Photo of Thea McCullough

Thea McCullough

Thea McCullough counsels national and multinational companies across industries as a member of the Data Privacy and Cybersecurity, Litigation, and Public Policy practice groups.

Thea advises clients on a broad range of privacy issues, such as privacy policies and data practices, responses to regulatory inquiries, and compliance obligations under federal and state privacy regulations, including biometric privacy laws. She also represents clients before the Federal Trade Commission in privacy enforcement actions and in consumer protection litigation.

Thea draws on her past experience across all branches of government to inform her practice and to advise clients on public policy matters. Most recently, Thea served as a clerk for the U.S. District Court for the Eastern District of Texas. Prior to beginning her legal career, Thea served as the communications director for the White House National Space Council, where she spearheaded messaging campaigns for Presidential Space Policy Directives and the administration's civil, commercial, and defense space policy initiatives, and previously as the communications director for the U.S. House Committee on Science, Space, and Technology, where she managed the communications team and developed messaging strategies for policy and legislation covering several issue areas, including cybersecurity, advanced technologies, space, energy, environment, and oversight. She also served as a national spokesperson for President Trump's 2020 campaign.

Thea is admitted to the DC Bar under DC App. R. 46-A (Emergency Examination Waiver); Practice Supervised by DC Bar members.

Contact:Read more about Thea McCulloughEmail

Adding to a growing body of case law following the Ninth Circuit’s decision in Popa v. Microsoft Corporation, a California federal court has dismissed for lack of subject matter jurisdiction a privacy suit against a news website, holding that the plaintiffs failed to allege a concrete injury sufficient to establish Article III standing. In Re: USA Today Co., Inc. Internet Tracking Litigation, 2026 WL 932655, at *3 (N.D. Cal. Apr. 6, 2026).

Continue Reading Another Court Dismisses Website Privacy Suit for Lack of Article III Standing

A recent Washington federal court decision emphasizes two key federal Wiretap Act principles. First, the Act’s crime-tort exception only applies if there are plausible allegations that a party to the communication intercepted communications specifically to commit a separate wrongdoing. Second, the statute does not allow secondary liability for “procuring” an interception by a third party. Nichols v. PeaceHealth Networks on Demand LLC, 2026 WL 607763, at *3-4 (W.D. Wash. Mar. 4, 2026).

Continue Reading Court Dismisses Federal Wiretap Claim Premised on Crime-Tort Exception, Rejects Aiding-and-Abetting Liability

As businesses increasingly deploy AI-powered call centers to streamline customer service, plaintiffs have turned to decades-old wiretapping laws to challenge these tools. In a recent decision, however, an Illinois federal district court held that use of an AI call analysis platform without caller consent does not violate the federal Wiretap Act because it falls within the statute’s ordinary course of business exception. Lisota v. Heartland Dental, LLC, 2026 WL 91667, at *6 (N.D. Ill. Jan. 13, 2026).

Continue Reading Use of AI Call Center Without Consent Not a Federal Wiretap Violation, Court Holds

In an effort to overcome hurdles to Article III standing, many website wiretapping suits today accuse businesses of unlawfully sharing sensitive health or financial data with third parties.  However, Federal Rule of Civil Procedure 11(b) requires plaintiffs’ lawyers to ensure that these “factual contentions” in a complaint “have evidentiary support.”  A California federal judge gave teeth to this requirement in a recent sanctions order, admonishing the plaintiff’s lawyers for “advancing unfounded and irrelevant allegations” about a business’s sharing of “health information.”  Mitchener v. Talkspace Network LLC, No. 2:24-CV-07067-JAK (BFMX), 2026 WL 84466, at *3-4 (C.D. Cal. Jan. 7, 2026).

Continue Reading Sanctions Order in Website Wiretapping Suit Reinforces Importance of Early Fact Investigation

An Illinois federal court has held that the state’s recent amendment to its Biometric Information Privacy Act (“BIPA”) capping damages to one recovery for repeated identical violations applies to cases filed prior to its enactment. Gregg v. Cent. Transp. LLC, 2024 WL 4766297, at *3 (N.D. Ill. Nov. 13, 2024).

Continue Reading Illinois Federal Court Rules BIPA Single-Violation Amendment Applies Retroactively

Massachusetts’s highest court has ruled that website operators’ use of third-party technology, including Google Analytics and Meta Pixel, to collect data on individuals’ browsing of and interactions with websites does not violate the state’s anti-wiretapping law. Vita v. New England Baptist Hospital, No. SJC-13542, 2024 WL 4558621, at *16 (Mass. Oct. 24, 2024). The court explained that those activities do not clearly amount to the person-to-person communications the 1960s-era statute is intended to cover.

Continue Reading Massachusetts Supreme Judicial Court Holds That Third-Party Technologies Relating to Web Browsing Do Not Violate Massachusetts Wiretap Act

An Illinois federal court has dismissed a proposed class action alleging X Corp. violated the state’s Biometric Information Privacy Act (“BIPA”) through its use of PhotoDNA software to create “hashes” of images to scan for nudity and related content. The court held that Plaintiff failed to allege that the hashes identified photo subjects and therefore failed to allege that the hashes constituted biometric identifiers. Martell v. X Corp., 2024 WL 3011353, at *4 (N.D. Ill. June 13, 2024).

Continue Reading Illinois Federal Court Dismisses BIPA Suit Against X, Holding “Biometric Identifiers” Must Identify Individuals

An Illinois federal district court recently dismissed for lack of personal jurisdiction a publicity privacy suit against Geneanet, which the complaint alleges is a French subsidiary of Ancestry.com that owns and operates an interactive genealogy website. See Shebesh v. Geneanet, S.A., No. 23-cv-4195 (N.D. Ill. May 3, 2024). Plaintiff Ethan Shebesh sued on behalf of himself and a putative class under the Illinois Right of Publicity Act, which prevents the use of an individual’s identity for a commercial purpose without the individual’s consent. 765 ILCS 1075/30(a). Shebesh asserted that Geneanet unlawfully used his and the putative class members’ names and other identifying information to advertise and sell premium memberships. Concluding that the plaintiff failed to show that Geneanet intentionally directed its conduct at Illinois, the court granted Geneanet’s motion to dismiss.

Continue Reading Illinois Federal Court Dismisses Publicity Privacy Suit Against French Genealogy Site for Lack of Personal Jurisdiction

Likely spurred by plaintiffs’ recent successes in cases under Illinois’s Biometric Information Privacy Act (“BIPA”), a new wave of class actions is emerging under Illinois’s Genetic Information Privacy Act (“GIPA”). While BIPA regulates the collection, use, and disclosure of biometric data, GIPA regulates that of genetic testing information. Each has a private right of action and provides for significant statutory damages, even potentially where plaintiffs allege a violation of the rule without actual damages.[1] From its 1998 enactment until last year, there were few GIPA cases, and they were largely focused on claims related to genetic testing companies.[2] More recently, plaintiffs have brought dozens of cases against employers alleging GIPA violations based on allegations of employers requesting family medical history through pre-employment physical exams. This article explores GIPA’s background, the current landscape and key issues, and considerations for employers.

Continue Reading Employers Beware: New Wave of Illinois Genetic Information Privacy Act Litigation