Class Action Defense

May 18, 2023 by Class Action Defense

Eleventh Circuit Issues Landmark Ruling That Limits The EEOC’s Subpoena Powers

By Gerald L. Maatman, Jr., Alex W. Karasik, and Nicolette J. Zulli

Duane Morris Takeaways: In EEOC v. Eberspaecher North America Inc. , No. 21-13799, 2023 U.S. App. LEXIS 11466 (11th Cir. May 10, 2023), a split three judge-panel for the U.S. Court of Appeals for the Eleventh Circuit affirmed an Alabama federal district court’s ruling and held that that an EEOC subpoena for nationwide information relative to an investigation over potential disability discrimination was too broad in scope.

Given that the EEOC’s pre-suit subpoena power is rarely limited by courts, this ruling is vitally important and apt to be cited by employers who are confronted with far-reaching EEOC subpoenas, particularly for nationwide employee data.

Case Background

A former employee at Eberspaecher North America Inc.’s (“ENA”) Northport, Alabama facility filed a charge with the EEOC, alleging ADA violations due to disability-related absences and his subsequent termination. Id. at *4. The initial charge listed only the Northport facility’s address and alleged discriminatory practices related to qualified leave. The charge did not advance any nationwide allegations.

In response, the EEOC requested information exclusively pertaining to the charged conduct from ENA’s Northport facility. However, the EEOC later requested nationwide nationwide data on employees terminated for attendance infractions at all of ENA’s locations. ENA declined to provide this information, leading the EEOC to issue a subpoena demanding the nationwide data.

On June 30, 2021, the EEOC filed an application for judicial enforcement of the subpoena with the U.S. District Court for the Northern District of Alabama. ENA moved to revoke the subpoena, arguing that it exceeded the scope of the charge. The District Court ruled in favor of ENA, ordering compliance with the subpoena limited to the Northport facility. The EEOC appealed the decision. Id. at *9.

The Eleventh Circuit’s Decision

The Eleventh Circuit affirmed the District Court’s order that ENA comply with the subpoena, “but only as it applies to [ENA’s] Northport facility.” Id. at *8.

On appeal, the EEOC attempted to argue that (1) because the charge was based on a review of ENA’s company-wide handbook; and (2) because the use of the term “aggrieved employees” in the charge meant “all employees” impacted by ENA’s allegedly unlawful practices, it was entitled to nationwide data. Id. at *16.

The Eleventh Circuit rejected these arguments because it presupposed that the charge targeted ENA facilities worldwide. Specifically, the Eleventh Circuit concluded that the charge, which solely referenced ENA’s Northport facility, constrained the EEOC’s subpoena power. It emphasized that the relevance of the requested information should be tied to the charge against the employer and not future charges. Additionally, the Eleventh Circuit noted that the EEOC never attempted to amend the charge to expand its scope. Id.

Rejecting the EEOC’s broad request for information, the Eleventh Circuit explained that “[t]he relevance that is necessary to support a subpoena for the investigation of an individual charge is relevance to the contested issues that must be decided to resolve that charge, not relevance to issues that may be contested when and if future charges are brought by others.” Id. at *5 (citing EEOC v. Royal Caribbean Cruise, Ltd., 771 F.3d 757, 761 (11th Cir. 2014)). The Eleventh Circuit further explained that the charge did not provide notice of an investigation into ENA’s facilities nationwide. Accordingly, the Eleventh Circuit held that the District Court did not abuse its discretion by enforcing the EEOC’s subpoena of information only as to the Northport facility.

Implications For Employers

The Eberspaecher decision is noteworthy because court rulings that restrict the EEOC’s pre-suit enforcement actions are uncommon, particularly at the appellate level. This decision provides a roadmap for employers to challenge subpoenas or requests for information that exceed the charge’s scope.

While this decision represents a significant blow to the EEOC’s common practice of seeking company-wide data in administrative subpoenas, employers should note that the EEOC may seek to amend charges to include systemic allegations before serving future subpoenas. Accordingly, while this ruling is a rare management-side victory in EEOC subpoena enforcement actions, it remains to be seen whether future charges will be pleaded with an eye towards nationwide discovery in light of this new roadblock.

