Private lawsuits surge over 2025 US DOJ Bulk Data Rule

A wave of class-action lawsuits is targeting major tech companies for allegedly violating the federal Bulk Data Rule by sharing users' personal data in bulk with entities tied to China.

• Plaintiffs accuse a Microsoft subsidiary, Google, Lenovo, and Index Exchange of unlawfully intercepting and sharing personal data in bulk with Chinese companies
• The lawsuits rely on the Electronic Communications Privacy Act because the underlying national security rule lacks a private right of action
• The cases highlight the severe litigation risks of using tracking pixels and software development kits for advertising without proper data governance

What’s the Bulk Data Rule?

The “Bulk Data Rule” (BDR), which took effect in April 2025, prohibits the transfer of Americans’ sensitive personal data by “data brokers” to six countries of concern: China, Russia, Iran, North Korea, Cuba, and Venezuela.

The Department of Justice classifies certain uses of tracking pixels or Software Development Kits (SDKs) as a form of “data brokerage” under the rule.

In addition, the BDR restricts sensitive personal data shared in bulk to these six countries from any U.S. entity unless they follow certain data security requirements, which include encryption, de-identification, or aggregation of personal data before or during the transfer.

This means providing large volumes of IP addresses and advertising IDs to marketers or any other entity based in China is prohibited.

How are private litigants suing under a national security rule?

The BDR does not include a “private right of action” allowing individuals to sue for violations of the law. This means only the government can enforce the rule directly.

To get around this, plaintiffs are using the Electronic Communications Privacy Act (ECPA). The ECPA allows individuals to sue entities for impermissibly intercepting their communications.

While the ECPA generally shields the participants in electronic communications from liability, litigants argue that the crime-tort exception applies. They claim the data is collected to commit a tort or crime by transmitting it to countries targeted by the BDR.

What are the allegations against specific companies?

Multiple lawsuits allege that companies deployed online trackers on their webpages to intercept visitor communications and transmit them to third parties.

• In Baker v. Index Exchange, the plaintiff claims the digital advertiser’s real-time bidding practices constitute unlawful wiretapping. The company allegedly intercepted consumer communications and shared sensitive data with Temu, a Chinese-owned e-commerce platform.
• In Porcuna v. Xandr, plaintiffs allege that Microsoft’s advertising subsidiary enabled Temu to conduct covert data collection.
• In Jenkins v. Google, the plaintiffs argue that Google shared digital IDs with a ByteDance affiliate and Temu's parent company without valid consent.
• In Christy v. Lenovo, plaintiffs allege the hardware manufacturer’s website tracking and advertising infrastructure enabled bulk transfers of sensitive identifiers to entities tied to China.

Why is this critical for data brokers and other companies?

Chinese companies play an increasingly important role in the digital ecosystem, and each of these cases shows how failing to carefully map data flows, assess third-party risk, and obtain appropriate consent can lead to allegations of sharing data with a “foreign adversary.”

Data brokers in the adtech space should be especially careful because they are the target of each lawsuit so far. 

More broadly, if any business shares personal data for advertising without a valid consent banner or proper security controls, it exposes itself to this type of litigation.

By leveraging privacy auditing tools for websites and apps and privacy code scanning for internal software, businesses can automate risk discovery and prevent litigation. Continuous monitoring helps ensure potential violations are identified before data reaches restricted entities.

Prevent similar enforcement by continuously scanning your websites, apps, and internal software with Privado AI. Privado AI offers the most comprehensive solution to verify in real-time that the personal data processed is compliant with all applicable privacy requirements for each location, including your privacy policies.