much stronger position than the business that reaches for the checkbook the day it is served.

Start with what the statute actually requires, because most demand letters blur it. BIPA regulates biometric identifiers and biometric information, which the Act defines to include fingerprints, retina and iris scans, voiceprints, and scans of hand or face geometry. Section 15(b) is the heart of most cases. Before a private entity collects that data, it must tell the person in writing that the data is being collected, state the specific purpose and the length of term for which it will be collected and stored, and obtain a written release. Section 15(a) requires the entity to publish a written retention and destruction policy and to destroy the data when the purpose is satisfied or within three years of the person’s last interaction, whichever comes first. Section 15(c) bars selling or profiting from the data. Section 15(d) restricts disclosure. Section 15(e) requires a reasonable standard of care in storage. Section 20 supplies the damages that make these cases attractive to the plaintiffs’ bar: liquidated damages of $1,000 for each negligent violation and $5,000 for each intentional or reckless violation, or actual damages if greater, plus attorney fees and an injunction.

For several years the Illinois Supreme Court read those provisions in ways that steadily raised the stakes. In Rosenbach v. Six Flags Entertainment Corp., the Court held that a person is aggrieved, and may sue, on the bare violation of the statute, with no need to plead an actual injury. In Tims v. Black Horse Carriers, Inc., the Court held that the generous five-year catch-all limitations period governs every BIPA claim. And in Cothron v. White Castle System, Inc., a divided Court held that a separate claim accrues with every scan and every transmission, not just the first one. Cothron is the decision that produces the eye-watering numbers, because it lets a plaintiff multiply a single fingerprint by years of daily punches.

Here is what the demand letters tend to leave out. The legislature answered Cothron. Effective August 2, 2024, Public Act 103-0769 amended Section 20 so that a private entity that collects or discloses the same biometric identifier from the same person using the same method commits a single violation, for which the aggrieved person is entitled to, at most, one recovery. The same amendment confirmed that an electronic signature satisfies BIPA’s written-release requirement. In plain terms, the per-scan multiplication that drove the catastrophic exposure figures was cut off at the knees for conduct going forward, and the recovery is now anchored to the person, not the punch.

The defense news did not stop there. In Clay v. Union Pacific Railroad Co., one of a set of consolidated appeals the United States Court of Appeals for the Seventh Circuit decided in April 2026, the court held that the 2024 damages amendment applies retroactively to cases that were already pending when it took effect. The court reasoned that the change was remedial rather than substantive, because it altered only the damages available and not the underlying standard of liability, and that Illinois courts apply remedial changes retroactively. For Illinois businesses defending claims premised on years of historical scans, that holding can transform the math the plaintiff has been counting on.

The amendment limits the size of the case. Several established defenses can dispose of it altogether or push it out of the forum the plaintiff wants. Three are worth understanding.

The first is the health care exemption. Section 10 excludes information collected, used, or stored for health care treatment, payment, or operations under HIPAA. In Mosby v. Ingalls Memorial Hospital, the Illinois Supreme Court read that exemption in the disjunctive and applied it to the fingerprints health care workers used to access medication dispensing systems for patient care. A hospital, clinic, or other provider sued over biometrics tied to patient care should look hard at Section 10 before conceding the statute even applies.

The second is federal labor preemption. In Walton v. Roosevelt University, the Illinois Supreme Court held that Section 301 of the Labor Management Relations Act preempts BIPA claims brought by union employees when the collective bargaining agreement contains a broad management-rights clause, because the dispute belongs in the grievance and arbitration process, not in court. For employers with a unionized workforce, and a management-rights clause is common, Walton can move the entire fight to a different arena. Continue reading ›

Illinois Has No Common Law “Duty to Safeguard Data,” and the Moorman Doctrine Closes the Door on Most Negligence Damages

April 30, 2026 | Peter S. Lubin and James V. DiTommaso

Every data incident in 2026 produces the same playbook. A plaintiffs’ firm files a class action. The complaint pleads breach of contract. It pleads invasion of privacy. It pleads a federal statutory claim. And, almost always, it pleads negligence.

