The Surge In Privacy Class Action Litigation Continues

Privacy law class action litigation has entered a new phase of heightened activity, with a surge in cases driven by technological advances, legislative changes, and evolving judicial interpretations. Thousands of privacy-related cases were filed in 2024 alone, marking a dramatic increase from 2023. This upward trend continued into 2025 and 2026, with claims spanning nearly every jurisdiction in the country. Organizations now face increasing risks as these legal challenges grow more complex and widespread, reflecting a broader shift in how privacy violations are litigated and enforced.

The statutory landscape for privacy class actions has expanded significantly, with at least 20 states actively enforcing comprehensive privacy laws as of early 2026. Several states, including Delaware (the Delaware Personal Data Privacy Act, Del. Code Ann. tit. 6, § 12D-101, et seq. (DPDPA)), Iowa (the Iowa Consumer Data Protection Act, Iowa Code Ann. § 715D.1, et seq., (ICDPA)), and New Jersey (the New Jersey Data Protection Act, N.J. Stat. Ann. § 56:8-166.4 (NJDPA)), had new laws come into effect in 2025, adding to the existing patchwork of regulations. 

Recent Florida decisions illustrate the potential liability associated with this new landscape. For example, in In re Fortra File Transfer Software Data Security Breach Litigation, No. 1:24-md-03090-RAR (S.D. Fla. Sept. 17, 2025), U.S. District Judge Rodolfo Ruiz granted approval of a non-revisionary, all-cash, $20 million class action settlement arising from a 2023 foreign-linked ransomware attack that exposed the personal health information of millions of individuals. The breach affected approximately 130 organizations, including major health insurers.

Today, laws like California’s Invasion of Privacy Act, Cal. Penal Code § 631(a) (CIPA), and Florida’s Security of Communications Act, Fla. Stat. § 934.03 (FSCA), are now heavily litigated. Courts are increasingly scrutinizing not only data breaches, but also modern digital tracking tools - such as cookies, pixels, and session replay scripts - under wiretapping and similar statutes. 

Just recently, in Bolanos v. VShred, LLC, Case No. CACE-25-001211 (Fla. 17th Cir. Ct. Jan. 28, 2025), the Circuit Court for the Seventeenth Judicial Circuit in Broward County, Florida recently approved a $4 million class action settlement resolving allegations that the defendant disclosed users’ personally identifiable information to third parties (including Meta, TikTok and Datadog) without consent, in violation of the Video Privacy Protection Act, 18 U.S.C. § 2710 (the VPPA) and the FSCA.

These cases often hinge on whether companies adequately informed users and obtained proper consent before data collection. Privacy policies are under attack for misrepresenting practices, and courts are demanding clear, affirmative opt-in mechanisms. The ongoing focus on sensitive data, such as biometric and health information, further underscores the evolving legal standards, with recent rulings and laws increasing the stakes for companies that handle personal and health data.

Finally, a new frontier in privacy litigation involves the use of generative AI and chatbots in customer interactions. The class-action Plaintiffs’ bar is increasingly alleging that AI tools used in call centers and on websites eavesdrop on conversations or unlawfully intercept communications, raising questions about whether these AI-driven tools violate electronic communications laws. As courts begin to evaluate these claims, the legal theories used in tracking cases are now being extended to AI and real-time data collection, signaling that the surge in privacy class action litigation has yet to reach a plateau.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.