Privacy & Cybersecurity
Lieff Cabraser’s Privacy & Cybersecurity practice group is a nationally and internationally-recognized leader in safeguarding people’s privacy against the pervasive and often hidden ways digital technology intrudes into and affects our daily lives. Lieff Cabraser has a proven track record of successfully taking-on the powerhouses of Big Data and social media, and making the online ecosystem safer and more just. The Privacy & Cybersecurity practice group’s honors include the National Law Journal’s 2019 Elite Trial Lawyers award for privacy and data breach litigation and Law360’s 2017 Data Privacy Practice Group of the Year.
Privacy Faces its Greatest Challenge in the Digital Age
Today, our work, commerce, finances, and communications and interactions with others occur largely online, facilitated by digital technology that tracks us everywhere, impacting our choices, behavior, and well-being. These constant intrusions into our lives, whether on purpose or by accident, allow unprecedented and nearly limitless opportunities for companies to share and profit from our personal and private information. While we appreciate the convenience that these technologies bring, we are just as concerned that unchecked, these technologies are using their incredible computing power and data aggregation abilities to threaten us with near constant surveillance and commercial and political manipulation.
Lieff Cabraser’s Privacy & Cybersecurity practice group is committed to holding the line against abuses caused by the awesome power of this technology, and to preserving our society’s time-honored values of privacy, self-determination, and independent thought that allows our democracy to flourish.
Lawyers Dedicated to Preserving Privacy
Lieff Cabraser is committed to ensuring that the fundamental right to privacy is respected and endures even as technology evolves and society changes.
Our attorneys have the experience and technical expertise necessary to successfully litigate a comprehensive range of privacy claims. We represent individuals in precedent-setting cases against powerful technology, social media, healthcare, and entertainment companies, as we aim to reaffirm and enforce the privacy protections that the law provides to secure the most sensitive personal information of citizens here and around the world.
Significant Digital Privacy Lawsuits
Lieff Cabraser, with co-counsel, has filed a series of privacy class action lawsuits alleging that defendants (video streaming services, media companies, etc.) disclose private customer information to Meta Platforms, Inc., f/k/a Facebook, in violation of a law called the Video Privacy Protection Act. Plaintiffs allege that defendants have secretly, and without users’ consent, embedded tracking software known as the Meta “Pixel” on their websites, so that an ordinary person could identify a specific individual’s video watching-behavior using that individual’s Facebook ID.
These cases are in different procedural stages. On March 5, 2024, a the court granted final approval of a $2.625 million class action settlement in Fiorentino v. FloSports, Inc., No. 1:22-cv-11502-AK (D. Mass.). Plaintiff survived a motion to dismiss and obtained a favorable ruling in Czarnionka v. Epoch Times Ass’n, Inc., No. 22 CIV. 6348 (AKH), 2022 WL 17069810, at *1 (S.D.N.Y. Nov. 17, 2022), motion to certify appeal denied, No. 22 CIV.6348 (AKH), 2022 WL 17718689 (S.D.N.Y. Dec. 15, 2022) (The Facebook ID disclosed by defendant “is sufficient for an ordinary person to identify Plaintiff and similarly situated individuals” and comprises PII under the VPPA). On January 22, 2023, the court granted preliminary approval of a class settlement. In Vela, et al v. AMC Networks, Inc. d/b/a AMC+, No. 1:23-cv-02524-ALC (S.D.N.Y.), the Court granted preliminary approval of a proposed settlement on January 10, 2024. And in Collins, et al. v. Pearson Education, Inc., on March 1, 2024, the Court denied Defendant’s motion to strike and motion to dismiss. See Collins v. Pearson Educ., Inc., No. 23 CIV. 2219 (PAE), 2024 WL 895316, at *1 (S.D.N.Y. Mar. 1, 2024).
Other cases are in litigation and/or disclosed mediation postures. For more info, use the contact form on this page.
