Personal Data Privacy Lawsuits

The Lyon Firm is actively involved in Personal Data Misuse Class Action Lawsuits on behalf of consumers nationwide.
Nationwide Success

Data Privacy Attorney

INVESTIGATING Data Sharing & Data Misuse Claims

Consumer safety attorneys are taking on new class action data privacy violation cases every day. While companies collect, store, share, and sell your personal data, consumers often see their privacy compromised.

Cybersecurity may take a backseat to company profit and growth, and instances of data misuse are increasingly common. There are many new questions surrounding what companies can legally do with data they collect from their clients, but only a handful of states have actually signed consumer data privacy protections into law.

How secure are data systems? Judging by the huge number of data breaches announced each year, it is safe to say online privacy and cybersecurity needs some improvement on several fronts. Beyond the security and theft of personal data lies more concerns: data misuse and privacy violations.

Personal data privacy violations can be the basis for class action data misuse lawsuits, and The Lyon Firm aims to protect consumer privacy rights. If you have been the target of data sharing, personal data misuse or data privacy violations, call for a free consultation. You may be eligible to join existing data privacy class actions and compensation may be available.

Can I Protect My Personal Data Privacy?

Companies often take advantage of consumers by presenting a long, unreadable privacy policy on websites and apps. The end result is consumers signing away their personal data for nothing in return, except to use a website or media platform. Opting out of data collection may be difficult or impossible in some cases.

Not only is personal data collected and sold by certain companies for profit, but it is not always properly secured, and data breaches lead to data theft and a host of data privacy violations. Cyber security lawsuits are a growing trend in the legal world, and personal data privacy class actions may be necessary to hold companies accountable for instances of data misuse and data sharing.

There are many ways in which personal data can be leaked, stolen or misused by third parties. Data breaches can be very costly to everyone involved, and legal action may be a logical course of action.

What Consumer Data Privacy Laws Exist?

As of 2021, there is no federal legislation in the United States that addresses consumers’ data privacy concerns. There are laws such as HIPAA (personal health privacy), Gramm-Leach-Bliley (financial privacy), and COPPA (children’s online privacy) that establish industry-specific standards, but nothing that encompasses the full scope of online privacy matters.

There are, however, some state laws that may be the model for future federal data collection regulations, including personal data privacy and cybersecurity regulations in California, Illinois and Virginia.

consumer data protection law

The Biometric Information Privacy Act (BIPA) is one of the most modern examples of state legislation intended to regulate companies’ use of biometric data. Some of the more important provisions of the privacy law include:

  • Requirements for companies to seek informed consent prior to collecting personal biometric data
  • A limitation of rights to sell or disclose collected biometric data
  • A requirement for companies to create confidentiality and data retention guidelines
  • A prohibition of profiting from collected biometric data
  • The right of legal action for individuals affected by data theft violations
  • Enacting damages from $1,000 to $5,000 per negligent or reckless violation.

Not only do some states regulate a business’s use of biometric data, but they allow for individuals to bring legal action against companies that violate state biometric data laws. In January 2019, the Illinois Supreme Court ruled that private individuals can file data theft claims if they are able to show that their privacy rights have been violated.

The Illinois statute prohibits an entity from collecting biometric information unless it fulfills the following:

  • Informs individuals in writing that their biometric data is being captured
  • Outlines the purpose and period of time for which the data will be utilized
  • Receives a written release from individuals consenting to the data collection

Other states have been scrambling to catch up with modern advances and have been slow to provide biometric policies. Most states have no comprehensive biometric regulations. The following states are exceptions:

  • Texas has its own biometric privacy act which provides that a person cannot capture a biometric identifier without a prior consent, and may not sell biometric date without consent. A company or person must use reasonable care in storing it, and “shall destroy the biometric identifier within a reasonable time.” Violators may face a civil penalty of $25,000 for each violation,
  • Washington passed biometric privacy legislation in 2017. The law prohibits any company or individual from entering biometric data into a database for a commercial purpose without providing notice, obtaining consent, or providing a mechanism to prevent the subsequent use of a biometric identifier for a commercial purpose.
  • The California Consumer Privacy Act (CCPA) regulates biometric data by including it in the definition of “personal information.” Biometric data is defined in the CCPA to include physiological, biological or behavioral characteristics, including DNA, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings.
  • New York has passed the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which broadens the definition of private information to include biometric information. The law applies specifically in the employment context and prohibits fingerprinting “as a condition of securing employment or of continuing employment.”
  • Arkansas amended existing laws and revised the definition of covered personal information to now include biometric data.

