The amount you can sue for invasion of privacy varies significantly depending on the type of violation, applicable law, and whether you’re pursuing an individual claim or class action. Statutory damages can range from $5,000 per violation under California law to $500,000 per violation under federal privacy statutes, while class action settlements have reached into the billions—with some individual class members receiving as little as $0.30 or as much as $35 per person.
In December 2025, approximately 98 million Google users won a $425.7 million verdict for unlawful data collection, demonstrating the substantial financial consequences companies face when they violate privacy rights at scale. The specific amount you can recover depends on whether your case falls under state or federal law, the nature of the privacy violation (unauthorized tracking, biometric data collection, breach notification failures), and whether you’re part of a class action or pursuing individual damages. Understanding these thresholds and recent precedents is essential because privacy litigation is rapidly evolving—legal experts predict a surge in website tracking lawsuits in 2026, and new legislation like California’s proposed SB 690 could reshape damage calculations.
Table of Contents
- What Are the Statutory Damage Amounts for Invasion of Privacy?
- How Large Are Recent Privacy Settlements and Verdicts?
- What Factors Determine Your Invasion of Privacy Damages?
- How Do Class Actions Compare to Individual Invasion of Privacy Lawsuits?
- What Limitations and Challenges Affect Privacy Damage Awards?
- What Must You Prove to Win an Invasion of Privacy Claim?
- What’s the Future of Invasion of Privacy Litigation and Damage Awards?
- Conclusion
What Are the Statutory Damage Amounts for Invasion of Privacy?
California’s Invasion of Privacy Act (CIPA) provides the clearest statutory framework, allowing plaintiffs to recover $5,000 per violation or three times the actual economic damages, whichever is greater. This means a single company that violates your privacy through unauthorized website tracking could owe thousands per day of violation. Under the Federal Stored Communications Act (part of the Electronic Communications Privacy Act), damages are $100 per day of violation or $10,000 total, whichever is greater—a lower threshold than CIPA but still substantial when violations persist over months or years.
Federal privacy statutes can provide even higher recovery amounts: $500,000 per violation or the greater of actual damages, plus reasonable attorney’s fees. These federal claims typically apply to egregious violations like unauthorized wiretapping, unlawful access to communications, or systematic collection of biometric data. The difference between state and federal statutory damages is significant—a company violating your privacy for six months could face $18,000 in damages under ECPA ($100 × 180 days) but potentially millions under federal privacy law, especially in a class action context.
How Large Are Recent Privacy Settlements and Verdicts?
Recent years have seen record-breaking settlements that illustrate the potential financial exposure for companies that violate privacy rights. The $425.7 million verdict awarded to Google users in December 2025 represents one of the largest jury verdicts for unauthorized data collection, while Meta settled with Texas for $1.4 billion in 2024 over biometric data violations involving facial recognition. These aren’t isolated incidents—Capital One paid $190 million to settle a 2019 data breach affecting 100 million people, and Disney+/Hulu/ESPN+ paid $2.75 million for violations related to opt-out failures.
More recent settlements show the trend continuing upward. Fubo settled VPPA and CIPA violations for $3.4 million in July 2025, and Kaiser faced a settlement of $46-47.5 million for a privacy breach. However, these headline figures can be misleading when applied to individual class members. Historical analysis shows that settlement payments per user range from as low as $0.30 (Ashley Madison, 2015) to $35 per user (Facebook, 2019)—meaning even in a $425 million settlement, individual recovery depends heavily on the total number of class members and the actual distribution formula.
What Factors Determine Your Invasion of Privacy Damages?
The amount of damages you can recover depends on several factors: the type of privacy violation, the duration of the violation, whether you suffered actual economic damages or just statutory damages, and the defendant’s conduct (whether it was negligent or intentional). A company that collects your biometric data without consent faces different exposure than one that fails to properly notify you of a data breach. Intentional violations typically result in higher awards than negligent ones, and violations affecting millions of people create larger class actions with significant total damage exposure.
The number of violations matters significantly, particularly under CIPA. If a company violated your privacy on multiple occasions or across different tracking mechanisms, you may have multiple violations that multiply the statutory damage amount. Additionally, courts consider whether you suffered tangible harm—identity theft, fraud, emotional distress, or loss of income from the violation. If you can prove actual damages (for example, fraudulent charges resulting from a data breach), many statutes allow you to recover the greater of statutory damages or actual damages plus attorney’s fees, providing additional leverage in settlement negotiations.
How Do Class Actions Compare to Individual Invasion of Privacy Lawsuits?