Lieff Cabraser serves as Class Counsel in a class action against Oracle Inc., one of the world’s largest data brokers. Plaintiffs allege that Oracle surveilled consumers online and offline, compiled their personal data into detailed profiles—including geolocation, finances, demographics, interests, and health—and then sold those profiles to third parties. Plaintiffs further allege that Oracle’s “coretag” tracking code, embedded on thousands of popular websites, unlawfully intercepts consumers’ communications. Consumers did not consent to Oracle’s conduct; many were unaware that the company existed. This case is thus unique in that Oracle’s surveillance centers on people with whom the company had no direct relationship.
On August 9, 2024, Judge Richard Seeborg of the U.S. District Court for the Northern District of California granted preliminary approval to a class action settlement that (a) requires Oracle to pay $115 million into a settlement fund from which benefits to class members will be paid, and (b) requires Oracle to make changes to its business practices. The final approval hearing is set for November 14, 2024. More details about the case and settlement are available on the settlement website, https://www.katzprivacysettlement.com/.
Lieff Cabraser serves as Co-Lead Counsel in a class action lawsuit alleging that Meta Platforms, Inc. (formerly known as Facebook) violates the state and federal privacy rights of individuals who use the California DMV website. The complaint alleges that Meta does this through hidden tracking code known as the Meta “Pixel,” which sends Meta time-stamped, personally-identifiable records of users’ personal information, activities and communications from websites where it is embedded, including from the website of the California DMV. Through the Pixel’s surveillance, the complaint alleges that Meta obtains vast quantities of protected data from the DMV in violation of the Driver’s Privacy Protection Act and the California Invasion of Privacy Act, including the first names of users who click into their “MyDMV” portal page; the identities of persons with disabilities who start disabled parking placard applications on the DMV website; e-mail addresses belonging to users who check the status of pending applications; and the personally identifying contents of communications between users and the DMV.
Lieff Cabraser serves as a member of the Steering Committee in class action litigation against Marriott International Inc. and Accenture PLC for a 2018 data breach of Starwood Hotels affecting more than 100 million U.S. citizens. Plaintiffs allege that Marriott failed to fulfill its legal duty to protect its customers’ sensitive personal and financial information, causing class members’ personally identifying information, including credit cards and passport numbers, to be exfiltrated by cybercriminals. In May 2022, then-U.S. District Court Judge Paul Grimm granted in part Plaintiffs’ class certification motion, certifying three damages classes and four issues classes. Judge Grimm’s class certification order is presently on appeal to the Fourth Circuit.
Lieff Cabraser serves as Co-Lead Counsel on the Quest track in class action litigation against Quest Diagnostics Inc., Laboratory Corporation of America, and other blood testing and diagnostic companies that shared, or facilitated the sharing of, customers’ personal identifying financial and health information with a third-party debt collector American Medical Collection Agency that was breached. Plaintiffs allege that Quest (and other blood-testing labs) failed to fulfill its legal duty to protect customers’ sensitive personal, financial, and health information by sharing it with a third-party that lacked adequate data security. The complaints against each lab company allege that they were negligent, unjustly enriched, and violated numerous state consumer protection statutes. In December 2021, the Court denied Defendants’ motions to dismiss in part and granted Plaintiffs leave to replead their dismissed claims; the case is in discovery.
For several years, Lieff Cabraser litigated on behalf of internet users whose locations Google stored even though the relevant setting, which Google had explained would prevent the company from tracking their movements, had been disabled. The parties reached a $62 million settlement in 2023 that, in light of class size estimated at nearly 250 million individuals, provides funds for non-profit organizations aimed at promoting consumer internet privacy and thus furthering the interests of the class. The settlement also ensures changes to Google’s data collection and disclosure practices. The District Court granted final approval to the settlement in May 2024 and appointed Lieff Cabraser as Co-Lead Class Counsel. The sole group of objectors filed an appeal, which is now pending at the Ninth Circuit.
Lieff Cabraser with co-counsel have filed two class action lawsuits in Illinois federal court under Illinois’ Biometric Information Privacy Act (“BIPA”) alleging that defendants (truck driver monitoring companies and truck driving companies) are illegally obtaining truck drivers’ biometric information while they drive. This information is obtained without truck drivers’ written consent through dashboard cameras affixed to drivers’ faces that are constantly monitoring their behavior.