Other states have introduced biometric legislation but most laws have not yet been enacted.

Data Sharing Case Study

In 2021, Zoom agreed to a $85 million settlement after the company allegedly misrepresented its end-to-end encryption on video calls. According to complaints, the company shared user data with companies like Facebook and Google without users’ consent. The settlement follows a class action claim of data privacy violations.

Attorneys and plaintiffs claimed that Zoom willingly shared personally identifiable information (PII) with third parties without proper permission, which in turn made it possible for such third parties to identify and track users’ behavior. The official legal complaint also alleged that Zoom misrepresented its security features.

The court allowed claims of breach of contract, breach of implied contract, and quasi-contract to proceed. Under the proposed settlement, Zoom agreed to “major changes to its practices,” meant to better protect consumer data.

Of course Zoom is not the only company facing legal scrutiny about data sharing practices. The Lyon Firm is currently investigating a variety o data sharing and privacy violation cases on behalf of plaintiffs nationwide.

Does My Car Collect Personal Data?

To add to other privacy concerns for American consumers, automobile manufacturers are allegedly collecting personal data at a rapid pace. Unfortunately, there have already been security breaches involving automakers. General Motors (GM) announced in May 2022 that it was hit by a credential stuffing attack that exposed customer information and allowed hackers to redeem rewards points and gift cards.

GM said that they detected the malicious login activity and began a data theft investigation. GM posted a data breach notification  and sent notices to affected customers.

A credential stuffing attack is possible when credentials are obtained from a previous data breach. Such data was likely not obtained from GM but a third party.

The stolen personal data of affected GM customers includes full names, email addresses, home addresses, usernames and phone numbers, last known and saved favorite location information, avatars and photos, profile pictures, search and destination information, and Wi-Fi hotspot settings.

Recent reports note that some modern cars collect a vast amount of personal data, and may track where we live, who we text, and what restaurants we visit. Collected data isn’t delivered to car owners, but rather to the automakers, or third parties willing to pay for the data. The data generated by cars may be worth billions of dollars each year.

TV Data Tracking

The misuse of TV data, collected by media conglomerates and other corporate entities, can pose a privacy concern to consumers and lead to class action lawsuits. In recent years, some landmark litigation has led to the strengthening of consumer data laws.

In most cases, if a company does not have your permission or written consent to collect and disseminate your personal information (location data, viewing history, demographics), they may be liable for violating privacy protection statues and can be sued accordingly.

Joe Lyon is a class action data privacy lawyer representing plaintiffs in and nationwide in a variety of personal data sharing litigation.

biometric data privacy

Biometric Data Misuse Litigation

Although some legislation protecting consumers from companies misusing their biometric data has been passed since 2008, class action lawsuits have not been filed until relatively recently. Companies have tried to shift away from potential legal trouble, but may are still toeing the line between legal marketing tactics and invasive schemes.

At the moment, only Illinois has passed biometrics legislation that provides for a private right of action, while Texas, Washington, California, New York, and Arkansas have passed biometric statutes only allow enforcement by the state attorneys general.

Who is buying my personal data?

A whole host of marketers and companies vying for your business. Companies like retailers and Facebook and Google collect a vast amount of data and sell it to third parties for various consumer tracking and marketing purposes. If that data is leaked, then other bad actors can use that info in more damaging ways.

What personal data can be collected and sold?


Please complete the form below for a FREE consultation.

  • This field is for validation purposes and should be left unchanged.


Joseph Lyon has 17 years of experience representing individuals in complex litigation matters. He has represented individuals in every state against many of the largest companies in the world.

The Firm focuses on single-event civil cases and class actions involving corporate neglect & fraud, toxic exposure, product defects & recalls, medical malpractice, and invasion of privacy.


The Firm offers contingency fees, advancing all costs of the litigation, and accepting the full financial risk, allowing our clients full access to the legal system while reducing the financial stress while they focus on their healthcare and financial needs.

photo of data privacy attorney Joe Lyon

Reviewing Data Sharing & Data Misuse Claims

Why are Data Privacy Cases important?

Without personal data privacy violation class actions, large corporate defendants would be able to cause small amounts of harm over a large group of individuals without any risk of monetary penalty. By holding companies accountable for safely storing your personal information, every consumer will have more control over how their data is used in the future. 


