Mealey's Data Privacy

  • February 27, 2026

    DOJ Sues 5 More States Over Denied Access To Voter Registration Data

    The Department of Justice (DOJ) sued five more states — Kentucky, New Jersey, Oklahoma, Utah and West Virginia — on Feb. 26, seeking to compel state election officials to produce statewide voter registration lists under Title III of the Civil Rights Act of 1960 (CRA), alleging that the states refused demands issued to assess compliance with federal voter-registration maintenance requirements; two days earlier, the government appealed a trio of dismissed voter-roll cases in California, Oregon and Michigan.

  • February 26, 2026

    California Judge Requests More Evidence Before Final Approval Of $3.5M Settlement

    LOS ANGELES — A California judge issued a final ruling continuing a proposed $3.5 million class settlement resolving claims arising from a 2022 data breach that affected nearly 200,000 mental health patients, finding that supplemental evidence was required regarding notice results, claims auditing, administration costs and supporting documentation for requested attorney fees and expenses.

  • February 26, 2026

    Plaintiffs’ Motion To File For Reconsideration Granted In Dropbox Data Breach Row

    OAKLAND, Calif. — A California federal judge granted plaintiffs’ motion for leave to file a motion for reconsideration of an order compelling arbitration in a putative class action suit alleging that Dropbox Inc. failed to protect plaintiffs’ personally identifiable information (PII) that was allegedly compromised in a cyberattack, finding that “there has been an intervening change in controlling law that may alter the legal analysis of whether Dropbox users manifested unambiguous assent to its Terms of Service.”

  • February 25, 2026

    Judge Grants Meta’s Bid To File Amended Answer In Facial Recognition Software Suit

    EAST ST. LOUIS, Ill. — An Illinois federal judge granted a motion by Meta Platforms Inc. seeking leave to file a second amended answer and defenses in a putative class action suit alleging violations of a state privacy law regarding Meta’s collecting biometric information using facial recognition software through its Facebook Messenger and Messenger Kids applications, finding in part that Meta used due diligence in researching its defenses.

  • February 25, 2026

    DOJ Voter Data Suit Seeking Michigan Information Dismissed

    GRAND RAPIDS, Mich. — Not one of the three federal acts cited by the federal government in its attempt to demand that Michigan turn over its voter registration list requires such a disclosure, a federal judge in that state ruled, granting two motions to dismiss the complaint, one filed by the state and one filed by intervenors.

  • February 25, 2026

    Injunction Request Partially Granted In FOIA Row Over DOJ Bid For Voting Records

    WASHINGTON, D.C. — A District of Columbia federal judge granted in part a nonprofit voting rights organization’s motion for a preliminary injunction to expedite its Freedom of Information Act (FOIA) requests for information about the U.S. Department of Justice’s (DOJ’s) efforts to obtain “sensitive” voter information, finding “that the FOIA requests at issue in this case are of such importance and urgency that a preliminary injunction requiring expedited processing is warranted.”

  • February 25, 2026

    Oregon Appeals Panel Affirms Trial Court’s Dismissal Of Health Data Breach Case

    PORTLAND, Ore. — The Oregon Court of Appeals affirmed a trial court’s dismissal of negligence claims arising from a health care data breach, holding that the plaintiff representing a putative class alleged only economic losses from stolen personal information and failed to establish a special relationship or independent statutory duty sufficient to overcome the economic loss doctrine.

  • February 25, 2026

    Image Hosting Service: No Photos Shared For AI, No Injury For Proposed Class

    DENVER — An online image hosting site pushed back on claims that it intended to license users’ photographs for use in training artificial intelligence, saying negotiations with unnamed third parties and speculative future conduct cannot form the basis of a class action.

