Privacy and Data Security

Established leadership in an evolving legal landscape

Munger, Tolles & Olson attorneys have extensive experience advising clients on compliance with state and federal data privacy laws and defending them in civil and regulatory privacy matters.

We have represented clients before regulatory agencies and courts on matters that involve:

  • California Information Privacy Act 
  • Illinois Biometric Information Privacy Act  
  • Electronic Communications Privacy Act 
  • Children’s Online Privacy Protection Act 
  • Stored Communications Act
  • Video Privacy Protection Act 
  • Computer Fraud and Abuse Act 
  • California Consumer Privacy Act 
  • California Confidentiality of Medical Information Act  

Our practice draws on the experience of former federal prosecutors who have investigated and litigated global cybercrimes such as malware attacks, email compromise and fraud schemes, and intrusions into the networks of transnational corporations. Similarly, we have defended numerous clients in privacy matters alleging unauthorized releases of confidential information, data gathering and the use of profile and location information. 


Our Privacy and Data Security practice includes the following service areas:

  • Litigation
  • Class Actions
  • Data Breach Notification and Reporting
  • Government Investigations
  • Legislative Advice
  • Regulatory Guidance
  • Compliance Counseling
  • Cross-Border Data Transfers


Our clients for privacy and data security matters include:

  • Snap
  • Square (Block)
  • University of California
  • The Walt Disney Company
  • Meta
  • HTC
  • Upwork


Our experienced privacy and data security attorneys include:



We have been at the forefront of legal developments in this area, including representing:

  • The Kobe Bryant Estate in winning a liability finding and $15 million in damages in Vanessa Bryant’s invasion of privacy and federal civil rights suit against the Los Angeles County Sheriff’s Department for its members’ illegal taking and sharing of photos from the helicopter crash that killed Kobe Bryant, his daughter Gianna, and seven others. 
  • Snap, Inc., in:
    • Obtaining dismissal of claims alleging it is liable for individual defendants taking snaps of an assault on the plaintiff. 
    • A class action brought under the Illinois Biometric Information Privacy Act (BIPA), Martinez v. Snapchat, Inc. After we removed the case and filed a motion to dismiss or compel arbitration, the plaintiffs voluntarily dismissed their claims.
  • An online service provider in several cases, including:
    • Obtaining dismissal of Wiretap Act and Stored Communications Act claims on the basis of user consent and negotiating a favorable class settlement in a class action challenging its importation of email contacts and sending of connection invitations to those contacts.
    • Several matters against parties using bots or other technologies to engage in unauthorized data scraping, or create fake or unauthorized accounts, resulting in numerous favorable judgments or settlements.
  • Facebook in matters that include:
    • Two class actions—Lundy et al. v. Facebook et al. and Heeger v. Facebook — alleging that it misrepresented its practices with respect to the collection of location-related information when users turned off these settings, in violation of the California Invasion of Privacy Act (CIPA), the Stored Communications Act (SCA), and other laws. We obtained dismissal of all statutory damages claims brought under CIPA and the SCA on the pleadings, substantially narrowing the scope of the cases. Lundy was settled and Heeger was dismissed on a 12(b)(6) motion—a result which was featured by the Daily Journal as a highlighted verdict of the week.
    • An appellate victory that affirmed a $20 million settlement in a privacy class action alleging Facebook included user names and profile photos in ads without the users’ permission. The Ninth Circuit upheld the settlement, which included nominal per-user payments and mechanisms for users to prevent their images from being used in ads.
  • ESPN in obtaining dismissal of a high-stakes class action alleging that ESPN violated the Video Privacy Protection Act (VPPA) by disclosing Roku device IDs to a third-party data analytics company.
  • The Walt Disney Company in obtaining an injunctive-relief only settlement of a nationwide class action alleging that the online gaming apps of Disney and other developer defendants improperly collected personal data from the devices of minors for marketing purposes. There was no monetary payment to the class.
  • Block (formerly Square, Inc.), in a class action, Ruark v. Square, alleging Square sent an automatic receipt to third parties divulging confidential medical information, in violation of various state and federal privacy laws, including HIPAA. After filing a motion to dismiss, we reached a successful resolution with the individual plaintiff.
  • The University of California, in:
    • Winning a jury verdict in favor of UCLA Health System, which was accused of negligently releasing the plaintiff’s medical records in violation of California’s Confidentiality of Medical Information Act (CMIA). After a one-week trial, a Los Angeles jury rejected the plaintiff’s claim for more than $1.25 million in damages.
    • Multiple class and individual actions involving unauthorized access to computer networks that contained patients’ confidential medical information or other alleged unauthorized releases of such information. We obtained the first appellate ruling that a claim under California’s CMIA requires proof that the plaintiff’s confidential information was viewed by an unauthorized person.
  • An online payment technology company, in a privacy class action alleging that it secretly tracks and collects the personal data of users and merchants and creates “risk profiles” of these users. We secured dismissal of most claims with prejudice, including all claims seeking statutory damages. The case subsequently resolved with the individual plaintiff (with no payment to any class).
  • Mattel, in a class action, filed in the District of Northern California, alleging that a number of operators of YouTube channels aimed at children have collected personal information from users under the age of 13, in violation of the Children’s Online Privacy Protection Act (COPPA), to target the minors for advertising based on their profiles. The case was dismissed in district court on preemption grounds; however, the matter was appealed to the Ninth Circuit, which reversed the dismissal and remanded it to district court.
  • Upwork, in matters relating to impersonation by unauthorized persons posing as Upwork-endorsed freelancers on its platform.
  • Transgender, non-binary, and intersex prisoners and former prisoners of the Washington Department of Corrections, in obtaining a consent decree that bars the Department from disclosing their medical information, sexual history and history of sexual victimization in response to Public Records Act requests. The litigation, filed with Disability Rights Washington and the ACLU of Washington, led to a new law and a $2.4 million settlement in a related matter regarding access to care and cross-gender searches. 

