-
October 01, 2025
WASHINGTON, D.C. — Federal government agencies and their heads are violating U.S. citizens’ privacy rights and opening millions to “massive cybersecurity risks” by creating centralized records systems at the U.S. Department of Homeland Security, a Sept. 30 putative class complaint filed by the League of Women Voters (LWV) and others alleges.
-
September 30, 2025
LOS ANGELES — California-based Iconic Hearts Holdings Inc. was sued by the U.S. government for violating children’s privacy and for engaging in deceptive practices related to the popular Sendit app, including gathering children’s data without parental consent, inadequate disclosure of automatic renewals for memberships and misrepresenting the identity of the senders of purported personal messages sent to app users.
-
September 30, 2025
SAN DIEGO — A federal judge in California dismissed without prejudice a putative privacy class action against Zillow Group Inc. for purportedly sharing the video-viewing history of users of its app and website after the plaintiffs and online real estate platform operator filed a joint motion and stipulation to dismiss.
-
September 30, 2025
ROCK ISLAND, Ill. — A putative class action over a hospital’s purported sharing of the private information of its website’s users was partially dismissed, with an Illinois federal judge disposing of breach of contract, bailment, eavesdropping and computer fraud claims, with leave to amend.
-
September 26, 2025
The U.S. Department of Justice (DOJ), on behalf of the United States, filed lawsuits against six states in corresponding federal district courts, seeking orders requiring each state to submit a computerized statewide voter registration list in compliance with the Help America Vote Act (HAVA) for the purpose of “safeguard[ing] American elections in compliance with Federal laws.”
-
September 25, 2025
FORT MYERS, Fla. — A Florida health care provider that is a political subdivision of the state is entitled to sovereign immunity from putative class claims by a patient who alleged that patients’ privacy rights were violated when their medical information was transmitted to Facebook, a federal judge in Florida ruled Sept. 24.
-
September 24, 2025
SAN FRANCISCO — Three men who claimed that an erectile dysfunction (ED) treatment website improperly shared their protected health information (PHI) with Google LLC and Meta Platforms Inc. failed to demonstrate that they did not consent to this sharing by agreeing to terms in the operative version of the website operator’s privacy policy, a California federal judge ruled Sept. 23.
-
September 23, 2025
SAN FRANCISCO — A group of states successfully stopped, at least for now, the U.S. Department of Agriculture from enforcing its demand that each state submit the personal data of its residents who receive benefits under the Supplemental Nutrition Assistance Program (SNAP), with a California federal judge issuing a temporary restraining order (TRO) and finding the states likely to succeed on their claim, under the Administrative Procedure Act (APA), that the data demand was contrary to law.
-
September 23, 2025
RICHMOND, Va. — An organ donor whose personally identifiable information (PII) was potentially exposed in an unencrypted state for 16 years adequately alleged negligence and breach of contract claims against the donor administration organization, a Virginia federal judge concluded, mostly denying the defendant’s motion to dismiss.
-
September 22, 2025
LOS ANGELES — Three minors filed a putative class action in California state court accusing two Disney companies of violating California’s unfair competition law (UCL) and other laws by failing to designate certain YouTube videos as “for kids” and collecting information about those viewers, which was also the subject of a recent $10 million settlement by Disney with the Federal Trade Commission.
-
September 19, 2025
MIAMI — Five months after a Florida federal judge preliminarily approved a $20 million global settlement of a multidistrict litigation over a 2023 data breach experienced by users of a file-transfer program, he granted final approval to the settlement, thus resolving all remaining claims against software firm Fortra LLC, its customers and their clients by class members who claim that their personally identifiable information (PII) was compromised in the cyberattack.
-
September 18, 2025
SAN FRANCISCO — Rejecting an attempt by Meta Platforms Inc. “to overturn just about everything related to the verdict” in a trial over its purported eavesdropping and data collection from an ovulation-tracking app in violation of the California Invasion of Privacy Act (CIPA), a California federal judge denied the social media operator’s motions for judgment as a matter of law (JMOL) and to decertify the class of app users.
-
September 17, 2025
LAS VEGAS — The operator of a casino that was hit by a data breach in 2024 saw its motion to dismiss putative class privacy, negligence and unfair competition claims mostly denied by a Nevada federal judge, who found that a group of customers and former employees adequately alleged most of their claims and supported them with assertions of cognizable injuries.
