Privacy Litigation Spikes with No Federal Solution in Sight

Privacy litigation is on the rise, according to law firm Duane Morris’s 2025 Class Action Review, with expansive growth expected in privacy and data breach class actions, largely thanks to state laws.

Workplace use of data: There are many legitimate uses of data in the workforce. Large employers seek to maintain a culture of trust in the workplace while providing leading wages, benefits, and a safe work environment. Toward these ends employers collect and process information about workers that is essential for issuing pay checks, administering benefits—such as health insurance and paid leave—and withholding taxes.

State trends: State legislation is generally designed with consumers—not employees—in mind, but legislation governing biometric data has not drawn specific lines. States have been actively implementing privacy laws to protect individuals’ data and stay competitive with international regulation like the EU’s GDPR.  Currently about 20 states have enacted some sort of privacy legislation. The statutes differentiate on whether they exempt HR data and whether they provide a private right of action.

Illinois’ BIPA: As widely reported, the Illinois Biometric Information Privacy Act (BIPA) resulted in a massive spike in litigation against employers beginning in 2019 when the state Supreme Court ruled that BIPA plaintiffs do not need to prove actual harm. Of the top BIPA class action settlements in 2024, six involved employer use of fingerprint and other employee biometric data.

• Much of the class action momentum under BIPA has been quelched by an August 2024 amendment eliminating per-scan damages (which states a new claim arises each time a company collects or discloses covered information) and reducing penalties. As Duane Morris reports, “While the per-person damages remain significant, the growth in such claims” is flattening.

What’s next: Comprehensive state laws will continue to grow, particularly around biometric data collection and use, including state laws that classify biometric data as “sensitive” and around the use of AI which impact how companies handle personal data.

By 2026, all 20 states with enacted privacy legislation will have taken effect leading to more privacy enforcement.

Prospects for federal legislation: The federal arena has been focused on AI with establishment of Artificial Intelligence (AI) frameworks pushed by the Biden White House and Department of Commerce. Those frameworks are expected to be revisited by the incoming Trump Administration, which will focus on greater flexibility.

In addition, the bipartisan American Privacy Rights Act, introduced in 2024, sought to establish a comprehensive federal framework for consumer data privacy and security. Achieving federal privacy legislation has been stymied by disagreements on preemption of state laws private rights of action, and the balance between consumer protections and business interests.  The proposal may be revived in the 119^th Congress, but prospects are uncertain.

The bottom line: As Congress works on consumer privacy legislation, HRPA is encouraging members of Congress to consider the inherent differences between employment-related and consumer data — advocating that any federal consumer privacy legislation must be clear in its scope and focused on consumers.