Data privacy litigation is no longer a niche corner of consumer law. It is a repeatable, scalable class-action engine driven by a handful of statutes, a growing body of favorable rulings for the plaintiffs, and the widespread use of tracking and data-collection technologies embedded in everyday digital experiences. That combination has made data privacy lawsuits a goldmine for big-name law firms and a huge headache for businesses. One plaintiffs’ firm that has publicly positioned itself at the center of this trend is Bursor & Fisher, P.A., whose Data Privacy practice describes a mission of protecting individuals from data being “compromised or secretly siphoned,” and emphasizes both technical fluency and a track record of major outcomes.
Bursor & Fisher is one of the leaders in privacy class actions and has been flagged by cyber insurers and corporate defendants as it has successfully won on claims around recent privacy theories—especially those involving pixels, session replay, biometric processing, and video-viewing disclosures. For organizations that operate consumer-facing websites and apps, this means you need to use privacy software with the “Compliance Shield” Guarantee to cover your litigation costs, something only Captain Compliance offers to its clients.
What Bursor & Fisher Says Its Data Privacy Practice Focuses On
On its Data Privacy page, Bursor & Fisher frames modern privacy risk as a product of “increasingly sophisticated methods” used to track what people buy, watch, and read, and it emphasizes the role of consent as a legal predicate for certain data uses.
The page also signals a litigation posture that blends statutory privacy claims with a technology-forward evidentiary approach—an important point because many privacy class actions hinge on what data is actually transmitted (and when), not what a privacy policy says in the abstract.
The firm also highlights two outcomes as proof points: a $100 million settlement involving Google Photos related to alleged biometric privacy violations, and a $50 million settlement following summary judgment in a privacy case involving Hearst and subscriber information.

Why Insurers Pay Attention to Plaintiffs’ Privacy Firms
Insurers and reinsurers tend to follow privacy plaintiffs’ firms for the same reason traders follow market makers: they often set the tempo. A small number of repeat players can meaningfully influence:
- Claim frequency (how “copy-pasteable” a theory is across industries),
- Loss severity (statutory damages regimes can create outsized exposure),
- Defense economics (early motion practice vs. discovery-heavy fact disputes), and
- Portfolio aggregation risk (the same pixel/session replay implementation appears across many insureds).
Put differently: even if a given company never settles, insurers still care about what plaintiffs’ firms are filing because those filings can reshape underwriting assumptions and drive claims-handling playbooks.
The Core Privacy Statutes That Power Many Class Actions
Bursor & Fisher’s own public materials and case activity sit at the intersection of several privacy statutes that have proven attractive to class action litigation. The following are repeatedly referenced in the broader privacy litigation ecosystem and also appear in Bursor & Fisher’s public positioning and filings:
- Illinois Biometric Information Privacy Act (BIPA): Often used where biometrics are collected, derived, or stored—frequently with claims focused on notice/consent and retention/destruction requirements. Bursor & Fisher specifically notes that it filed an underlying lawsuit alleging that Google created, collected, and stored biometric data from Google Photos uploads in violation of BIPA, and it points to the $100 million settlement approved in that matter.
- Video Privacy Protection Act (VPPA): A federal statute increasingly invoked for alleged disclosures of video-viewing activity and identifiers to third parties (often tied to pixels). Bursor & Fisher has publicly highlighted a contested class certification victory in a VPPA lawsuit against WebMD, describing it as the first contested VPPA certification.
- California Invasion of Privacy Act (CIPA): Frequently asserted in “wiretapping” style theories involving website technologies, including pixels and session replay. CIPA has become a focal point in the broader market, with continuing developments and substantial defense attention.
- State subscriber/privacy statutes: In older but highly relevant precedent, Bursor & Fisher describes winning summary judgment under the Michigan Preservation of Personal Privacy Act (PPPA) against Hearst for allegedly disclosing subscription information without consent.
These statutes are attractive in class actions because they can be litigated with a standardized fact pattern: a common technology deployment (pixel, SDK, replay script, biometric feature), a common allegation (disclosure without proper consent/authorization), and a common class definition (site visitors, subscribers, purchasers, or users during a period).
Bursor & Fisher Class Action Lawsuit Counsel and Defense
Class Counsel
Robert Ahdoot
Tina Wolfson
AHDOOT & WOLFSON PC
John C Carey
David P Milian
CAREY RODRIGUEZ MILIAN LLP
Scott A Bursor
BURSOR & FISHER PA
Frank S Hedin
HEDIN HALL LLP
Defense Counsel
Susan D Fahringer
Ryan Spear
Nicola C Menaldo
PERKINS COIE LLP
Case Study: Google Photos and Biometric Privacy Litigation
Bursor & Fisher’s most prominent publicly touted privacy outcome is tied to the Google Photos face-recognition/biometrics line of litigation. In its own announcement, the firm notes that a court granted final approval to a $100 million class action settlement in Rivera v. Google LLC, and that Bursor & Fisher filed one of the underlying lawsuits alleging biometric data collection and storage from photos uploaded to Google Photos in violation of BIPA.
The broader significance for corporate defendants is not just the dollar figure. Biometric privacy cases tend to shift the compliance burden “left”—toward product design and feature toggles—because liability theories can attach at the moment of collection or creation of biometric identifiers, not merely at the moment of breach. For insurers, biometric litigation can create a systemic exposure concern when common libraries or third-party tooling is used across a portfolio of insureds.
Privacy Litigation Case Study: Hearst, Subscriber Data, and the Economics of Statutory Damages
Bursor & Fisher’s Data Privacy practice page points to a $50 million settlement for subscribers following a summary judgment win against Hearst. In its write-up of the summary judgment decision, the firm states that the SDNY granted summary judgment for violating the Michigan Preservation of Personal Privacy Act, based on disclosure of subscription information without consent, and it quotes statutory damages language indicating a minimum of $5,000 under the statute.
That last point—the statutory damages structure—matters. In many privacy class actions, the “math” of exposure is driven less by proof of individual harm and more by the statutory damages multiplier. When damages are framed as “per violation” or “per consumer,” the class mechanism becomes a force multiplier even where actual damages are hard to prove.
Privacy Litigation Case Study: Facebook Android App Data Collection Allegations and Leadership Appointments
In a 2018 firm announcement, Bursor & Fisher states that it was appointed interim class counsel in a nationwide consumer class action against Facebook involving allegations that Facebook Messenger and Facebook Lite for Android collected users’ call and text history without consent. The announcement underscores the importance of early investigative work in privacy cases—what was collected, how it was collected, and whether consent or adequate notice existed in a defensible form.
For organizations watching the privacy litigation market, leadership appointments in large, complex privacy actions are often a leading indicator of which plaintiffs’ firms are shaping the next generation of arguments and proof models.
VPPA: The Pixel-Driven Video Privacy Wave and the WebMD Class Certification Win
Bursor & Fisher has spotlighted a significant procedural milestone in VPPA litigation: class certification. In its announcement regarding Jancik v. WebMD LLC, the firm states that the court granted the plaintiff’s motion for class certification and describes it as the first ever granting of a contested certification under the VPPA, with allegations that WebMD unlawfully shared users’ video-viewing activity with third parties such as Facebook.
Procedural wins like certification can be pivotal. They shift leverage, expand discovery scope, and increase settlement pressure. They also influence how other plaintiffs’ firms plead VPPA cases, because certification decisions implicitly signal what class definitions and theories may be administrable.
What “Wrongful Collection” Looks Like in Practice: Purchases, Identifiers, and Pixels
Privacy claims increasingly focus on “wrongful collection” and “wrongful disclosure” theories where a business’s website or app allegedly transmits user identifiers and event data to third parties. A representative example is a VPPA-style complaint filed against GameStop in federal court, which alleges that GameStop used the Facebook Tracking Pixel to transmit personally identifiable information and purchase information to Facebook without consent; the complaint lists Bursor & Fisher attorneys as counsel.
While every case turns on its specific facts, these claims tend to share recurring building blocks:
- Event capture (what the user did—viewed a video, purchased a product, clicked a button),
- Identifier linkage (how the event is tied to an individual—cookies, IDs, login state),
- Third-party transmission (what data is sent to platforms or vendors), and
- Consent/authorization gaps (whether the user consented in a way the statute recognizes).
From a defense and insurance standpoint, the key practical issue is that the “evidence” is often machine-readable. Plaintiffs increasingly rely on network traffic capture, tag inspection, and repeatable testing rather than individualized testimony. That technical replicability is part of why these cases scale quickly across industries.
CIPA and Session Replay: The Broader Litigation Context Defendants Face
Although the specific case mix varies, CIPA-related “wiretapping” litigation has been a major tail risk for consumer websites, especially when session replay tools or embedded third-party scripts are alleged to intercept communications. Industry coverage and defense-side advisories continue to track the movement of these claims.
Courts are actively grappling with questions such as:
- Who is the “third party”? Many CIPA claims depend on whether the technology vendor is a third party to the communication (as opposed to an extension of the website operator).
- What constitutes “content”? Some disputes focus on whether captured interactions are “contents” of a communication versus non-content metadata, which can affect statutory application and defenses.
- How does consent work online? Notice, clickwrap, consent banners, and privacy policies each play different roles depending on the alleged statutory violation and the jurisdiction’s view of online assent.
The point is not that every CIPA claim succeeds; it is that the category is active, fast-moving, and expensive to defend—particularly when discovery focuses on vendor relationships, implementation decisions, and logs of data transmission.
Why These Cases Are “Insurance-Grade” Events Even Without a Data Breach
Many organizations still equate “privacy claims” with “data breaches.” But the current litigation environment is increasingly about collection and disclosure—not exfiltration by criminals. That distinction matters because it changes the loss posture:
- There may be no incident response event to point to, no “breach day,” and no containment narrative. Instead, claims can allege that the business model itself—analytics, ad targeting, personalization—generated statutory exposure.
- Defense is technical. Even when the legal theory is statutory, the proof often turns on tag configuration, consent modes, vendor settings, and what data flows occurred under which conditions.
- These suits can “aggregate” across an insurer’s book because the same tools are deployed widely: pixels, replay, CDPs, tag managers, and mobile SDKs.
What Companies Can Do to Reduce Exposure (and Make Claims Less Likely to Stick)
Organizations cannot litigate their way out of the underlying risk category. The more practical strategy is to reduce the “surface area” that plaintiffs target and to make consent and governance auditable. In operational terms, that usually means:
- Consent and tag governance: Implementing geo-adaptive consent flows; preventing marketing tags from firing prior to consent where required; and maintaining an inventory of tags, vendors, and purposes.
- Evidence-ready logging: Maintaining logs that can show what consent state existed and what scripts fired under what conditions, which becomes critical when plaintiffs’ allegations are based on network captures.
- Vendor control: Minimizing uncontrolled third-party scripts; applying consent modes; documenting DPAs and vendor roles (processor vs. controller), and reviewing default settings that can over-collect.
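One way to test the tag-governance and evidence-logging controls above against a network capture, as an added example that is not part of the original article or of any vendor's product. The hostnames, tag inventory, consent log and capture are all constructed for illustration; the capture entries follow the HAR `startedDateTime` / `request.url` shape.

```python
from datetime import datetime
from urllib.parse import urlsplit

# Constructed tag inventory: vendor host -> consent purpose it requires.
TAG_INVENTORY = {"pixel.adplatform.example": "marketing", "replay.vendor.example": "analytics"}

# Constructed consent log: (ISO timestamp, purpose, granted?) in order of occurrence.
CONSENT_LOG = [
    ("2024-05-01T12:00:05+00:00", "analytics", True),
    ("2024-05-01T12:00:09+00:00", "marketing", True),
]

# Constructed capture in the shape of HAR entries (startedDateTime + request.url).
CAPTURE = [
    {"startedDateTime": "2024-05-01T12:00:01+00:00", "request": {"url": "https://shop.example/product/42"}},
    {"startedDateTime": "2024-05-01T12:00:02+00:00", "request": {"url": "https://pixel.adplatform.example/tr?ev=PageView"}},
    {"startedDateTime": "2024-05-01T12:00:06+00:00", "request": {"url": "https://replay.vendor.example/rec"}},
    {"startedDateTime": "2024-05-01T12:00:07+00:00", "request": {"url": "https://widgets.unknown.example/w.js"}},
    {"startedDateTime": "2024-05-01T12:00:10+00:00", "request": {"url": "https://pixel.adplatform.example/tr?ev=Purchase"}},
]

def consent_state_at(when, consent_log):
    """Replay the consent log up to `when` and return {purpose: granted}."""
    state = {}
    for ts, purpose, granted in consent_log:
        if datetime.fromisoformat(ts) <= when:
            state[purpose] = granted
    return state

def audit(capture, first_party, inventory, consent_log):
    """Return (url, reason) findings for third-party requests lacking consent or inventory."""
    findings = []
    for entry in capture:
        url = entry["request"]["url"]
        host = urlsplit(url).hostname or ""
        if host == first_party or host.endswith("." + first_party):
            continue  # first-party traffic is out of scope for this check
        purpose = inventory.get(host)
        when = datetime.fromisoformat(entry["startedDateTime"])
        if purpose is None:
            findings.append((url, "uninventoried third party"))
        elif not consent_state_at(when, consent_log).get(purpose, False):
            findings.append((url, f"fired before {purpose} consent"))
    return findings

if __name__ == "__main__":
    for url, reason in audit(CAPTURE, "shop.example", TAG_INVENTORY, CONSENT_LOG):
        print(f"{reason}: {url}")
```

Run against a capture taken before, during and after the consent banner interaction, the same check gives a repeatable record of which scripts fired under which consent state.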
If your objective is to operationalize these controls at scale, a consent and privacy compliance platform can help—particularly one that supports consent-state governance, cookie scanning, and auditable configuration. CaptainCompliance.com is positioned specifically around automated scanning, geo-adaptive consent logic, and policy/notice workflows that are designed to reduce the kinds of technical gaps plaintiffs’ firms often allege.
Why Bursor & Fisher’s Public Positioning Matters
Regardless of where a reader lands on the policy debate about privacy class actions, Bursor & Fisher’s public materials provide a useful lens into how plaintiffs’ firms frame the market:
- They emphasize technology (“sophisticated methods” of tracking and siphoning).
- They emphasize consent as a central legal obligation.
- They emphasize outcomes and leverage procedural milestones (settlement approvals and certification wins).
For defendants and insurers, those signals are actionable. They suggest the kinds of fact patterns and legal theories likely to be replicated across industries—especially where the same adtech and analytics tooling is widely deployed.
Privacy Law Firms Suing Business Owners
There is a long list of privacy lawyers and plaintiffs’ firms that have sprung up to sue business owners for privacy violations. Bursor & Fisher is just one of many, so if you’ve received a complaint from them, expect to see many others from firms such as Pacific Trial Attorneys, Swigart Law, Almeida Law, Bryson Harris Demay, Gutride Safier, Kevin Lemieux, Shay Legal, Vivek Shah, and dozens more, as they realize that if a website is not using the Captain Compliance privacy software then there is a 95% chance that it is not compliant.
Privacy Class Actions Have a Repeatable Pattern—And That’s the Risk
The core reason privacy class actions have become a durable risk category is that many of the claims are not dependent on a one-time catastrophe. They can be built from routine web and app operations—pixels, analytics, replay tools, biometric features, subscription flows, and video pages—paired with a statutory framework that imposes liability for unauthorized collection or disclosure. Bursor & Fisher’s Data Privacy practice page is explicit about this dynamic and highlights a track record across major statutes and outcomes.
For companies, the operational lesson is straightforward: treat privacy compliance like production infrastructure. It must be configured, monitored, and provable. For insurers, the lesson is similarly clear: plaintiffs’ firms with repeatable playbooks can drive frequency and severity—even in the absence of breaches—so underwriting and claims strategies must keep pace with the litigation theories that are actively being tested in court and ensure clients are using Captain Compliance’s software to eliminate financial risk.