A national security regulation that most Americans have never heard of is quietly rewriting the rules of data privacy litigation — and this time it is not just some of the biggest names in tech in the crosshairs, but also business owners who are unknowingly sending data back to China and violating federal privacy laws. The Department of Justice’s Bulk Sensitive Data Rule, which took full effect in 2025 and which we covered in depth to help clients get ahead of the rule, was designed as a foreign policy tool to keep Americans’ most sensitive personal data out of the hands of adversarial nations. But in courtrooms across the country, plaintiffs’ attorneys have found a creative and powerful way to weaponize it — by pairing it with one of the oldest federal privacy statutes on the books: the Electronic Communications Privacy Act of 1986 (ECPA). The result is a rapidly accelerating wave of class action lawsuits that could reshape the advertising technology industry and corporate data practices for years to come.
What Is the DOJ Bulk Data Rule?
The DOJ’s Data Security Program took effect April 8, 2025, following Executive Order 14117. This regulation prohibits or restricts transfers of American personal information to six “countries of concern”: China (including Hong Kong and Macau), Russia, Iran, North Korea, Cuba, and Venezuela.
The Bulk Rule is designed to restrict the processing and transfer of specified categories of sensitive personal data — including human ‘omic data, biometric data, precise geolocation data, personal health data, and personal financial data — to designated countries of concern, such as China, unless a specific exception applies.
The Rule covers U.S. person sensitive personal data, including personal identifiers such as IP addresses and advertising identifiers, personal health and financial data, human ‘omic data, human biospecimens, biometric identifiers, and geolocation data.
The DOJ can pursue civil enforcement actions with fines up to $368,136, or twice the value of each violating transaction. Companies must also report to DOJ within 14 days if they know or suspect violations of transfer rules.
The rule’s architects framed it explicitly as a national security directive. The DOJ created this framework “to prevent China, Russia, Iran, and other foreign adversaries from using commercial activities to access and exploit Americans’ sensitive personal data to commit espionage,” describing the threat as an “unusual and extraordinary threat to the national security and foreign policy of the United States.”
Why ECPA? The Legal Workaround Explained
Here’s the crux of why these lawsuits are generating so much attention: the Bulk Data Rule does not include a “private right of action” allowing individuals to sue for violations of the law — meaning only the government can enforce the rule directly.
Plaintiffs’ attorneys found a solution in ECPA, the 1986 wiretapping statute. Although the DOJ rule has no private right of action, creative plaintiffs have found a way to bring multiple class action lawsuits alleging illegal wiretapping under the Wiretap Act — part of the larger Electronic Communications Privacy Act of 1986 — based on alleged violations of the DOJ rule. The Wiretap Act generally prohibits the intentional interception of any electronic communication.
The legal pivot hinges on a specific carve-out within ECPA. Most ECPA lawsuits fail early, often at the motion to dismiss stage, because of what is known as the “party exception.” Under the party exception, a party to a communication can legally intercept communications, meaning that a company capturing or monitoring its own website interactions is typically not considered a third-party interceptor under the law.
But plaintiffs have found a way around this too. The “party exception” does not apply if a party intercepts the communication “for the purpose of committing any criminal or tortious act” in violation of federal or state law. Plaintiffs argue that the party exception does not apply because the alleged data transfers were carried out with the intent to violate the DOJ’s Bulk Data Transfer Rule, essentially reframing what would normally be lawful data collection as an unlawful act tied to national security concerns.
The financial stakes are significant. Penalties can vary for violations of the Bulk Rule, but the plaintiffs in these class action complaints allege that the violation of the Bulk Rule also constitutes a violation of the Electronic Communications Privacy Act, which provides for statutory damages of $100 per day per violation or $10,000, whichever is greater. Multiplied across millions of users, these figures become astronomical.
The Cases: Who’s Being Sued and Why
Porcuna v. Xandr, Inc. (Microsoft)
In Porcuna v. Xandr, Inc., filed in the U.S. District Court for the Northern District of California, the complaint alleges that Xandr, a Microsoft subsidiary, used tracking technologies on third-party websites to intercept the contents of users’ interactions with these websites. The complaint details how tools such as JavaScript trackers, Prebid.js adapters and cookie-syncing endpoints allegedly enabled Xandr to capture and share identifiers — such as cookies, device IDs and IP addresses — and contextual information about users’ browsing activities. The ultimate destination of that data, plaintiffs allege, was Temu, a Chinese-owned e-commerce platform — making the transfer a violation of the Bulk Data Rule.
Baker v. Index Exchange
In Baker v. Index Exchange, filed in the U.S. District Court for the Northern District of Illinois, the complaint includes highly similar allegations. Baker alleges that Index Exchange, a supply-side digital advertising platform, violated ECPA by using tracking technologies to capture users’ interactions with third-party websites and transmit them to Temu for the purpose of violating the Bulk Data Transfer Rule. The complaint characterizes real-time bidding as an illegal wiretap under ECPA, presenting the deliberate interception and transmission of communications to Chinese platforms as both privacy violations and rule breaches.
Defendants have moved to dismiss, arguing among other things that the crime-tort theory does not apply, one-party consent is sufficient, the Canadian company is not a “U.S. person,” and plaintiffs improperly assert certain allegations.