May 16, 2023 by Class Action Defense

Seventh Circuit Affirms That ERISA Plan Sponsors Do Not Act As Participants’ Fiduciaries And Must Follow The Terms Of The Plan As Written

By Gerald L. Maatman, Jr. and Jeffrey R. Zohn

Duane Morris Takeaways: More than 10 years after Plaintiffs filed suit in Carlson et al. v. Northrop Grumman Severance Plan et al., No. 22-1764, 2023 WL 3299703 (7th Cir. May 8, 2023), the Seventh Circuit put to rest the idea that a sponsor of an ERISA welfare-benefit plan is a fiduciary of the plan’s participants. Instead, per the ruling in Carlson, the sponsor is obligated to follow the terms of the plan as written. When the plan grants the sponsor discretion to determine who qualifies, the sponsor may exercise that discretion and may even change the way it exercises that discretion over time. If the plan does not grant the sponsor any such discretion, the sponsor must abide by the precise terms of the plan. The Seventh Circuit’s decision is well worth a read by corporate counsel, as it provides some bright-line tests for defense of class action claims brought under the ERISA.

Background And Context

Enacted in 1974, the Employee Retirement Income Security Act (“ERISA”) is the culmination of a long line of legislation concerned with the labor and tax aspects of employee benefit plans. In light of the often rapidly evolving retirement and health care needs of employees and their families, the ERISA has been subject to numerous amendments since its enactment nearly 50 years ago. Nonetheless, its primary aim has always been to protect the interests of participants and their beneficiaries in employee benefit plans.

The ERISA sets minimum standards for most voluntarily established retirement plans (such as 401(k) plans) and welfare benefit plans (such as medical benefits). These plans must also meet certain ERISA-based standards in order to qualify for favorable tax treatment.

Importantly, the ERISA explicitly empowers a participant of an employee benefit plan – including former employees in certain circumstances – to bring a civil action to recover benefits due or to clarify rights under the terms of the plan. More often than not, such litigation takes the form of a class action.

Case Background

On April 9, 2013, Plaintiffs filed a class action lawsuit against their former employer – Northrop Grumman (“Northrop”) – seeking payment of severance benefits Plaintiffs alleged Northrop owed them when they were laid off in 2012.

The plain language of Northrop’s Severance Plan (the “Plan”) grants the HR Department discretion to determine who qualifies for benefits under the Plan and may notify recipients of their benefits via an HR Memo. Plaintiffs and the other class members did not receive the HR Memo upon being laid off and, therefore, did not receive benefits under the Plan.

After class certification, the U.S. District Court for the Northern District of Illinois granted Northrop’s motion for summary judgment. It held that the Plan’s language gives the HR Department discretion to choose who, if anyone, gets severance pay on being laid off. Carlson et al. v. Northrop Grumman Severance Plan et al., No. 13-CV-02635, 2022 WL 971873 (N.D. Ill. Mar. 31, 2022). The district court further opined that the ERISA does not prevent an ERISA severance plan from possessing and exercising discretion to determine recipients. Plaintiffs appealed to the Seventh Circuit.

The Seventh Circuit’s Ruling

On May 8, 2023, the U.S. Court of Appeals for the Seventh Circuit affirmed the grant of summary judgment in favor of Northrop.

The Seventh Circuit explained that the terms of ERISA welfare-benefit plans always control. While plan administrators must act in a fiduciary capacity when exercising discretion, the entities that establish the plans do not have the same obligation. Instead, those entities are entitled to act in their own interests and need not provide participants any vesting interests.

“A person possessing discretion may change the way that discretion is exercised,” according to the Seventh Circuit. Id. at 2. As such, if a sponsor is granted discretion in determining who qualifies for plan benefits, it is not required to treat all participants equally, even if “deliberate past practice, [] mistaken past practice, and [] mistaken efforts to describe the benefits in writing” suggest otherwise. Id. at 3.

However, that is only true when the sponsor does possess such discretion. An ERISA sponsor still must apply a pension or welfare plan as written. The terms of the plan itself always control. No administrators or clerical employees can vary its terms.

