Marriott’s Legal Victory Masks Ongoing Risks of Data Breach Class Actions


On June 3, 2025, Marriott International secured a significant legal victory when the 4th U.S. Circuit Court of Appeals in Richmond, Virginia, overturned a lower court’s decision to certify a class action lawsuit stemming from a 2018 data breach at its Starwood affiliate. The breach, one of the largest in U.S. history, exposed the personal information of nearly 400 million guests, including names, birth dates, and payment card data. The appeals court ruled that a class-action waiver in Marriott’s Starwood Preferred Guest contracts precluded the certification of classes against the hotel giant, effectively dismantling the plaintiffs’ ability to sue collectively. While this decision, reported by Reuters, marks a win for Marriott, it does not signal a reprieve for businesses facing the growing threat of data breach class actions and privacy lawsuits. That litigation is at a record level right now, and much of it is not about breaches at all: it targets the tracking technologies, pixels, and cookies companies run on their websites.

Companies must remain vigilant, as the legal, financial, and reputational risks of such litigation continue to loom large.

As of this piece in June 2025, the most recent update to the Marriott privacy center is from 2024. Five new state privacy laws took effect in January 2025, and Tennessee’s privacy law takes effect in July. A safer practice is to review and update the privacy center for each new jurisdiction in which the company operates, as each law comes into force.

Marriott Privacy Lawsuit on Hold

The Marriott Case is a Rare Narrow Escape in Privacy Litigation

The 2018 Starwood breach, undetected from 2014 until its disclosure, triggered a wave of litigation, with plaintiffs alleging Marriott failed to protect sensitive customer data. A Maryland federal judge initially certified eight classes encompassing millions of affected guests, a decision that could have exposed Marriott to substantial damages. However, the 4th Circuit’s ruling on June 3, 2025, reversed this certification, citing the class-action waiver in Marriott’s rewards program terms, which required disputes to be resolved individually. The court found that Marriott’s participation in consolidated legal proceedings did not waive its right to enforce this provision, a stance supported by the U.S. Chamber of Commerce in a brief backing Marriott. A waiver of this kind does not make claims disappear; it pushes them into individual proceedings. Firms such as Swigart Law settle thousands of such cases through arbitration each year, largely out of the public eye.

This outcome, hailed by Marriott in a statement, underscores the power of contractual waivers to limit class-action liability. However, as posts on X note, the litigation, described as “seemingly endless,” highlights the persistent legal battles companies face post-breach. The decision does not erase Marriott’s broader legal troubles, including a $52 million settlement with U.S. states in 2024 and a $24 million fine from British authorities in 2020, nor does it shield businesses from the evolving landscape of privacy lawsuits.

Why Businesses Should Stay on Edge

While Marriott’s victory offers a playbook for leveraging class-action waivers, it does not diminish the broader risks of data breach litigation. Companies across industries face an increasingly hostile legal environment, driven by heightened consumer awareness, evolving privacy regulations, and the growing sophistication of cyberattacks. The following factors illustrate why businesses must remain on high alert:

