May 15, 2026

Recent GenAI Class Actions Build on Early Successes and Break New Ground

Holland & Knight Cybersecurity and Privacy Blog
William F. Farley | Caitlin F. Saladrigas
Cybersecurity Blog 1

A July 15, 2025, Holland & Knight Cybersecurity and Privacy Blog post, "Up Next in Privacy Litigation: Consumer Class Actions Targeting Generative AI Tools," discussed the newly emerging trend of consumer privacy class actions targeting companies' use of generative artificial intelligence (AI) tools with which consumers interact. The main technology targeted in these suits are Generative AI (GenAI) tools used to provide customer service analytics that, according to plaintiffs, can transcribe and summarize conversations with customers and offer suggestions in real time. In the last six months, multiple courts have assessed whether such allegations are sufficient to survive motions to dismiss, and several new filings are targeting GenAI tools outside the customer call center context. Many – but importantly, not all – of those decisions have been favorable to the plaintiffs asserting these claims, seemingly laying a critical foundation for a proliferation of wiretap litigation attacking new and different types of GenAI technologies.

Foundational Recent Rulings Establish a Wiretap Foothold

Early rulings have confirmed that at least some GenAI tools can give rise to viable wiretap claims. These complaints invoked the California Invasion of Privacy Act (CIPA) §§ 631 and 632, framing AI vendors as third-party "eavesdroppers" that intercept, transcribe, analyze and use call contents in real time. Consistent with the website privacy advertising technology (AdTech) cases that have flooded dockets around the country, these cases often emphasized alleged nondisclosure of the vendor's participation and its capability or practice of leveraging data to improve its own models and services.

Although the GenAI privacy litigation trend is still in its infancy, the first notable court rulings are setting the stage for countless forthcoming cases. Much like the website AdTech area, no bright line rules have been established, and rulings are already coming out in favor of both plaintiffs and defendants.

Valencia v. Invoca (S.D. Cal.): Motion to Dismiss CIPA Claim Denied

On November 17, 2025, the U.S. District Court for the Southern District of California denied defendant Invoca's motion to dismiss in a GenAI call center tool class action brought under CIPA. The complaint alleged that Invoca's software records conversations of consumers that call its corporate client for support and feeds the conversations into an AI algorithm that returns processed data to the corporation in the form of dashboards, reports and searchable transcripts.

The court allowed CIPA claims to proceed, rejecting the contention that the analytics vendor was merely an extension of the company that received the phone call from the consumer. The court acknowledged the split in authority under CIPA as to whether a third-party company must actually use the data it obtains for its own purposes or only has to have the capability to use the data in order to sustain a claim. The court adopted the "mere capability" approach and found the allegations that Invoca has the capability to, and actually does, use the data for its own purposes to be sufficient. Thus, the court found allegations of undisclosed phrase-spotting, AI conversation analysis and sentiment detection – performed by a third party – sufficient to plead "eavesdropping," aligning with two other district court decisions in the Northern and Eastern districts of California.

Lisota v. Heartland Dental (N.D. Ill.): Dismissal on the Federal Wiretap Act

On January 13, 2026, the U.S. District Court for the Northern District of Illinois granted the defendants' motion to dismiss a wiretapping claim against call platform provider RingCentral and its customer Heartland Dental. Notably, the complaint only brought a claim under the federal Wiretap Act and not any state analogue such as CIPA. The complaint alleged that RingCentral's AI-powered telephone service captured and transcribed calls made to dental clinics supported by Heartland using speech recognition and language learning models to generate real-time transcripts, call summaries and sentiment analysis without the caller's knowledge or consent.

