
A New Era of Comprehensive Privacy Laws and the Surge in Data Privacy Litigation: Important Updates for 2026

Alert
01.26.2026
By Steve Cosentino, Megan McCurdy, Ashley Crisafulli & Michal Whitney

Pervasive data collection has fueled a dramatic transformation in the legal data privacy landscape, marked by two distinct, yet parallel, developments: a wave of new state privacy laws and a surge in online privacy lawsuits.

During 2024, seven states passed comprehensive privacy laws, bringing the total number of states with comprehensive privacy laws to 20.[1] That same year, lawsuits related to online privacy skyrocketed, with nearly 4,000 cases filed in 2024—up from just over 200 cases filed in 2023—alongside countless additional claims asserted through demand letters and arbitration. In 2025, the litigation trend continued, and over these three years we identified online tracking claims filed in 315 courts across 45 states plus the District of Columbia against 3,512 unique defendants.[2] Although no new comprehensive state privacy laws were enacted during 2025, several states amended existing statutes.

Key Takeaways

  • Growing Patchwork of Privacy Laws – As of January 2026, 20 states are actively enforcing comprehensive privacy laws, creating a complex and varied compliance environment for organizations that collect consumer data.
  • Surge in Privacy Litigation – Claims related to online tracking technologies have increased dramatically, targeting not only consumer-facing businesses but also B2B companies and nonprofits.
  • Broad Use of Legal Theories – Plaintiffs are relying on older statutes and common law claims, including invasion of privacy, misrepresentation, and unjust enrichment, to pursue high-exposure privacy actions, even where state laws do not provide a private right of action.
  • Proactive Risk Management Recommended – Organizations using cookies, pixels, session replay tools, or other tracking technologies should audit data practices, confirm consent mechanisms, and review vendor relationships to mitigate regulatory and litigation risk.

Stinson's privacy litigation team consistently assists clients with claims alleged under the California Invasion of Privacy Act (CIPA)[3] and other state privacy laws. Although consumer-oriented websites present the most risk for such claims, we are seeing demands made against B2B companies and even some nonprofits as well.

However, these legislative and litigation trends are not directly connected. Most state privacy laws do not include a private right of action, empowering state regulators with exclusive enforcement authority.[4] Yet the rapid escalation in lawsuits raises the question: what is driving this litigation boom, and why consider these separate trends together?

The answer lies in the pervasive use of online tracking technologies, raising questions at the core of both regulatory enforcement efforts and plaintiff allegations, which include common law invasion of privacy, breach of contract, unjust enrichment, misrepresentation, conversion and even straight negligence. Companies looking to minimize the potential claims need to ask the following questions:

  • Is the collected data stored securely?
  • Do data collection, usage, and deletion practices align with public-facing notices and legal requirements?
  • Are third parties accessing or buying this data?
  • Did consumers provide informed, specific, and valid consent where necessary?
  • What tracking technologies are in use (e.g. cookies, pixels, tags, fingerprinting, session recording) and at what point are they activated?
  • Was a consent management tool deployed, and did it operate as intended?

Organizations face these and many other complex challenges within the rapidly-evolving regulatory and legal environment. Heading into 2026, these trends show no signs of slowing, and organizations must contend with growing legal risks tied to their use of online tracking technologies.

Regulatory Compliance Challenges

California pioneered U.S. comprehensive privacy legislation in 2018, enacting the California Consumer Privacy Act (CCPA), which became effective in 2020 and was amended by the California Privacy Rights Act effective in 2023. Four states followed suit over the next two years, enacting comprehensive privacy statutes during legislative sessions in 2021–2022 (CO, CT, UT, VA). In 2023, eight states passed statutes (DE, FL, IN, IA, MT, OR, TN, TX), and seven more states enacted comprehensive privacy legislation in 2024 (KY, MD, MN, NE, NH, NJ, RI). Although no new comprehensive privacy laws were enacted in 2025, the year marked another milestone in U.S. privacy compliance with eight of the new state laws taking effect, and several legislatures enacting amendments to existing privacy statutes. As of January 2026, the final three enacted privacy laws have taken effect, totaling 20 states now actively enforcing comprehensive privacy laws.

While many of these laws follow similar frameworks, they differ significantly in often non-obvious ways. For example, a seemingly identical consumer right, such as the right to data access, might entitle a consumer in one state to access only the information they directly provided to the controller, while in a nearby state, it extends to all the data the controller has collected or derived about them from any source. Other state privacy laws, such as Maryland's Online Data Privacy Act, are outliers, setting stricter standards and imposing higher compliance burdens for businesses.

Similarly, state privacy laws diverge in areas such as statutory exemptions, controller obligations, whether prior consent is required or an opt-out mechanism suffices, the presence and duration of a mandatory right to cure violations of the statute, and the types of changes in collection and processing that necessitate another data impact assessment. These variations make it impractical for organizations to rely on a one-size-fits-all compliance approach.

Like most consumer protection laws, a state's privacy laws apply based on the residency of consumers whose data is collected, processed, or disclosed. An organization may become subject to these laws through activities across a wide range of contexts, such as consumer transactions, subscriptions, lead generation, and website or mobile app tracking technologies. Organizations must assess the geographic origin of their consumer data and ensure adherence to state-specific standards, such as transparency in data collection, use, and disclosure, adherence to data minimization and security requirements, and enablement of consumer rights, such as access, correction, and deletion.