The first case is against Samsara, Inc. and is in discovery after Plaintiff survived a 12(b)(6) motion to dismiss on his four BIPA claims and obtained a favorable ruling. See Karling v. Samsara Inc., __ F. Supp. 3d __, 2022 WL 2663513 (N.D. Ill. July 11, 2022). The second case is brought against Lytx, Inc. and Gemini Motor Transport, L.P. in the Northern District of Illinois. Lieff Cabraser serves as Co-Lead Counsel and an amended complaint was filed in November 2022. See Timmons v. Lytx, Inc., Case No. 1:21-cv-5427 (N.D. Ill.).
In June 2023, Lieff Cabraser sued Managed Care of North America following a 2023 healthcare data breach of more than 9 million customers’ personal, private, and highly-sensitive medical information. The complaint alleges that Managed Care failed to fulfill its legal duty to protect its customers’ sensitive personal and health information, causing class members’ personally identifying information to be exfiltrated by ransomware threat actors and put for sale on the so-called “dark web.” The case is pending in the Southern District of Florida before Judge Raag Singhal.
Lieff Cabraser serves as Co-Lead Counsel in class action litigation against Somnia, Inc., an anesthesiology services provider and practice management company that manages numerous anesthesiology providers, and individual anesthesiology providers for a 2022 data breach that impacted the personally identifiable information and private health information of almost half a million patients. Plaintiffs allege that Somnia and the anesthesiology providers Somnia manages failed to fulfill their legal duty to protect customers’ sensitive personal, financial, and health information by implementing insufficient data security practices and providing insufficient notice after the breach. The complaint asserts claims for negligence, negligence per se, breach of confidence, unjust enrichment, and violations of numerous California consumer protection statutes. Parties are currently briefing defendants’ motion to dismiss.
In June 2023, Lieff Cabraser and co-counsel filed a class action lawsuit in the Northern District of California against Laboratory Corporation of America and Laboratory Corporation of America Holdings and Meta Platforms, Inc. for collecting and facilitating the collection of identifiable and sensitive health information from users of Labcorp’s website using invisible tracking technology, including the Meta Pixel. The case is currently in the midst of motion to dismiss briefing.
Successes
Lieff Cabraser served as Lead Counsel in a privacy class action on behalf of Android users concerning Google’s unlawful exposure of confidential medical information and personally identifying information through its digital contract tracing system designed by Google to slow or stop the spread of COVID-19 on Android mobile devices. Plaintiffs resolved the suit via a novel early resolution process with Plaintiffs’ consulting expert’s review of highly confidential information from Google, which generated significant injunctive relief to fix the fundamental error and legally-binding representations and warranties by Google. On October 31, 2022, Judge Nathanael M. Cousins granted final approval to the settlement.
Lieff Cabraser served as Co-Lead Class Counsel in a class action lawsuit alleging that Plaid Inc., a financial technology company, invaded consumers’ privacy in their financial affairs. Plaid provides third-party bank account authentication services for several well-known payment apps, such as Venmo, Coinbase, Square’s Cash App, and Stripe. Plaintiffs alleged that Plaid used login screens that misleadingly looked like those of real banks to obtain consumers’ banking account credentials, and that it subsequently used consumers’ credentials to access their bank accounts and improperly take their banking data. Plaintiffs’ lawsuit asserted claims under state and federal privacy laws and charged that Plaid’s intrusions violated established social norms and exposed consumers to additional privacy risks.
In July 2022, Judge Donna M. Ryu of the U. S. District Court for the Northern District of California granted final approval to a class action settlement that requires Plaid to pay $58 million into a settlement fund from which benefits to settlement class members will be paid. Judge Ryu also praised “the robust injunctive relief provided by the settlement,” which requires Plaid to delete certain user data, disclose more information on the data it collects and stores, and maintain the Plaid Portal website, with which users can view and manage the financial accounts and apps connected by Plaid.
