📋 Case Overview
Type: Roundup — Privacy, Data & TCPA Class Actions
Updated: May 2026
Cases Covered: 4
Verticals: Website Tracking · Data Breach · AI Privacy · State Privacy Law

Digital privacy litigation is accelerating in 2026. From major restaurant chains allegedly ignoring opt-out requests to banks failing to secure sensitive financial data, a new wave of class action lawsuits is putting consumer data rights at the center of the legal landscape. Meanwhile, courts and regulators are grappling with novel questions about artificial intelligence, third-party vendors, and what it actually means to comply with state privacy law.
Here is a look at four significant developments in data privacy and class action litigation that consumers and legal observers should be watching right now.
Case Status: Newly Filed
Who May Be Affected: Users who visited Papa John's website and declined cookie tracking
Data at Issue: Browsing behavior, user activity
According to a recent class action filing covered by Top Class Actions, Papa John's is facing a new lawsuit alleging the company continued to track users' data even after those users explicitly rejected cookies on the company's website.
The complaint alleges that Papa John's deployed tracking technology that collected and transmitted user data regardless of whether visitors opted out of cookies — a practice the lawsuit claims violates consumer privacy rights. According to the filing, this type of tracking may occur through third-party scripts embedded in the site that operate independently of a user's cookie preferences.
The case touches on a growing legal theory: that cookie consent banners, if not properly enforced on the backend, may be functionally meaningless — and potentially deceptive. Plaintiffs in similar cases have argued that companies cannot present users with a choice they are not actually honoring.
What to watch: Whether the court finds that alleged post-opt-out tracking constitutes a cognizable legal harm will be central to this case's viability.
Case Status: Newly Filed Class Action
Who May Be Affected: Citizens Bank customers whose personal information may have been compromised
Data at Issue: Personally identifiable information (PII), potentially including financial data
A recently filed class action lawsuit alleges that Citizens Bank failed to adequately protect the sensitive personal information of its customers, resulting in a data breach that exposed highly sensitive personally identifiable information, according to reporting from Top Class Actions.
The lawsuit alleges that Citizens Bank did not implement sufficient security measures to safeguard customer data and that the breach could have been prevented with reasonable data security practices. The complaint claims that affected customers now face an elevated risk of identity theft, financial fraud, and related harms.
Data breach lawsuits of this type frequently cite a defendant's alleged failure to encrypt data, monitor for unauthorized access, or notify affected individuals in a timely manner. Courts have increasingly required plaintiffs to demonstrate concrete harm — such as actual fraudulent charges or documented identity theft — to establish legal standing, following the U.S. Supreme Court's 2021 ruling in TransUnion LLC v. Ramirez.
What to watch: The scope of exposed data and the bank's notification timeline will likely shape the litigation's trajectory.
Case: Woodard v. OpenAI, Inc., Mixpanel, Inc., Case No. 3:25-cv-10301 (N.D. Cal.)
Case Status: Filed; early litigation stage
Who May Be Affected: Users of platforms that use Mixpanel's analytics tools
Data at Issue: User behavior data allegedly processed using AI
A lawsuit filed in the Northern District of California is drawing significant attention from privacy law practitioners as what may be an early signal of a new category of data litigation: AI-driven data collection claims.
According to analysis published on the Alston & Bird Privacy, Cyber & Data Strategy Blog, the plaintiffs in Woodard v. OpenAI allege that analytics company Mixpanel uses artificial intelligence technologies developed by OpenAI to collect and process user data. The case raises questions about whether the use of AI tools in the analytics pipeline creates new or heightened privacy obligations — and whether existing arbitration clauses are enforceable in this context.
The lawsuit highlights the rapid convergence of AI vendor relationships, third-party data processing, and individual user rights. As AI becomes embedded in more data infrastructure, legal experts suggest this case could serve as a template for a broader wave of AI-assisted tracking claims.
This type of litigation is still developing, and courts have not yet established clear precedent on how traditional privacy frameworks apply when AI is part of the data collection chain.
What to watch: How the court addresses the intersection of AI, vendor liability, and arbitration agreements in a privacy context.
Case Status: Settled (September 2025)
Penalty: $1.35 million
Who Is Affected: Businesses subject to the California Consumer Privacy Act (CCPA)
While not a class action, a California Privacy Protection Agency (CalPrivacy) enforcement action settled in September 2025 is having ripple effects across corporate legal and compliance departments — and may foreshadow future private litigation.
According to analysis from Seyfarth's Global Privacy Watch, the $1.35 million settlement — the largest CCPA penalty to date — included a notable allegation: the company had failed to amend or enter into required data protection contracts with third-party vendors. Under California's privacy framework, businesses that share consumer data with service providers are required to have written contracts that govern how that data is handled.
The agency's decision to itemize vendor contracting failures as a discrete grievance signals that regulators view these agreements as substantive compliance obligations — not paperwork formalities. Privacy law practitioners have noted that this enforcement posture could expose companies to both regulatory action and civil class action claims if vendor data-sharing arrangements are not properly documented and enforced.
What to watch: Whether plaintiffs' attorneys begin incorporating CCPA vendor contract failures into consumer class action theories in California and other states with similar requirements.
InjuryClaims.com reports on class action lawsuits and legal developments. Nothing on this page constitutes legal advice. Eligibility for any settlement or lawsuit depends on individual circumstances, which only a qualified attorney can evaluate.