  • This field is for validation purposes and should be left unchanged.

Questions About Data Privacy Lawsuits

What to do if you are a victim of data Misuse
  1. Get confirmation of the data theft or misuse and collect as many details about the incident as possible. 
  2. Contact an attorney to investigate the complex litigation involved in data privacy lawsuits. 
  3. Try to find out what information was exposed and protect yourself as much as possible. 
  4. Talk to an attorney before accepting any settlement direct from a company. 
  5. Monitor your accounts and personal information closely. 
Can I get compensation for data theft?

Yes, in most cases. However, each case is different, but some recent lawsuits have proven to be quite valuable. In one data theft suit, Ohio Attorney General and attorneys general in other states obtained a $17.5 million settlement against The Home Depot due to a data breach in 2014. The settlement resolves a multistate data breach which exposed the payment card information of approximately 40 million Home Depot consumers.

The Home Depot data breach made vulnerable the company’s self-checkout point-of-sale system. In addition to the $17.5 million settlement, The Home Depot has agreed to improve network security and maintain data security practices in order to strengthen its data security program and protect the personal information of consumers.

Who is liable for data misuse?

Under current privacy law the firm or organization that is storing user data are responsible for data breaches and will pay any fines or damages that are the result of legal action. The actual data holder—an organization that provides cloud storage—is not usually legally implicated or held responsible in litigation. 

How can I prevent data misuse?

It’s not as easy as just alerting companies to stop collecting and selling your personal information, but you can take certain steps to protect yourself, including:

  • Opt out of data collection practices if possible
  • Review your credit report
  • Use strong and different passwords for all of your accounts
  • Do not offer your personal information unless necessary
  • Check bank accounts for suspicious activity
  • Limit how exposed you are on social media
  • Speak with a cybersecurity attorney
what is BIPA?

Lawmakers established the Illinois Biometric Information Privacy Act (BIPA) in 2008 in response to the growing use concern of biometric data misuse. The Act seeks to help regulate the “collection, use, safeguarding, handling, storage, retention, and destruction of biometric identifiers and information.”

According to the BIPA, biometric identifiers may include:

  • Retina or iris scan
  • Fingerprint
  • Voiceprint
  • Scan of hand
  • Face geometry

The BIPA addresses the retention, collection, disclosure, and destruction of personal biometric data. Private entities collecting biometric data must inform subjects of the data collection and provide the specific purpose and the length of the collection term. The subject must provide a written release.

Under the BIPA, any person harmed by a privacy violation has a right of legal action. Plaintiffs may recover damages of $1,000, and for intentional or reckless violations, up to $5,000 in liquidated damages or actual damages, whichever is greater.

What is a Class Action Lawsuit?

A Class Action is a lawsuit brought by an individual on behalf of all other similarly situated individuals. Rule 23 of the Federal and State Rules of Civil Procedure allows for Class Action lawsuits to resolve disputes in an efficient format.

Class Actions are typically filed when the amount of money in dispute for a single plaintiff would not justify litigating the case, but where the amount of damages of the entire class of Plaintiffs would justify the cost of litigation. Without class actions, large corporate defendants would be able to cause small amounts of harm over a large group of individuals without any risk of monetary penalty.

What are class action requirements?

In order for a case to be certified as a Class Action, the Court must determine that the case is appropriate for class action treatment under Rule 23. There are different elements depending on whether the case is seeking monetary or injunctive relief. In general, the Court must find the following elements are satisfied:

  • Numerosity: The proposed class must be so numerous that simply joining the individual plaintiffs would be impractical. Generally, the class size should exceed 100 individuals.
  • Common Questions of Law or Fact: The facts and/or legal questions in the dispute must be common to all class members. This does not mean all facts or issues must be identical, but the primary facts and law that will determine the issue in dispute must be common among all class members.
  • Typicality: The named Plaintiff in the case must have the same facts and legal issues as the class they are proposing to represent. If the Plaintiff’s individual case involves issues of fact or law unique to that Plaintiff and are irrelevant to the ultimate issue, class certification may be denied by the Court.
  • Plaintiff/Counsel Adequately Represents the Class: The Court must find that the Plaintiff and Plaintiff’s Counsel are competent and will protect the class’ interests.
  • Predominance: Common questions of fact predominate over individual facts.
  • Superiority: The Class Action is a more efficient and fair means of resolving the dispute. The Court will look at the following factors when making this determination: (1) Class Member interest in maintaining a separate action; (2) the extent of any litigation already begun by other class members; (3) desirability or undesirability of litigating the case in a particular Court ; (4) difficulties in managing the class.
When Should I contact The Lyon Firm?

