DOJ Bulk Data Rule Offers Path for ECPA Claims, IAPP Says

The ECPA is a federal wiretapping statute similar to the California Invasion of Privacy Act (CIPA), though it includes a crime-tort exception, meaning the law applies only when the communication in question is intercepted for the purposes of committing a tortious or criminal act (see 2507290069).

The DOJ established the Bulk Sensitive Data Rule in April to prohibit “U.S. persons from engaging in certain categories of data transactions with six 'countries of concern,’” the blog said (see 2503100057). A recent class action at the U.S. District Court for Northern Illinois, Baker v. Index Exchange, demonstrates their connection, Simpson said.

In case 1:25-cv-10517, plaintiff John Baker said his online communications and sensitive data from accessing BibleGateway.com were collected and transmitted by advertising technology company Index Exchange to Chinese-owned e-commerce platform Temu (see 2511240043).

“The complaint argues that the ‘party exception’ under” the ECPA “does not apply because Index Exchange's interception was carried out for the purpose of committing a violation" of the Bulk Data Transfer Rule, Simpson said.

Though he admitted the “class action may encounter several hurdles in meeting the requirements of the ECPA as well as the Bulk Data Transfer Rule,” it nevertheless “marks a new frontier in ECPA litigation, one that applies national security law in circumventing limitations to ECPA applicability.”

Simpson cited other cases, like Porcuna v. Xandr, as arguing similar facts to Baker. Even so, “the party exception to the ECPA remains limited,” the blog noted, and “this exception is likely to face further constraints” as “new data sharing laws and regulations … crop up at the state and federal level.”