-
September 16, 2025
SAN DIEGO — A federal court in California on Sept. 15 reported that following an early neutral evaluation conference, a cyber liability insurer and a defendant insurer did not reach a settlement of the cyber liability insurer’s lawsuit seeking equitable contribution and indemnification for an underlying lawsuit alleging that their mutual insured intentionally failed to disclose that hidden cameras were installed in operating rooms and recorded patient procedures in an effort to investigate drug theft.
-
September 16, 2025
LOS ANGELES — Although a California federal judge dismissed as insufficiently pleaded a California woman’s bailment claim against a relocation service provider related to a 2024 data breach, the plaintiff’s contract, privacy and negligence putative class claims were deemed adequately alleged to withstand the defendant's dismissal motion.
-
September 16, 2025
OAKLAND, Calif. — A California federal judge gave a final OK to a $95 million settlement of a six-year-old class action accusing Apple Inc. of collecting unauthorized recordings of Apple device users via its Siri digital assistant, deeming the settlement “fair, adequate, and reasonable.”
-
September 15, 2025
WEST PALM BEACH, Fla. — More than five months after he preliminarily approved a $1.5 million settlement between a security company and a group of employees that sued it over the theft of their personally identifiable information (PII) in a 2023 data breach, a Florida federal magistrate judge granted final approval, deeming the deal in compliance with federal rules and, as such, “fair, adequate and reasonable.”
-
September 12, 2025
NEW YORK — A federal judge dismissed investors’ securities fraud class action against a global technology company, finding the investors failed to allege the company and its officers and directors made material misstatements about its internal securities controls before and after a data breach and failed to allege scienter with respect to their fraud claims.
-
September 12, 2025
WASHINGTON, D.C. — A debt collection firm, which asked the U.S. Supreme Court to clarify whether a single errantly sent letter is sufficiently comparable to the tort of intrusion upon seclusion to establish jurisdiction for a claim under the Fair Debt Collection Practices Act (FDCPA), filed a supplemental brief telling the high court that a recent Eighth Circuit U.S. Court of Appeals ruling, which conflicted with the ruling it appeals, further supports the need for a grant of certiorari on the matter.
-
September 12, 2025
PHILADELPHIA — Two months after hearing oral arguments in a dispute over the constitutionality of a New Jersey law that provides for deletion of public officials’ private information from data brokers’ records, a Third Circuit U.S. Court of Appeals panel certified two questions to the New Jersey Supreme Court, asking it to clarify whether a finding of liability under the statute requires a determination of a defendant’s mental state.
-
September 11, 2025
WASHINGTON, D.C. — In a posthearing minute order, a District of Columbia federal judge directed the Internal Revenue Service and Immigration and Customs Enforcement to submit the administrative record related to a recently enacted policy under which the IRS agreed to share certain taxpayers’ last known addresses with ICE for immigration enforcement purposes, with the judge deeming the record necessary to resolve plaintiff organizations’ motion to stay or enjoin this new information-sharing policy as barred by the Administrative Procedure Act (APA).
-
September 10, 2025
RICHMOND, Va. — The Fourth Circuit U.S. Court of Appeals temporarily stayed the mandate in an appeal over U.S. Department of Government Efficiency’s (DOGE) access to individuals’ personally identifiable information (PII) until after a petition for rehearing en banc filed by the unions and veterans who brought the complaint is considered.
-
September 09, 2025
NEW YORK — A Missouri woman’s Video Privacy Protection Act (VPPA) claim against NBCUniversal Media LLC was dismissed for a third time by a New York federal judge who found that although the plaintiff sufficiently pleaded that NBC knowingly collected her personally identifiable information (PII) connected with her viewing of videos on the website of the Today Show, the plaintiff did not establish that she qualified as a consumer under the statute.
-
September 05, 2025
SAN FRANCISCO — The United States and a Chinese toy company reached a settlement of claims that the company violated minors’ privacy through its collection of their geolocation data via the firm’s robot toys, telling a California federal court that they had agreed to a penalty of $500,000 to dispose of the claims brought under the Children’s Online Privacy Protection Act (COPPA) and the Federal Trade Commission Act.
-
September 05, 2025
SAN FRANCISCO — After an 11-day trial in a five-year-old privacy class action, a California federal jury awarded two classes of mobile device users more than $425 million for invasion of privacy and intrusion upon seclusion by Google LLC for the company’s practice of tracking mobile device users’ online activity despite selecting a setting to opt out of such data collection.