/Passle/5db069e28cb62309f866c3ee/SearchServiceImages/2026-02-20-02-46-22-415-6997cafe4a43b1faccb0748d.jpg)
Authors
On February 19, 2026, Google LLC was named in a series of class action complaints for alleging violations of numerous California statutes, including the California Invasion of Privacy Act , as well as the Department of Justice's rule on "Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern" (the “Bulk Rule”). These are part of a string of lawsuits filed against large multinational technology firms alleging violations of the Bulk Rule.
Background
The Bulk Rule originated from Executive Order 14117 and was codified in 28 C.F.R. Part 202, with the final provisions becoming effective on October 6, 2025. The Bulk Rule is designed to restrict the processing and transfer of specified categories of sensitive personal data—including human 'omic data, biometric data, precise geolocation data, personal health data, and personal financial data—to designated countries of concern (such as China) unless a specific exception applies. The rule also imposes robust compliance, audit, and recordkeeping obligations on covered entities.
For a detailed analysis, please see our previous piece on the Bulk Rule.
Class action
The class action complaints, McGrath v. Google LLC , Nadeu v. Google LLC, and Jenkins v. Google LLC, allege that Google illegally transfers certain categories of covered sensitive data to China in a data brokerage capacity as outlined and defined under the Bulk Rule. Specifically, the complaints allege that Google combined users' IP addresses and other network-level signals with cookie data and persistent advertising identifiers, and transferred such data to third parties, such as Pangle, whom the complaints allege are "covered persons" as defined under the rule.
Conclusion
As noted, these lawsuits represent the latest in a string of class action complaints against major technology firms alleging violations of the Bulk Rule. Each of these cases has alleged improper transfer of sensitive data to covered third-party persons, specifically involving cookie data, IP addresses, other network-level signals, and/or persistent advertising identifiers. Penalties can vary for violations of the Bulk Rule, but the plaintiffs in these class action complaints allege that the violation of the Bulk Rule also constitutes a violation of the Electronic Communications Privacy Act, which provides for statutory damages of $100 per day per violation or $10,000, whichever is greater. Given this evolving enforcement landscape, companies should immediately review their advertising technology practices and assess their potential exposure under the Bulk Rule.