In Carlson, the terms of the Plan granted Northrop’s HR Department the discretion to provide severance benefits to laid off employees, including Plaintiffs, by delivering them an HR Memo. Plaintiffs did not receive severance benefits or an HR Memo. The Seventh Circuit did not find any relevance in Plaintiffs’ position that, prior to October 2011, every laid-off employee who qualified for severance benefits received the HR Memo. Even if Plaintiffs’ position was factually accurate, which Northrop denied, the Seventh Circuit reasoned that Northrop was still entitled to change its approach and select which, if any, laid off employees would receive severance benefits.

The Seventh Circuit was also unpersuaded by Plaintiffs’ argument that Northrop interfered with Plaintiffs’ rights (a position which effectively argues that Northrop’s HR Department is a fiduciary of the Plan’s participants). The Seventh Circuit concluded that it is not. Instead, Northrop’s HR Department was properly exercising the discretion given to it under the plain terms of the Plan.

Implications For Employers

The Carlson decision indicates that courts will continue to honor the terms of an ERISA welfare-benefit plan based on the plain terms of the plan (and not based on past practices or even written plan summaries).

Nonetheless, Carlson is not an invitation for plan sponsors to blindly exercise discretion in determining qualification of ERISA welfare-benefit plans. Instead, it serves as a reminder that sponsors do not have unlimited authority in the execution of the plan. Sponsors must follow the terms of the plan as written. If the plan does not grant discretion in the execution of the plan, then no discretion may be exercised. If discretion is granted, then it must be exercised carefully and within the bounds of the grant.

Therefore, in deciding whether a plan applies to certain employees, employers should carefully review the terms of the plan rather than merely rely on past practices or plan summaries.

May 15, 2023May 16, 2023 by Gerald L. Maatman, Jr.

Tennessee Becomes Eighth State To Enact Comprehensive Privacy Legislation

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Tyler Zmick

Duane Morris Takeaways: As efforts to enact comprehensive privacy protection continue to stall on the federal level, states have stepped up to create a patchwork quilt of protections for those doing business with consumers within their borders. Tennessee recently became the eighth state – following Indiana, California, Colorado, Connecticut, Iowa, Utah, and Virginia – to enact comprehensive privacy legislation. At least 15 other states have introduced similar bills during the current legislative session, and Montana’s comprehensive consumer privacy statute awaits the signature of its Governor. Companies doing business in Tennessee or with Tennessee consumers should take heed of the new law and review their policies and processes for compliance.

Tennessee Legislation

After receiving overwhelming support from both houses of the General Assembly, on May 11, 2023, Governor Bill Lee signed the Tennessee Information Protection Act into law. With this law, Tennessee became the eighth state to institute comprehensive consumer privacy legislation. The law is set to take effect on July 1, 2024.

The act applies to businesses that conduct business in Tennessee or produce products or services that are targeted to Tennessee residents and that: (1) control or possess the personal information of at least 175,000 consumers; or (2) control or process personal information of at least 25,000 consumers and derive more than 50% of their gross revenue from the sale of personal information. The law contains exemptions for certain types of entities, such as governmental entities, certain financial institutions, non-profit organizations, and higher education institutions. The law also exempts certain types of data, such as personal information regulated by the Family Educational Rights and Privacy Act, and protected health information under HIPAA.

Similar to other comprehensive state privacy laws, the Tennessee law grants Tennessee residents certain rights in their personal information. It allows for consumers to confirm whether a company is processing their personal information, to access their personal information, to correct inaccuracies in their personal information, to delete their personal information, to obtain copies of their personal information, and to opt out of future sales or targeted advertising.

The law allows a consumer to invoke his or her rights (and the rights of his or her children) at any time by submitting a request to a controller of the personal information specifying the rights that the consumer wishes to invoke, and it requires the respondent to comply with an authenticated request without undue delay but, in all cases, within 45 days.

The law imposes various requirements on persons and entities who “determine[] the purpose and means” of processing personal information. For example, it requires such persons and entities to limit the collection of personal information to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed; to establish, implement, and maintain reasonable data security practices; and, if the controller processes or sells personal information for targeted advertising, to clearly and conspicuously disclose the processing, as well as the manner in which a consumer may exercise the right to opt out of the processing.

