Federal Judge Lets Wiretap Claim Against Index Exchange Proceed Over Data Sent to Temu (2026)
Federal Judge Lets Wiretap Claim Against Ad-Tech Firm Index Exchange Proceed Over Data Sent to Temu
A federal judge in Chicago has refused to dismiss a Federal Wiretap Act claim accusing the advertising technology company Index Exchange of intercepting a user's website activity and transmitting it to the China-linked retailer Temu. The court held that one party's consent may not shield the conduct because of the wiretap law's crime or tort exception.
Information last verified on June 21, 2026. This is a developing story; we update it as the record changes.
Status: The court denied a motion to dismiss in mid-June 2026, an early-stage ruling that the plaintiff's allegations are legally sufficient. It is not a finding of liability, and the case (No. 1:25-cv-10517, N.D. Ill.) continues.
Jurisdiction scope: This article addresses a federal ruling under the Federal Wiretap Act and the one-party consent rule it applies. It does not address state two-party consent statutes or give individualized advice. For the underlying law, see the Federal Wiretap Act and ECPA guide and the one-party consent states guide.
What Happened
In Baker v. Index Exchange, Inc., No. 1:25-cv-10517, filed in the U.S. District Court for the Northern District of Illinois and assigned to Judge Matthew F. Kennelly, the court denied Index Exchange's motion to dismiss in mid-June 2026. Index Exchange is a supply-side digital advertising platform. The plaintiff, John Baker, alleges that when he visited BibleGateway.com, Index Exchange used tracking technology to capture his interactions and personal information, including his IP address, cookie identifiers, advertising identifiers, and details about his devices and browsers, and transmitted that data to Temu, a retailer tied to the Chinese company PDD Holdings.
Baker brought a claim under the Federal Wiretap Act, part of the Electronic Communications Privacy Act. Index Exchange argued the case should be dismissed because the website itself consented to any interception, which under the statute's one-party consent rule would ordinarily defeat the claim. The court rejected that argument at the pleading stage.
Judge Kennelly wrote that "even if BibleGateway.com consented to the interception of its communications with Baker, he has sufficiently alleged that the crime/tort exception applies based on Index Exchange's alleged violation of the BSD regulations," referring to the Department of Justice's Bulk Data rule. The court was clear that the ruling is preliminary. It noted unresolved factual questions, including whether the restriction on data transfers applies to Temu, and it allowed the wiretap claim to proceed rather than deciding the merits.
What the Law Actually Says
The Federal Wiretap Act, 18 U.S.C. section 2511, makes it unlawful to intercept electronic communications, with several exceptions. The most important for everyday recording and tracking questions is the one-party consent rule in section 2511(2)(d): it is not unlawful for a person to intercept a communication where that person is a party to the communication or where one of the parties has given prior consent, unless the interception is for the purpose of committing a criminal or tortious act. That last clause is the crime or tort exception, and it is the hinge of this ruling.
The practical effect is that consent is not an unconditional shield. When a defendant argues that a website or one participant agreed to the interception, a plaintiff can still proceed by plausibly alleging that the interception was carried out to further an independent crime or tort. Here, the alleged independent violation is the Department of Justice's Bulk Data rule, codified at 28 CFR Part 202, which implements Executive Order 14117. That rule restricts and in some cases prohibits transfers of Americans' bulk sensitive personal data to countries of concern, a list that includes China, and the National Security Division enforces it.
The court did not decide that Index Exchange violated the Bulk Data rule or the Wiretap Act. It held only that, taking the allegations as true, the plaintiff stated a claim because the alleged data transfer could supply the unlawful purpose that strips away the one-party consent defense. The relationship between two distinct legal regimes is what makes the decision notable: a national-security data-transfer rule is being used to satisfy the crime or tort element of a wiretap claim against an ordinary advertising vendor.
Analysis: Why This Matters
The following is analysis from the Recording Law Editorial Team.
Most Americans encounter one-party consent as the rule that lets a person record their own phone call or conversation in much of the country. This ruling is a reminder that the same statutory framework governs digital interception, and that the consent defense built into it has a limit many people overlook. The crime or tort exception has always been part of section 2511(2)(d), but it is being deployed in a new way: not to address a wiretap aimed at blackmail or fraud, the classic examples, but to address routine web tracking that allegedly fed a prohibited cross-border data transfer.
