Since the U.S. Department of Justice’s (“DOJ”) Bulk Data Rule, 28 C.F.R. Part 202 (the “Rule”) took effect in 2025, numerous class actions have been filed asserting claims predicated on alleged Rule violations. Nevertheless, only one, to date, has made it past the pleading stage. In Baker v. Index Exchange, a federal district court for the first time allowed such a claim to survive a motion to dismiss, holding that an alleged Rule violation is sufficient to serve as a predicate “tort action” defeating the consent defense under the Electronic Communications Privacy Act, 18 U.S.C. § 2511 (the “ECPA”).1 This decision by Judge Kennelly in the Northern District of Illinois signals that companies face not only DOJ enforcement risk but also private class action exposure for noncompliance if they fail to comply with the Rule. The use of the ECPA as the vehicle to recognize a novel private cause of action for violations of the Rule is particularly significant as that statute provides for statutory damages and vicarious liability theories. Now that a court has approved this novel theory to proceed past the pleading stage, we expect to see a significant uptick in class actions that likewise allege noncompliance with the Rule as a basis for significant damages. Companies should prepare now by ensuring that their compliance programs are strong and defensible.
The Rule prohibits U.S. persons from knowingly engaging in data brokerage transactions that give “covered persons” access to bulk sensitive personal data, and it restricts other covered data transactions with such persons unless prescribed security requirements are met. “Covered persons” include entities organized in, principally based in, or majority-owned by persons in designated “countries of concern” — the People’s Republic of China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela. The Rule’s application turns on the transaction type, the parties, the data categories, whether applicable bulk thresholds are met, and whether the transaction is outright prohibited or instead subject to security requirements as a “restricted transaction.” Frequently, this sort of concern arises when data is processed in a country of concern or a significant investment is made by an investor in those countries.
The Baker plaintiff alleged that Index Exchange, a global advertising technology company operating a supply-side platform for digital ad auctions, intercepted website visitors’ traffic data — including identifiers matched with third-party partners to identify individuals — and transmitted that data to a Chinese e-commerce platform as part of its programmatic bid-request process. The ECPA prohibits intentional interception of the contents of electronic communications and provides a private right of action for statutory damages of the greater of $100 per day or $10,000. A common defense is one-party consent, but that defense may be defeated where the interception was “for the purpose of committing any criminal or tortious act” (the “crime/tort exception”). Before Baker, no court had addressed whether an alleged Rule violation could supply the predicate tort needed to invoke this exception.
The Baker court found that the plaintiff adequately alleged a Rule violation sufficient to invoke the crime/tort exception at the pleading stage. Critically, the court did not determine whether the defendants actually violated the ECPA or the Rule on the merits. It deferred as factual disputes the questions of whether the data at issue meets the Rule’s bulk thresholds, whether the e-commerce platform to which Index Exchange allegedly transmitted visitors’ traffic data qualifies as a “covered person” under the Rule, and whether the alleged disclosures constitute interception of “contents” under the ECPA. The court also held that Index Exchange Inc., a Canadian parent company, could face vicarious liability for acts of its U.S. subsidiary’s employees, extending potential exposure to foreign parent entities.
The takeaway is clear: the risk arising from Rule noncompliance now extends well beyond DOJ enforcement. Baker establishes that Rule violations can unlock private class action claims carrying significant statutory damages, and that foreign parent companies may be held vicariously liable for their U.S. affiliates’ conduct — even if the DOJ has not initiated an investigation into a company’s compliance. Companies that handle cross-border data flows involving countries of concern should treat Baker as an additional reason to assess and strengthen their compliance programs — both to minimize the risk of such lawsuits being filed and to present the strongest defense if such a suit is filed.
- No. 25-cv-10517 (N.D. Ill. June 16, 2026).
Authors
Stay Up To Date with Ropes & Gray
Ropes & Gray attorneys provide timely analysis on legal developments, court decisions and changes in legislation and regulations.
Stay in the loop with all things Ropes & Gray, and find out more about our people, culture, initiatives and everything that’s happening.
We regularly notify our clients and contacts of significant legal developments, news, webinars and teleconferences that affect their industries.




