Privacy & Information Security Law Blog

On September 2, 2025, two class actions were filed in federal district court alleging that defendants digital advertising platforms Xandr, Inc. (“Xandr”) and Index Exchange, Inc. (“Index Exchange”) violated the Electronic Communications Privacy Act, 18 U.S.C. § 2510, et seq (“ECPA”) by unlawfully intercepting wire communications for the purpose of committing a criminal or tortious act – specifically, for the purpose of violating the U.S. Department of Justice’s Final Rule, 28 C.F.R. Part 202, implementing Executive Order 14117 (“Bulk Data Transfer Rule”).

These appear to be the first instances in which the Bulk Data Transfer Rule has been used as a key basis of a class action lawsuit.

In Porcuna v. Xandr, Inc., Case No. 4:25-cv-07385, filed in the U.S. District Court for the Northern District of California, the complaint alleges that Xandr, a Microsoft subsidiary, used tracking technologies on third-party websites to intercept the contents of users’ interactions with these websites without the users’ consent, in violation of ECPA. The complaint further alleges that, even if Xandr were deemed a party to the users’ communications with the websites, Xandr cannot take advantage of the “party exception” to liability under ECPA in 18 U.S.C. § 2511(2)(d) because the exception does not apply where the communication is intercepted for the purpose of committing a criminal or tortious act. In particular, the complaint alleges that Xandr’s interception and use of the communications was undertaken for the purpose of committing the criminal and tortious act of unlawfully transmitting users’ data, including IP addresses, advertising IDs, device IDs, and cookie data, to a Chinese-owned e-commerce platform, Temu, in violation of the Bulk Data Transfer Rule.

In Baker v. Index Exchange, Inc., Case No. 1:25-cv-10517, a case filed in the U.S. District Court for the Northern District of Illinois, the complaint includes highly similar allegations to the Xandr complaint. Baker alleges that Index Exchange, a supply-side digital advertising platform, violated ECPA by using tracking technologies to capture users’ interactions with third-party websites and transmit them to Temu for the purpose of violating the Bulk Data Transfer Rule.