Class actions dominate privacy litigation because they allow millions of affected individuals to combine their claims into a single lawsuit with significant bargaining power. The Google verdict of $425.7 million would be impossible to achieve through individual lawsuits—the scale makes it economically feasible for attorneys to pursue the case. In class actions, each class member typically receives a small payment (often between $5 and $50) plus attorneys’ fees that can total millions.
Your individual recovery is limited by the total settlement divided among all class members, but you gain access to justice you couldn’t afford individually. Individual invasion of privacy lawsuits are rare because most single-victim cases don’t generate damages large enough to justify litigation costs. However, if you suffered substantial economic damages from the privacy violation—for example, identity theft losses exceeding $10,000, fraudulent credit lines, or significant emotional distress—an individual case may be viable. The tradeoff is clear: class actions provide access to claims but typically result in modest individual payouts, while individual suits require higher damages to be economically viable but could theoretically recover 100% of your losses plus additional statutory damages.
What Limitations and Challenges Affect Privacy Damage Awards?
One critical limitation is that statutory damage thresholds are under legislative pressure to decrease. California’s SB 690, proposed in 2025, would have limited CIPA’s scope by adding a “commercial business purpose” carve-out for website tracking. Although the measure passed the California Senate unanimously, it stalled in the Assembly and is expected to resurface in the 2026 session. If such legislation passes, the $5,000 per-violation threshold could be reduced or eliminated for routine tracking, substantially lowering potential damages for common privacy violations.
Another limitation is the requirement to file claims within statute of limitations windows, which vary by state and claim type (typically 2-4 years). Additionally, companies can argue that violations resulted from technical errors rather than intentional misconduct, which can reduce damages in some jurisdictions. Many privacy cases settle before trial, meaning you won’t receive the full statutory amount—you’ll receive the negotiated settlement value. Finally, if a company is judgment-proof (lacks sufficient assets), even a favorable court decision won’t result in payment, making settlement negotiations before trial critically important.
What Must You Prove to Win an Invasion of Privacy Claim?
To establish an invasion of privacy claim, you typically must prove that the defendant intentionally or negligently violated your privacy expectations without valid consent or legal justification. For data collection cases, this means showing that the company collected personal information without your informed consent or in violation of its own privacy policy. For data breach claims, you must demonstrate that the company failed to implement reasonable security measures. The burden varies—CIPA cases require proof of an actual violation and knowledge of the defendant’s actions, while some federal claims only require showing negligent handling of personal information.
Courts increasingly recognize that statutory damages don’t require proof of actual harm. This is significant because it means you can recover $5,000 per violation under CIPA even if you suffered no financial loss or identity theft. However, you must prove the violation occurred—which requires technical evidence showing tracking, data collection, or unauthorized access. Documentation is critical: privacy policy screenshots, device logs, settlement notifications, credit reports showing fraud, and expert analysis of cookie data or biometric collection.
What’s the Future of Invasion of Privacy Litigation and Damage Awards?
Legal experts predict website tracking privacy lawsuits will surge in 2026, driven by the emerging case law from recent mega-settlements and growing consumer awareness of data collection practices. The pending legislation and recent verdicts suggest courts and lawmakers are taking privacy violations seriously, but the trajectory of damages is uncertain.
While the $425.7 million Google verdict shows juries are willing to award substantial amounts, legislative efforts to limit CIPA’s scope indicate that damage thresholds may decrease in the coming years. The evolution of privacy law will likely follow a pattern seen in other consumer protection areas: early mega-verdicts establishing precedent, followed by legislative backlash and attempts to cap damages, resulting in a stabilization of recovery amounts. For now, invasion of privacy damages remain among the most generous in consumer litigation, with both statutory and actual damages available depending on jurisdiction and violation type.
Conclusion
Invasion of privacy lawsuits can result in recovery ranging from $5,000 to $500,000 per violation under statutory frameworks, though class action settlements typically distribute smaller amounts per individual. Recent verdicts demonstrate that courts are willing to hold companies accountable for systematic privacy violations at scale—the $425.7 million Google verdict and $1.4 billion Meta settlement represent watershed moments in privacy litigation. However, your actual recovery depends on whether you participate in a class action (which may yield $5 to $50 per person) or pursue an individual claim (which requires higher damages to be economically viable).
If you believe your privacy has been violated through unauthorized tracking, biometric data collection, or inadequate breach notification, documenting the violation and consulting with a privacy attorney is essential. The landscape is shifting rapidly, with legislation potentially limiting future damage awards even as courts currently recognize the seriousness of privacy violations. Understanding both the potential recovery amount and the limitations of current law will help you make informed decisions about pursuing a claim.