  • February 24, 2026

    Opening Merits Brief Is Filed In High Court’s Geofence Warrant Case

    WASHINGTON, D.C. — In a Feb. 23 merits brief arguing in part that accessing location information culled from users’ mobile devices via a geofence warrant constitutes a search, a man who was convicted of armed robbery through evidence obtained via such a warrant urged the U.S. Supreme Court to rule that the warrants violate the Fourth Amendment to the U.S. Constitution.

  • February 24, 2026

    Employers To Pay $1.7M In Attorney Fees Over Invasive Application Questions

    SAN DIEGO — A California federal judge granted final approval to a settlement of $1 per class member, amounting to approximately $172,000, and granted a motion for attorney fees of $1,775,000 to the plaintiffs’ attorneys to resolve class action claims against multiple employers for requiring job applicants to answer invasive medical inquiries, including when one plaintiff’s last menstrual period was, in violation of the California Fair Employment and Housing Act (FEHA) and California’s unfair competition law (UCL).

  • February 23, 2026

    City Waives Response To Officers’ Petition For Review Of COVID Shot Data Suit Toss

    WASHINGTON, D.C. — The city of Chicago waived its right to respond to a petition for writ of certiorari filed by current and former police officers asking the U.S. Supreme Court to address a circuit split regarding discovery and determine if a decision in an early 20th century smallpox case “should be limited or overturned in favor of a tiers-of-scrutiny approach in assessing First Amendment religious discrimination claims” in challenging the dismissal of claims that collection of their COVID-19 testing results and vaccination statuses violated federal and state law.

  • February 23, 2026

    $3.25M Data Breach Class Settlement Receives Final Approval; Judgment Entered

    SALT LAKE CITY — A Utah federal judge granted final approval of a $3.25 million class action settlement resolving nationwide negligence and California Consumer Privacy Act claims stemming from a September 2023 data breach, with final judgment entered three days later, closing the case.

  • February 23, 2026

    Notice Of Settlement Filed In Data Breach Class Case Against Medical Device Maker

    BOSTON — A medical device manufacturer and the patients who have accused the company of failing to protect their personal data from being stolen in two different breach incidents and made publicly available have until April 10 to file a motion for preliminary settlement approval, according to an electronic order filed by a federal judge in Massachusetts one day after the parties filed a joint notice of class settlement.

  • February 23, 2026

    $6 Million Settlement Approved In YouTube Biometric Privacy Class Action

    SAN FRANCISCO — A California federal judge granted final approval to a $6,022,500 nonreversionary class action settlement resolving claims that YouTube and Google violated the Illinois Biometric Information Privacy Act (BIPA) by collecting and storing scans of users’ facial geometry through a pair of video editing features without providing written notice, obtaining consent or maintaining a retention policy.

  • February 20, 2026

    Verizon, AT&T Tell High Court That FCC Forfeiture ‘Scheme’ Violates 7th Amendment

    WASHINGTON, D.C. — In consolidated cases before the U.S. Supreme Court asserting constitutional challenges to the Federal Communications Commission’s enforcement of monetary forfeitures under the Communications Act, Verizon Communications Inc. and AT&T Inc. argue that “[t]he FCC’s in-house forfeiture scheme violates the Seventh Amendment and Article III” of the U.S. Constitution when “used to adjudicate legal disputes.”

  • February 20, 2026

    23andMe Data Breach MDL Dismissed After Settlements Approved In Bankruptcy Court

    The California federal judge overseeing multidistrict litigation against 23andMe Inc. and affiliates for a data breach in which millions of customers’ genetic data and personally identifiable information (PII) were hacked entered an order dismissing the MDL, following the final approval in Missouri federal bankruptcy court of a settlement worth up to $50 million to resolve U.S. customers’ claims against 23andMe and the final approval of a $3.25 million settlement for Canadian class members.

  • February 20, 2026

    ECPA Suit Against Health Care Provider Dismissed Upon Joint Stipulation

    RIVERSIDE, Calif. — A federal judge in California dismissed a putative class action complaint alleging that a health care provider violated the Electronic Communications Privacy Act (ECPA) by using Facebook pixels to purportedly gather and share patients’ protected health information (PHI) with third parties in violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) the day after the parties filed a joint stipulation of dismissal.

