Series Overview

The full series in PDF format can be accessed here.

• Breach of contract and warranties litigation
• Website tracking litigation
• Security breach litigation
• Biometrics and consumer health data litigation
• Data brokers and judicial privacy litigation
• Litigating accountability through shareholder action

Privacy actions have become one of the fastest growing types of litigation in the U.S. Supplemented by a growing body of statutory laws, particularly at the state level, U.S. individuals are advancing new legal theories of substantive data privacy violations and finding success in arguing their claims in court or in securing favorable settlements out of court.

Indeed, data privacy litigation in the U.S. is at an all-time high. By one count, nearly 2,000 lawsuits related to data privacy were brought to federal courts by litigants in 2024 alone. Across state and federal courts, class-action lawsuits related to data privacy have been on an upward slope over the past five years.

When thinking about the enforcement of privacy laws, regulators such as the Federal Trade Commission and other agents of the government such as states' attorneys general come to mind. But individuals and certified classes of ordinary citizens have asserted their privacy rights around an assortment of digital issues, from web tracking to data breaches to biometric privacy. And while the enforcement capabilities of regulators and public authorities is capped by the number of such bodies that exist, as well as by their staff and budgetary resources, the number of citizens who may bring private actions in court is vastly greater and is always growing.

Moreover, as courts rule on issues at the emerging frontiers of digital governance, artificial intelligence and data privacy, there are many new precedents to be set that can cascade through the court system. As the court explained in Lopez et al v. Apple, "data privacy law is (a) developing area of law posing inherent risks that a new decision could shift the legal landscape as to the certifiability of a class, liability, and damages."

Thus, this series fills an important gap about how data privacy violations in the U.S. are contested through private litigation and class-action lawsuits. Litigants alleging privacy violations are not only grounding their claims in newer state privacy laws, such as the California Consumer Privacy Act, Washington state's My Health, My Data Act and New Jersey's Daniel's Law, but they are also marshalling long-standing privacy statues like the California Invasion of Privacy Act against modern-day data uses.

Today, understanding how plaintiffs assert their privacy rights, how defendants contest them, and how the courts interpret and apply privacy laws to new and emerging uses of data and technology is essential for organizations of every shape and size.

As the articles in this series demonstrate, the case law emerging from class-action litigation around data privacy violations adds a new dimension of depth to the operationalization of privacy rights by private individuals. Read comprehensively, the cases analyzed in this series articulate an elaborate web of obligations for businesses that collect, store and share personal information. With each new court settlement, dismissal and decision, data privacy continues to be a source of living law, reshaping our understanding of its boundaries, limitations and power.