8 Biggest Data Privacy Lawsuits & Class Action Settlements
Mishandling data and failing to implement the right protocols are unfortunately common occurrences in our digital age. When news of poor operations and data mishandling gets out, businesses can lose consumer trust and see revenue drop. In some cases, businesses are sued by individuals or class action plaintiffs, or government bodies seek restitution through data privacy lawsuits.
Here are 8 real-world examples of data privacy litigation: companies that found themselves in court defending the mishandling of sensitive information.
The 8 Biggest Privacy Lawsuits Worldwide
Our list is based on cases that were either settled for restitution to the affected parties or ordered to pay fines to governing bodies.
1. Equifax (2019): $650 Million
Equifax is one of the big three credit reporting agencies in the U.S. In 2017, a massive data breach at the agency exposed the financial and personal information of almost 150 million consumers because of a faulty framework in one of Equifax’s databases. The firm failed to fix a known vulnerability even though a patch was available to correct the issue. As if that weren’t enough, the company didn’t disclose the breach in a timely manner.
In 2019, Equifax agreed to a settlement with the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and all 50 states and U.S. territories. The initial agreed amount was $575 million, to be split between a $300 million fund to help consumers impacted by the breach, $175 million to 48 states, Puerto Rico and the District of Columbia, and the remaining $100 million to the CFPB. However, an additional $125 million was required to be set aside for the consumer impact fund, bringing the total to $650 million, the largest data breach settlement at the time.
2. T-Mobile (2022): $350 Million
Equifax isn’t the only company paying out large sums in privacy class action settlements. In 2022, the telecommunications giant T-Mobile announced a $350 million settlement of a class action suit spurred by a 2021 data breach impacting roughly 77 million subscribers in the U.S. Along with setting aside that $350 million for direct payments to claimants, legal fees, and administrative fees associated with the settlement, the firm committed to allocating an aggregate $150 million to investments in data security.
3. Home Depot (2014): $200 Million
At the time, this was one of the largest point-of-sale (POS) system data breaches to occur, and the fallout was pervasive. Hackers used stolen credentials to access Home Depot’s POS network, collecting over 50 million credit card numbers and 53 million email addresses over a period of five months.
Not only did the home improvement retailer pay $134.5 million to credit card companies and banks, but in 2016 it agreed to set aside $19.5 million for consumers impacted by the breach. Those funds were set aside to cover credit monitoring. Meanwhile, an additional $25 million was paid to financial institutions impacted by the breach, for victims to access.
Then, in 2020, the brand paid an additional $17.5 million to 46 U.S. states and Washington, D.C. That settlement also required a massive overhaul of security protocols, including improved training for key personnel, enhanced monitoring, and improved incident response.
4. Capital One (2021): $190 Million
Capital One is a popular financial institution that offers consumers loans, credit cards, and banking products. In 2021, the firm settled a privacy-violation class action lawsuit over a 2019 data breach that impacted 100 million people. Ultimately, it was found that a software engineer at Amazon’s AWS had left countless citizens’ personal information exposed.
The engineer was eventually arrested, and both Capital One and AWS claimed that the stolen data was never released or sold. Nevertheless, the financial giant agreed to pay $190 million to close the case.
5. Uber (2022): $148 Million
Uber has had plenty of turns in the hot seat, from rogue drivers assaulting female riders to inflating potential earnings to lure more drivers. This time, however, the ride-hailing firm found itself in the FTC’s crosshairs over a 2016 hack that leaked the confidential information of 57 million drivers and riders.
The firm faced serious prosecution from the U.S. Department of Justice (DOJ) and wisely chose to settle to avoid charges. What made this case so egregious wasn’t just that data was hacked, but that Uber attempted to cover up the problem. Hackers used stolen credentials to access sensitive data, including 600,000 driver’s licenses. When Uber realized what had happened, the firm paid the hackers $100,000 in ransom to delete the data and keep quiet about the hack.