The negligence count usually says some version of the same thing. The defendant owed a duty to safeguard the plaintiff’s personal information, the defendant breached that duty by allowing the data to be exposed or transmitted, and the plaintiff suffered damages including diminished data value, anxiety, lost time, and lost benefit of the bargain.

Illinois law has a problem with this count. Two problems, actually.

The first problem is that there is no freestanding common law duty in Illinois to safeguard another person’s data. The second problem is that even if there were such a duty, Illinois’s economic loss doctrine, known as the Moorman doctrine, would bar recovery for the kinds of damages plaintiffs typically plead.

Both problems are dispositive at the motion to dismiss stage when the defense is built carefully.

The duty problem is settled by the Seventh Circuit. In Community Bank of Trenton v. Schnuck Markets, Inc., the court held that the Illinois Supreme Court has not recognized an independent common law duty to safeguard personal information. The court applied that holding to a data breach class action and dismissed the negligence claim. The Illinois Appellate Court reached the same conclusion in Cooney v. Chicago Public Schools, where the court rejected an attempt to use HIPAA, the federal medical privacy statute, as the source of a state law duty to safeguard data.

These holdings are not technicalities. They are reflections of how the duty element works in Illinois negligence law. A duty does not arise from a vague feeling that information should be protected. A duty arises from a relationship recognized by law, a statute that creates a private cause of action, or a common law rule the Illinois Supreme Court has actually adopted. When none of those exists, there is no duty, and there is no negligence.

Plaintiffs sometimes argue that the physician patient relationship, the merchant customer relationship, or the employer employee relationship is enough. Federal courts in Illinois have rejected those arguments in the data context. In Doe v. Genesis Health System, decided in 2025, the Central District of Illinois applied Community Bank and Cooney directly to a healthcare website tracking case and dismissed the negligence count. The court explained that the relationship based theory does not change the rule. If the Illinois Supreme Court has not recognized the duty, a federal court sitting in diversity will not invent it.

The second problem is the Moorman doctrine.

Moorman Manufacturing Co. v. National Tank Co. is one of the most cited cases in Illinois law. The Illinois Supreme Court held in 1982 that a plaintiff cannot recover in negligence for purely economic loss. Economic loss means losses that are not personal injury and are not damage to other property. Diminished data value is economic loss. Lost benefit of the bargain is economic loss. Lost time is economic loss. Anxiety and emotional distress are not personal injuries in this context. Each of those theories runs into the Moorman bar.

The reason this matters is that data class action complaints almost always allege economic loss as the principal damage theory. Without economic loss damages, the negligence count loses most of its monetary value. Without an actual breach of contract or a separate statutory cause of action, the case shrinks dramatically.

Three points are worth highlighting for any Illinois business defending a data related lawsuit. Continue reading ›

When Your Own Website Becomes the “Wiretap”: Defending Illinois Businesses Against Pixel Tracking Class Actions Under the Federal Wiretap Act

April 30, 2026 | Peter S. Lubin and James V. DiTommaso

A new wave of class action lawsuits is sweeping into the Northern District of Illinois. The defendants are not telecom companies. They are healthcare practices, retailers, fintech companies, telehealth platforms, employers running candidate portals, and any business with a website that uses analytics or advertising tools.

The legal theory is the same in almost every case. The plaintiff alleges that a tracking pixel, often the Meta pixel, the TikTok pixel, or the Google tag, captured information the user typed into the defendant’s website and quietly transmitted that information to a third party advertising platform. The plaintiff then alleges that this transmission violated the federal Electronic Communications Privacy Act, also known as the Wiretap Act, 18 U.S.C. section 2511.

The financial pressure of these cases is enormous. The Wiretap Act allows statutory damages of the greater of $100 per day or $10,000 per plaintiff, plus attorney fees. Multiplied across a putative class of website visitors, the demand letter is designed to force a settlement. That math is the plaintiffs’ bar’s business model.

There is a powerful defense to most of these cases. It is called the party exception, and Illinois federal courts are increasingly willing to enforce it.

