On June 16, 2026, a U.S. district judge denied a motion to dismiss in one of the first cases alleging a violation of the Electronic Communications Privacy Act ("ECPA") stemming from the defendant's data-sharing practices under the Department of Justice's 2025 Bulk Sensitive Data Rule ("Bulk Rule").

As one of the first cases in a string of cases filed in late 2025 and early 2026, this development marks a significant turning point in the use of the Bulk Rule to invoke the ECPA's crime/tort exception. Organizations with ties or connections to China should pay close attention to these developments as they relate to operating websites, collecting data, and sharing data between U.S. and Chinese affiliates.

Background

The plaintiff in the case, Baker, is an Illinois resident who visited a website that participates in the defendant Index Exchange Inc.'s ("Index") ad sale processes. Baker alleges that Index monitored and intercepted communications and collected IP addresses, cookie IDs, browser and device data, advertising IDs, and other behavioral information. Baker further alleges that Index shared this information with other companies, including covered persons as defined under the Bulk Rule.

Violation of the Bulk Rule

The Bulk Rule generally prohibits U.S. organizations from providing access to or transmitting certain categories of sensitive personal data to covered persons, as defined under the rule, in quantities exceeding the thresholds established by law. A covered person includes a non-U.S. entity that is organized or has its principal place of business in a country of concern, or that is more than 50% owned by a country of concern or by other covered persons. China is designated as a country of concern. For a more detailed discussion on the Bulk Rule, please see Reed Smith's previous article.

The plaintiff alleges that Index collected IP addresses, cookie IDs, browser and device data, advertising IDs, and behavioral information, and transmitted such information to covered persons under the Bulk Rule. The complaint alleged that Index knowingly facilitated these transfers involving the data of millions of U.S. citizens.

Connection to the ECPA

The ECPA generally prohibits the interception of communications unless at least one party consents to such interception. However, the ECPA contains what is commonly referred to as the crime/tort exception. Under this exception, if an interception was conducted for the purpose of committing any criminal or tortious act in violation of the laws of the United States, then the one-party consent defense no longer applies. In other words, if the interception violates applicable law and both parties have not consented to the interception, plaintiffs may seek damages.

Here, Baker alleges that Index collected millions of Americans' IP addresses and other data in volumes exceeding the thresholds established by the Bulk Rule, without providing or offering consent mechanisms such as a cookie banner.

The court found that Baker sufficiently alleged that Index violated the Bulk Rule by transmitting covered personal data to a covered person in quantities sufficient to trigger the rule's prohibitions. Accordingly, the court denied Index's motion to dismiss, and the case will proceed.

Conclusion

This case represents one of the first instances in which a plaintiff has used the Bulk Rule to invoke the ECPA's private right of action and seek ECPA damages. Organizations should broadly review the third parties they permit to deploy technologies on their websites. Organizations with connections to China, in particular, should evaluate their public disclosures and assess their Bulk Rule compliance. While these developments are still in the early stages, the denial of the motion to dismiss serves as an important reminder that, even though the Bulk Rule does not itself create a private right of action, significant legal risk remains. Organizations should be prepared to comply with the Bulk Rule and to monitor related litigation as it continues to develop.