Resource Center / Resource Articles / US Data Privacy Litigation

US Data Privacy Litigation

This article series covers how data privacy violations in the U.S. are being contested through private litigation and class-action lawsuits.

Published: March 2025

Contributors:

Müge Fazlioglu

Cheryl Saniuk-Heinig

Kayla Bushey

C Kibby

Privacy actions have become one of the fastest growing types of litigation in the U.S. Supplemented by a growing body of statutory laws, particularly at the state level, U.S. individuals are advancing new legal theories of substantive data privacy violations and finding success in arguing their claims in court or in securing favorable settlements out of court.

Indeed, data privacy litigation in the U.S. is at an all-time high. By one count, nearly 2,000 lawsuits related to data privacy were brought to federal courts by litigants in 2024 alone. Across state and federal courts, class-action lawsuits related to data privacy have been on an upward slope over the past five years.

US data privacy litigation, 2020-2024

Source: Thomson Reuters/Westlaw Edge - Litigation Analytics, January 2025

When thinking about the enforcement of privacy laws, regulators such as the Federal Trade Commission and other agents of the government such as states' attorneys general come to mind. But individuals and certified classes of ordinary citizens have asserted their privacy rights around an assortment of digital issues, from web tracking to data breaches to biometric privacy. And while the enforcement capabilities of regulators and public authorities is capped by the number of such bodies that exist, as well as by their staff and budgetary resources, the number of citizens who may bring private actions in court is vastly greater and is always growing.

Moreover, as courts rule on issues at the emerging frontiers of digital governance, artificial intelligence and data privacy, there are many new precedents to be set that can cascade through the court system. As the court explained in Lopez et al v. Apple, "data privacy law is (a) developing area of law posing inherent risks that a new decision could shift the legal landscape as to the certifiability of a class, liability, and damages."

Thus, this series fills an important gap about how data privacy violations in the U.S. are contested through private litigation and class-action lawsuits. Litigants alleging privacy violations are not only grounding their claims in newer state privacy laws, such as the California Consumer Privacy Act, Washington state's My Health, My Data Act and New Jersey's Daniel's Law, but they are also marshalling long-standing privacy statues like the California Invasion of Privacy Act against modern-day data uses.

Today, understanding how plaintiffs assert their privacy rights, how defendants contest them, and how the courts interpret and apply privacy laws to new and emerging uses of data and technology is essential for organizations of every shape and size.

Series overview

This series is divided into six parts.

The first part, "Breach of contract and warranties litigation" by IAPP Research and Insights Analyst Cheryl Saniuk-Heinig, CIPP/E, CIPP/US, analyzes breach of contract and breach of warranty claims in the context of privacy. It examines when courts have allowed complaints to proceed and granted defendants' motions to dismiss, as well as when and how individuals have asserted privacy violations by leveraging a company's privacy notice, terms of service or other contractual arrangements.

The second part, "Website tracking litigation" by IAPP Westin Fellow Kayla Bushey, analyzes litigation under the long-standing CIPA, originally passed to protect citizens against illegal wiretapping. The decades-old statute is now being repurposed by individuals to claim website tracking by third parties amounts to a form of digital eavesdropping.

The third part, "Security breach litigation" by IAPP Westin Fellow C. Kibby, analyzes the private right of action under the CCPA, which can be brought for unauthorized disclosures that are not cured and carries statutory damages between USD100-750 per consumer.

The fourth part, "Biometrics and consumer health data litigation" by IAPP Principal Researcher, Privacy Law and Policy, Müge Fazlioglu, CIPP/E, CIPP/US, examines litigation under the Illinois Biometric Information Privacy Act and the PRA in recently enacted and proposed consumer health data privacy laws like Washington state's MHMDA.

The fifth part, "Data brokers and judicial privacy litigation" by Bushey, focuses on lawsuits filed under Daniel's Law, a New Jersey privacy statute that protects the personal information of judges and other public officials, as well as the First Amendment challenges defendants have raised against it.

Finally, the sixth part, "Litigating accountability through shareholder action" by Saniuk-Heinig, examines how shareholders have sought to hold organizations accountable, through private litigation, for alleged misconduct or inaction around data privacy issues.

As the articles in this series demonstrate, the case law emerging from class-action litigation around data privacy violations adds a new dimension of depth to the operationalization of privacy rights by private individuals. Read comprehensively, the cases analyzed in this series articulate an elaborate web of obligations for businesses that collect, store and share personal information. With each new court settlement, dismissal and decision, data privacy continues to be a source of living law, reshaping our understanding of its boundaries, limitations and power.

Additional resources