A new era for Privacy Act litigation?

Over the past three months, sweeping changes at every level of the federal government have raised new concerns about data privacy. The rapid turnover in agency leadership and restructuring of key departments have led to speculation that Americans' personal data is at greater risk of unlawful disclosure.
Recent lawsuits suggest these concerns may be well-founded. Several federal agencies are already facing litigation over alleged unauthorized data-sharing, including with Elon Musk’s newly established Department of Government Efficiency ("DOGE"). Many of these lawsuits allege violations of the Privacy Act of 1974 (“Privacy Act”).
The Privacy Act, passed in the wake of Watergate, was designed to restore public trust in the government’s ability to safeguard personal data. It limits federal agencies' ability to disclose private information without consent and provides individuals with a cause of action for damages when those protections are violated.
With emerging lawsuits challenging how government agencies handle personal data, the Privacy Act is being tested as a tool to hold the federal government accountable. As courts weigh these cases, the outcomes could reshape privacy litigation and class actions against the federal government.
For plaintiffs’ attorneys, these developments signal that Privacy Act violations could present new opportunities for litigation. As federal agencies come under scrutiny for improper data-sharing, attorneys should be evaluating whether potential plaintiffs, including government employees, individuals receiving federal benefits, or anyone whose sensitive information is held by the government, may have viable claims.
Privacy Act requirements

Codified at 5 U.S.C. § 552a, the Privacy Act dictates how the government must store records with private information, who can access those records, and under what circumstances the government can disclose private information. Subject to some exceptions, the Privacy Act prohibits the disclosure of any individual’s private information without “prior written consent.”
Specifically, the Privacy Act prohibits the disclosure of “records” including “education, financial transactions, medical history, and criminal or employment history that contains [an individual’s] name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.”
According to the Privacy Act, US citizens and lawful permanent residents may also request access to their information. In addition to these provisions, agencies must comply with various procedural and reporting requirements, which fall outside the scope of this article but remain critical to ensuring compliance with the law.
Private cause of action under the Privacy Act
The Privacy Act provides a private cause of action for damages, acting as a waiver of sovereign immunity, for a violation that has an “adverse effect” on an individual. It allows recovery of “actual damages,” with a minimum recovery of $1,000, as well as reasonable fees and costs.
If a violation of the Privacy Act is adequately alleged, then plaintiffs must meet the following three elements to recover:
- Intentional or willful violation: The agency must have intentionally or willfully violated the Privacy Act’s requirements.
- Actual damages: Plaintiffs must show real financial harm.
- Causation: Plaintiffs must demonstrate that the agency’s violation caused their damages.
Key Privacy Act cases that have shaped its interpretation

While the Privacy Act establishes strict guidelines for handling the public’s personal data, its impact has largely been defined by litigation. Over the years, courts have clarified what constitutes a violation, what damages plaintiffs can recover, and how agencies can be held accountable. Several high-profile cases have had significant influence on how the Privacy Act is enforced and interpreted today.
The following 3 cases illustrate the evolving application of the Privacy Act and highlight critical legal precedents that continue to inform current and future litigation.
Doe v. Chao, 540 U.S. 614 (2004)
Plaintiffs sued the Department of Labor for disclosing their Social Security numbers in violation of the Privacy Act. Plaintiffs sought certification of a class of claimants to a Black Lung benefits program who had their private information revealed by the government to third parties.
The question before the Court was whether the Privacy Act requires “actual damage” to receive the statutory minimum of $1,000. The Court held that “the minimum guarantee goes only to victims who prove some actual damages.” The Court did not define “actual damages,” noting a circuit split at the time, but held that plaintiffs had nevertheless failed to allege any cognizable damages. In FAA v. Cooper, 566 U.S. 284 (2012), the Court later held that actual damages were “limited to proven pecuniary or economic harm.”
In re U.S. Office of Personnel Management Data Security Breach Litigation, 928 F.3d 42 (D.C. Cir. 2019)
In 2014 and 2015, OPM experienced a massive data breach, exposing the personal information of over 21 million federal employees, including Social Security numbers, addresses, fingerprints, and background-check details.
Plaintiffs brought class-action cases against OPM and its contractor KeyPoint, which were consolidated in the US District Court for the District of Columbia. Plaintiffs alleged that OPM “willfully failed” to secure their private information in violation of the Privacy Act. On appeal, the D.C. Circuit found that Plaintiffs had stated a claim under the Privacy Act, which waived the government’s sovereign immunity.
The court held that allegations of financial losses from instances of identity fraud, fees to close accounts, and payments for credit repair and protection services were “actual damages” under the Privacy Act.
In 2022, OPM and KeyPoint reached a class-wide settlement for $63 million.
Rice v. United States, 211 F.R.D. 10 (D.D.C. 2002), disapproved, 245 F.R.D. 3 (D.D.C. 2007)
The Court certified a class of ranchers whose “personal financial information” derived from permit applications was released by the US Forest Service to an environmental group pursuant to the Freedom of Information Act without adequate redactions.
The Court reasoned that because “the proposed class seeks only the statutory minimum of $1,000 in damages for its members, and because the proof of damages for emotional distress need be only ‘minimal,’ the determination of damages for putative class members would not be a complicated matter,” and was suitable for class certification.
However, in 2007, the court decertified the class for failure to state “actual damages,” holding that “cursory descriptions of emotional harm” were insufficient to state a claim under the Privacy Act.
Emerging Privacy Act litigation to watch

