Mercor Faces Lawsuits Over Data-Privacy Breach

Mercor, a San Francisco AI training contractor valued at $10 billion, is facing at least seven class-action lawsuits after a March data breach allegedly exposed a broad set of sensitive worker and applicant data. Plaintiffs and multiple press outlets say the breach and company practices resulted in disclosure of recorded job interviews, facial biometrics, screenshots of contractors' computers, and applicant-vetting files such as background checks. Meta and other large clients have paused work or are reevaluating relationships. Mercor disputes the allegations and says it complies with law and retained forensic vendors to investigate.

The complaints and reporting converge on three technical and operational claims that matter for practitioners:

• •Data types exposed: recorded video interviews, audio, facial biometric data, screenshots capturing potentially proprietary client systems, and background-check records.
• •Alleged operational practices: monitoring contractor devices via screenshot or surveillance tooling; stockpiling applicant vetting data and sharing it with partners; and reusing recorded interviews and contributed materials to train or evaluate models.
• •Regulatory hooks: Plaintiffs have invoked state statutes including the Illinois Artificial Intelligence Video Interview Act that requires notice, consent, retention limits, and deletion procedures for AI-analyzed video interviews. Vendor relationships cited in suits include named vendors such as Delve AI and LiteLLM.

This episode exposes a weak link in the AI data supply chain: firms that recruit, monitor, and pay human annotators or evaluators often collect data at scale with contractual and technical practices that blur ownership and consent boundaries. The case crystallizes three industry pressures: the hunger for specialized, high-quality human-in-the-loop data; the outsourcing of that work to large contractor pools (Mercor reportedly hired 30,000 contractors last year); and the rush to reuse human-generated artifacts to improve model performance. For platform customers and large model builders, the litigation raises second-order legal and compliance risks because using vendor-provided materials can transfer liability if those materials contain proprietary or personally identifiable information. Practitioners building data pipelines should see this as a warning: provenance, consent metadata, and enforceable deletion controls are not optional for production datasets.

Expect near-term vendor diligence upgrades, contractual demands for provenance metadata, and technical controls such as automated PII detection and redaction before ingestion. Tools that can annotate sources with per-item consent, retention windows, and provenance chains will increase in procurement value. Also, legal exposure under state-level AI interview laws means HR-tech integrations that perform interview analysis will face stricter compliance workflows.

Litigation outcomes and any regulatory enforcement or private settlements will set precedents for vendor liability and customer indemnity obligations. Watch for changes in vendor contracts, new industry standards for human-data provenance, and technical offerings from model-hosting and MLOps vendors that embed consent and retention controls into dataset registries.