The Tennessee law does not provide for a private right of action and vests exclusive enforcement authority in the Tennessee attorney general. It allows a court to impose civil penalties of up to $7,500 per violation, and allows treble damages for willful or knowing violations. The law requires that, prior to initiating an action, the attorney general must provide a 60-day notice period during which the recipient may cure the noticed violation to avoid an enforcement action. The law also creates an affirmative defense under certain circumstances for a company that creates, maintains, and complies with a written privacy policy that reasonably conforms to documented policies, standards, and procedures designed to safeguard consumer privacy.

Implications for Businesses

Covered persons and entities who do business in Tennessee or who target Tennessee consumers should start reviewing their policies and developing processes to comply with the Tennessee law. Although the law is not set to take effect until July 1, 2024, the law adds another challenge to the already complex compliance landscape for companies seeking to operate on a nationwide basis.

May 12, 2023 by Class Action Defense

The Class Action Weekly Wire – Episode Twelve

Duane Morris Takeaway: This week’s episode of the Class Action Weekly Wire features Duane Morris partners Jerry Maatman and Jennifer Riley with their analysis of the employment discrimination class action litigation trends and developments in 2022 and what to expect in 2023. We hope you enjoy it.

May 11, 2023May 11, 2023 by Class Action Defense

The Duane Morris Class Action Defense Blog’s 100th Post!

Duane Morris Takeaways: Since its inception in September of 2022, the Duane Morris Class Action Defense blog has now recorded its 100^th post!!!!

Since our kick-off post, our data analytics show there have been over 20,000 views to blog posts, with thousands of our loyal subscribers reading about class action litigation developments. There are many highlights from the last 100 posts, but we wanted to provide just a few for you here. Click on the links below to see all the hot trends in class action litigation, and tune in below for a special thank you announcement from the blog’s editor, Jerry Maatman.

Overview Of The Last 100 Posts

We launched the first edition of the Duane Morris Class Action Review, which is a one-of-its-kind publication analyzing class action trends, decisions, and settlements in all areas impacting Corporate America. The Review has been prominently featured in the media and is a must-have for all human resources professionals, business leaders, and corporate counsel.

We also published five mini-books focused on specialized areas of law in class action litigation and on EEOC-Initiated litigation. Here are the links to our blog posts announcing the EEOC-Initiated Litigation Review, the Privacy Class Action Review, the Wage & Hour Class And Collective Action Review, the Private Attorneys General Act Review, and the Consumer Fraud Class Action Review.

The blog also kicked-off the Class Action Weekly Wire Podcast, where experts in the field discuss trends and hot developments. Tune in every Friday for a new episode!

Click here to read our most viewed blog post entitled Massachusetts State Court Rules In Class Action That A Multiple-Choice Promotional Test Discriminated Against Minority Police Officers. Over 2,000 people read this post!

Click here to watch our most viewed Class Action Weekly Wire Podcast, regarding ChatGPT and artificial intelligence and the impact on class action litigation.

Thank you loyal followers for making the Class Action Defense blog your pick for class action litigation related information, trends, and analysis. We truly appreciate it! See below for a special message from the blog’s editor, Jerry Maatman. And please keep coming back, we promise to keep the content fresh!

May 10, 2023 by Gerald L. Maatman, Jr.

Introducing The Duane Morris Consumer Fraud Class Action Review – 2023

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Sharon L. Caffrey

Duane Morris Takeaways: Class action litigation in the consumer fraud area has exponentially increased over the past several years, leaving corporations extremely vulnerable. Additionally, most consumer fraud class actions come with the possibility of excessive payouts for corporations. To that end, the class action team at Duane Morris is pleased to present the inaugural edition of the Consumer Fraud Class Action Review – 2023. We hope it will demystify some of the complexities of consumer fraud litigation and keep corporate counsel updated on the ever-evolving nuances in this area of law. We hope this book, which manifests the experience and expertise of the Duane Morris class action defense group, will assist clients by identifying trends in the case law and offering practical approaches in handing consumer fraud class action litigation.