Lieff Cabraser filed suit with co-counsel, including the Attorney General of the State of New Mexico, in a federal case on behalf of children and their parents in New Mexico for violating the Children’s Online Privacy Protection Act (“COPPA”) and consistent state law. The lawsuit alleged that child-app developer Tiny Lab Productions and Google, whose AdMob advertising software is embedded in the Tiny Lab mobile games, surreptitiously and illegally harvested children’s personal information for profiling and targeting them for commercial gain, without adequate disclosures and verified parental consent. Specifically, the State alleged that Google and Tiny Lab collected and used personal data that included, among things, geolocation and persistent identifiers to serve children targeted advertisements or otherwise commercially exploit them. The apps at issue were clearly and indisputably designed for children, including names like “Fun Kid Racing” and “Candy Land Racing.” After surviving a motion to dismiss in 2020 and a motion for reconsideration of the same in 2021, the State settled with Google in December 2021, agreeing to significant changes to the Google Play Store and the treatment of child-directed games by Google AdMob.
In three related class actions, Lieff Cabraser, with co-counsel, represented parents whose children’s right to privacy was violated when their personal data was surreptitiously transmitted while playing child-directed mobile gaming apps. Specifically, Plaintiffs alleged that gaming app developers and their mobile advertising partners (developers of so-called “software development kits” or “SDKs”) collected personally identifying data (e.g., device identifiers and location data) through six apps (Subway Surfers, Where’s My Water? (Paid), Where’s My Water (Free/Lite), Where’s My Water? 2, Princess Palace Pets, and Llama Spit Spit), and used that data to monetize their apps through targeted behavioral advertising—without the knowledge of child users or their parents. In May 2019, U.S. District Judge James Donato issued an order largely denying the defendants’ motions to dismiss. Plaintiffs then pursued their claims (i) for intrusion upon seclusion and a violation of the constitutional right to privacy under California law, (ii) under the California Unfair Competition Law, (iii) under the Massachusetts statutory right to privacy, and (iv) under New York General Business Law Section 349.
In April 2021, Judge Donato granted final approval to 16 settlements, which provided stringent and wide-ranging privacy protections and meaningful changes to defendants’ business practices, ensuring participants in the largely unpoliced mobile advertising industry proactively protect children’s privacy in thousands of apps popular with children. Under the settlements, which The New York Times stated “could reshape the entire children’s app market,” Disney, Viacom, and others as well as their advertising technology partners must stop tracking children across apps and the internet for targeted advertising purposes.
As in the child privacy cases described immediately above, Lieff Cabraser filed suit against and settled an action with Idaho technology company Kochava, Inc., whose software code was embedded in Disney apps directed to children. In March 2022, U.S. District Judge B. Lynn Winmill granted final approval to a settlement modeled after the N.D. Cal. settlements, requiring Kochava to reform its business practices as to thousands of child-directed apps in which Kochava’s embedded software code transmits and monetizes personal data.
Lieff Cabraser served as Class Counsel representing individuals whose right to privacy was violated when Google intentionally equipped its Google Maps “Street View” vehicles with Wi-Fi antennas and software that collected data transmitted by those persons’ Wi-Fi networks located in their nearby homes. Google collected not only basic identifying information about individuals’ Wi-Fi networks, but also personal, private data being transmitted over their Wi-Fi networks such as emails, usernames, passwords, videos, and documents. Plaintiffs alleged that Google’s actions violated the federal Wiretap Act, as amended by the Electronic Communications Privacy Act. On September 10, 2013, the Ninth Circuit Court of Appeals held that Google’s actions are not exempt from the Act.
On March 20, 2020, U.S. District Judge Charles R. Breyer granted final approval to a $13 million settlement over Google’s illegal gathering of network data via its Street View vehicle fleet. Given the difficulties of assessing precise individual harms, the innovative settlement, which is intended in part to disincentivize companies like Google from future privacy violations, will distribute its monies to eight nonprofit organizations with a history of addressing online consumer privacy issues. The order approving the settlement was upheld on appeal.