  • February 19, 2026

    Former NPR Host Accuses Google Of Stealing His Voice For Use In AI

    SAN JOSE, Calif. — Google LLC and Alphabet Inc. stole National Public Radio host David Greene’s voice without authorization and used it as the default voice in NotebookLM, its artificial intelligence broadcasting product, the award-winning journalist claims in a California state court lawsuit alleging violation of the California unfair competition law, a pair of privacy laws and unjust enrichment.

  • February 18, 2026

    9th Circuit Affirms $115M Oracle Data Collection Settlement Over Objections

    SAN FRANCISCO — The Ninth Circuit U.S. Court of Appeals affirmed the $115 million settlement of a privacy and wiretap class action against Oracle America Inc., rebuffing an objecting class member’s arguments that the class claims could have been worth $100 billion and should have been allocated based on which state’s members allegedly had more valuable claims.

  • February 18, 2026

    8th Circuit Affirms Ruling Denying Substitution In Health Center Data Breach Suit

    ST. LOUIS — The Eighth Circuit U.S. Court of Appeals affirmed a lower court ruling denying a motion to substitute as a defendant the United States in a consolidated putative class action over an unauthorized third party gaining access to confidential information in a nonprofit health center’s data breach, finding that immunity under federal law related to medical treatment does not provide immunity in claims related to data security.

  • February 17, 2026

    Delaware High Court: Insurers Properly Pleaded Claim In Suit Over Ransomware Attack

    DOVER, Del. — The Delaware Supreme Court held Feb. 13 that insurers have adequately pleaded a breach of contract claim in their subrogation lawsuit seeking recovery from an application service provider for the amount they paid to nonprofit insureds for investigative and remediation steps arising from a ransomware attack, reversing a lower court’s grant of the provider’s motion to dismiss the insurers’ amended complaint and remanding.

  • February 12, 2026

    Judge Grants Partial Dismissal In Website Data Tracking Class Suit Against Cigna

    PHILADELPHIA — A Pennsylvania federal judge granted in part dismissal to Cigna in a putative class action suit against the insurer alleging violations of federal and state privacy laws and common-law invasion of privacy for its purported use of third-party tracking technology on its webpages, finding that the privacy claims failed because the plaintiffs consented to the data collection practices when agreeing to the website’s terms of use.

  • February 11, 2026

    Panera Bread Settles Over Data Breach As More Class Complaints Mount

    ST. LOUIS — A Missouri federal judge on Feb. 10 granted final approval to a $2.5 million nonreversionary class settlement resolving data privacy claims arising from Panera LLC’s 2024 data security breach involving unauthorized access to the names and Social Security numbers of the company’s employees, authorizing reimbursements of up to $500 in ordinary losses and up to $6,500 in extraordinary losses; following a separate data breach in January, Panera has been named as the defendant in a series of class complaints in the same court.

  • February 11, 2026

    5th Circuit Affirms Remand Of Data Breach Suit Against Health Care Provider

    NEW ORLEANS — The Fifth Circuit U.S. Court of Appeals affirmed the remand of a putative class action against a Texas health care provider for allegedly failing to protect patient data from a cyberattack, writing that a federal statute allowing removal and substitution of the United States as defendant for private health centers receiving federal funds did not apply to this case in which the center was facing claims for a “criminal data breach.”

  • February 06, 2026

    9th Circuit VPPA Appeal Vacated, Held In Abeyance Pending Supreme Court Ruling

    SAN FRANCISCO — The Ninth Circuit U.S. Court of Appeals vacated submission and held in abeyance an appeal of the dismissal of a Video Privacy Protection Act (VPPA) class action that alleged that a health website operator unlawfully disclosed personal information to Meta Inc., pending resolution of a U.S. Supreme Court case addressing a circuit split over several VPPA definitions.