Click here to download a copy of the Duane Morris Consumer Fraud Class Action Review – 2023 ebook.

Tune in on Fridays to our weekly podcast The Class Action Weekly Wire for more class action analysis and discussion of important trends!

May 8, 2023 by Gerald L. Maatman, Jr.

Class Action Money & Ethics Conference – The State Of Class Action Litigation

By Gerald L. Maatman, Jr. and Jennifer A. Riley

Duane Morris Takeaways: We were honored to present the keynote address today to open the 7th Annual Class Action Money & Ethics Conference in New York City sponsored by Beard Group, Citi Financial, Simpluris, and Pacer Monitor. With over 100 attendees, the program focused on the current state of class action litigation and “white hot” litigation topics for 2023. The discussion points provide an excellent roadmap on what is likely coming down the road for Corporate America for the remainder of 2023.

Class Action Dynamics

The themes of our keystone address focused on the extraordinary developments in class action litigation over the past 12 months.

The plaintiffs’ bar certified class actions at unprecedented levels throughout the country and monetized their cases with the highest settlement values seen in over 25 years. Many of these settlements arose from opioid litigation against manufactures, distributors, and retailers in the pharmaceutical industry. On an aggregate basis, class actions and government enforcement lawsuits garnered more than $71 billion in settlements, with 15 class action cases settling for more than $1 billion. Suffice to say, 2022 was unlike any other year on the class action settlement front. As success often begets copy-cats, corporations can expect the plaintiffs’ class action bar will be equally if not more aggressive in their case filings and settlement positions in 2023.

In 2022, the plaintiffs’ class action bar succeeded in certifying class actions at an exceedingly high rate. Across all major types of class actions, courts issued rulings on over 360 motions to grant or to deny class certification in 2022. Of these, plaintiffs succeed in obtaining or maintaining certification in 268 rulings, with an overall success rate of nearly 75%. The plaintiffs’ class action bar obtained the highest rates of success in securities fraud, ERISA, WARN, and FLSA actions. In cases alleging securities fraud, plaintiffs succeeded in obtaining orders certifying classes in 23 of the 24 rulings issues during 2022, a success rate of 96%. In ERISA litigation, plaintiffs succeeded in obtaining orders certifying class in 18 of 23 rulings issued during 2022, a success rate of 78%. In cases alleging WARN violations, plaintiffs managed to certify classes in 100% of the suits that resulted in decisions this year.

In terms of predictions, we opined that as the volume of class action filings has increased each year for the past decade, and 2023 is likely to follow that trend. As a result, a company’s programs designed to ensure compliance with existing laws and strategies to mitigate class action litigation risks are corporate imperatives. The plaintiffs’ bar is nothing if not innovative and resourceful. Given the massive class action settlement figures in 2022, coupled with the ever-developing case law under Rule 23, corporations can expect more lawsuits, expansive class theories, and an aggressive plaintiffs’ bar in 2023. These conditions necessitate planning, preparation, and decision-making to position corporations to withstand and defend class action exposures. These crucial issues are inevitably posed by any class action litigation. By their very nature, class actions involve decisions on strategy at every turn. The positions of the parties are constantly changing and corporate defendants must always be looking ahead and anticipating issues during every phase of the litigation.

Hot Class Action Topics

Among the topics addressed at the Conference were ESG class actions, PFAS “forever chemicals” litigation, Camp LeJeune mass tort litigation, Talc liability class actions, crypto class actions, and gender discrimination and pay equity class action litigation.

Litigating ESG Consumer Class Actions

Baldassare Vinti, Jeff Warshafsky, and Jennifer Yang of Proskauer Rose LLP led a discussion of class action litigation focusing on ESG environmental marketing claims, which they noted have been an increasing in number in the consumer class action space. These putative class actions challenge “green” claims that products or services are “carbon neutral,” “recyclable,” “non-toxic,” or otherwise beneficial for the environment.

PFAS “Forever Chemical” Class Actions

Michael J. Bisceglia, Brian M. Ledger, Paul T. Nyffeler, and Thomas R. Waskom of Hunton Andrews Kurth LLP presented on PFAS “forever chemical” litigation. Despite stringent regulation, PFAS has been linked to harmful health effects, including cancer. They predicted that after opioid litigation, many in the plaintiffs’ class action bar view this area as the next “big thing” for widespread mass tort and class actions.