Protecting sensitive personal information is getting more and more difficult, but that doesn’t mean it’s not possible. By forcing companies to become accountable for their lack of cybersecurity measures following data misuse and data breach incidents, consumers will have a more secure future.

Large companies control vast amounts of data, leaving nearly all Americans at risk when their personal data is compromised. If your financial, medical, or consumer information is misused, you may file a data privacy violation claim.

What are some examples of data privacy lawsuits?

The majority of BIPA lawsuits are filed against employers who utilize biometric timekeeping systems with fingerprint or facial recognition scans, and collect the employee biometric data.

Motorola, Clearview AI and Vigilant are facing legal action for allegedly collecting mugshots that were used by law enforcement. Microsoft, Amazon, Alphabet, and FaceFirst Inc. are alleged to have violated privacy laws by collecting photos for facial recognition data from the website, Flickr.

A proposed class action alleges Ring, LLC has failed to protect the privacy of its motion-activated cameras and the personal information of its customers. The complaint alleges Ring’s devices are rife with security vulnerabilities, which may compromise the personal data of existing and future customers.

Cyber criminals may have the potential to hack into Ring devices and home networks. The lawsuit aos brings to light the fact that Ring has shared users’ personal identifying information with third parties without first obtaining prior consent. The complaint says the devices are not well-equipped to deal with potential hacks.

Plaintiffs in the case want Ring to take additional security measures to protect the privacy of user accounts and installed devices, as well as stop sharing personal data without clear and informed consent.

Reports have surfaced that several user accounts and devices were hacked, and plaintiffs argue the company was late in addressing security issues.

Beyond the security issues, Ring permits third parties to track users, raising eyebrows from consumer safety and data privacy advocates.


Your Right to Justice

Learn About the Legal Process

Filing Class Action lawsuits is a complex and serious legal course and can carry monetary sanctions if proper legal course is not followed. The Lyon Firm is dedicated to assisting injured plaintiffs work toward a financial solution to assist in compensating for medical expenses or other damages sustained.

We work with law firms across the country to provide the most resources possible and to build your case into a valuable settlement. The current legal environment is favorable for consumers involved in data breach class actions, deceptive marketing lawsuits, TCPA telemarketing claims, and financial negligence claims.

Recent Class Action Cases

We work with law firms across the country to provide the most resources possible and to build your case into a valuable settlement. 

Data Breach & Privacy Lawsuits

Invasion of privacy law has been established to protect consumers and citizens of the United States. When companies are negligent and fail to protect consumer information, which can be used in malicious ways, victims can contact a class action attorney to represent them in class action data breach lawsuits. A number of privacy breach and data breach claims have been settled by The Lyon Firm and other consumer protection lawyers around the country.

Consumer Protection Class Action

Consumers have rights in the USA, and when companies do not provide a service they have promised, or hold up their end of a bargain, legal action may be necessary. Consumer protection attorneys work on your behalf to hold companies responsible for providing a fair and safe service.

The Lyon Firm has worked with law firms nationwide in consumer class actions involving deceptive marketing, false advertising, food mislabeling and misleading marketing claims.

TCPA Robocall Class Actions

TCPA lawsuits have become one of the most common kinds of legal claims. The TCPA Act provides privacy protection for consumers by restricting how companies and organizations can contact you by telephone. Robocall harassment and unfair debt collection has been a serious issue that has required lawsuits in order to keep telemarketing companies at bay.

If you have experienced telephone harassment by a bank, real estate company, hotel, political campaign or anyone else, you may have TCPA claim. The Lyon Firm works diligently to seek compensation for those harassed at their home or work.

Wage and Hour Lawsuits

Class action wage and hour lawsuits are always ongoing, as some employers fail to treat employees properly, and attempt to cut workers out of earned wages. Wage theft lawsuits can be valuable for a class of plaintiffs who believes their employer has cheated them out of overtime pay and other earned wages.

There have been several wage theft lawsuits and settlements that have compensated employees for the wages they have earned, as well as damages for emotional distress and punitive damages when an employer is negligent in treating workers in accordance to Ohio labor law.