Navigating this growing patchwork demands a proactive and adaptable approach. Organizations should prioritize regular audits of their data practices, frequent end-to-end testing of compliance technologies, finding ways to enhance collaboration across IT, legal, marketing, web, and other teams, and keeping external privacy notices, internal policies, and employee training programs current with both evolving regulations and litigation risks.

Rising Risks in Privacy Disputes

The rise in privacy-related litigation stems from aggressive strategies by plaintiffs' firms and evolving interpretations of laws that either directly concern or can be interpreted to touch on data privacy. Organizations must increasingly defend actions brought by both private plaintiffs and regulatory enforcers. These actions commonly allege violations of consumer protection, privacy and surveillance statutes, and common law doctrines such as misrepresentation, conversion, and constitutional principles.  

Consumer Protection Claims are a common tactic. Plaintiffs' attorneys and government agencies, already well-versed in litigating consumer protection claims under statutes such as the California Consumer Legal Remedies Act, California Computer Data Access and Fraud Act, unfair competition laws, and false advertising laws, have adapted their approaches to target privacy. These firms leverage existing legal playbooks to pursue claims against organizations for practices involving online tracking technologies. Additionally, state attorneys general and federal agencies are increasingly initiating enforcement actions.

Statutory Claims are notable for their breadth and potential for significant financial exposure. While some cases rely on recently-enacted laws, many invoke older statutes that were not originally intended to address modern privacy concerns. For example, Cold War-era surveillance laws have been interpreted more broadly in recent years, with courts expanding their application to digital privacy disputes. This trend has opened the door for claims under statutes such as CIPA, which imposes penalties of $5,000 per violation. CIPA claims are often referred to as "wiretap"[5] claims or "trap and trace"[6] claims, often targeting social networking pixel tags. While newer privacy statutes are also being tested in the courts, they generally lack the established legal precedent and widespread application of older laws.

Common Law Theories are playing an increasingly prominent role in data privacy litigation. Plaintiffs have asserted a growing number of claims under theories such as invasion of privacy under those state constitutions that establish a right of privacy (such as California's), unjust enrichment, trespass to chattels, and various forms of fraud and misrepresentation. These proceedings are fact-specific in nature, yet often hinge on broad and evolving concepts, such as whether consumers had a reasonable expectation of privacy in the context of online tracking, and whether the defendant’s conduct was highly offensive or pervasive enough to warrant liability. Courts have struggled to apply these principles consistently, resulting in a patchwork of precedential decisions that offer broad discretion to subsequent judges and juries, and amplify legal uncertainty for organizations making strategic decisions.

The dynamic nature of privacy litigation, driven by both evolving statutory frameworks and flexible common law theories, poses a growing challenge for organizations that rely on online tracking technologies.

What to Do About It

  • Understand what information you are collecting, tracking, selling, and transferring. Many organizations were not aware of the extent and nature of these practices across their organizations. Consider engaging our privacy team to help assess the scope and risks of your organization’s data practices.
  • Confirm your website complies with the privacy laws currently in effect and that user consent tools, such as cookie banners and opt-out preference signal recognition, are present, functioning as intended, and configured to help you prevent or defend against potential claims.
  • Audit the privacy practices of third-party vendors that your company uses for website operation and marketing technologies.
  • Engage legal counsel if you receive a demand letter. Our seasoned attorneys have experience with many of the plaintiffs' firms in this field and are adept at responding to their frequent privacy claims.

We are helping clients across industries understand their data practices, confirm compliance, evaluate risks, and defend against claims.

By adopting proactive compliance strategies now, organizations can mitigate legal risks while building trust in an increasingly privacy-conscious marketplace.

For more information on emerging state privacy laws, online tracking risks, and data privacy litigation trends, please contact Steve Cosentino, Megan McCurdy, Ashley Crisafulli, Michal Whitney or the Stinson LLP contact with whom you regularly work.


  1. The twenty state privacy laws are the California Consumer Privacy Act (CCPA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA), Florida Digital Bill of Rights (FDBR), Oregon Consumer Privacy Act (OCPA), Texas Data Privacy and Security Act (TDPSA), Montana Consumer Data Privacy Act (MCDPA), Delaware Personal Data Privacy Act (DPDPA), Iowa Consumer Data Protection Act (ICDPA), Nebraska Data Privacy Act (NEDPA), New Hampshire Privacy Act (NHPA), New Jersey Data Privacy Act (NJDPA), Tennessee Information Protection Act (TIPA), Minnesota Consumer Data Privacy Act (MNCDPA), Maryland Online Data Privacy Act (MODPA), Indiana Consumer Data Protection Act (ICDPA), Kentucky Consumer Data Protection Act (KCDPA), Rhode Island Data Transparency and Privacy Protection Act (RI-DTPPA).
  2. These statistics are based on data collected and managed by an internal team of Stinson attorneys and legal research experts.
  3. California Invasion of Privacy Act (CIPA) Cal. Pen. C. § 630–638.55.
  4. The sole exception is CCPA, which has a limited private right of action related to data breaches.
  5. California Invasion of Privacy Act (CIPA) Cal. Pen. C. § 361(a) (Wiretapping Communications).
  6. California Invasion of Privacy Act (CIPA) Cal. Pen. C. § 638.51(a) (Pen Registers and Trap and Trace Devices).