Camp LeJeune Litigation & New Theories Of Liability

Mark A. DiCello of DiCello Levitt discussed the state of mass tort litigation with water contamination lawsuits filed against the U.S. Government alleging adverse health effects for affecting nearly 175,000 marines, sailors, their families and civilians at the camp between 1950 and 1985. Those cases were consolidated into MDL No. 2218 and the government successfully obtained dismissal of all of those cases in 2016. Plaintiffs’ lawyers have continued to litigate based on new theories of liability. The amount of advertising about the litigation is also continuing to mount (estimated at a cost of $500,000 to date), as more than 2,000 lawsuits are pending.

Talc Liability Class Actions

Gina Passarella, the editor in chief of American Lawyer, moderated a roundtable discussion with Melanie L. Cyganowski of Otterbourg P.C., Mohsin Meghji of M3 Partners, Robert J. Stark or Brown Rudnick, and Joshua A. Sussberg of Kirkland & Ellis regarding resolution of talc liability. The census of the roundtable was that this remains a hot topic in the class action and corporate restructuring communities, and that 2023 is expected to see various bankruptcy rulings in this sector.

After FTX, Crypto Lawyers And Class Actions

Michael P. Canty of Labaton Sucharow LLP and Graham Newman Chappell, Chappell & Newman provided their insights on crypto class action issues. They agreed that with the collapse of FTX, the crypto industry has endured more scrutiny. In this respect, decades-old laws are apt to provide fertile ground for assertion of class action theories.

Gender Based Discrimination & Pay Inequality

Matthew L. Berman of Valli Kane & Vagnini LLP and Rachel Geman of Lieff Cabraser Heimann & Bernstein LLP led a discussion on gender discrimination and pay equity class-based litigation.

With recent large equal pay cases, such as last year’s Google gender discrimination class action settlement of $118 million, and recent laws regarding pay equity and requiring pay transparency, a spotlight is shining on compensation in the workplace.

Mass Torts & Cases To Watch In 2023

Christopher Ege of Gordon Rees Scully Mansukhani, LLP, Mark Eveland of Verus LLC, Bridie Farrell of Milestone, Neil Kornswiet of Optium Captial LLC, and Edward E. Neiger of Ask LLP closed the Conference with a roundtable discussion of the state of mass tort litigation. They discussed several cases with some of the biggest brands making their way through court MDL proceedings, including Roundup, Tylenol Autism, and Elmiron. Based on key settlements from 2022, they predicted a robust litigation landscape for 2023.

Implications For Corporate America

If 2022 is any indication, 2023 is shaping up to be a signal year of developments in class action litigation.

May 5, 2023 by Class Action Defense

The Class Action Weekly Wire: Mid-Year Review Of EEOC-Initiated Litigation

May 4, 2023December 1, 2023 by Gerald L. Maatman, Jr.

Indiana Joins The Bandwagon In Passing A Comprehensive Privacy Law

By Gerald L. Maatman, Jr., Jennifer A. Riley, Alex W. Karasik, and Shaina Wolfe

Duane Morris Takeaways: The United States currently has no comprehensive data privacy law. Rather, a patchwork quilt of various privacy laws cover different types of data, such as information in credit reports (the Fair Credit Reporting Act), student records (Family Educational Rights and Privacy Act), and consumer financial products (Gramm-Leach-Bliley Act). In an attempt to fill the void of federal legislation, Indiana recently joined six other states – California, Colorado, Connecticut, Iowa, Utah, and Virginia – in enacting a comprehensive privacy statute, the Indiana Consumer Data Protection Act (“ICDPA”). At least nineteen states have introduced similar privacy bills this legislative session. Montana and Tennessee have comprehensive consumer privacy statutes pending signature by their governors. Businesses in Indiana should start immediately reviewing their policies and implementing processes for complying with ICDPA to avoid enforcement litigation by the Indiana Attorney General.