While these cases set key precedent, new lawsuits have been filed in response to alleged unauthorized data sharing within the federal government. If these cases succeed, they could establish new legal standards for liability under the Privacy Act, offering plaintiffs’ attorneys fertile ground for future class actions.
Gribbon et al. v. Musk et al. (D.D.C. No. 25-cv-422)
On February 12, 2025, plaintiffs sued Elon Musk, Scott Bessent, OPM, and the Department of the Treasury alleging Privacy Act violations and seeking damages. Plaintiffs are six individuals who allege the government has received their private data through tax returns, federal student loans, or government benefits.
Plaintiffs allege that OPM and the Treasury Department “had a duty to deny access to Defendant Musk and his DOGE employees unless they had the proper credentials or authority. Instead, Defendants permitted a major security breach of highly sensitive private information.” Each plaintiff alleges that they purchased credit or identity protection services in response to the alleged violations. In addition to Privacy Act violations, plaintiffs bring claims under the Computer Fraud and Abuse Act.
Nemeth-Greenleaf et al. v. U.S. Office of Personnel Management et al. (D.D.C. No. 25-cv-407)
On February 11, 2025, plaintiffs, all federal employees, sued the OPM, the Department of the Treasury, and senior officers of those agencies for violations of the Privacy Act. Plaintiffs state that “Defendants’ failure to protect government employees’ privacy is the biggest breach of American trust by political actors since Watergate.”
All plaintiffs allege that their data had been compromised and that they bought identity theft protection and monitoring services in response to the alleged violations. Plaintiffs bring a single claim under the Privacy Act seeking actual and statutory damages, among other forms of relief.
American Federation of Teachers et al. v. Scott Bessent et al. (D. Md. No. 25-cv-430)
In another major Privacy Act case last month, the American Federation of Teachers and other labor organizations and federal employees filed a lawsuit against the US Departments of the Treasury, Education, and the OPM. The lawsuit claims that these agencies unlawfully disclosed sensitive personal information of millions of Americans to individuals affiliated with DOGE and seeks injunctive relief.
On February 24, 2025, the U.S. District Court for Maryland issued a Temporary Restraining Order (“TRO”) against the majority of the defendants. The TRO enjoins relevant defendants from disclosing “the personally identifiable information of the plaintiffs and the members of the plaintiff organizations to any DOGE affiliates.”
Using legal tech to uncover data privacy violations

Upon the passing of the Privacy Act in 1974, Senator Sam J. Ervin remarked that “the effect on the right to privacy of massive information-gathering and dissemination through the use of sophisticated computer technology is just beginning to be realized.”
In 2025, his words continue to be relevant and timely.
As allegations against the federal government increase for collecting, storing, and sharing personal data, Privacy Act litigation has the potential to become an important cause of action for protecting individuals’ privacy. Plaintiffs’ attorneys who stay ahead of these cases may find new opportunities to hold government agencies accountable, seek damages for affected individuals, and shape the next generation of privacy law.
However, violations may go undetected because the relevant data is buried within complex systems and vast repositories of public records.
This is where Darrow steps in.
Darrow’s Legal Intelligence Platform uses a combination of AI-powered anomaly detection algorithms and human expertise to identify potential breaches of privacy laws by scanning, evaluating, and clustering publicly available data. We partner with plaintiffs’ attorneys to uncover and pursue high-value data privacy violations, ensuring that unauthorized disclosures don’t escape legal scrutiny.
Beyond case discovery, our in-house legal consultants and data privacy experts provide ongoing strategic support, helping firms refine claims, anticipate defenses, and increase their chances of securing favorable resolutions. With Darrow, attorneys can focus on building strong arguments and driving meaningful change in data privacy enforcement and litigation.