Lieff Cabraser served on the Plaintiffs’ Steering Committee representing individuals in a class action lawsuit against Anthem for its alleged failure to safeguard and secure the medical records and other personally identifiable information of its members. The second largest health insurer in the U.S., Anthem provides coverage for 37.5 million Americans. Anthem’s customer database was allegedly attacked by international hackers on December 10, 2014. Anthem says it discovered the breach on January 27, 2015, and reported it about a week later on February 4, 2015. California customers were informed around March 18, 2015. The theft included names, birth dates, social security numbers, billing information, and highly confidential health information. The complaint charged that Anthem violated its duty to safeguard and protect consumers’ personal information, and violated its duty to disclose the breach to consumers in a timely manner. In addition, the complaint charged that Anthem was on notice about the weaknesses in its computer security defenses for at least a year before the breach occurred.
In August 2018, Judge Lucy H. Koh of the U. S. District Court for the Northern District of California granted final approval to a class action settlement which required Anthem to undertake significant additional cybersecurity measures to better safeguard information going forward, and to pay $115 million into a settlement fund from which benefits to settlement class members will be paid.
Lieff Cabraser served as Co-Lead Class Counsel representing consumers in a digital privacy class action against Google Inc. over claims the popular Gmail service conducted unauthorized scanning of email messages to build marketing profiles and serve targeted ads. The complaint alleged that Google routinely scanned email messages that were sent by non-Gmail users to Gmail subscribers, analyzed the content of those messages, and then shared that data with third parties in order to target ads to Gmail users, an invasion of privacy that violated the California Invasion of Privacy Act and the federal Electronic Communications Privacy Act. In February 2018, Judge Lucy H. Koh of the U. S. District Court for the Northern District of California granted final approval to a class action settlement. Under the settlement, Google made business-related changes to its Gmail service, as part of which, Google will no longer scan the contents of emails sent to Gmail accounts for advertising purposes, whether during the transmission process or after the emails have been delivered to the Gmail user’s inbox. The proposed changes, which will not apply to scanning performed to prevent the spread of spam or malware, will run for at least three years.
Lieff Cabraser served as Co-Lead Class Counsel in a nationwide class action lawsuit alleging that Facebook intercepts certain private data in users’ personal and private messages on the social network and profits by sharing that information with third parties. When a user composed a private Facebook message and included a link (a “URL”) to a third party website, Facebook allegedly scanned the content of the message, followed the URL, and searched for information to profile the message-sender’s web activity. This enabled Facebook to data mine aspects of user data and profit from that data by sharing it with advertisers, marketers, and other data aggregators. In December 2014, the Court in large part denied Facebook’s motion to dismiss. In rejecting one of Facebook’s core arguments, U.S. District Court Judge Phyllis Hamilton stated: “An electronic communications service provider cannot simply adopt any revenue-generating practice and deem it ‘ordinary’ by its own subjective standard.”
In August of 2017, Judge Hamilton granted final approval to an injunctive relief settlement of the action. As part of the settlement, Facebook has ceased the offending practices and has made changes to its operative relevant user disclosures.
Lieff Cabraser represented consumers who subscribed to LifeLock’s identity theft protection services in a nationwide class action fraud lawsuit. The complaint alleged LifeLock did not protect the personal information of its subscribers from hackers and criminals, and specifically that, contrary to its advertisements and statements, LifeLock lacked a comprehensive monitoring network, failed to provide “up-to-the-minute” alerts of suspicious activity, and did an inferior job of providing the same theft protection services that banks and credit card companies provide, often for free. On September 21, 2016, U.S. District Judge Haywood Gilliam, Jr. granted final approval to a $68 million settlement of the case.
Lieff Cabraser represented a plaintiff in Multi-District Litigation against Samsung, LG, Motorola, HTC, and Carrier IQ alleging that smartphone manufacturers violated privacy laws by installing tracking software, called IQ Agent, on millions of cell phones and other mobile devices that use the Android operating system. Without notifying users or obtaining consent, IQ Agent tracks users’ keystrokes, passwords, apps, text messages, photos, videos, and other personal information and transmits this data to cellular carriers. In a 96-page order issued in January 2015, U.S. District Court Judge Edward Chen granted in part, and denied in part, defendants’ motion to dismiss. Importantly, the Court permitted the core Wiretap Act claim to proceed as well as the claims for violations of the Magnuson-Moss Warranty Act and the California Unfair Competition Law and breach of the common law duty of implied warranty. In 2016, the Court granted final approval of a $9 million settlement plus injunctive relief provisions.