Multiple Class Actions Against Google
On February 19, 2026, Google LLC was named in a series of class action complaints alleging violations of numerous California statutes, including the California Invasion of Privacy Act, as well as the DOJ Bulk Rule. Each of these cases alleged improper transfer of sensitive data to covered third-party persons, specifically involving cookie data, IP addresses, other network-level signals, and/or persistent advertising identifiers.
Lenovo and Others
Additional lawsuits have targeted Lenovo and others, with all cases alleging that the defendants violated ECPA by deploying online trackers on their webpages to intercept visitor communications and transmit them to third parties, including in some cases China-based Temu and ByteDance.
The Advertising Technology Industry in the Crosshairs
The practical impact of this litigation is already being felt across the advertising technology sector. The private suits raise the risk profile for any company that uses trackers for advertising and sends data collected by those programs — or is perceived to — to China. The DOJ rule prohibits “U.S. persons” from engaging with a country of concern or covered person in a transaction involving “data brokerage,” defined broadly to include the sale of data, licensing of access to data, or similar commercial transactions where the recipient did not collect or process the data directly from the individuals linked to the data.
This definition sweeps in an enormous swath of the digital advertising ecosystem. Standard practices like real-time bidding, pixel tracking, cookie syncing, and software development kit integrations are all potentially implicated. Data collected for advertising is a prominent concern in the Bulk Sensitive Data Rule, which classifies the use of tracking pixels or software development kits as “data brokerage.”
What the Courts Will Ultimately Decide
Legal experts are divided on whether plaintiffs’ ECPA theory will survive judicial scrutiny. Plaintiffs may take the Bulk Sensitive Data Rule, intended as a national security tool, and “stretch its original intent” as part of a broader litigation strategy as the lawsuits ramp up. One legal analyst noted that “the narrative that the practices would violate the DOJ rule doesn’t necessarily get the plaintiffs very far in terms of proving the underlying claims,” suggesting the cases will likely rise or fall based on whether plaintiffs can sufficiently allege the elements of the cited laws.
Still, even if most cases ultimately fail, the litigation is already changing corporate behavior. Many companies have started to apply more scrutiny and due diligence to the partners they allow to place tracking technologies in their apps or on their sites, and there has been a move to steer clear of companies based in countries of concern.
The National Security Dimension: Why This Is Bigger Than Advertising
It would be a mistake to view this solely as a dispute about digital advertising practices. The DOJ designed the Bulk Data Rule with a far darker threat in mind. Foreign intelligence services cross-reference data points using sophisticated methods. AI algorithms identify government employees with classified roles, track defense contractors, map intelligence personnel networks, and build psychological profiles for blackmail purposes. Bulk data aggregation transforms privacy violations into national security threats.
The DOJ also emphasizes how artificial intelligence makes these risks worse. Countries of concern are increasingly using bulk sensitive personal data to develop and boost AI capabilities that enable “increasingly sophisticated and effective” exploitation of datasets. One notable example shows how AI can cross-reference multiple datasets to find government employees whose links to the federal government would otherwise be obscured in a single dataset and who can then be targeted for espionage or blackmail. The rule also addresses foreign exploitation of genomic data to enhance military capabilities, including facilitating the development of bioweapons.
This framing — of data privacy as a national defense imperative — represents a profound evolution in how the U.S. government thinks about personal information. The Data Security Program creates what amounts to export controls on sensitive data, matching a larger pattern where national security now takes priority over economic factors.
What Comes Next: Government Enforcement on the Horizon
Private litigation is only one front. Nine of the lawsuits came ahead of a March 1 deadline for some companies to file annual reports describing some of their data transactions, and government enforcement is expected to increase significantly in 2026 as the DOJ evaluates those reports.
The rule applies broadly — covering just about any company that handles bulk U.S. sensitive personal data or government-related data and engages internationally. This includes any company that handles biometric identifiers like fingerprints or facial scans; human genomic data, geolocation data, and personal financial and health information; and personal identifiers such as names, addresses, Social Security numbers, and IP addresses when used in combination with one another.
Bulk Data Transfer Privacy Lawsuit Defense over ECPA Claims
If you’ve received a demand letter or notice about a lawsuit because of an alleged violation of The Electronic Communications Privacy Act related to bulk data transfer to countries like China . The collision of the DOJ’s Bulk Data Rule with ECPA represents one of the most novel and consequential developments in American privacy law in years. What began as a national security directive aimed at adversarial foreign governments has rapidly become a litigation flashpoint for the entire digital advertising ecosystem. Companies that have long treated the flow of data to third parties as routine business practice are now confronting the possibility that those practices constitute federal wiretapping — and that class-wide damages could run into the billions.
The legal questions are genuinely unsettled. The national security stakes are unambiguously real. And with government enforcement expected to intensify throughout 2026, the pressure on technology companies to overhaul their data practices — particularly around foreign third-party integrations — has never been higher. The era of frictionless, borderless data commerce may be ending, replaced by something that looks far more like a regulated export market. How courts and regulators handle that transition will define the privacy landscape for the next decade.