Class Actions Allege Digital Ad Platforms Violated Privacy Law to Facilitate Data Transfers to Temu
SAN FRANCISCO & CHICAGO – september 2, 2025 – Two class action lawsuits filed today in federal court accuse digital advertising platforms Xandr, Inc.and Index Exchange, Inc. of violating the Electronic communications Privacy act (ECPA), 18 U.S.C. § 2510, and the seq, by allegedly intercepting user communications. The suits claim these interceptions were undertaken to violate the U.S. Department of Justice’s Bulk Data Transfer Rule, a regulation implementing Executive Order 14117. This marks what appears to be the first time the Bulk Data Transfer Rule has been central to class action litigation.The first lawsuit, Porcuna v. XANDR, Inc. (Case No.4:25-cv-07385),filed in the U.S. District Court for the Northern District of California, alleges that Xandr, a subsidiary of Microsoft, used tracking technologies on third-party websites to capture the content of user interactions without consent. The complaint argues that even if Xandr were considered a party to these communications, it cannot claim an exemption under ECPA as the intercepted data was allegedly used to commit a criminal or tortious act. Specifically, the suit claims xandr transmitted user data – including IP addresses, advertising IDs, device IDs, and cookie data – to Temu, a Chinese-owned e-commerce platform, in violation of the Bulk Data Transfer Rule.
A second, nearly identical suit, Baker v. index Exchange,Inc. (Case No. 1:25-cv-10517), was filed in the U.S. District Court for the Northern District of Illinois. The Baker complaint alleges that Index Exchange, a supply-side digital advertising platform, similarly used tracking technologies to capture user interactions on websites and transmit that data to Temu, also with the intent of violating the Bulk Data Transfer Rule.
The Bulk Data Transfer Rule, finalized by the Department of Justice, aims to mitigate national security risks associated with the large-scale transfer of U.S. citizens’ personal data to countries of concern. The lawsuits suggest a novel legal strategy, applying existing privacy laws to challenge data practices potentially violating the new regulation.
