On October 10, 2023, Judge Vince Chhabria of the Northern District of California granted final approval to a $725 million settlement in the Facebook Cambridge Analytica litigation — the largest data privacy class action recovery in the history of the United States. The settlement was the culmination of years of complex, technically demanding litigation against one of the most powerful and best-resourced technology companies on earth. It established legal standards for platform accountability for third-party data access that will shape privacy litigation for a generation.

Keller Rohrback L.L.P. was one of the firms that made it happen.
That single fact — participation in the largest consumer privacy settlement ever achieved — is the most efficient possible description of where Keller Rohrback sits in the landscape of plaintiff privacy litigation. But it significantly understates the firm’s full profile. The Cambridge Analytica settlement sits alongside a record that includes central roles in the T-Mobile data breach MDL, the VIZIO smart television privacy settlement, and a consistent pattern of appointment as lead or co-lead counsel in the most complex, high-stakes data privacy proceedings in the federal court system.
Keller Rohrback is not a boutique privacy plaintiff firm chasing session replay cases and CIPA statutory damages. It is a century-old complex litigation institution — founded in 1919 in Seattle — that has evolved its complex case capabilities to become one of the most consequential forces in national data privacy litigation. Understanding what this firm does, how it operates, and what its landmark cases mean for the compliance landscape is essential for any organization managing data privacy risk at scale.
The Firm: A Century of Complex Litigation, A Decade of Privacy Leadership
Institutional Foundation
Keller Rohrback L.L.P. was founded in Seattle, Washington in 1919 — making it one of the oldest continuously operating plaintiff-side complex litigation firms in the United States. Over more than a century of practice, the firm has developed and refined the institutional capabilities that complex litigation demands: massive discovery management, multi-jurisdiction coordination, expert witness development, complex damages modeling, and the organizational stamina to sustain years-long litigation against the most resource-rich defendants in the world.
The firm operates from offices in Seattle, New York, Oakland, and Phoenix, with a geographic footprint that mirrors the technology industry centers most relevant to its data privacy practice. The Seattle headquarters situates the firm in the Pacific Northwest technology corridor — home to Amazon, Microsoft, Expedia, and dozens of technology companies whose data practices are potential litigation subjects. The Oakland and New York offices provide proximity to Bay Area technology giants and the major financial institutions that are also within the firm’s litigation scope.
With a staff that includes attorneys across its multiple practice areas — consumer privacy, ERISA, financial products, employee benefits, environmental law, and securities — Keller Rohrback is not a privacy specialty boutique but a full-service complex litigation operation that brings cross-disciplinary capabilities to privacy cases. The combination of privacy expertise, financial services litigation experience, and ERISA practice gives the firm tools that purely privacy-focused firms do not have.
The Complex Litigation Group
The firm’s Complex Litigation Group is the institutional home of its data privacy and security practice. Led by senior partners including Derek W. Loeser and Lynn Lincoln Sarko — both of whom have been central to the firm’s landmark privacy recoveries — the group has assembled a team with deep expertise in the specific demands of complex privacy litigation: technical evidence development, class certification in data breach contexts, MDL leadership, and the negotiation of landmark settlements with some of the world’s most sophisticated defense teams.
Derek Loeser and Lynn Lincoln Sarko are among the most accomplished complex litigation attorneys in the plaintiff bar. Their track record — which includes not just privacy cases but landmark ERISA and financial products class actions — reflects a depth of complex litigation experience that is rare even among senior plaintiff practitioners. When courts appoint Keller Rohrback as lead MDL counsel, they are making a judgment about this institutional and individual capability.
The MDL Appointment Standard
Keller Rohrback’s consistent appointment as lead or co-lead counsel in Multi-District Litigation proceedings is one of the most significant indicators of the firm’s standing in the plaintiff complex litigation bar. MDL appointments are not routine — they require courts to evaluate competing firms and select the one (or the small group) with the greatest demonstrated capacity to manage the organizational complexity of consolidated national litigation.
An MDL is a procedural mechanism that consolidates related cases filed in multiple federal districts into a single proceeding for pretrial purposes. In major data privacy cases — where thousands of plaintiffs may file in dozens of different federal courts — MDL consolidation is routine. Managing the consolidated proceeding requires coordinating with dozens of other plaintiff firms, managing discovery across potentially dozens of defendants or third parties, developing comprehensive class certification motions, briefing complex legal issues across multiple theories, and serving as the primary negotiating counterparty in settlement discussions.
The organizational demands of MDL leadership are substantial. Firms without the resources, infrastructure, and case management capabilities to sustain MDL proceedings do not receive these appointments repeatedly. Keller Rohrback’s track record of MDL leadership is a direct marker of the firm’s place at the top tier of complex plaintiff litigation.
The Landmark Cases: Building the Law of Data Privacy Accountability
In re Facebook, Inc. Consumer Privacy User Profile Litigation — The $725 Million Standard
The Facebook Cambridge Analytica settlement is the defining case in Keller Rohrback’s privacy practice and one of the most significant legal events in the history of consumer data privacy law. Understanding what happened, what the litigation established, and why it continues to matter for compliance professionals requires understanding the Cambridge Analytica scandal in its full technical and legal context.
The Cambridge Analytica Data Harvest: What Actually Happened
Facebook’s platform, beginning in the early 2010s, provided third-party developers with access to user personal data through an API — a technical interface that allowed apps to request information about users who installed the app and, critically, about those users’ Facebook friends. The “friends’ data” access was the mechanism through which the Cambridge Analytica data harvest became so significant.
Cambridge Analytica — a political consulting firm affiliated with Steve Bannon and funded by Robert Mercer — obtained access to Facebook user data through a personality quiz app called “This Is Your Digital Life,” developed by Aleksandr Kogan, a Cambridge University researcher. The app was installed by approximately 270,000 Facebook users. But through the friends’ data API access, the app harvested data on approximately 87 million Facebook users — the friends and friends-of-friends of those 270,000 installers — without those individuals’ knowledge or consent.
Facebook’s platform design had enabled this harvesting. The API access that allowed apps to collect friends’ data was a deliberate product decision — it made the platform more attractive to developers and enabled social features that increased user engagement. The consequence was that the data of tens of millions of Facebook users was accessible to any developer whose app was installed by someone with access to those users’ friend network.
Cambridge Analytica used this data to build psychographic profiles of American voters — detailed personality and preference assessments derived from Facebook behavioral data — which it then used in targeted political advertising campaigns, including for Donald Trump’s 2016 presidential campaign. The revelation of this data harvest, reported by The Guardian and The New York Times in March 2018, triggered a global crisis for Facebook and congressional hearings that put Mark Zuckerberg before Congress.
The Legal Theory: Platform Accountability for Third-Party Access
The legal significance of the Cambridge Analytica litigation — and Keller Rohrback’s contribution to it — goes beyond the headline settlement number. The case established important legal principles about platform accountability for third-party data access that apply far beyond the Facebook context.
The core theory: Facebook made representations to users about how their personal data would be used and who would have access to it. Those representations — in Facebook’s data policy, its terms of service, and its public statements — created legally enforceable obligations. When Facebook enabled third-party developers to harvest user data far beyond what users understood or consented to, it violated those obligations.
Facebook’s defense was predictable: users had agreed to terms of service that disclosed the platform’s data sharing practices, and Cambridge Analytica (not Facebook) was the bad actor who misused the data. Keller Rohrback and co-counsel defeated this defense by establishing that the platform’s own API design enabled the unauthorized harvest — that Cambridge Analytica could not have obtained 87 million users’ data without Facebook deliberately building an API that allowed app developers to access friends’ data without those friends’ consent.
This platform-as-enabler theory is the lasting legal legacy of the Cambridge Analytica settlement. A platform that designs data access mechanisms enabling third-party misuse of user data can be held liable for that misuse, even when the proximate cause of harm is the third party. This principle has profound implications for any company that provides third-party developers, partners, or advertising platforms with access to user data through APIs, SDKs, or data sharing arrangements.
The $725 Million Settlement: What Made It Possible
Several factors combined to produce the landmark settlement amount:
The scale of affected users. 87 million affected users in a class action context creates aggregate damages exposure that is difficult to manage through litigation. Even modest per-user damages multiply into enormous aggregate numbers at that scale.
The reputational and regulatory context. Cambridge Analytica erupted at a moment of maximum public concern about Facebook’s data practices. The Congressional hearings, the FTC’s parallel investigation (which ultimately produced a $5 billion penalty against Facebook — the largest FTC penalty in history at the time), and the global regulatory response under GDPR created enormous institutional pressure on Facebook to resolve the civil litigation.
The quality of the plaintiff representation. The $725 million outcome required plaintiff counsel capable of sustaining complex litigation through years of discovery, class certification briefing, and settlement negotiation — with the technical expertise to understand and articulate the platform’s data architecture, the legal expertise to develop and defend novel theories of platform liability, and the credibility to negotiate a settlement that courts and class members would find adequate. Keller Rohrback brought all of these capabilities.
The congressional and regulatory feedback loop. The parallel FTC investigation — which was directly informed by the civil litigation’s factual development — created a feedback dynamic in which settlement pressure from the civil case and regulatory pressure from the FTC were mutually reinforcing. Facebook resolved the FTC matter with a $5 billion penalty and simultaneously negotiated the civil class settlement, creating a combined accountability outcome of nearly $6 billion in a single data privacy scandal.
T-Mobile Data Breaches — The 2021 and 2022 Cases
Keller Rohrback’s involvement in the T-Mobile data breach litigation — arising from both the 2021 breach affecting 76.6 million customers and the 2022 breach affecting 37 million accounts — establishes the firm’s position at the top tier of data breach class action practice alongside Hausfeld.
The 2021 Breach: Security Failures at Scale
The 2021 T-Mobile breach exposed the personal information of approximately 76.6 million Americans — one of the largest data breaches in U.S. history by affected population. The exposed data included names, Social Security Numbers, dates of birth, driver’s license information, and IMEI numbers. Internal investigation revealed that the attacker had been inside T-Mobile’s systems for weeks before detection — a dwell time that is itself evidence of inadequate security monitoring.
The $350 million settlement — reached with Hausfeld as co-lead counsel — was structured to address both the retrospective harm and the prospective security failures. In addition to the settlement fund, T-Mobile was required to invest $150 million in data security improvements over two years — a mandatory security investment component that has become a template for major data breach settlements.
The T-Mobile settlement’s per-capita significance — often described as among the largest per-capita data breach settlements in U.S. history — reflects the quality of the damages analysis and class certification work that plaintiff counsel including Keller Rohrback developed. Per-capita outcomes in data breach cases are a function of both the size of the settlement fund and the rigor of the damages methodology that establishes how class members’ harm should be calculated. Keller Rohrback’s ERISA and financial products practice background — which includes extensive complex damages modeling — contributes directly to the firm’s ability to develop compelling damages analyses in privacy cases.
The 2022 Breach: Recidivism as an Aggravating Factor
The 2022 T-Mobile breach — occurring approximately one year after the 2021 breach and the initiation of the related litigation — created a distinctive liability dynamic: a company that had already acknowledged security failures in the 2021 breach suffered another significant breach while that litigation was active.
The recidivism dimension — a second major breach at a company already under legal scrutiny for security failures — is a powerful fact pattern for plaintiffs. It supports arguments that the first breach did not produce adequate remediation, that security improvement commitments were not fulfilled, and that the company’s security governance was fundamentally inadequate rather than the victim of an isolated failure. In damages terms, a pattern of repeated breaches supports gross negligence arguments that can expand damages beyond the ordinary negligence standard.
For corporate defendants generally, the T-Mobile two-breach pattern is a cautionary illustration of how a first breach creates not only the immediate litigation but a heightened duty of care whose breach in a subsequent incident generates compounded liability.
VIZIO Consumer Privacy Litigation — The Smart Television Privacy Frontier
Keller Rohrback’s class settlement in the VIZIO consumer privacy litigation addressed a category of privacy violation that most compliance teams outside the consumer electronics industry have not fully considered: the collection and sale of television viewing history by smart TV manufacturers without adequate disclosure or consent.
What VIZIO Was Doing
VIZIO, one of the largest television manufacturers in the United States, deployed “Automatic Content Recognition” (ACR) technology in its smart televisions. ACR works by capturing pixel-by-pixel images of what is displayed on the television screen — regardless of how the content is delivered (over-the-air broadcast, cable, streaming, gaming) — and matching those images against a database of known content to identify what the viewer is watching.
VIZIO collected this ACR data from millions of televisions and sold aggregated and individual-level viewing data to advertising companies and data brokers. The data could be linked to individuals through their IP addresses and other identifiers, enabling advertisers to target viewers based on their actual television watching behavior — not just their internet browsing.
VIZIO had not adequately disclosed this data collection to consumers. The television’s ACR feature was enabled by default. The disclosure in VIZIO’s terms of service was not specific enough to put consumers on notice that their moment-by-moment viewing history was being captured, transmitted to VIZIO’s servers, and sold to advertisers.
The VPPA Application to Smart Televisions
The Video Privacy Protection Act, enacted in 1988 in response to video rental store disclosure concerns, prohibits video tape service providers from knowingly disclosing personally identifiable information about consumer viewing behavior. Keller Rohrback’s VIZIO case applied this framework to smart television ACR data collection — arguing that a television manufacturer that collects viewing data and sells it to advertising companies is a “video tape service provider” disclosing “personally identifiable information” in connection with video materials.
The VIZIO settlement established that VPPA exposure is not limited to streaming services or video subscription platforms. Any company that collects and monetizes data about consumers’ video viewing behavior — including television hardware manufacturers deploying ACR technology — is a potential “video tape service provider” subject to the VPPA’s disclosure prohibitions.
This VPPA application to hardware manufacturers is significant beyond the VIZIO context. Smart televisions, set-top boxes, cable provider apps, gaming consoles that stream video content, and any other device or platform that collects viewing history data faces the same statutory framework. The compliance imperative — specific, informed consent for the disclosure of viewing history to third parties — is the same regardless of the technical delivery mechanism.
The Connected Device Privacy Frontier
The VIZIO case points toward a broader connected device privacy compliance challenge that is intensifying as consumer electronics become more data-intensive. Smart speakers, smart home devices, connected appliances, wearable health monitors, and in-vehicle infotainment systems all collect behavioral data about their users — sometimes in continuous, always-on surveillance modes that generate far more intimate data than traditional internet browsing.
Keller Rohrback’s VIZIO work signals that the firm’s privacy practice extends into the connected device space — and that the legal frameworks applicable to internet privacy (VPPA, ECPA, state wiretapping statutes) apply with equal force to the data collection practices of connected consumer devices.
The Legal Theories: A Technical and Doctrinal Analysis
Computer Fraud and Abuse Act (CFAA)
The Computer Fraud and Abuse Act is a federal statute that prohibits unauthorized access to protected computers. In the data privacy context, Keller Rohrback has pursued CFAA claims in cases where third parties accessed user data without authorization — either by circumventing platform security controls or by exceeding the scope of authorized access.
The Cambridge Analytica fact pattern illustrates the CFAA application: Cambridge Analytica (through Kogan’s app) obtained data under the guise of an authorized academic research app, then used that data for commercial political consulting purposes that exceeded the scope of the platform’s authorized use. The argument: exceeding the authorized scope of platform access constitutes “unauthorized access” under the CFAA.
Courts have been inconsistent on the scope of the CFAA’s “unauthorized access” prohibition — some have narrowly construed it to require circumventing technical access controls, while others have applied it more broadly to conduct that exceeds authorized use terms. The Supreme Court’s 2021 decision in Van Buren v. United States narrowed the CFAA’s scope in some respects while leaving its application to third-party developer overreach unresolved. Keller Rohrback continues to develop CFAA theories as the case law evolves.
The CFAA’s significance in privacy cases is its federal character — providing federal jurisdiction for privacy claims that might otherwise require state court filing — and its civil remedies, which include actual damages and injunctive relief.
The Negligence Framework in Data Breach Cases
Keller Rohrback’s data breach litigation is built on a sophisticated negligence framework that goes beyond the simple assertion that “the company should have had better security.” The firm’s negligence theory in breach cases like T-Mobile rests on four elements:
The duty of care. Companies that collect and store large volumes of personal information owe a duty of care to protect that information against foreseeable unauthorized access. The scope of this duty is commensurate with the sensitivity and volume of information held — a company with 76 million users’ Social Security Numbers owes a higher duty of care than a company with only email addresses.
The breach of duty through known unaddressed vulnerabilities. The most powerful element of Keller Rohrback’s negligence cases is evidence of security vulnerabilities that were known to the defendant and not adequately remediated. Internal security assessments, audit reports, and executive communications that identified security gaps — combined with evidence that adequate remediation resources were not allocated — support gross negligence arguments that expand potential damages beyond the ordinary negligence standard.
Causation through technical forensics. Establishing that the specific breach was caused by the specific unaddressed vulnerability — rather than by an unforeseeable attack vector or unavoidable sophisticated intrusion — requires detailed forensic analysis linking the attacker’s method of entry to the known vulnerability. Keller Rohrback’s technical evidence development in breach cases includes this forensic causation analysis.
Damages through a sophisticated multi-component framework. Data breach damages are legally contested terrain. Defendants argue that nominal information exposure without documented misuse produces no recoverable harm. Keller Rohrback counters with damages theories that include: the increased risk of future fraud, the cost of protective measures (credit monitoring, fraud alerts, identity theft remediation), the loss of the economic value of the compromised personal information, and the loss of privacy as an injury in itself.
The Implied Contract Theory
Every company that publishes a privacy policy is, under Keller Rohrback’s implied contract theory, making legally enforceable promises about how it will handle user data. The privacy policy does not merely describe what the company does — it represents what the company has committed to do. When actual practices fall short of those representations, the shortfall is a breach of implied contract whose measure is the consumer’s reliance damages — the value of the privacy protection they were promised and did not receive.
The implied contract theory is particularly powerful in cases where the privacy policy makes specific, concrete representations: “We will never sell your personal information,” “Your data is protected by industry-leading security,” “We do not share your data with advertisers without your consent.” When those specific representations turn out to be false, the breach of contract claim is concrete and well-defined.
For compliance teams, the implied contract theory creates a specific imperative that goes beyond HIPAA and CIPA compliance: your privacy policy must accurately represent your actual practices in every specific representation it makes. Vague aspirational language (“we take your privacy seriously”) creates less implied contract exposure than specific, measurable representations (“we use AES-256 encryption for all stored personal data”). Reviewing privacy policies through the lens of implied contract liability — assessing each specific representation against the actual technical reality — is an essential component of privacy legal risk management.
VPPA: Beyond Streaming Services
As the VIZIO case illustrates, Keller Rohrback’s VPPA practice extends the statute’s application well beyond traditional video rental and subscription streaming contexts. The firm’s view of VPPA coverage — encompassing any entity that collects and shares consumers’ video viewing data — is broadly applicable to the modern digital entertainment landscape:
- Smart TV manufacturers deploying ACR technology.
- Cable and satellite providers sharing channel-viewing data with advertising partners.
- Gaming platforms that collect and share data about video content watched through their systems.
- Automotive infotainment systems that track in-vehicle video viewing.
- Social media platforms that collect data about video content users watch on the platform and share that data with advertising systems.
Each of these contexts involves the collection and potential disclosure of personally identifiable video viewing information — the exact conduct the VPPA prohibits without specific, informed consent. Keller Rohrback’s VIZIO precedent is the template for VPPA claims across all of these categories.
The Industries and Defendants in Keller Rohrback’s Targeting Scope
Major Technology Platforms
Facebook / Meta is the most prominent technology platform defendant in Keller Rohrback’s portfolio, but the Cambridge Analytica case’s legal framework — platform accountability for third-party data access enabled by the platform’s own design — applies to any major technology platform that provides API or SDK access to user data for third-party developers.
Every major technology platform that operates a developer ecosystem — Apple’s App Store, Google Play, Amazon AWS marketplace, Salesforce’s AppExchange, any platform with a third-party developer API — faces the potential liability that the Cambridge Analytica case articulates: if the platform’s data access architecture enables unauthorized data harvesting by third-party developers, the platform may share liability for that harvesting even when the developer is the proximate wrongdoer.
Telecommunications Companies
Keller Rohrback’s T-Mobile work establishes the firm’s position in telecommunications privacy and security litigation. Telecom companies handle uniquely sensitive data — call records, location history, message content, account credentials — for populations measured in the tens of millions, and their historical underinvestment in consumer-grade security creates catastrophic breach exposure when security failures occur.
The telecommunications sector is also subject to specific federal regulatory frameworks — FCC regulations on customer proprietary network information (CPNI), FTC unfair and deceptive practices authority, and state attorney general consumer protection authority — that create regulatory liability alongside civil class action exposure. A major telecom breach generates simultaneous FCC inquiry, FTC investigation, and civil class action — the same compounding institutional pressure that defines the modern data breach enforcement environment.
Consumer Electronics and Connected Device Manufacturers
The VIZIO case establishes Keller Rohrback’s interest in connected device privacy. As consumer electronics become more sophisticated data collection platforms — smart TVs, smart speakers, connected appliances, in-vehicle systems — the data practices of device manufacturers are increasingly within the scope of privacy litigation frameworks that were designed for software and online services.
Consumer electronics companies that have not specifically audited their data collection practices, user consent mechanisms, and third-party data sharing arrangements for VPPA, ECPA, and state privacy law compliance are operating with meaningful unmanaged risk.
Financial Services and ERISA
Keller Rohrback’s ERISA and financial products practice background creates a specific capacity to pursue privacy and data security cases in financial services contexts — cases that involve both the financial data privacy frameworks (GLBA, FCRA, state financial privacy laws) and the fiduciary duty frameworks (ERISA) that apply to retirement plan data and employee benefits data.
Financial services companies and ERISA plan sponsors that handle large volumes of employee personal and financial data face Keller Rohrback exposure across both the privacy and the fiduciary frameworks — a cross-disciplinary liability profile that few plaintiff firms can fully develop.
The MDL Leadership Model: Why It Matters for Defendants
What MDL Leadership Actually Involves
Being appointed lead counsel in a major data privacy MDL is an institutional achievement that reflects both the quality of the firm’s litigation capabilities and the respect that courts have for its ability to manage complex, multi-party proceedings. Understanding what MDL leadership actually involves helps compliance professionals appreciate what their organization faces when Keller Rohrback is leading the plaintiff coalition.
Discovery coordination. In a major MDL, plaintiff counsel must coordinate discovery requests across potentially dozens of plaintiffs and defendants, manage the review and analysis of millions of documents, develop and defend expert witnesses on technical and damages issues, and ensure that the factual record developed in pretrial proceedings is comprehensive enough to support class certification and trial.
Plaintiff coalition management. MDL lead counsel must manage relationships with dozens of other plaintiff firms whose clients are part of the consolidated proceeding — coordinating legal strategy, allocating work, and ensuring that the consolidated litigation speaks with a coherent voice on key legal issues.
Settlement authority negotiation. Lead MDL counsel negotiates with defendants on behalf of the entire plaintiff class — developing settlement terms that are fair and adequate for thousands of class members with varying circumstances. This requires both negotiating skill and the credibility that comes from demonstrated trial capability.
Court management. Lead counsel in an MDL has an ongoing relationship with the presiding judge — managing case schedules, briefing key legal disputes, and representing the plaintiff class in all significant court proceedings. Courts appoint lead counsel based on their confidence that the firm can manage this relationship effectively.
Keller Rohrback’s track record of MDL appointments reflects consistent performance across all of these dimensions. For defendants in MDL proceedings where Keller Rohrback is lead counsel, the practical implication is that the opposing plaintiff coalition is well-organized, well-resourced, and led by attorneys with deep experience in exactly the kind of litigation they are engaged in.
What Keller Rohrback’s Cases Mean for Corporate Privacy Compliance
The Third-Party Access Audit Imperative
The Cambridge Analytica case’s most durable compliance lesson is that platform accountability for third-party data access is real and expensive. Any company that provides third-party developers, business partners, or advertising platforms with access to user data through APIs, SDKs, or data sharing arrangements must treat those access grants as potential liability events — not merely as technical product decisions.
The audit imperative: systematically review every third-party data access permission your platform or product provides. For each permission, document: what data is accessible, to whom, for what purposes, and under what limitations. Assess whether each access grant is covered by user consent that is specific enough to encompass the actual use case. Assess whether each third-party recipient has contractually committed to using the data only for authorized purposes. Assess whether you have monitoring mechanisms to detect unauthorized use of the access.
This audit is not merely a best practice — it is the compliance work that the Cambridge Analytica legal framework demands. If you provide third-party API access to user data and a bad actor harvests that data for unauthorized purposes using your API, Keller Rohrback’s legal theory holds that you may share liability for the harvest.
The Security Documentation Imperative
Keller Rohrback’s negligence framework in breach cases creates a specific documentation imperative that goes beyond simply having good security. You must also be able to demonstrate, through documentation, that your security program was adequate relative to the risks you faced — and that known vulnerabilities were identified and addressed with appropriate resources and timelines.
The documentation that builds the gross negligence case Keller Rohrback brings against breach defendants is internal documentation showing that known vulnerabilities were not adequately remediated. The documentation that defeats that case is the same kind of internal record, showing instead that vulnerabilities were identified, risk-prioritized, and remediated with appropriate resources and timelines.
Security governance documentation must include: regular security risk assessments with documented findings; remediation plans for identified vulnerabilities with assigned owners and timelines; evidence of actual remediation, not just planned remediation; board-level review of material security risks and investment decisions; and incident response plan testing with documented outcomes.
This documentation is both good security governance and litigation preparation. A defendant with a complete, well-maintained security governance record is substantially better positioned in Keller Rohrback’s negligence framework than a defendant whose security program existed but was not documented.
The Smart Device VPPA Compliance Gap
The VIZIO settlement should function as a compliance wake-up call for any company in the consumer electronics, media technology, or connected device space. The VPPA applies to video viewing data collection regardless of the hardware mechanism — ACR in smart TVs, pixel-level capture in set-top boxes, playback monitoring in gaming consoles. The consent requirement is specific and demanding: informed, affirmative consent for the disclosure of video viewing history to third parties.
Many consumer device manufacturers have ACR or similar viewing data collection features that are enabled by default, disclosed in terms of service that users do not read, and sold to advertising companies or data brokers without consumer awareness. This configuration — which was VIZIO’s configuration — is the VPPA fact pattern that generates liability. The compliance fix is straightforward: default-off data collection, specific affirmative consent for sharing, and honest disclosure of exactly what data is collected and how it is used.
Frequently Asked Questions About Keller Rohrback Privacy Litigation
What made the Facebook Cambridge Analytica settlement the largest in data privacy history?
The combination of scale (87 million affected users), the quality of the legal theories (platform accountability for third-party access enabled by the platform’s own design), the parallel regulatory pressure from the FTC’s $5 billion penalty proceeding, and the quality and credibility of plaintiff counsel including Keller Rohrback. No single factor produced the $725 million outcome — it was the combination of all of these elements, sustained over years of complex litigation.
How does Keller Rohrback’s CFAA practice interact with privacy claims?
The CFAA provides federal jurisdiction for privacy claims that might otherwise be limited to state court, and it specifically targets unauthorized data access — a theory that applies in cases like Cambridge Analytica where third-party developers accessed user data beyond the scope of their authorized use. Post-Van Buren, the CFAA’s scope is more limited than before, but Keller Rohrback continues to develop CFAA theories in cases where the unauthorized access element is clearly satisfied.
What is the compliance lesson from the two T-Mobile breaches?
A first breach creates a heightened duty of care, and failing to meet that duty in a second incident is evidence of gross negligence, not merely ordinary negligence. Companies that experience breaches must treat the compliance remediation commitment as absolute — not as a best-efforts aspiration. A second breach at a company that already acknowledged security failures in a first breach is among the most damaging fact patterns in data breach litigation.
Does the VPPA apply to my smart television or connected device product?
If your product collects data about consumers’ video viewing behavior and shares or discloses that data to third parties — advertisers, data brokers, analytics companies — you face VPPA analysis under Keller Rohrback’s framework. The VIZIO case establishes that the VPPA is not limited to streaming services or rental platforms. Hardware manufacturers and device platforms that collect and monetize viewing data face the same statutory framework.
How does Keller Rohrback’s ERISA practice background affect its privacy litigation approach?
It provides cross-disciplinary capability that most privacy plaintiff firms lack — specifically, expertise in complex damages modeling, fiduciary duty analysis, and the litigation dynamics of employee benefits cases. In the privacy context, this background contributes to the sophisticated damages analyses that have produced landmark per-capita settlements and to the firm’s capacity to pursue privacy cases in financial services contexts where ERISA and privacy frameworks overlap.
What types of companies should be most concerned about Keller Rohrback specifically?
Major technology platforms with third-party developer ecosystems, telecommunications companies with significant breach exposure, consumer electronics and connected device manufacturers with ACR or behavioral data collection, and any company that has experienced a significant data breach with documented evidence of prior security vulnerabilities. These are the fact patterns that align most directly with Keller Rohrback’s demonstrated case portfolio.
The Compliance Framework That Keller Rohrback’s Cases Demand
The compliance program that addresses Keller Rohrback’s full litigation scope is comprehensive and requires coordination across technical security, legal, product development, and executive governance.
Build and maintain a documented security governance program. Security risk assessments, remediation tracking, board-level oversight of material risks, and incident response testing — documented with the rigor of a program that may one day be presented to a court as evidence of reasonable care. The documentation must show not just that assessments were conducted but that findings were acted upon.
Audit all third-party data access permissions systematically. Apply the Cambridge Analytica framework: for every API, SDK, or data sharing arrangement through which third parties access user data, document the scope of authorized use, verify that consent covers the actual use case, and implement monitoring to detect unauthorized use.
Implement VPPA-compliant consent for all video viewing data. If your product or platform collects data about consumer video viewing behavior — including through hardware ACR, software analytics, or SDK-based monitoring — implement affirmative, informed consent for any disclosure of that viewing data to third parties, and make data collection default-off rather than default-on.
Align privacy policy representations with technical reality. Every specific representation your privacy policy makes about data handling, security, and sharing must reflect actual technical practice. Review your privacy policies through the implied contract lens: if a representation is not true, remove it or correct it.
Develop a breach response capability that includes litigation preparation. When a breach occurs, the first hours and days determine both the scope of harm and the legal position. A tested, documented breach response plan that includes legal assessment of disclosure obligations, preservation of relevant documentation, and early engagement of breach response counsel is a material factor in the eventual litigation outcome.
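The third-party access audit described under "The Third-Party Access Audit Imperative" and the monitoring step in the framework above can be made concrete in code. The following is an added example, not code from the article or from any firm or platform it discusses: a small Python audit that reviews a register of access grants for consent and contractual gaps, then runs a monitor over API access logs to flag callers requesting fields outside their grant, unknown callers, and daily volumes above a per-partner limit. The grant schema, the partner names, the log format and every value in the sample log are constructed for illustration.

```python
import json
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessGrant:
    """One third-party access grant as the audit register records it (hypothetical schema)."""
    partner_id: str
    allowed_fields: frozenset      # what data is accessible
    purpose: str                   # for what purpose
    consent_covers_purpose: bool   # is user consent specific enough for this use?
    contract_limits_use: bool      # has the recipient contractually committed to this purpose only?
    daily_record_limit: int        # volume ceiling the monitor enforces per partner per day


# Constructed register: two hypothetical partner apps.
GRANTS = {
    "app-weather": AccessGrant("app-weather", frozenset({"user_id", "city"}),
                               "localized forecast", True, True, 5000),
    "app-quiz": AccessGrant("app-quiz", frozenset({"user_id", "display_name"}),
                            "personality quiz", True, False, 1000),
}


def audit_grants(grants):
    """Static review of the register: each gap is a finding to remediate before access continues."""
    findings = []
    for g in grants.values():
        if not g.consent_covers_purpose:
            findings.append((g.partner_id, "consent does not cover stated purpose"))
        if not g.contract_limits_use:
            findings.append((g.partner_id, "no contractual purpose limitation"))
    return findings


# Constructed API access log, one JSON object per line (hypothetical format).
SAMPLE_LOG = """\
{"ts": "2024-03-01T09:12:00Z", "partner_id": "app-weather", "fields": ["user_id", "city"], "records": 120}
{"ts": "2024-03-01T10:30:00Z", "partner_id": "app-quiz", "fields": ["user_id", "display_name"], "records": 400}
{"ts": "2024-03-01T11:05:00Z", "partner_id": "app-quiz", "fields": ["user_id", "display_name", "friends.likes"], "records": 900}
{"ts": "2024-03-02T08:00:00Z", "partner_id": "app-weather", "fields": ["user_id", "city"], "records": 80}
{"ts": "2024-03-02T08:10:00Z", "partner_id": "app-unknown", "fields": ["email"], "records": 10}
"""


def parse_log(text):
    """Yield one dict per non-empty log line."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def monitor(grants, records):
    """Runtime check: flag unknown callers, fields outside the grant, and daily volume over the limit."""
    alerts = []
    daily_volume = defaultdict(int)
    for rec in records:
        grant = grants.get(rec["partner_id"])
        if grant is None:
            # A caller with no grant at all: nothing it requests is authorized.
            alerts.append((rec["partner_id"], "unknown_partner", ",".join(sorted(rec["fields"]))))
            continue
        extra = set(rec["fields"]) - grant.allowed_fields
        if extra:
            # Fields requested beyond the documented scope of authorized use.
            alerts.append((grant.partner_id, "out_of_scope_fields", ",".join(sorted(extra))))
        daily_volume[(grant.partner_id, rec["ts"][:10])] += rec["records"]
    for (partner_id, day), total in daily_volume.items():
        limit = grants[partner_id].daily_record_limit
        if total > limit:
            # Bulk extraction well above the partner's normal need is a harvesting signal.
            alerts.append((partner_id, "volume_exceeded", f"{day}:{total}/{limit}"))
    return alerts


if __name__ == "__main__":
    for finding in audit_grants(GRANTS):
        print("FINDING", finding)
    for alert in monitor(GRANTS, parse_log(SAMPLE_LOG)):
        print("ALERT", alert)
```

Run against the constructed log, the audit reports that "app-quiz" has no contractual purpose limitation, and the monitor raises three alerts: an out-of-scope request for "friends.likes" by "app-quiz", a call from a partner with no grant, and "app-quiz" exceeding its daily record limit. The point of keeping the register and the log checks together is that the same record answers both the audit questions and, later, a court's question of whether unauthorized use could have been detected.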
The Firm That Built the Precedents Every Privacy Program Must Know
Keller Rohrback L.L.P. has, through a series of landmark cases spanning two decades of digital privacy litigation, built a body of precedent and a set of legal principles that every corporate privacy program must understand and account for.
The Cambridge Analytica settlement established that platform accountability for third-party data access is real, expensive, and judicially enforceable at the highest levels. The T-Mobile cases established that data breach liability extends to mandatory security investment and that repeated breaches evidence gross negligence. The VIZIO settlement established that the VPPA applies to hardware manufacturers collecting viewing data through ACR technology. Together, these cases map the terrain of corporate data privacy accountability across the most consequential categories of data practice in the digital economy.
For compliance professionals, the Keller Rohrback case portfolio is not merely litigation history. It is the governing framework for how courts will analyze third-party data access accountability, data breach negligence, and connected device privacy violations for years to come. The compliance programs that take these frameworks seriously — that audit third-party access permissions, document security governance, implement VPPA-compliant consent, and align privacy representations with technical reality — are operating within the legal standards that Keller Rohrback’s landmark cases have established.
The ones that do not are building the factual predicate for the next landmark case.