  1. Rising Frequency and Scale of Data Breaches
    Data breaches are becoming more frequent and severe, with hackers targeting vast repositories of personal information. The Marriott breach, affecting nearly 400 million customers, is a stark reminder of the scale of exposure. Recent incidents, such as the 2022 Gunster breach affecting thousands or the 2021 T-Mobile breach impacting 76 million customers, demonstrate that no industry is immune. These breaches fuel class actions, as plaintiffs seek compensation for compromised data, even when direct financial harm is hard to prove.
  2. Evolving Legal Standards and Consumer Protections
    The legal landscape for privacy lawsuits is shifting rapidly. While Marriott dodged class certification, courts are increasingly willing to certify classes in data breach cases, as seen in the initial Maryland ruling. State laws in California, Connecticut, New Jersey, and Utah, and internationally Brazil’s LGPD and the EU’s General Data Protection Regulation (GDPR), impose stringent data protection and data retention requirements, and some, such as California’s CCPA, give consumers a private right of action for statutory damages after a breach without proof of actual harm. The $52 million Marriott settlement with U.S. states, requiring 20 years of third-party cybersecurity monitoring, signals that regulators are intensifying scrutiny. Posts on X reflect public frustration with corporate data handling, amplifying pressure for accountability.
  3. Financial and Reputational Stakes
    The financial risks of data breach litigation are staggering. The T-Mobile settlement, for instance, reached $350 million, with attorneys’ fees alone sparking disputes over their $78 million share. Marriott’s $52 million state settlement and ongoing litigation costs highlight the potential for multimillion-dollar liabilities, even without class certification. Beyond financial costs, breaches erode consumer trust. Commentary on X called the 4th Circuit ruling a “big loss for the plaintiffs’ bar,” but the years of litigation that preceded it are a warning for companies. Reputational damage can lead to lost business, particularly for consumer-facing industries like hospitality.
  4. Challenges in Proving Standing and Harm
    While Marriott’s waiver strategy succeeded, plaintiffs are finding new ways to establish standing in data breach cases. Courts have historically dismissed lawsuits where plaintiffs could not prove concrete harm, as in a 2021 Marriott case involving a smaller 5.2 million-guest breach. However, evolving judicial interpretations, such as the Maryland judge’s initial certification in the Starwood case, suggest that courts may accept broader definitions of harm, like the risk of future identity theft. This trend increases the likelihood of successful class actions, even against companies with strong defenses.
  5. Global Litigation Risks
    Marriott’s legal battles extend beyond the U.S., with a London class action filed in 2020 by millions of former guests under a U.K. opt-out framework. This global exposure underscores the cross-border nature of privacy risks, particularly for multinational corporations. The GDPR’s strict penalties, as evidenced by Marriott’s $24 million U.K. fine, amplify the stakes for businesses operating internationally.

Lessons from Marriott and Broader Implications

Marriott’s reliance on a class-action waiver offers a critical lesson: proactive legal strategies, such as clear contractual terms, can mitigate litigation risks. The 4th Circuit emphasized that courts must address waivers before certifying classes, reinforcing their enforceability. However, this defense is not foolproof. Although the 4th Circuit rejected the Maryland judge’s finding that Marriott’s litigation conduct was “wholly inconsistent” with its waiver argument, that finding shows how a company’s own conduct in court can be turned against a waiver. Companies should invoke such provisions early and consistently to avoid judicial skepticism.

Moreover, the Marriott case highlights the need for robust cybersecurity measures. The FTC’s 2024 mandate for Marriott to implement a comprehensive security program after breaches from 2014 to 2020 underscores regulatory expectations for proactive data protection. Businesses must invest in encryption, access controls, and incident response plans to minimize vulnerabilities and demonstrate due diligence in court.

The Bigger Picture: Privacy Lawsuits and Emerging Technologies

The Marriott ruling intersects with broader privacy concerns, such as those surrounding connected cars, mobile driver’s licenses (mDLs) and AI-driven data processing. The No Phone Home campaign, for instance, warns of surveillance risks in mDL standards that let the issuing authority be contacted each time a credential is presented, enabling tracking through centralized databases. Similarly, ambient AI listening in healthcare raises fears of unauthorized data collection. These technologies, like Marriott’s reservation systems, rely on vast datasets, making them prime targets for breaches and lawsuits. Companies adopting such innovations must anticipate heightened scrutiny, as public awareness of privacy issues grows, fueled by discussions on X and advocacy from groups like the ACLU.

What Businesses Must Do

To navigate this treacherous landscape, companies should:

  • Strengthen Cybersecurity: Invest in encryption of stored and transmitted personal data, regular security audits, and employee training to prevent breaches.
  • Leverage Contractual Protections: Include enforceable class-action waivers in user agreements, ensuring consistent legal strategies.
  • Enhance Transparency: Clearly communicate data practices to consumers to build trust and reduce litigation risks.
  • Monitor Regulatory Changes: Stay ahead of evolving privacy laws like the CCPA and GDPR to ensure compliance.
  • Prepare for Global Risks: Anticipate international litigation and regulatory penalties, particularly for multinational operations.

Marriott’s Victory May Be Short Lived in the Privacy Litigation World

Marriott’s victory in the 4th Circuit is a tactical win, but it does not signal a broader retreat from data breach class actions. New privacy fines and lawsuits appear every week, so the win will be short lived, especially for companies that do not practice good privacy hygiene. The ruling underscores the efficacy of class-action waivers but also highlights the relentless legal and regulatory pressures facing businesses. With cyberattacks on the rise, privacy laws tightening, and public sentiment on social media demanding accountability, companies must remain on edge. The risk of multimillion-dollar lawsuits for privacy violations is here to stay, regardless of the size of the organization.
