Federal Court Greenlights Use of the DOJ Bulk Sensitive Data Regulations to Advance Federal Wiretap Claims
Private plaintiffs are successfully using the U.S. Department of Justice (DOJ) Bulk Sensitive Data Regulations (the “Regulations”) to advance federal wiretap claims. In a first-of-its-kind ruling, the U.S. District Court for the Northern District of Illinois denied a motion to dismiss a claim that relies on an alleged violation of the Regulations (see background on the Regulations).
The decision in Baker v. Index Exchange, Inc. is the first to address whether plaintiffs may rely on alleged violations of the Regulations to invoke the crime-tort exception to the Electronic Communications Privacy Act (ECPA) and overcome ECPA’s one-party consent defense. Although the decision arose at the motion to dismiss stage, it provides substantive judicial guidance on a litigation theory that has gained momentum since the Regulations took effect in April 2025, despite the fact that the Regulations do not provide a private right of action.
In this alert, we discuss this novel decision and identify the key takeaways for companies.
Emerging ECPA-Bulk Sensitive Data Regulations Litigation
Under ECPA, an interception is not unlawful if at least one party gave prior consent (the “party consent defense”). This defense, however, is subject to an exception: if the communication was intercepted for the purpose of committing a criminal or tortious act, the interception is unlawful notwithstanding any prior consent (the “crime-tort exception”). Over the past year, multiple plaintiffs have filed lawsuits alleging that companies violated ECPA by intercepting users’ communications and transmitting sensitive personal data to entities linked to designated “countries of concern” under the Regulations. Plaintiffs characterize these transfers as violations of the Regulations and attempt to use them as the predicate “crime” or “tort” necessary to invoke ECPA’s crime-tort exception.
The complaints filed thus far allege that defendants are engaging in data brokerage transactions or restricted transactions in violation of the Regulations. Under the data brokerage theory, plaintiffs have argued that the transmission of data such as IP addresses, cookie data, and advertising identifiers to “countries of concern” or “covered persons” via real-time bidding, cookie syncing, and pixel transmissions constitutes a prohibited data brokerage transaction. Under the restricted transaction theory, plaintiffs have argued that data sharing within a corporate group (such as with a parent or affiliate) is a restricted transaction that does not comply with the Regulations’ security requirements. Until now, no court has addressed whether either theory could support the crime-tort exception under ECPA.
The allegations in Baker follow an ad-tech theory, alleging that Index Exchange is engaged in a prohibited data brokerage transaction. In Baker, Plaintiff alleged that Index Exchange, a Canadian supply-side advertising platform that facilitates real-time bidding transactions, intercepted his website communications and transferred his personal data to third-party advertising partners, including Temu. Plaintiff alleged that these transfers violated the Regulations because Temu, as an entity allegedly tied to a country of concern, constitutes a “covered person” under the Regulations.
Defendants moved to dismiss on several grounds, including that the website at issue had consented to the alleged interception, that Index Exchange was not subject to the Regulations because it is a Canadian company and not a “U.S. person,” and that Temu was not a “covered person.” The Court allowed the ECPA claim to proceed, holding that even though the website consented to the interception, Plaintiff plausibly alleged that the crime-tort exception applied via the violation of the Regulations. The Court rejected Defendants’ arguments that Index Exchange was not subject to the Regulations and that Temu was not a “covered person.”
What This Ruling Means for Companies
Baker provides insights into how courts may approach the numerous ECPA lawsuits alleging violations of the Regulations. Companies, particularly those in the ad-tech space, should consider the following:
- Legal risk associated with the Regulations extends beyond DOJ enforcement. Even though the Regulations do not provide a private right of action, plaintiffs citing Baker may use alleged violations to advance claims under existing privacy and wiretap statutes. Companies that rely on one-party consent as a shield against wiretap claims should be aware that plaintiffs now have judicial support for the argument that alleged violations of the Regulations strip that shield away. Plaintiffs may also use these lawsuits as a vehicle to seek discovery into defendants’ compliance practices under the Regulations.
- Foreign incorporation is not a safe harbor. The Court’s vicarious liability holding suggests that foreign incorporation alone may not defeat alleged violations of the Regulations where plaintiffs claim that U.S.-based personnel directed the challenged conduct. Companies should not assume that their corporate structure alone insulates them from these claims, as plaintiffs may scrutinize the location and role of executives, employees, and decision-makers involved in data governance and data-sharing activities.
- For now, the pleading bar is low. The Court accepted relatively general allegations about U.S.-based officers directing challenged transactions without requiring specifics about transactions, dates, or decisions. While future courts may impose a higher bar, companies should not count on motions to dismiss to dispose of these claims.
- Ad-tech and cross-border data flows remain a litigation and regulatory focus. Companies that participate in programmatic advertising, real-time bidding, or other data-sharing arrangements should carefully evaluate whether their data flows involve “covered persons” under the Regulations.
Key Holdings
1. Alleged Violations of the Regulations Can Support ECPA’s Crime-Tort Exception
The Court held that an alleged violation of the Regulations may qualify as a “tort action” sufficient to overcome ECPA’s one-party consent defense. The Court reasoned that a damages claim is tort-based when it arises from a statutorily defined wrong. Applying that framework, the Court characterized the alleged violations of the Regulations as “founded upon a tort” because they are “based on the alleged wrongful act of transmitting Americans’ sensitive personal data in a manner that may provide foreign adversaries access to that data.” On that basis, the Court held that alleged violations of the Regulations can support application of the crime-tort exception.
2. Non-U.S. Companies May Be Vicariously Liable for U.S.-Based Employees’ Conduct
Defendants argued that the Regulations do not apply because Index Exchange is a Canadian company and therefore not a “U.S. person” subject to the Regulations. The Court held that Index Exchange, a non-U.S. corporation, may be vicariously liable for its U.S.-based employees’ conduct. The Court reasoned that the Regulations prohibit a “U.S. person” from knowingly directing any data transaction that would be prohibited if engaged in by the U.S. person. The Court found that Plaintiff sufficiently alleged that the company’s U.S.-based employees and officers, who constitute U.S. persons under the Regulations, violated the Regulations by directing the prohibited transactions. The Court further concluded that since the Regulations do not limit traditional vicarious liability rules, liability attributable to an entity’s employee or agent may be imputed to the entity itself.
3. The Court Declined to Resolve Covered Person Disputes at the Pleading Stage
Defendants further argued that Plaintiff failed to adequately allege that Temu qualified as a “covered person” under the Regulations, which includes any entity that is organized or has its principal place of business in a country of concern or is more than 50% owned by a country of concern or covered persons. Defendants pointed to publicly available records showing that the relevant U.S. operations were conducted through a U.S.-based entity. The Court, however, characterized the issue as a factual dispute inappropriate for resolution at the pleading stage and held that allegations regarding ownership, control, and operational ties to a country of concern were sufficient to plausibly allege that Temu is a covered person.
Unresolved Questions
While Baker is a significant development, it leaves several issues unresolved. In related litigation, defendants have advanced additional arguments, including arguments about whether:
- The Regulations are valid or exceed DOJ’s authority under the International Emergency Economic Powers Act (IEEPA);
- Particular data-sharing transactions fall within the Regulations’ financial services exemption, which covers certain transactions that are ordinarily incident to the provision of financial services;
- The data at issue constitutes sensitive personal data under the Regulations;
- Plaintiffs have adequately alleged that the relevant bulk data volume thresholds were satisfied; or
- Alleged violations of the Regulations can satisfy the criminal prong of ECPA’s crime-tort exception.
We will continue to monitor this evolving caselaw and provide updates on any significant developments.