Indiana Legislation

On May 1, 2023, Indiana Governor Holcomb signed Senate Bill 5, known as the ICDPA. This new law will take effect on January 1, 2026.

The ICDPA applies to companies that conduct business in Indiana or produce products or services that are targeted to residents of Indiana and during a calendar year: (1) control or process the personal data of 100,000 consumers (who are Indiana residents) or (2) control or process personal data of at least 25,000 consumers (who are Indiana residents) and more than 50% of gross revenue from the sale of personal data. Significantly, the ICDPA does not apply to data processed or maintained in the course of applying to or being employed by a business. Moreover, the ICDPA does not apply to government entities, non-profit organizations or higher education institutions.

The ICDPA provides consumers with rights to their personal data, including:

– opt-out rights related to the sale of personal data, targeted marketing and profiling (automated decision making that could have significant legal effects, such as those related to employment and benefits);
– access rights, including a right to confirm whether a company is processing any data at all;
– deletion rights;
– correction rights, limited to data the consumer previously provided;
– appeal rights; and
– data portability rights (summary of the personal data sent to the consumer must be in a portable and readily usable format).

“Personal data” is broadly defined as information that is “linked or reasonably linkable to an identified or identifiable individual.” Personal data does not include de-identified data, publicly available information, or data related to a group or category of customers that is not linked or reasonably linked to an individual customer. The ICDPA also provides consumers the right to opt-out of the collection and processing of their sensitive personal data. “Sensitive personal data” includes: (1) personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health diagnosis made by a healthcare provider, sexual orientation, or citizenship or immigration status; (2) genetic or biometric data that is processed for the purpose of uniquely identifying a specific individual; (3) personal data collected from a known child; and (4) precise geolocation data. Certain personal data that is covered by other statutes like the Fair Credit Reporting Act or Family Educational Rights and Privacy Act is exempt.

Once the ICDPA takes effect, companies must respond to a consumer personal data request within 45 days of receipt of the request. Companies may also seek a 45-day extension to respond. If a consumer appeals a company’s decision to deny the consumer’s request, the appeal response must be delivered within 60 days. If the appeal is denied, the company must provide the consumer with a method for contacting the state attorney general.

Importantly, the ICDPA does not provide individuals with a private right of action against businesses that violate the Indiana Law. Rather, the Indiana Attorney General will have exclusive enforcement authority. Prior to any enforcement action, the business will be allowed 30 days to cure the alleged violation. Only after the thirty days pass will the Indiana Attorney General be permitted to bring an enforcement action for the alleged violation. If the Indiana Attorney General decides to bring an enforcement action, the business may be fined up to $7,500 per violation.

Implications for Businesses

The ICDPA does not take effect until January 1, 2026. Covered businesses should start reviewing their policies and implementing processes for complying with the ICDPA to avoid enforcement by the Indiana Attorney General.

May 4, 2023 by Gerald L. Maatman, Jr.

Seventh Circuit Affirms Dismissal Of “Bare Bones” Lawsuit Brought Under Illinois Genetic Information Privacy Act

By Gerald L. Maatman, Jr., Jennifer A. Riley, and Tyler Z. Zmick

Duane Morris Takeaways: On May 1, 2023, the U.S. Court of Appeals for the Seventh Circuit issued one of only a handful of decisions that have been released regarding the Illinois Genetic Information Privacy Act (“GIPA”). In Bridges v. Blackstone, Inc., No. 22-2486, 2023 WL 3165218 (7th Cir. May 1, 2023), the Seventh Circuit affirmed the District Court’s dismissal of Plaintiffs’ GIPA claims based on Plaintiffs’ failure to allege that Defendant “disclosed” or was “compelled to disclose” their statutorily-protected genetic information. Similar to its more well-known counterpart – the Illinois Biometric Information Privacy Act (“BIPA”) – liability under the GIPA could potentially result in “astronomical” damages awards and may represent an increasingly important Illinois law in the privacy space.

GIPA Background

Enacted in 1998, the GIPA was designed to prevent employers and insurers from using genetic testing data as a means to discriminate for employment or insurance underwriting purposes.