The breach wasn’t made public until nearly a year later, when Dara Khosrowshahi took over as CEO from Travis Kalanick. The public disclosure spared the company further prosecution, though it still paid $148 million to settle civil litigation.
6. Morgan Stanley (2022): $120 Million
Financial services and investment bank Morgan Stanley has had its fair share of controversy. In 2020, a class action lawsuit was brought against the financial giant alleging improper handling of personal data. According to court documents, the plaintiffs state that between 2016 and 2019, Morgan Stanley failed to properly wipe decommissioned equipment from its data center.
Because of this, a software flaw in the equipment left the data of roughly 15 million customers potentially exposed. This became even more problematic because Morgan Stanley resold the equipment to third parties after it was decommissioned. To end the litigation, the financial institution initially offered to pay $120 million, but this sum was later reduced and confirmed to be $60 million.
That money is set aside for victims and gives them access to at least two years of fraud insurance protection, along with the right to apply for up to $10,000 in reimbursement for damages caused by the data mishandling. However, similar to Capital One, Morgan Stanley was also hit with a $60 million fine from the U.S. Office of the Comptroller of the Currency (OCC).
7. Vizio (2018): $2.2 Million
Vizio, the television manufacturer, found itself in big trouble for unauthorized data collection. In 2017, the FTC, the Attorney General of New Jersey, and the director of the New Jersey Division of Consumer Affairs (DCA) filed a joint lawsuit against Vizio and its subsidiary, Inscape Services.
The suit alleged that the TV maker secretly collected data without authorization through its smart televisions and sold that data to third parties. The data wasn’t anonymized and would show exactly what was being watched, the associated IP address, any nearby Wi-Fi networks, and other identifying information.
Even more troubling, demographic details such as age, sex, marital status, income, education, home ownership status, and even household size could be tied to viewing data. To fly under the radar, Vizio relied on a “smart interactivity” setting that claimed to use data only to make viewing suggestions. However, the brand’s smart TVs rarely made suggestions and failed to fully disclose exactly how much data was being tracked.
Ultimately, Vizio reached a $2.2 million settlement, which included $1.5 million for the FTC and $1 million for the New Jersey DCA. Of that, $300,000 was later dismissed, leaving $2.2 million as the final amount.
8. Whole Foods (2023): $300,000
In early January 2023, Whole Foods agreed to settle a class action lawsuit in Illinois brought by plaintiffs alleging that the posh grocery store “unlawfully collected voiceprints from employees,” specifically at the firm’s distribution centers. According to court documents, Whole Foods used company equipment, such as headsets, that employees were required to use.
However, the firm failed to provide proper notice that their voices would be recorded and stored for biometric use. The suit further claimed that in doing so, Whole Foods put employee privacy at risk and exposed them to potential danger from hackers who could commit identity theft. Because Whole Foods failed to secure consent, the grocery chain violated the Illinois Biometric Information Privacy Act (BIPA). Ultimately, the chain chose to settle for almost $300,000.
9. Meta Pixel Lawsuits (Undisclosed)
A newly emerging category of lawsuits targets firms deemed non-compliant with the California Invasion of Privacy Act (CIPA).
CIPA, also known as the wiretapping law, imposes strict limits on businesses’ retention of communications about their customers. Some law firms have argued that the use of tracking technology, such as advertising on Facebook and Instagram via the Meta Pixel, contravenes the law. Meta Pixel lawsuits are gaining in prominence, and they are one to watch out for.
How to Protect Your Business From Data Privacy Litigation
Class action lawsuits aren’t fun. They attract an inordinate amount of media attention and unwanted publicity, painting your brand in a negative light. In addition to the tangible financial losses, there is the risk of reduced business and lost customer goodwill.
For an audit of your data privacy standards, our list of the best data privacy consultants is a good place to start. Or if you're looking for immediate help with cybersecurity and consent management, schedule a demo with Enzuzo to learn how we can help.
Osman Husain
Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.