Blog Post

Jurisdiction Without Borders: How Online Data Collection Can Lead to Litigation Anywhere

  • LinkedIn icon
  • X/Twitter icon
  • Print icon

In May 2025, a major federal appellate court ruling redefined how courts analyze jurisdiction in the digital economy, giving businesses a new lens through which to view potential legal exposure across jurisdictions. The decision suggests that online tracking, data collection and embedded technologies, even without physical presence, may now be sufficient for courts to assert personal jurisdiction over out-of-state companies based solely on their digital activity.

The decision signals a shift that could reframe jurisdictional risk for digital businesses: companies may now be sued in a plaintiff’s home state based solely on how their technologies collect and use that individuals’ data. In other words, where users are located, and what a company’s technology is doing behind the scenes, could matter more to the overall data privacy risk landscape than where the company is incorporated or located.

In short, if a business collects, shares or monetizes user data across state lines, the scope of potential exposure has changed. 

There are several key legal shifts organizations should be aware of, including:

  • Courts are increasingly willing to assert jurisdiction based solely on online activities.
  • Geolocation and behavioral data collection are becoming central to the jurisdiction analysis.
  • The focus is shifting to whether companies knowingly collect data from users in a given state.
  • Litigation risk now extends across jurisdictions, wherever users are affected, regardless of physical presence.
  • State-level consumer protection enforcement is being actively reinforced in the courts.

These changes broaden litigation risk for data-driven and digital businesses, including:

  • E-commerce platforms
  • Adtech and martech vendors
  • Software as a service and analytics providers
  • Media and streaming companies
  • Retailers and brands using tracking tools

Digital risk mitigation

Given this backdrop, there are numerous proactive steps organizations can take to mitigate risk before a legal matter arises. These include:

  • Map the digital risk surface
    • Inventory all pixels, tags, and trackers across company websites and applications.
    • Identify what user data is being collected, which jurisdictions it touches and which parties it is shared with.
    • Evaluate whether any company platforms collect IP addresses, GPS data or other location-based signals and assess whether suppression or anonymization can enhance compliance with federal and state-level data privacy laws.
  • Revisit consent and disclosure
    • Confirm that consent banners are enforceable and jurisdictionally appropriate.
    • Ensure that consent choices are enforced at the tag level through a tag management system.
    • Align the privacy policy with actual data flows, not just intentions.
  • Clarify adtech roles and contracts
    • Review contracts to define the organization’s role and the role of providers by controller, processor or joint controller.
    • Re-examine indemnities, data-sharing and jurisdiction clauses.
    • Ensure contracts align with the real behavior of integrated technology.
  • Monitor for “silent” jurisdiction creep
    • Identify potential legal exposure from personalization, retargeting or user activity logging, and apply rigorous review.
    • Assess jurisdictional risk based on actual technology behaviors, not only where the organization operates.
  • Prepare a litigation response framework
    • Anticipate scrutiny from plaintiffs and regulators who are closely tracking these rulings. Being prepared is critical.
    • Build a defensible position early to reduce risk if the organization must justify its practices in court later.

Expert support 

FTI Technology helps to bridge legal risk, data architecture and platform operations across digital operations, advertising and marketing. Experts who have supported dozens of adtech and pixel remediations and response to high stakes litigations related to data privacy and adtech violations are available to provide:

  • Technical audits of trackers, cookies and other technologies that may collect or share customer data
  • Litigation-readiness programs for a wide range of data protection laws including the General Data Protection Regulation, the California Consumer Privacy Act, the Video Privacy Protection Act and more
  • Consent framework validation and enforcement
  • Cross-platform risk scoring and forensic testing
  • Forensic visibility into jurisdictional exposure

Recent legal developments represent a system catching up to the realities of modern data infrastructure and digital commerce. Data privacy programs that continue to assume jurisdiction rests solely on location and intent, rather than interaction, are due for a reset. FTI Technology helps clients get ahead of these emerging risks with precision, speed and solutions built for litigation-readiness.

Related topics:
Data Privacy

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.

Related Solutions