A recent Illinois lawsuit claims that the answer is no—at least not for Illinois residents—without the written consent of every individual that provided the genetic information in the first place.
In Hogan v. The Blackstone Group, Inc. (Blackstone), 21-cv-03628 (N.D. Ill.), Hogan (for herself and a putative class) alleges that she is a customer of Ancestry.com, the family history and genetic testing company (Ancestry). Specifically, Hogan contends that she purchased an at-home DNA test kit from Ancestry and provided her saliva and skin cells to Ancestry. Ancestry, in return, provided her with information from her submission, including information about her likely national heritage. So far, so good.
Enter Blackstone, which purchased Ancestry and its assets in 2020. As a result of this purchase, Hogan alleges that Blackstone acquired her and other putative class members’ genetic test results and associated information. Hogan alleges that this acquisition violated two provisions of the Illinois Genetic Information Privacy Act, 410 ILCS 513/1, et seq. (GIPA) because it occurred without her written consent.
First, Hogan alleges that Blackstone’s acquisition violated section 15(a) of GIPA, which states in relevant part:
[G]enetic testing and information derived from genetic testing is confidential and privileged and may be released only to the individual tested and to persons specifically authorized, in writing in accordance with Section 30, by that individual to receive the information . . . .
Second, Hogan alleges that Blackstone’s acquisition violated section 30(a)(2) of GIPA, which states in relevant part:
In other words, Hogan contends that, even though she knowingly and voluntarily provided this information to Ancestry, she only consented to Ancestry’s possession and use of her genetic data—not to any successors or purchasers of Ancestry’s assets.
As a result, Hogan claims entitlement to statutory damages and attorneys’ fees. Section 40 of GIPA allows a prevailing party to collect the greater of $2,500 or actual damages for negligent violations and the greater of $15,000 or actual damages for intentional damages, plus reasonable attorneys’ fees.
Transactional attorneys and litigators should take note. A number of other states have passed or are considering similar bills to GIPA. Moreover, there are other privacy statutes in Illinois and elsewhere that plaintiff’s lawyers may claim limit the sale of certain private information—without consent or, in some cases, even with consent. Depending on the location of a potential seller and its assets, these statutes should be carefully reviewed and considered for purposes of client counseling and due diligence.
While performing due diligence on privacy and cybersecurity matters is prudent in any contemporary transaction, far too often, such review concentrates on data safeguards and the occurrence of any security breach and its remediation. Cases like Hogan emphasize the importance of understanding the types of data acquired in a transaction and the need to consider any contractual or regulatory impediments to the transfer of such specific types of data. Further, purchase agreements should be reviewed to ensure definitions encompass the relevant types of data transferred and reference the specific laws and regulations applicable to such types of data. Finally, it is advisable that purchasers and their counsel endeavor to include a representation and warranty that expressly states the proposed transfer of data will not violate applicable law or any contractual obligation to which the seller is bound.