The U.S. Supreme Court seldom takes up privacy cases, but the 2026 term includes two matters that could have profound implications for how businesses collect, retain, and disclose data. One addresses constitutional limits on modern surveillance, and the other reexamines the application of a legacy privacy statute that has become a focal point for litigation in the digital age.

Geolocation Data & the Fourth Amendment

In Chatrie v. United States, the Court will confront the rising use of geofence warrants, which are search warrants requiring companies to turn over location information for all devices present within a defined geographic area during a specified time period. These warrants seek bulk location data from providers such as Google, effectively generating a list of electronic “suspects” based on who was near a crime scene.

This case builds on Carpenter v. United States (2018), which recognized heightened Fourth Amendment protections for historical location information. The question in Chatrie is whether geofence warrants, by targeting data about everyone in an area rather than a specific individual, constitute an unreasonable search. Complicating the analysis is the fact that many users opt into services like Google’s Location History, raising contested issues about consent and reasonable expectations of privacy.

For organizations that maintain detailed location data, the Court’s decision could reshape how and when law enforcement access that data, with potential operational, compliance, and privacy policy implications.

Video Privacy Protection Act & Digital Data Flows

Also on the Court’s docket is Salazar v. Paramount Global, a case asking the justices to clarify who qualifies as a “consumer” under the Video Privacy Protection Act (“VPPA”). The VPPA was enacted in 1988 after a video store released Supreme Court nominee Robert Bork’s rental records, and it prohibits “video tape service providers” from disclosing personally identifiable information about their consumers without consent.

In recent years, plaintiffs have repurposed the VPPA in the digital context, bringing class actions against websites and media companies based on third-party tracking technologies that capture and share user video-viewing information. A central battleground has been whether someone who only subscribes to non-video content (such as an email newsletter) can nonetheless be treated as a VPPA “consumer” for purposes of statutory exposure.

The Supreme Court’s resolution of that question will significantly influence litigation risk in media, advertising, and technology sectors. A narrower interpretation could sharply reduce the pool of plaintiffs and limit exposure, whereas a broader one could preserve the statute as a potent basis for class actions tied to everyday digital interactions.

What This Means for Clients

These cases underscore that privacy law in the United States is not static even for longstanding statutes or familiar constitutional protections. For businesses, the implications are practical and immediate:  (i) Location-data practices should be reviewed in light of potential narrowing (or reaffirmation) of Fourth Amendment protections around device tracking and law enforcement access; (ii) Contractual commitments, retention schedules, and disclosures related to location data and similar signals may need to be revisited; (iii) Digital content and analytics flows, particularly involving video and embedded technology, pose litigation and compliance risk under evolving statutory interpretations; and (iv) Risk frameworks and policies should anticipate continued judicial scrutiny of legacy privacy laws as applied to modern technologies.

Even without sweeping holdings that extend beyond the specific legal questions at issue, Chatrie and Salazar will signal how the Court views the relationship between evolving technologies and established privacy protections informing risk, governance, and product decisions for years to come.

What Clients Should Do Now

While the Supreme Court’s decisions in Chatrie and Salazar will not be issued until later in the term, organizations do not need to wait for final rulings to reduce risk. These cases highlight areas where many companies already face regulatory, litigation, or reputational exposure.

Companies should consider taking the following steps now:

• Reassess Location Data Practices: (a) Inventory what location data is collected, how granular it is, and how long it is retained; (b) Confirm whether location tracking features are truly opt-in and whether consent disclosures are clear, conspicuous, and accurate; and (c) Review internal procedures for responding to law enforcement requests, including geofence warrants and other bulk data demands.
• Review Data Retention and Minimization Policies: (a) Evaluate whether location, device, or behavioral data is being retained longer than necessary for business purposes; (b) Align retention schedules with actual operational needs and stated privacy disclosures; and (c) Consider whether shorter retention periods could meaningfully reduce exposure without impairing core functionality.
• Audit Video and Embedded Media Flows: (a) Identify where video content is embedded on websites, apps, or marketing pages; (b) Map third-party analytics, pixels, and SDKs that may receive video-viewing data or unique identifiers; and (c) Assess whether existing consent mechanisms adequately address VPPA risk, particularly for users who are not traditional “subscribers.”
• Revisit Privacy Policies and Consumer Notices: (a) Ensure disclosures accurately describe how video, location, and behavioral data are collected and shared; (b) Confirm that policies reflect actual practices, not legacy assumptions about how technology is used; and (c) Pay close attention to definitions of “consumer,” “user,” or “subscriber,” which may take on heightened importance depending on how the Court rules.
• Pressure-Test Litigation and Regulatory Exposure: (a) Evaluate whether existing practices could support VPPA claims or constitutional challenges if scrutinized by regulators or plaintiffs’ counsel; (b) Consider how these risks intersect with state privacy laws, including the CCPA/CPRA, and evolving enforcement priorities; and (c) Prepare internal talking points and escalation paths in the event of a regulatory inquiry or class-action demand.

A Final Thought

These cases reinforce a broader reality: privacy risk is increasingly shaped not only by statutes and regulations, but by how courts interpret older laws in light of modern technology. Organizations that treat privacy as a living governance issue rather than a one-time compliance exercise are best positioned to adapt as the legal landscape evolves.

For companies with significant data-driven operations, now is a good time to review practices, close gaps, and ensure that privacy programs can withstand both regulatory scrutiny and private litigation as the Supreme Court weighs in.

This publication is published by the law firm of Ervin Cohen & Jessup LLP. The publication is intended to present an overview of current legal trends; no article should be construed as representing advice on specific, individual legal matters. Articles may be reprinted with permission and acknowledgment. ECJ is a registered service mark of Ervin Cohen & Jessup LLP. All rights reserved.