The court conducted an analysis on both standing merits grounds. The court first found that plaintiff had standing because her alleged injury – secret listening by RingCentral – was closely analogous to the common law tort of intrusion upon seclusion. Turning to the merits, the court dismissed the claim based on the "ordinary course of business" exception to the federal Wiretap Act. The ordinary course of business exception excludes from liability interceptions "by a provider of wire or electronic communication service in the ordinary course of its business." 18 U.S.C. § 2510(5)(a)(ii). Under that definition, the court found that RingCentral's real-time listening, transcription and AI analysis were essential to its core service as an "AI-powered business communications platform." Because the interception was necessary to facilitate – not incidental to – the provision of RingCentral's electronic communication service, it fell within the statutory exception. Crucially, the court found that the ordinary course of business exception applied in this scenario, regardless of whether it considered a narrow interpretation of the exception endorsed by plaintiff (which requires some nexus between the need for the alleged interception and the provider's ultimate business) or a broader interpretation endorsed by defendants (which "extends the exception to any actions taken in furtherance of a provider's 'legitimate business purposes.") See Lisota v. Heartland Dental, LLC, No. 25 CV 7518, slip op. at 6 (N.D. Ill. Jan. 13, 2026) (internal quotations omitted). The court distinguished cases involving targeted advertising informed by intercepted content, where the interception served separate business objectives rather than the core service itself. The dismissal was without prejudice.

Plaintiffs Construct New Theories and Eye New Targets

Though the call center cases continue to be filed, more recent cases are attacking different types of GenAI technology. Plaintiffs are beginning to target consumer-facing website features, as well as back-end analytics and training tools that may not be visible to the consumer:

  • Thele v. Google. Alleges Gemini "Smart features" were activated by default to analyze Gmail/chat/meet contents without informed consent, asserting CIPA, Stored Communications Act (SCA), California Comprehensive Computer Data Access and Fraud Act (CDAFA), intrusion on seclusion and California constitutional privacy claims
  • Khan v. Figma. Alleges training of AI on customer content by unilaterally opting its customers into "Content Training" defaults after changing its terms of service, asserting contract- and privacy-adjacent theories in a putative nationwide class
  • Saucedo v. Sharp Healthcare (Cal. Super. Ct.) and Stewart v. Kurien (Cal. Super. Ct.). Claims confident doctor-patient conversations during medical visits were recorded using "ambient AI" tools without consent and notes generated by the tool falsely state that patients were advised of and consented to the recordings; pleads CIPA, Confidentiality of Medical Information Act (CMIA), intrusion and emotional distress – issues readily translatable to institutional deployments

Companies looking to roll out consumer-facing GenAI tools should follow these cases, and any repetition or expansion of the underlying legal theories, closely.

Practical Implications and Forward-Looking Guidance

  • Federal vs. State Divergence. Early rulings may dictate where future cases are filed. The federal Wiretap Act's ordinary course of business exception may constrain federal claims where the platform's core service necessarily entails the use of AI tools. Thus, future filings may cluster in jurisdictions that can also support an analogous state wiretapping statute such as CIPA.
  • Beyond Calls. Plaintiffs are targeting AI embedded in consumer communications (Google's Gemini "Smart features") and AI training on user content (Figma), suggesting exposure for unannounced default settings and misalignment with prior privacy promises.
  • Healthcare Context Sensitivity. The Stewart and Sharp/Abridge complaints show that undisclosed "ambient AI" recording in clinical settings can trigger CIPA, CMIA and intrusion theories, compounded by alleged false consent entries.
  • Disclosure and Consent Architecture. Post-Valencia, expect scrutiny of whether callers were informed of a third-party analytics vendor's live participation and the nature of AI-driven analysis. Boilerplate "this call may be recorded" may not suffice where unannounced simultaneous analysis by a third party is alleged.
  • Vendor Contracts and Marketing. Plaintiffs' counsel mine vendors' marketing materials and websites for language about model training, analytics and transcription of communications to target technology that could implicate wiretapping statutes. Further, they also look for vendors that publicize their customers as a "short list" of future defendants.

Related Blog

Cybersecurity and Privacy Blog

Editors

Ashley L. Shively Mark H. Francis

Related Practices

Data Strategy, Security & Privacy Artificial Intelligence Artificial Intelligence Policy & Regulation Emerging Technologies Law and Policy Litigation and Dispute Resolution Class Action Litigation and Arbitration Consumer Protection Defense and Compliance

Related Industry

Technology & Telecommunications
Subscribe to Updates and Events
Click to Sign Up

Related Insights