The United States has seen a surge in litigation driven by state-level statutes and consumer empowerment. With nearly 2,529 data privacy lawsuits filed in federal courts in 2024 alone, a marked increase from 1,425 in 2020, private rights of action are becoming a primary mechanism for enforcing privacy rights. Industrious law firms are using older privacy laws such as the VPPA, ECPA, and CIPA to send out demand notices and file lawsuits.
The Growth of US Data Privacy Litigation
The IAPP’s US Data Privacy Litigation Series, published last quarter, underscores how individuals and classes are increasingly turning to courts to address privacy violations, filling gaps left by limited regulatory enforcement from bodies like the Federal Trade Commission (FTC) and state attorneys general.
The series covers areas such as breach of contract, website tracking, security breaches, biometrics, data brokers, and shareholder actions.
Key drivers include the proliferation of state privacy laws, with five new comprehensive statutes effective in January 2025 (Delaware, Iowa, Nebraska, New Hampshire, New Jersey) and more in July (Minnesota, Tennessee) and October (Maryland).
Enforcement by agencies like the California Privacy Protection Agency (CPPA) is ramping up, but private-right-of-action litigation over privacy-related claims, often through class actions, remains the frontline, with 2023 marking a peak in privacy class actions.
Key Statutes Fueling Litigation
Washington state has just hit a business with a fine, and we expect private rights of action in Washington to heat up in 2026. Several statutes provide private rights of action, enabling consumers to seek damages without relying on regulators:
- California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA): These allow claims for unauthorized data disclosures, with statutory damages of $100-$750 per consumer. CPRA amendments expand rights, including correction and limits on sensitive data, broadening litigation scope.
- California Invasion of Privacy Act (CIPA): Repurposed for website tracking as “digital eavesdropping,” it imposes $5,000 per violation for wiretapping without consent, fueling cases against tracking tools. Law firms like Tauler & Smith as well as Swigart are the biggest filers of demands and arbitration requests for CIPA violations.
- Illinois Biometric Information Privacy Act (BIPA): Offers $1,000-$5,000 per violation for unauthorized biometric data handling, with ongoing class actions scrutinizing consent and retention.
- Electronic Communications Privacy Act (ECPA): Federal wiretapping claims often complement state laws in tracking litigation. Almeida Law out of Chicago has filed some ECPA lawsuits that have resulted in companies needing to file for bankruptcy because the violations were so egregious. The bottom line: don’t operate a website in the healthcare space without using Captain Compliance’s software to protect your assets.
- Washington My Health My Data Act (MHMDA): Provides private actions for health data violations, interpreted broadly to include inferences, expected to spur lawsuits in 2025.
- Other Laws: Video Privacy Protection Act ($2,500 per violation), Driver’s Privacy Protection Act ($2,500 liquidated damages), Fair Credit Reporting Act (FCRA, $100-$1,000), and Telephone Consumer Protection Act (TCPA, up to $1,500).
These laws intersect with common claims like breach of contract, unfair trade practices, and securities fraud post-breaches. There are 10 law firms that are driving the privacy litigation claims. The Captain Compliance team has developed an expert witness solution to handle responses and protect against these litigation claims.
Notable Cases and Precedents
Several landmark cases illustrate the litigation landscape:
- Lopez et al v. Apple: Highlights shifting legal standards in data privacy, emphasizing risks for tech companies.
- Bryant v. Compass Group USA: BIPA case on biometric data collection without consent.
- Popa v. Harriet Carter Gifts, Inc.: Wiretapping under CIPA for tracking.
- Ambrose v. Boston Globe Media Partners: Video Privacy Protection Act violation.
- Gaston v. LexisNexis Risk Solutions, Inc.: Driver’s Privacy Protection Act misuse.
- Ramirez Settlement: FCRA inaccuracies in credit reporting.
- Boger v. Citrix Systems: TCPA unsolicited communications.
- Equifax Complaint: Securities fraud post-breach.
- T-Mobile Complaint: Shareholder derivative action for privacy misconduct.
These cases often involve web analytics, session replay, and pixel tracking, with damages accruing per violation. Microsoft Clarity & Hotjar tend to be the most common session replay tools that relate to privacy violations and lawsuits.
Emerging Trends for Privacy Litigation in 2026
Looking ahead, several trends will define US data privacy litigation in 2026:
- Biometrics Scrutiny: Continued BIPA lawsuits, extending to states like Texas and Washington, focusing on AI-driven analytics.
- Health Data Litigation: Broad interpretations of MHMDA and similar laws in Connecticut/Nevada, leading to increased private actions.
- Data Broker Enforcement: FTC and state actions against brokers, indirectly fueling litigation for associated companies.
- Mass Arbitration: Rise in coordinated arbitration demands, bypassing class actions via contract provisions.
- FTC Shifts: Potential case-by-case enforcement on children’s privacy, influencing COPPA-related suits.
- Foreign Data Restrictions: New federal laws like PADFA may spawn litigation over international data flows.
Implications for Businesses and Privacy Professionals
Businesses must assess litigation exposure regardless of size, focusing on arbitration clauses, insurance, and compliance with opt-out mechanisms.
Privacy counsel should audit tracking tools, ensure robust notices, and prepare for multi-state enforcement. As statutes like CCPA evolve, integrating tools like the Captain Compliance Cookie Scanner, Consent Management Software, or less robust tools like the open-source Blacklight for tracker detection, and partnering with compliance experts, can mitigate risks for underwriters.
US data privacy litigation is poised for further growth this year, driven by state laws and innovative claims from industrious law firms who see an opportunity. Staying ahead requires vigilant monitoring of precedents and proactive compliance strategies using data privacy software that actually works.