Case Study

We specialize in challenging matters that set important precedents, which is why clients turn to us when the stakes are high and they need a knowledgeable, experienced partner to help guide matters to an efficient resolution. Our work includes:

Assurance IQ and ActiveProspect: Dismissing a class action alleging online activity tracking

Munger, Tolles & Olson successfully secured the dismissal of a class action alleging Assurance IQ and its software vendor ActiveProspect recorded users’ activity and information provided on their website in violation of California’s privacy laws. The case has been closely watched by online companies that use third-party session replay software to support customer service, compliance, and other web-related functions. In recent years, companies have been targeted by class actions advancing a novel argument that replay software use constitutes illegal wiretapping in violation of Section 631(a) of the California Invasion of Privacy Act (CIPA). 

MTO won dismissal of the lawsuit in June 2023, after a federal judge found the claims were time barred under the CIPA’s one-year statute of limitations. The court rejected the plaintiff’s argument that he was entitled to delayed discovery since he wasn’t aware that his online activity was being tracked until more than a year after he visited Assurance’s website. The court tossed the lawsuit with prejudice, finding that Assurance had properly informed Javier that his data could be used and shared in its privacy policy and that he had not properly invoked the delayed discovery rule.

Media Coverage: Assurance IQ Customer’s Web Tracking Suit Gets Tossed


Jonathan H. Blavin

Grant Davis-Denny

Robyn K. Bacon

Victoria A. Degtyareva


Munger, Tolles & Olson Partner Bethany Kristovich Discusses Important District Court Ruling Involving Privileged Information

Munger, Tolles & Olson partner Bethany Kristovich was quoted in Law360’s recent article, “Covington May Face Uphill Battle If It Appeals SEC Win,” and R...

Munger, Tolles & Olson Named Tech Litigation Department of the Year Finalist

Munger, Tolles & Olson was named a finalist for Tech Litigation Department of the Year by......