For website operators and the ad-tech vendors they embed, the decision signals litigation exposure that does not turn on whether the site agreed to the tracking. If a plaintiff can tie the data flow to an independent legal violation, consent from the site may not end the case at the motion-to-dismiss stage. The Department of Justice's Bulk Data rule gives plaintiffs a new candidate for that independent violation whenever sensitive data allegedly reaches a country of concern. That is a meaningful expansion of the theories available in privacy class actions, even though it remains untested on the merits.
We are not predicting how this case resolves or whether the bulk-data theory will survive later stages, and the court itself flagged open factual questions. The narrower and more durable point is doctrinal: one-party consent is a defense with a built-in exception, and the exception is wide enough that a separate regulatory violation can keep a wiretap claim alive.
How This Affects You
If you run a website or use third-party advertising and analytics tools, the takeaway is that consent from your site to a vendor's interception is not a guaranteed defense to a federal wiretap claim. As a general matter, where one party consents, the Wiretap Act still permits a claim when the interception is alleged to further a separate crime or tort. Courts have generally treated that exception as fact-dependent, so outcomes vary with the specific allegations.
For individuals, the case is part of a broader trend of older interception statutes being applied to modern tracking technology. None of this is advice about your particular situation. Whether any specific tracking practice violates the Wiretap Act, or whether a data transfer implicates the Department of Justice's Bulk Data rule, depends on facts a court would have to weigh, and many of those questions are unresolved in this case.
This is general legal information, not legal advice. It covers a federal ruling under the Federal Wiretap Act and the one-party consent rule, and it reflects sources verified on June 21, 2026. Laws change and this story is developing; consult a lawyer licensed in your jurisdiction about your specific situation.
Sources
- Baker v. Index Exchange, Inc., No. 1:25-cv-10517 (N.D. Ill.), docket (CourtListener): https://www.courtlistener.com/docket/71256090/baker-v-index-exchange-inc/
- Federal Wiretap Act, 18 U.S.C. section 2511 (Cornell Legal Information Institute): https://www.law.cornell.edu/uscode/text/18/2511
- 28 CFR Part 202, Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons (eCFR): https://www.ecfr.gov/current/title-28/chapter-I/part-202
- Executive Order 14117 final rule, Federal Register (Jan. 8, 2025): https://www.federalregister.gov/documents/2025/01/08/2024-31486/preventing-access-to-us-sensitive-personal-data-and-government-related-data-by-countries-of-concern
Related articles
- Federal Wiretap Act and ECPA: the complete guide
- One-party consent states
- US data broker registration laws and the Delete Act
- Otter.ai wiretap lawsuit explained
Last updated: 2026-06-21. This is a developing story; details verified as of 2026-06-21.
Frequently Asked Questions
What did the judge decide in the Index Exchange case?
Judge Matthew F. Kennelly denied Index Exchange's motion to dismiss a Federal Wiretap Act claim, holding that the plaintiff plausibly alleged the crime or tort exception applies even if the website consented to the interception. It is an early-stage ruling, not a finding of liability, in Baker v. Index Exchange, No. 1:25-cv-10517 (N.D. Ill.).
How can a wiretap claim survive if one party consented?
The Federal Wiretap Act's one-party consent rule (18 U.S.C. section 2511(2)(d)) does not apply when the interception is for the purpose of committing a criminal or tortious act. That crime or tort exception let the claim proceed here, based on an alleged violation of the Department of Justice's Bulk Data rule.
What is the Department of Justice Bulk Data rule?
It is a final rule at 28 CFR Part 202, implementing Executive Order 14117, that restricts or prohibits transfers of Americans' bulk sensitive personal data to countries of concern, including China. The Department of Justice's National Security Division enforces it.
Did the court find Index Exchange violated the law?
No. The court ruled only at the pleading stage that the allegations are legally sufficient to proceed. It noted unresolved factual questions, including whether the bulk-data restriction applies to Temu, and did not decide the merits.
Does this change one-party consent recording rules?
It does not change the statute, but it highlights that one-party consent has always carried a crime or tort exception. Consent is not an absolute shield when an interception is alleged to further an independent crime or tort.
Sources and References
- Docket, Baker v. Index Exchange, Inc., No. 1:25-cv-10517 (N.D. Ill.)(courtlistener.com)
- 18 U.S.C. 2511, Federal Wiretap Act (ECPA)(law.cornell.edu)
- 28 CFR Part 202, DOJ Bulk Data rule(ecfr.gov).gov
- Executive Order 14117 final rule, Federal Register (Jan. 8, 2025)(federalregister.gov).gov