A recent lawsuit signals the rapid convergence of issues relating to artificial intelligence, vendor‑managed platforms, and individual arbitration in the data breach ecosystem. In Woodard v. OpenAI, Inc. & Mixpanel, Inc., Case No. 3:25-cv-10301 in the Northern District of California, Plaintiffs alleged that Mixpanel uses artificial intelligence technologies developed by OpenAI to collect user data. Mixpanel’s data collection came to a head in November 2025, when it was hit by a third-party criminal cyberattack that allegedly impacted consumers’ OpenAI accounts on the Mixpanel platform.
Plaintiffs—both consumers and businesses—sued Mixpanel and OpenAI. OpenAI subsequently moved to compel individual arbitration, arguing its Terms of Use and accompanying mandatory arbitration provision are binding on all users. Mixpanel, meanwhile, moved to dismiss, arguing the plaintiffs lacked standing and could not prevail against it on claims for negligence, breach of implied contract, and unjust enrichment because the plaintiffs were OpenAI consumers, not Mixpanel customers.
In the Mixpanel case, the plaintiffs voluntarily dismissed their claims before filing a response to either motion. As a result, the Northern District of California did not weigh in on the merits of the plaintiffs’ artificial intelligence-based claims.
Yet the case highlights that the AI landscape is just starting to make its mark on litigation generally and data breach litigation in particular. As the use of AI continues to expand and evolve, businesses will need to closely monitor how the use of AI impacts risk and think critically regarding the steps required to address those risks.