To further that goal, the statute places restrictions on the ability to release “genetic testing and information derived from genetic testing.” Specifically, the GIPA provides that “genetic testing and information derived from genetic testing is confidential and privileged and may be released only to the individual tested and to persons specifically authorized, in writing in accordance with Section 30, by that individual.” 410 ILCS 513/15(a). Section 30, in turn, states that subject to certain exceptions, “[n]o person may disclose or be compelled to disclose the identity of any person upon whom a genetic test is performed or the results of a genetic test in a manner that permits identification of the subject of the test, except to . . . the subject of the test.” 410 ILCS 513/30(a).

Like the BIPA, the more widely-known privacy statute, the GIPA allows “[a]ny person aggrieved by a violation” of the statute to collect liquidated damages “for each violation” in the following amounts: (1) for negligent violations, $2,500 or actual damages, whichever is greater; or (2) for intentional or reckless violations, $15,000 or actual damages, whichever is greater. 410 ILCS 513/40. Like the BIPA, prevailing GIPA plaintiffs can also recover reasonable attorneys’ fees and costs.

Case Background

In Bridges, the Plaintiffs sent their DNA samples (obtained through at-home test kits) to Ancestry.com, a genealogy company. Years later, Defendant Blackstone, Inc. purchased Ancestry.com for $4.7 billion in an all-stock acquisition. Plaintiffs subsequently filed a putative class action against Blackstone in July 2021, alleging that its acquisition of Ancestry.com resulted in a violation of the GIPA.

After removing the complaint to the U.S. District Court for the Southern District of Illinois, Blackstone moved to dismiss on the basis that Plaintiffs failed to sufficiently allege a claim for relief under the GIPA.

The District Court agreed, holding that Plaintiffs failed to state a GIPA claim because they did not adequately allege that Blackstone “compelled” Ancestry.com to disclose Plaintiffs’ genetic data under Section 30 of the GIPA. The District Court agreed with Blackstone that “compel[ing]” the disclosure of genetic information necessarily requires something more than receipt or obtainment, yet Plaintiffs alleged only that Blackstone “may have been entitled to request or receive information from Ancestry in connection with the[] acquisition.” Bridges v. Blackstone Grp., Inc., No. 21-CV-1091, 2022 WL 2643968, at *4 (S.D. Ill. July 8, 2022).

The Seventh Circuit’s Decision

The Seventh Circuit affirmed the District Court’s dismissal of Plaintiffs’ GIPA claim under Rule 12(b)(6).

Regarding the District Court’s reason for granting Blackstone’s motion to dismiss, the Seventh Circuit held that it need not answer the question “over whether GIPA liability can attach to a company like Blackstone that allegedly receives protected information, rather than discloses that information,” because Plaintiffs “have failed to state a claim regardless.” Id. at *2.

The Seventh Circuit agreed with the District Court that it is not plausible to infer that “a run-of-the-mill corporate acquisition, without more alleged about that transaction, results in a compulsory disclosure within the meaning of Section 30.” Bridges v. Blackstone Grp., Inc., No. 22-2486, Order at 4 (7th Cir. May 1, 2023) (“All we can say with certainty about Blackstone’s all-stock acquisition of Ancestry is that a change in ownership occurred – nothing more.”).

Implications for Employers

One of only a few cases to have interpreted the statute, the Bridges decision indicates that a company is not subject to liability under the GIPA based solely on its acquisition of another company that may be in possession of genetic data.

Nonetheless, Bridges serves as a reminder to Illinois employers that collect genetic information, medical histories, and/or conduct “health screenings” as part of their application processes about the importance of complying with the GIPA.

The GIPA’s statutory text mirrors the BIPA’s text in important (and potentially concerning) ways, including that (i) a plaintiff can likely sue under the GIPA regardless of whether an actual injury is alleged; and (ii) following the Illinois Supreme Court’s logic as applied to the BIPA in Cothron v. White Castle, 2023 IL 128004 (Ill. Feb. 17, 2023) (see here), statutory damages may accrue under the GIPA each separate time a company “disclose[s] or [is] compelled to disclose” genetic data protected by the GIPA. Thus, it is possible that plaintiffs will file increased numbers of GIPA class actions in Illinois courts in the coming months and years.