Federal judge rules Index Exchange must face wiretap suit over Temu data
A federal judge ruled that ad-tech firm Index Exchange must face a class-action lawsuit alleging it violated the Electronic Communications Privacy Act. The suit claims the company intercepted user web activity on BibleGateway.com and illegally transmitted it, alongside IP addresses and device identifiers, to Chinese e-commerce platform Temu. The ruling allows the case to proceed under an exception to the wiretap law, despite the publisher's implicit consent.
Key Takeaways
- Judge Matthew Kennelly allowed the case to proceed based on the wiretap law’s exception where consent is invalid if intent involves a crime or civil wrong.
- The complaint alleges transmissions to Temu violate 2024 executive orders and 2025 regulations (BSD regulations) banning sensitive data transfers to China.
- Index Exchange's defense cited its Canadian base, but the court noted allegations that key decision-makers and officers are located within the United States.
- Data allegedly intercepted include IP addresses, browser info, and advertising identifiers linked to parent company PDD Holdings' affiliate Temu.
Why It Matters
This ruling significantly raises the legal risk for Supply-Side Platforms (SSPs) by challenging the 'publisher consent' defense that has historically shielded ad-tech from wiretap claims. By linking the Electronic Communications Privacy Act to recent executive orders on national security and data sovereignty, the court is creating a new regulatory front where standard programmatic processes like cookie syncing can be classified as illegal interceptions if the recipient is a 'country of concern.' For the streaming and digital media ecosystem, this signals that technical compliance now requires geopolitical auditing of every demand-side partner. Closely monitor the June 23 status report for further discovery on whether Temu’s ownership structure triggers these specific federal bans.
Additional Context
The litigation against Index Exchange is part of a broader wave of legal challenges targeting the programmatic advertising supply chain under decades-old privacy statutes. Per the National Law Review in October 2025, a parallel class action, Porcuna v. Xandr, was filed in California alleging similar unlawful data interceptions and transfers to Chinese entities. These cases specifically leverage the 2025 Final Rule issued by the Department of Justice, which implemented President Biden’s Executive Order 14117. As reported by Davis Polk in January 2025, that rule effectively designated China, Russia, and Iran as 'countries of concern' and prohibited U.S. persons from knowingly engaging in bulk sensitive data transactions with them.
While many ad-tech firms have successfully dismissed wiretap suits by pointing to 'one-party consent' from the website publisher, this Illinois ruling signals a shift toward the 'crime/tort' exception. According to analysis from Inside Class Actions in January 2026, while some California courts have dismissed pixel-tracking suits due to explicit cookie banners, the focus is now moving toward whether the underlying data transfer violates national security regulations. This is particularly relevant as the Department of Justice’s 'Data Security Program' ended its initial grace period in July 2025, leaving companies exposed to civil and criminal penalties for non-compliance.
The case also highlights the jurisdictional complexities of the global ad-tech market. Index Exchange is officially headquartered in Toronto, Canada, but the court's refusal to dismiss indicates that having U.S.-based operations or decision-makers may be enough to trigger domestic liability. Per reporting from MediaPost in June 2026, the court is currently evaluating the role of U.S.-based employees in directing these specific data flows. As programmatic auctions happen in milliseconds across borders, the industry is now forced to reconcile real-time bidding efficiency with rigid cross-border data restrictions.
Read full article at mediapost.com
