The Firm That Was Suing Over Cookies Before Most Companies Had a Privacy Policy
Scott Kamber started litigating internet tracking when “tracking” meant dial-up cookies and banner ad networks. Two decades later, KamberLaw is still filing cases — and the legal theories the firm helped develop from scratch are now the templates every plaintiff firm in the country is running.
There is a version of the digital privacy litigation landscape in which KamberLaw is a historical footnote — the boutique that was interesting in the early days, before the money got serious and the large plaintiff firms moved in. That version is wrong. KamberLaw remains a practicing litigation firm with an active docket, and its significance to any company assessing class action exposure today is not primarily archival. It is this: the firm spent two decades doing the slow, unglamorous work of losing motions, getting remanded, and occasionally winning — and in doing so, it wrote the roadmap that plaintiff-side privacy litigation now runs on.
Understanding KamberLaw means understanding how novel legal theories get converted into viable class action claims. The firm did not inherit a playbook. It built one and it’s Captain Compliance’s job to protect your business against these expensive privacy lawsuits by setting up our privacy software tools.
Scott Kamber and the Architecture of Early Internet Privacy Litigation
Scott Kamber founded KamberLaw in the late 1990s at a moment when consumer-facing internet companies were building behavioral advertising infrastructure with essentially no legal constraint. The Federal Trade Commission was beginning to pay attention to online privacy but had not yet issued enforceable rules. Congress had not extended ECPA’s wiretapping and stored communications provisions to cover internet traffic in any way that courts had confirmed. State privacy statutes were written for telephone surveillance. The entire legal framework for digital privacy was either absent or waiting for a court to say whether it applied.
Kamber’s early cases argued that it did apply — that cookies placed on consumer devices without disclosure constituted unauthorized access under the CFAA, that behavioral advertising networks intercepting user communications fell within ECPA’s Title II provisions on stored communications, and that the failure to honor privacy policy representations gave rise to contract and consumer protection claims. Many of these arguments lost. Some of them won. The ones that won became the foundation of a litigation industry.
The firm operates as a tight boutique — more research and theory shop than volume filer — with offices that have included New York, Colorado, and Nashville. That structure is deliberate. KamberLaw has historically punched above its weight by being earlier than competitors on legal theory development, not by filing the most complaints.
The Statutes: Federal Privacy Law Applied to Technology the Statutes Never Anticipated
Electronic Communications Privacy Act
KamberLaw’s most consequential statutory work has been under ECPA — specifically the Stored Communications Act provisions of Title II and, in earlier cases, the Wiretap Act provisions of Title I.
The firm’s core ECPA argument has been consistent for two decades: when a company’s tracking infrastructure intercepts or accesses the content of a consumer’s communications without authorization, it violates provisions that, while written for telephone wiretapping and stored voicemail, apply with equal force to internet transmissions. Courts have been inconsistent on this point, and the circuit split on what constitutes “content” versus “metadata” in the internet context remains genuinely contested. KamberLaw has been a plaintiff in those disputes since the disputes began.
The practical implication for businesses is that ECPA exposure is not limited to companies with obviously aggressive tracking practices. The statute’s authorization framework — which turns on whether data access was permitted under the terms of service and whether those terms were actually disclosed — creates liability for any company whose tracking operations outpace its privacy disclosures.
California Invasion of Privacy Act
KamberLaw has litigated CIPA wiretapping claims in California federal and state courts, a practice that has become considerably more crowded in recent years as California-based boutiques developed the statute into a volume litigation vehicle. The firm’s CIPA work predates the current wave by years, and its early cases helped establish that California’s wiretapping statute applied to real-time data transmissions — a predicate holding that the current generation of pixel-tracking plaintiffs’ firms relies on in essentially every complaint they file.
Computer Fraud and Abuse Act
The firm’s CFAA theory — that deploying tracking technologies exceeding user authorization constitutes unauthorized computer access — was controversial when first advanced and remains contested. The Supreme Court’s 2021 decision in Van Buren v. United States narrowed the CFAA’s authorization framework in a way that complicated some versions of this theory, but KamberLaw’s foundational argument that undisclosed tracking constitutes exceeding authorized access has found receptive courts in the civil context.
Representative Litigation: The Cases That Made the Theory
Flash Cookie Litigation and the DoubleClick-Era Settlements
KamberLaw’s most historically significant litigation involved what were then called “Local Shared Objects” — tracking mechanisms deployed by behavioral advertising networks that persisted after users deleted standard browser cookies. These flash cookies, used extensively by ad networks in the mid-2000s through early 2010s, were designed to be invisible to standard cookie management tools and to “respawn” deleted cookies.
The firm filed cases against multiple defendants deploying flash cookie infrastructure, including advertising networks and the media companies that hosted their code. The resulting settlements established several important precedents: that unauthorized persistent tracking technologies could support class action claims; that cy pres remedies directed toward digital privacy research were appropriate where individual damages were difficult to calculate; and that corporate defendants would pay meaningful sums to settle claims even when individual class members had suffered no traditional economic harm.
These settlements were controversial — criticized by class action reform advocates as primarily benefiting plaintiffs’ counsel rather than class members — but their precedential function is undeniable. The principle that “no measurable individual harm” does not defeat a class action claim in the tracking context is now foundational to every CIPA and VPPA complaint filed by the current generation of plaintiff firms.