Lieff Cabraser represented individuals who joined LinkedIn’s network and, without their consent or authorization, had their names and likenesses used by LinkedIn to endorse LinkedIn’s services and send repeated emails to their contacts asking that they join LinkedIn. On February 16, 2016, the Court granted final approval to a $13 million settlement, one of the largest per-class member settlements ever in a digital privacy class action. In addition to the monetary relief, LinkedIn agreed to make significant changes to Add Connections disclosures and functionality. Specifically, LinkedIn revised disclosures to real-time permission screens presented to members using Add Connections, agreed to implement new functionality allowing LinkedIn members to manage their contacts, including viewing and deleting contacts and sending invitations, and to stop reminder emails from being sent if users have sent connection invitations inadvertently.
Lieff Cabraser served as Plaintiffs’ Co-Lead Counsel in class action litigation against Sony for failing to take reasonable measures to secure the data of its employees from hacking and other attacks. As a result, personally identifiable information of thousands of current and former Sony employees and their families was obtained and published on websites across the Internet. Among the staggering array of personally identifiable information compromised were medical records, Social Security Numbers, birth dates, personal emails, home addresses, salaries, tax information, employee evaluations, disciplinary actions, criminal background checks, severance packages, and family medical histories. The complaint charged that Sony owed a duty to take reasonable steps to secure the data of its employees from hacking. Sony allegedly breached this duty by failing to properly invest in adequate IT security, despite having already succumbed to one of the largest data breaches in history only three years ago. In October 2015, an $8 million settlement was reached under which Sony agreed to reimburse employees for losses and harm.
Lieff Cabraser represented identity theft victims in a nationwide class action lawsuit against Intuit for allegedly failing to protect consumers’ data from foreseeable and preventable breaches, and by facilitating the filing of fraudulent tax returns through its TurboTax software program. The complaint alleged that Intuit failed to protect data provided by consumers who purchased TurboTax, used to file an estimated 30 million tax returns for American taxpayers every year, from easy access by hackers and other cybercriminals. The complaint further alleged that Intuit was aware of the widespread use of TurboTax exclusively for the filing of fraudulent tax returns. Yet, Intuit failed to adopt basic cyber security policies to prevent this misuse of TurboTax. As a result, fraudulent tax returns were filed in the names of the plaintiffs and thousands of other individuals across America, including persons who never purchased TurboTax. In May 2019, Judge Edward J. Davila of the U. S. District Court for the Northern District of California granted final approval to a settlement that provided all class members who filed a valid claim with free credit monitoring and identity restoration services, and required Intuit to commit to security changes for preventing future misuse of the TurboTax platform.
“We are now into a whole unexplored, but sensitive, area dealing with privacy in the cyberworld . . . . [T]his is an area that will foment practices, litigation, jurisprudence, and I think it’s worthwhile.”
–U.S. District Judge, September 2019, approving preliminary settlement in Lieff Cabraser’s Google Street View Litigation
“Current privacy expectations are developing, to say the least, with respect to a key issue raised in these cases–whether the data subject owns and controls his or her personal information…”
-U.S. District Judge, May 2019, denying motion to dismiss in Lieff Cabraser’s Child Online Privacy Litigation
“Your location, your messages, your heart rate after a run. These are private things. Personal things. And they should belong to you. Simple as that.”
-Technology Company, October 2019 Advertisement
Contact us
Please use the form below to contact a digital privacy attorney at Lieff Cabraser. You can also call us toll-free at 1 800 541-7358. There is no charge or obligation for our review of your case. The information you provide will help us hold companies accountable for their failures to properly secure and protect personal user information in every sphere of modern life.