Expanding frontiers in consent and data privacy: Class actions without a data breach


Privacy litigation is expanding beyond data breaches to include routine data use, tracking technologies, and insufficient consent. New interpretations of laws like the CCPA and BIPA, plus wiretapping and video privacy statutes, are fueling class actions. Companies now face liability for consent failures—even without breaches—underscoring the need for robust consent mechanisms.

The consent landscape is undergoing seismic shifts in how courts and plaintiffs understand privacy. No longer confined to instances of hacking or data leaks, legal liability increasingly stems from routine data use and inadequate consent mechanisms. A growing body of recent case law and class-action settlements illustrates this emerging “frontier,” where the absence of a data breach doesn’t insulate companies from legal risk. 

A legal paradigm shift: CCPA cases without breaches 

New interpretations of the California Consumer Privacy Act (CCPA) drive these changes. Courts are now allowing class actions targeting routine sharing of personal information, even when no breach occurred.

What kinds of cases are involved in these rulings? One example is Shah v. Capital One, in which plaintiffs alleged that Capital One shared personal data with third-party analytics and advertising firms via tracking pixels and embedded technologies without sufficient notice or consent. The court denied Capital One’s motion to dismiss, recognizing plausible CCPA violations in the absence of traditional cybersecurity failures. This takes a step beyond past interpretations that allowed CCPA liability only in cases of hacking, leaks, or breaches.

Beyond these considerations, court cases have raised the question of whether cookies and chatbot conversations can be considered “recordings” that violate US state wiretapping laws, which have nothing to do with data privacy but everything to do with informed consent. What mechanisms are in place to capture consent when certain forms of interaction may now be classified, as they never were before, as wiretap violations rather than data privacy violations?

These changes open up a broader path to liability: companies must now scrutinize not just whether data is secured, but whether its collection, sharing, and use comply with notice, consent, and consumer control standards and whether the mechanisms at work could potentially be re-classified and made non-compliant. 

Biometric privacy and innovative consent torts 

Even outside tracking technologies, courts and regulators are pushing back on other forms of non-consensual data collection: 

In a 2024 Illinois case, Charlotte Tilbury Beauty was accused of collecting facial geometry scans via virtual try-on tools without users’ consent. The company agreed to a USD 2.93 million settlement under the Biometric Information Privacy Act (BIPA)—granting each claimant USD 700 to 1,100 without needing proof of harm.  

This underscores how biometric data collection, particularly without proper notice or opt-out, constitutes its own frontier of privacy liability. 

Tracking pixels outside California: GameStop’s VPPA allegations

Non-breach cases are proliferating elsewhere, too. A GameStop class-action settlement resolved allegations that the company violated the Video Privacy Protection Act (VPPA) by sharing users’ identifiable video-related data with Facebook via tracking pixels, again without consent. Eligible users could claim small USD vouchers.

This case echoes the pattern of litigation arising from sharing or surveillance practices, not data theft. 

TCPA privacy settlements: Unsolicited contact as privacy violation 

Privacy class actions also stretch into the realm of consumer communications. A USD 5.95 million settlement involving Albertsons, Star Markets, and Safeway addressed alleged violations of the Telephone Consumer Protection Act (TCPA), specifically, unsolicited text messages and calls sent despite opt-out requests.  

Here, too, liability arose without a breach, this time for privacy intrusion via communications rather than data exposure.

Privacy litigation is booming 

This diversification of privacy litigation is happening amid a general explosion of cases across the US. A March 2025 series on US data privacy litigation notes nearly 2,000 lawsuits filed in federal courts in 2024 alone—spanning breaches, tracking, data brokers, biometrics, contracts, and beyond.  

This expanding portfolio of legal theories reflects society’s evolving understanding of privacy harms. 

What’s driving the expansion of consent law? 

Several factors converge to power this enforcement frontier. These include an expanded regulatory focus on transparency, consent and consumer control (not just data security); technological ambiguity; low barriers to initiating legal action; and corporate risk management.

With these issues in the mix, businesses need to start thinking about what consent means in an ever-evolving and fragmented landscape. How can they protect themselves?  

The first line of defense is a consent management platform, but it’s a holistic ecosystem approach that will be required as consent law changes. 

©2025 CookieHub ehf.