ARTICLE
15 July 2026

Federal Court Finds DOJ Bulk Sensitive Data Regulations Open New Avenue For ECPA Suits

KL
Herbert Smith Freehills Kramer LLP

Contributor

Herbert Smith Freehills Kramer is a world-leading global law firm, where our ambition is to help you achieve your goals. Exceptional client service and the pursuit of excellence are at our core. We invest in and care about our client relationships, which is why so many are longstanding. We enjoy breaking new ground, as we have for over 170 years. As a fully integrated transatlantic and transpacific firm, we are where you need us to be. Our footprint is extensive and committed across the world’s largest markets, key financial centres and major growth hubs. At our best tackling complexity and navigating change, we work alongside you on demanding litigation, exacting regulatory work and complex public and private market transactions. We are recognised as leading in these areas. We are immersed in the sectors and challenges that impact you. We are recognised as standing apart in energy, infrastructure and resources. And we’re focused on areas of growth that affect every business across the world.
A federal court in Illinois has ruled that violations of the DOJ's Bulk Sensitive Data rule can serve as the predicate tort to overcome the Electronic Communications Privacy Act's one-party consent defense. This decision creates new litigation exposure for digital advertising platforms and data brokers that transfer sensitive personal data to entities in countries of concern, including China, Russia, Iran, North Korea, Cuba, and Venezuela.
Worldwide Privacy
Herbert Smith Freehills Kramer LLP are most popular:
  • within Wealth Management, Employment and HR and Technology topic(s)
  • with Inhouse Counsel
  • in Africa

On June 16, 2026, the Northern District of Illinois became the first court to consider how the DOJ’s Bulk Sensitive Data (BSD) rule affects privacy claims under the Electronic Communications Privacy Act (ECPA). The BSD rule, enacted in April 2025, prohibits or restricts U.S. entities from transferring sensitive personal data to "countries of concern,” including China, Russia, Iran, North Korea, Cuba and Venezuela.

Unlike many state eavesdropping laws, the ECPA uses a "one-party" consent standard, meaning an individual can legally record or intercept a conversation if one party consents. But under the crime-tort exception in the ECPA, this consent defense is nullified if the interception is done for the purpose of committing an independent crime or tort. 

For years, privacy plaintiffs have attempted to overcome the one-party consent defense by combining alleged violations of other privacy statutes, such as the California Information Privacy Act —a two-party consent statute —as an independent crime along with their ECPA claims. In Baker v. Index Exchange Inc., for the first time a court denied a motion to dismiss an ECPA claim by holding that the crime/tort exception applies where a plaintiff also adequately alleges a violation of the BSD rule.

Index Exchange is a Canadian supply-side advertising platform (SSP) that facilitates the sale of ad space on websites by transmitting information about web users and the content they are viewing to digital advertisers through real-time bidding auctions, sharing details including IP address, cookie data, advertising IDs, and inferred information about the user's location, demographics, interests, and browsing behavior. Through direct data integrations and a "cookie syncing" process, Index Exchange matches its internal user ID with identifiers used by advertisers.

Plaintiff John Baker brought a putative class action alleging Index Exchange intercepted his online communications with BibleGateway.com and transmitted his sensitive personal data to a Chinese-owned e-commerce platform (the Platform). Index Exchange contended that it was exempt from ECPA liability because BibleGateway.com consented to the interception of Baker’s communications, while Baker asserted that such transfer was an independent criminal and tortious act because it violated the BSD rule, nullifying the one-party consent defense under the crime/tort exception. 

The court concluded that an action for damages under the BSD rule is a tort action and that the crime/tort exception to the one-party consent defense applied because Index Exchange’s U.S.-based officers allegedly violated the BSD rule by directing bulk data transactions the Platform. The court declined to address Index Exchange’s argument that the Platform is not in fact a covered person given its corporate structure, finding that this presented a factual dispute not yet ripe for resolution. The Court did not suggest that the platform had done anything wrong. 

Baker signals a new litigation risk for SSPs, demand-side advertising platforms (DSPs), and other digital advertisers that do business with companies based in “countries of concern,” akin to a private right of action under the BSD rule. The decision invites private plaintiffs to assert BSD violations as the predicate "tortious act" to pierce the ECPA's consent defense, a tactic that has become well known recently in privacy circles. 

We will continue to monitor these and other developments related to privacy and data security. Please reach out to HSF Kramer’s Data Protection and Privacy Group for more information.

  1. ^

    Among other restrictions, the BSD rule prohibits U.S. persons from entering into data brokerage transactions with a "covered person" that involves access to personal sensitive data. A “covered person” includes a non-U.S. entity that is organized or has its principal place of business in a country of concern —including China — or is more than 50% owned by a country of concern or covered persons.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More