First Circuit Five: Top 5 Class Action Decisions of 2025
A review of the year’s most impactful privacy, data breach, arbitration, and technology-driven class action rulings from the First Circuit and the District of Massachusetts.
The First Circuit and the District of Massachusetts issued consequential class action decisions in 2025 that are likely to shape the trajectory of privacy, data breach, arbitration, and technology-driven litigation for years to come. Several opinions narrowed popular plaintiffs’ theories at the pleading stage, while others reinforced Massachusetts as a challenging venue for early dismissal in data breach cases. Taken together, these rulings offer a roadmap for where class action litigation risk is tightening versus expanding. Below, we highlight the most meaningful decisions for the class action landscape this year.
1. Goulart v. Cape Cod Healthcare, Inc. (D. Mass. June 2025)
The Ruling. In a significant defense win amid the ongoing wave of website tracking technology litigation, the court in Goulart held that the crime-tort exception to the consent exemption under the Federal Wiretap Act, the Electronic Communications Privacy Act (ECPA), does not apply when website browsing data is collected for commercial purposes. The plaintiffs’ attempt to characterize routine data monetization as a tortious act was rejected at the pleading stage.
Why It Matters. Plaintiffs’ counsel have increasingly relied on the crime-tort exception to sidestep consent defenses to website technology “wiretap” claims, alleging that any undisclosed data sharing is inherently unlawful. Goulart forecloses that tactic. The court made clear that “commercial” does not equal “criminal” or “tortious” for purposes of the ECPA.
Key Takeaway. The Goulart decision, authored by Judge Stearns, provides a compelling framework for defending ECPA claims on a motion to dismiss where the alleged injury is nothing more than the commercial use or monetization of data. When paired with standing arguments, it allows defendants to attack both jurisdiction and liability early under the existing statutory framework.
2. In re: MOVEit Customer Data Security Breach Litigation (D. Mass. July 2025)
The Ruling. In a series of bellwether rulings issued by Judge Burroughs, the court largely denied motions to dismiss filed by software developers and contract vendors. The court held that plaintiffs sufficiently alleged Article III standing and negligence based on a duty to implement reasonable safeguards. For our complete analysis of the decision, see our prior post.
Why It Matters. These rulings reinforce the impact of the 2023 decision in Webb v. Injured Workers Pharmacy on data breach litigation within the First Circuit. Detailed allegations of increased risk, mitigation costs, and exposure of sensitive data were sufficient at the pleading stage to survive dismissal.
Key Takeaway. Within the First Circuit after Webb, motions to dismiss for lack of standing are no longer a sure path to early resolution in data breach class actions. For defendants, that means fewer early exits and a greater need to focus on litigation strategy beyond the threshold stage. For our recent analysis of the aftermath of Webb and its lasting impact on data breach litigation in the First Circuit, see our prior post.
3. Pizza Hazel, Inc. v. American Express Co. (D. Mass. Oct. 2025)
The Ruling. In Pizza Hazel, Judge Kelley adopted Magistrate Boal’s Report and Recommendation that the court deny a motion to compel arbitration. In its decision, the court refused to enforce an arbitration agreement after finding that the contract allowed unilateral amendment without adequate notice to class members. The defendant could not show that plaintiffs were informed of, or assented to, the revised arbitration terms. For our complete analysis of the decision, see our prior post.
Why It Matters. This decision underscores growing judicial scrutiny (within and outside of the First Circuit) of “rolling contracts” and of online terms that are unilaterally and frequently updated without robust notice mechanisms. These courts are increasingly unwilling to infer consent from silence or continued use without evidentiary support.
Key Takeaway. Companies should review arbitration clauses to confirm that any unilateral amendment process provides notice and an opt-out to counterparties and avoids retroactive effect. Companies that revise arbitration provisions should maintain reliable records demonstrating that specific users received notice and affirmatively or implicitly opted in. Without notice, arbitration enforcement is at serious risk.
4. Campos v. TJX Companies, Inc. (D. Mass. Jan. 2025)
The Ruling. In a decision by Judge Burroughs, the court granted a motion to dismiss a website tracking technology “spy pixel” class action for lack of Article III standing. The court concluded that the alleged data collection was too anonymous and commercial in nature to constitute a concrete intrusion. For our complete analysis of the decision, see our prior post.
Why It Matters. Campos signals that not all website tracking technology cases automatically satisfy standing, particularly where plaintiffs cannot plausibly allege individualized harm or meaningful invasions of privacy.
Key Takeaway. Campos pairs effectively with Goulart to inform a two-step defense strategy: first, the argument that there is no standing based on the absence of concrete harm; second, the argument that there was no statutory violation where the conduct involves routine commercial data practices consistent with reasonable expectations.
5. Therrien v. Hearst Television, Inc. (D. Mass. July 2025)
The Ruling. After earlier denying class certification on implied ascertainability grounds, the court granted summary judgment for the defense in this Video Privacy Protection Act (VPPA) case. The plaintiff failed to establish that he was a “subscriber” or that the data allegedly disclosed constituted personally identifiable information. For our complete analysis of the decision, see our prior post.
Why It Matters. Therrien represents a major defense victory in VPPA litigation. It demonstrates that even where plaintiffs survive standing challenges, they may still fail on class certification standards and the VPPA’s statutory elements—particularly subscriber status and PII.
Key Takeaway. The definition of “subscriber” remains a critical pressure point in VPPA cases. Many digital tracking claims falter where plaintiffs are merely casual website visitors. Defendants should challenge subscriber status early and consistently.
Looking Back on 2025: Lessons Leading into the Coming Year
The top 2025 class action decisions from the First Circuit and the District of Massachusetts reflect a litigation environment defined by sharp contrasts. Courts remain skeptical of overreaching privacy theories untethered to concrete harm, while simultaneously allowing certain data breach claims to proceed past the pleading stage. For defendants, success increasingly depends on targeted, issue-specific strategies—leveraging standing and statutory defenses early, and preserving class certification and merits defenses for later stages. Companies should consider reassessing notice and consent practices, data governance, and arbitration provisions in light of these evolving trends.