The party exception is not buried in a regulatory annex. It is in the statute itself. 18 U.S.C. section 2511(2)(d) provides that the prohibition on intercepting electronic communications does not apply where one of the parties to the communication has consented, or where the defendant is itself a party to the communication. When a customer or patient fills out a form on your website, the customer’s communication is being directed at you. You are not eavesdropping on someone else. You are the recipient.

That sounds obvious. It is also dispositive in most pixel cases when the defense is properly pleaded.

The Northern District of Illinois has issued a series of decisions applying this exact logic. In Kurowski v. Rush System for Health, the court held that Rush, not Facebook or Google or a downstream ad platform, was the intended recipient of the patient communications submitted through Rush’s website and patient portal. Sloan v. Anker Innovations Ltd. went further, holding that even where a defendant later uploads information to a third party server, the defendant remains a party to the original communication, not a non party interceptor. The Zak v. Bose Corp. line of cases rejected the plaintiffs’ bar’s relabeling tactic of recasting the website operator as a redirector of someone else’s data flow. And in Doe v. Genesis Health System, the court explained the principle in plain language. The communications could not have occurred without the plaintiff communicating with the defendant as the intended recipient and party.

What this means in practice is that when a plaintiff sues your business for embedding analytics on your own website that collected information the plaintiff voluntarily submitted to your business, you have a real defense at the motion to dismiss stage. The defense does not require discovery. It does not require expert testimony. It requires careful pleading and an early motion that frames the issue correctly. Continue reading ›

The Tracking Pixel Lawsuit Wave Hits Illinois: Why the “Crime or Tort” Exception Argument Is Splitting the Federal Courts

April 30, 2026 | Peter S. Lubin and James V. DiTommaso

If you operate a healthcare practice, a telehealth platform, a behavioral health clinic, a fertility center, an addiction treatment facility, a dental or optometry chain, or any consumer facing business that handles sensitive information online, you have probably heard about the new generation of class action lawsuits over tracking pixels.

The lawsuits target businesses that embed third party tools like the Meta pixel, the TikTok pixel, or Google Analytics on their websites. The complaints allege that the tools captured information about a user’s interactions and transmitted that information to advertising platforms without consent.

In most of these cases, the defendant has a strong defense built into the federal Wiretap Act itself. When a user submits information to your website, you are a party to the communication, and 18 U.S.C. section 2511(2)(d) excludes parties from liability under the statute.

Plaintiffs know about that defense, so they have a workaround. They invoke the same subsection’s other clause, the so called crime tort exception. It provides that the party exception does not apply if the communication was intercepted for the purpose of committing any criminal or tortious act. Plaintiffs typically plead a HIPAA violation, an invasion of privacy claim, or both, as the predicate.

The question is whether this workaround survives.

That question is now actively splitting the federal courts in Illinois. The split is real, current, and important enough that one judge has already certified it for interlocutory appeal.

In the defense friendly camp, Doe v. Genesis Health System, decided by the United States District Court for the Central District of Illinois in 2025, held the answer is no. The court read the statute carefully and concluded that the defendant must have intercepted the communication for the purpose of committing a crime or a tort. Marketing and advertising purposes, the court held, do not satisfy that standard, because lawful commercial activity, even when it ultimately runs afoul of HIPAA’s regulatory scheme, is not the same as acting in order to commit a crime or tort. The Seventh Circuit articulated a similar principle years earlier in Thomas v. Pearl and again in Desnick v. American Broadcasting Cos. The recorder must intend to break the law or commit a tort. That intent is the heart of the carve out.

Doe 1 v. Chestnut Health Systems, Inc., decided in 2025, took the same path and dismissed a complaint that recited criminal or tortious purpose in conclusory terms. The court held that a conclusory recital will not do.

In the plaintiff friendly camp, Stein v. Edward-Elmhurst Health, decided in 2025, went the other way. The court held that a HIPAA violating disclosure can satisfy the carve out even when the defendant’s overall purpose was lawful commercial advertising. The same court later denied reconsideration but explicitly certified the question for interlocutory appeal, finding substantial ground for difference of opinion. That certification is itself a tell. When a federal trial court is comfortable enough with the strength of the opposing view to permit an immediate appeal, the law is genuinely unsettled.

What does this mean for Illinois businesses? Three things. Continue reading ›