Under Construction: California Class Action Lawsuits

#The Home Depot Suit

On May 1, 2026, law firms Emery | Reddy and Milberg filed a class action suit in the Northern District of California against The Home Depot, alleging violations of California’s ALPR privacy act and invasion of privacy. It’s the second class action against Home Depot in two months — Bursor & Fisher beat them to it with McGinity back in March. The two suits divide the timeline: McGinity covers shoppers caught before Home Depot quietly updated its ALPR policy in late December; Schmierer covers everyone since. And it lands the same week three separate Flock suits (Eldridge, Dutcher, and Javorsky) — which plaintiffs have moved to consolidate — now pending in the same court.

The new lawsuit challenges the common assumption that private corporations can surveil their customers and others without limitation. As it should, because that assumption is plainly incorrect. States can and do regulate the use of video and audio recording devices on private property, and California’s ALPR law doesn’t distinguish between private and public operators.

The other component — invasion of privacy — is an interesting tack. The suit alleges two slightly different violations: a violation of the right to privacy under the California Constitution, and the tort of “intrusion upon seclusion.” The complaint writes:

A reasonable person visiting a hardware store does not expect that their license plate data will be automatically captured, timestamped, stored in a national database, and made accessible to hundreds of law enforcement agencies, including federal immigration enforcement, all while the operator maintains a policy that omits mandatory disclosure elements and provides no meaningful restriction on who can access the data.

It also anticipates the obvious argument from Home Depot / Flock:

The California Supreme Court has recognized that the relevant question in an intrusion claim is not whether any single piece of information was publicly observable, but whether the manner, scope, and aggregation of the intrusion would be offensive to a reasonable person.

The complaint then lays out why a private corporation collecting data at its 233 locations in the state, storing that data with its private vendor, and sharing it in real-time with hundreds of police agencies, without Home Depot telling anyone about it, is offensive to Californians believing they’re just shopping for a new toilet seat.

The complaint has a point, and I’m excited to see where it goes. The statutory violations alone give a sense that Home Depot will end up out of pocket on this one, especially after Bartholomew v. Parking Concepts — the February California Court of Appeal decision that held operating ALPRs without a compliant policy is itself the harm.

Other private companies should take note. Flock can hammer its claims about “no reasonable expectation of privacy” and “30+ courts have consistently affirmed that ALPR devices perform lawful actions” all it wants; courts don’t typically look to marketing materials to find what the law is, and neither should anyone else.

#The Flock Suits

Home Depot will be defending itself in the same district where Flock is already in court. And the Flock side is getting interesting. Plaintiffs’ lawyers in three existing California class action suits — Eldridge v. Flock, Dutcher v. Flock, and Javorsky v. Flock — are getting into a consolidation scrap. The firms handling Eldridge and Dutcher don’t like the Javorsky team’s preservation strategy. The motion to consolidate puts it like this:

[Javorsky’s] difference [in approach] has already resulted in a prolonged disagreement with Flock regarding its retention protocols, which has likely resulted in the loss of hundreds of thousands of data points pertaining to putative class members.

But the more interesting bit is technical:

Flock has represented that capturing the broader set (including the ancillary “Identifier” tags) slows its preservation rate by roughly ten times.

The filing does not specify what these “‘identifier’ tags” are, but dollars to donuts that we’re talking about the searchable vectors that power FreeForm, Flock’s natural-language vehicle search tool. I have discussed these before in both the FreeForm context and the ReId context. The math mostly holds there; simple tags stored with the data would be fairly small, plausibly ~200 bytes, so if a vector is ~2kB, that would be about 10x larger and therefore 10x “slower.”

The part that doesn’t make sense in the filing is the preservation rate. It implies that preservation can’t happen in real-time on the backend. Why not? What prevents Flock from setting up an additional replica node? Does it not routinely keep replica copies of its data? If it doesn’t, how does it guarantee data integrity (and thereby both completeness and accuracy)?

I’ve raised these questions before in the context of changing log files:

A distributed explanation is not any better than deleting and adding records in a centralized database. In fact, it would be a very fundamental, very fatal, flaw for records that are supposed to be immutable — like audit records — to have multiple copies in multiple places without a single authoritative copy.

Apparently log entries can go missing without Flock’s system throwing an error. If you can’t be sure that your log is complete, you can’t rely on it to show whatever it is you’re auditing for — it may have been deleted.

If a similar distributed pattern holds for the “identifiers” or vectors — which Flock’s protestations in this new court filing seem to suggest — it would extend the integrity problem from the audit logs to the ALPR data itself.

The motion takes Flock’s “10x slower” claim at face value and uses it to triage: preserve the narrow set that identifies the class, drop the fight over ancillary fields. As a practical call under time pressure, it makes sense. But Flock’s underlying claim is the part that should not have gone unchallenged.

It’s worth considering what counts as “ALPR information” under California law. The statute defines it as “information or data collected through the use of an ALPR system” — not “license plate characters.” Whatever Flock’s cameras capture and feed into its searchable database is ALPR information, with all the operator duties that attach. Flock stating that the broader field set slows preservation by 10x is, in effect, telling the court those fields exist and are part of what the system collects. They’re covered. The plates are just one column in the table.

The more data collected, the more there is for Bartholomew’s harm analysis to work on, and the more there is for the privacy torts’ offensiveness analysis to grade as offensive. In re Facebook — Edelson’s signature win — established that biometric data has value as data. None of that argues for letting Flock walk away from the broader fields just because its architecture allegedly can’t keep up.

Even a narrow set — license plates and locations, a few bytes — is apparently more than Flock can copy or preserve at scale without slowing things down. It implies the live system runs on single copies without the kind of redundancy that would let it verify its own data — and its distributed database likely uses computers sitting unattended on the side of the road, intermittently accessible through spotty mobile connections, storing unencrypted video and images, for the express purpose of directing traffic stops, conducting searches, and providing evidence.

The disclosure failure has always done double duty for Flock — hide what the system collects, then escape enforcement when nobody asks. Now Flock wants it to do triple duty: wall off the undisclosed fields from the lawsuit, too.