US Data Privacy Litigation

This series fills an important gap about how data privacy violations in the U.S. are contested through private litigation and class-action lawsuits. Litigants alleging privacy violations are not only grounding their claims in newer state privacy laws, such as the California Consumer Privacy Act, Washington state's My Health, My Data Act and New Jersey's Daniel's Law, but they are also marshalling long-standing privacy statues like the California Invasion of Privacy Act against modern-day data uses.

Today, understanding how plaintiffs assert their privacy rights, how defendants contest them, and how the courts interpret and apply privacy laws to new and emerging uses of data and technology is essential for organizations of every shape and size.

As the articles in this series demonstrate, the case law emerging from class-action litigation around data privacy violations adds a new dimension of depth to the operationalization of privacy rights by private individuals. Read comprehensively, the cases analyzed in this series articulate an elaborate web of obligations for businesses that collect, store and share personal information. With each new court settlement, dismissal and decision, data privacy continues to be a source of living law, reshaping our understanding of its boundaries, limitations and power.

Series Overview

Breach of contract and warranties litigation
This article examines how plaintiffs increasingly rely on breach of contract and breach of warranty theories in privacy lawsuits, using companies’ privacy notices, terms of service, and public statements as enforceable commitments in court. It outlines the strategies and legal arguments used to advance express and implied contract and warranty claims.
View article

Website tracking litigation
This article explores the surge in website tracking litigation, where plaintiffs use state wiretapping statutes to challenge session replay tools, pixels, chat widgets, and other tracking technologies embedded on consumer‑facing sites. It highlights how decades‑old wiretap laws are being applied to modern web analytics practices, creating significant litigation exposure for businesses.
View article

Security breach litigation
This article analyzes litigation arising from data breaches, focusing on the California Consumer Privacy Act’s private right of action and how plaintiffs use it to sue businesses for alleged failures to implement reasonable security. It explains which consumers may sue, under what circumstances, and how the CCPA compares with other state laws that enable similar claims.
View article

Biometrics and consumer health data litigation
This article reviews biometric and health‑data litigation, explaining how plaintiffs leverage statutes like Illinois’ Biometric Information Privacy Act (BIPA) and Washington’s My Health My Data Act to challenge the collection, storage, and use of sensitive personal and biometric data. It discusses notable settlements and the legal requirements that organizations must meet when handling biometric identifiers or consumer health information.
https://iapp.org/resources/article/us-litigation-series-biometrics-consumer-health-data/

Data brokers and judicial privacy litigation
This article discusses litigation risks for data brokers and consumer‑facing companies under New Jersey’s Daniel’s Law, which restricts publication of personal information about judges, law enforcement personnel and other public officials. It examines how the law has driven a wave of lawsuits, constitutional challenges and heightened obligations for entities handling public‑official data.
View article

Litigating accountability through shareholder action
This article explores how shareholders pursue derivative actions after privacy incidents to hold corporate leadership accountable for alleged failures in data governance, security practices or oversight. It explains the legal standards for derivative suits, challenges plaintiffs face and how such actions can prompt changes in corporate policies even without trial victories.
View article

Further Info

Privacy actions have become one of the fastest growing types of litigation in the U.S. Supplemented by a growing body of statutory laws, particularly at the state level, U.S. individuals are advancing new legal theories of substantive data privacy violations and finding success in arguing their claims in court or in securing favorable settlements out of court.

Indeed, data privacy litigation in the U.S. is at an all-time high. By one count, nearly 2,000 lawsuits related to data privacy were brought to federal courts by litigants in 2024 alone. Across state and federal courts, class-action lawsuits related to data privacy have been on an upward slope over the past five years.

When thinking about the enforcement of privacy laws, regulators such as the Federal Trade Commission and other agents of the government such as states' attorneys general come to mind. But individuals and certified classes of ordinary citizens have asserted their privacy rights around an assortment of digital issues, from web tracking to data breaches to biometric privacy. And while the enforcement capabilities of regulators and public authorities is capped by the number of such bodies that exist, as well as by their staff and budgetary resources, the number of citizens who may bring private actions in court is vastly greater and is always growing.

Moreover, as courts rule on issues at the emerging frontiers of digital governance, artificial intelligence and data privacy, there are many new precedents to be set that can cascade through the court system. As the court explained in Lopez et al v. Apple, "data privacy law is (a) developing area of law posing inherent risks that a new decision could shift the legal landscape as to the certifiability of a class, liability, and damages."