Privacy and Data Security
Established leadership in an evolving legal landscape
Munger, Tolles & Olson attorneys have extensive experience advising clients and defending against alleged violations of data privacy and information security laws.
We have represented clients before regulatory agencies and all levels of state and federal courts on matters that include the California Information Privacy Act, Illinois Biometric Information Privacy Act, the Electronic Communications Privacy Act, the Children’s Online Privacy Protection Act, the Stored Communications Act, the Video Privacy Protection Act, the Computer Fraud and Abuse Act, and the California Confidentiality of Medical Information Act. We also counsel clients on compliance with the California Consumer Privacy Act, other state and federal privacy laws, and cross-border data transfer issues related to the GDPR.
Our practice draws on the experience of former federal prosecutors who have investigated and litigated global cybercrimes such as malware attacks, email compromise and fraud schemes, and intrusions into the networks of transnational corporations.
Our Privacy and Data Security practice includes the following service areas:
Our clients for privacy and data security matters include:
- The Walt Disney
- University of
Our experienced privacy and data security attorneys include:
We have been at the forefront of legal developments in this area, including representing:
- Snap in a class action brought under the Illinois Biometric Information Privacy Act (BIPA), Martinez v. Snapchat, Inc. After we removed the case and filed a motion to dismiss or compel arbitration, the plaintiffs voluntarily dismissed their claims.
- An online service provider in several cases, including:
- Obtaining dismissal of Wiretap Act and Stored Communications Act claims on the basis of user consent and negotiating a favorable class settlement in a class action challenging its importation of email contacts and sending of connection invitations to those contacts.
- Various matters involving unauthorized data scraping, fake accounts, and inauthentic engagement, resulting in numerous favorable judgments or settlements.
- Facebook in matters that include:
- Two class actions—Lundy et al. v. Facebook et al. and Heeger v. Facebook — alleging that it misrepresented its practices with respect to the collection of location-related information when users turned off these settings, in violation of the California Invasion of Privacy Act (CIPA), the Stored Communications Act (SCA), and other laws. We obtained dismissal of all statutory damages claims brought under CIPA and the SCA on the pleadings, substantially narrowing the scope of the cases. Lundy was settled in August 2022. Heeger was dismissed in January 2021 on a 12(b)(6) motion—a result which was featured by the Daily Journal as a highlighted verdict of the week.
- An appellate victory that affirmed a $20 million settlement in a privacy class action alleging Facebook included user names and profile photos in ads without the users' permission. The Ninth Circuit upheld the settlement, which included nominal per-user payments and mechanisms for users to prevent their images from being used in ads.
- ESPN in obtaining dismissal of a high-stakes class action alleging that ESPN violated the Video Privacy Protection Act (VPPA) by disclosing Roku device IDs to a third-party data analytics company.
- The Walt Disney Company in obtaining an injunctive-relief only settlement of a nationwide class action alleging that the online gaming apps of Disney and other developer defendants improperly collected personal data from the devices of minors for marketing purposes. There was no monetary payment to the class.
- Block (previously Square, Inc.), in a class action, Ruark v. Square, alleging Square sent an automatic receipt to third parties divulging confidential medial information, in violation of various state and federal privacy laws, including HIPAA. After filing a motion to dismiss, we reached a successful resolution with the individual plaintiff.
- HTC in nationwide class actions alleging that installation and use of Carrier IQ software on smartphone devices violates the federal Wiretap Act, Stored Communications Act, Computer Fraud and Abuse Act, and other laws.
- Upwork in matters relating to impersonation by unauthorized persons posing as Upwork-endorsed freelancers on its platform.
- The University of California in winning a jury verdict in favor of UCLA Health System, which was accused of negligently releasing the plaintiff’s medical records in violation of California’s Confidentiality of Medical Information Act (CMIA). After a one-week trial, a Los Angeles jury rejected the plaintiff’s claim for more than $1.25 million in damages.
- The University of California in multiple class and individual actions involving unauthorized access to computer networks that contained patients’ confidential medical information or other alleged unauthorized releases of such information. We obtained the first appellate ruling that a claim under California’s CMIA requires proof that the plaintiff’s confidential information was viewed by an unauthorized person.
- An online payment technology company in a privacy class action alleging that it secretly tracks and collects the personal data of users and merchants and creates “risk profiles” of these users. We secured dismissal of most claims with prejudice, including all claims seeking statutory damages. The case subsequently resolved with the individual plaintiff (with no payment to any class).
We specialize in challenging matters that set important precedents, which is why clients turn to us when the stakes are high and they need a knowledgeable, experienced partner to help guide matters to an efficient resolution. Our work includes:
- ESPN: Dismissing a Video Privacy Protection Act class action
Munger, Tolles & Olson represented ESPN in obtaining dismissal of a high-stakes Video Privacy Protection Act (VPPA) class action in Eichenberger v. ESPN, Inc. After representing ESPN at the trial and appellate courts, we won a victory in the Ninth Circuit when the court unanimously affirmed the district court's ruling dismissing a class action alleging that ESPN violated the VPPA by disclosing Roku device IDs to a third-party data analytics company on the theory that Roku device IDs constitute “personally identifiable information” under the VPPA. In addition to the critical legal issues, the suit also carried the possibility of statutory damages of up to $2,500 per violation.
Media Coverage: 9th Circ. Says ESPN App User's Data Isn't Personal Info