Behavioral Advertising Network Cases
In the late 2000s and early 2010s, KamberLaw filed a series of cases against companies operating behavioral advertising networks — platforms that tracked users across websites to build profiles for targeted advertising. These cases argued that the interception of browsing data to build user profiles violated ECPA’s stored communications provisions and that the failure to disclose the extent of tracking violated consumer protection statutes.
The cases faced significant procedural challenges, including Article III standing questions that courts were only beginning to develop frameworks for. The firm’s experience navigating those challenges — and its record of keeping cases alive long enough to reach settlement discussions — reflects the litigation discipline that distinguishes firms with deep practice history from newer entrants running proven theories.
Pixel Tracking and Healthcare Defendants
More recent KamberLaw activity has included participation in the wave of healthcare pixel tracking litigation that accelerated after the HHS Office for Civil Rights issued guidance in December 2022 confirming that tracking pixels on HIPAA-covered entities’ websites that transmit protected health information to third parties trigger HIPAA’s privacy rule requirements.
Healthcare pixel cases occupy an unusual intersection: they involve both federal statutory claims under ECPA and HIPAA-adjacent theories, and state law claims under CIPA and state consumer protection statutes, against defendants — hospitals, health systems, and healthcare platforms — that are particularly sensitive to reputational harm and regulatory scrutiny. KamberLaw’s experience with pixel-based ECPA claims positions it to participate in this litigation category, though the current volume leaders in healthcare pixel litigation include firms that have built out the discovery infrastructure specifically for these cases.
Target Industries and the Anatomy of a KamberLaw-Style Claim
KamberLaw cases have crossed virtually every industry sector with a significant consumer web presence. The firm’s target selection logic reflects its theory-development approach: cases are filed where the facts support an untested or underdeveloped legal argument, not primarily where the class is largest.
Retail and e-commerce. Companies running behavioral advertising infrastructure, cart abandonment tools, and cross-site retargeting pixels face multiple potential ECPA and CIPA exposure points given the density of tracking code on retail sites.
Media and publishing. Companies that monetize audience data through advertising networks remain in KamberLaw’s historical sweet spot. The firm’s flash cookie and behavioral advertising cases were disproportionately filed against media defendants.
Healthcare and health technology. The combination of HIPAA-adjacent sensitivity and ECPA claims creates compounding exposure. Healthcare organizations that have not audited their pixel inventory since the 2022 HHS guidance are operating with unassessed risk.
Adtech infrastructure. KamberLaw has historically pursued claims against the infrastructure layer — advertising networks, data brokers, and analytics platforms — rather than limiting itself to the consumer-facing companies that deploy their tools.
What Sets KamberLaw Apart From Volume Plaintiffs’ Firms
The current digital privacy litigation landscape includes firms that file hundreds of complaints per year against a systematically identified list of companies running unmasked tracking code. These firms — Swigart Law Group, Tauler Smith, and their equivalents in states that have enacted tracking-focused statutes — are volume operations. They have automated the case identification process, standardized their complaints, and built settlement infrastructure that makes even small per-case recoveries economically rational at scale.
KamberLaw is not that kind of firm, and never has been. Its cases tend to be fewer, factually more developed, and legally more novel. The firm is more likely to be the plaintiff in a case that breaks new ground on what ECPA covers than the firm sending demand letters to every e-commerce operator in California.
For compliance purposes, this distinction matters in two ways. First, KamberLaw cases are more likely to result in precedent that affects all businesses in a sector, not just the named defendant. A KamberLaw win on an ECPA theory creates exposure for every company using similar technology. Second, the firm’s complaint quality is typically higher than volume shop complaints, which means motions to dismiss are less likely to resolve the exposure early.
Compliance Implications: What KamberLaw’s Docket Tells You to Fix
The specific vulnerabilities KamberLaw has exploited across two decades of litigation point to a concrete set of compliance priorities.
Undisclosed data flows are the core exposure. Every significant KamberLaw case has turned on a gap between what a company disclosed in its privacy policy or terms of service and what its tracking infrastructure actually did. The path to ECPA and CFAA claims runs through that gap. A company whose privacy disclosures accurately describe its data collection practices — including third-party sharing — is materially harder to sue than one whose disclosures are generic.
Third-party tracking code is your liability, not your vendor’s. KamberLaw has consistently named the deploying company — the website or app operator — as a defendant, not just the tracking vendor. Your AdTech stack is your legal exposure. Vendor agreements that disclaim liability do not resolve that exposure on the plaintiff side.
Persistent tracking without consent is a recurring target. From flash cookies to session replay to cross-site fingerprinting, the through-line in KamberLaw’s docket is tracking that survives user attempts to limit it. If your tracking infrastructure is designed to work around cookie preferences, browser settings, or consent signals, you are building exposure into your system architecture.
Healthcare organizations face compounding risk. The combination of ECPA, state wiretapping statutes, and HIPAA-adjacent theories that characterize healthcare pixel litigation means healthcare defendants face more claims per tracking incident than equivalent retail defendants. Pixel audits for healthcare organizations should be treated as a priority compliance obligation, not a discretionary review.
Novel theories become standard claims within five years. KamberLaw’s twenty-year history demonstrates that legal theories that look fringe at the complaint stage are frequently well-established precedent within a litigation cycle. Companies that assess risk only against current settled case law are consistently behind the actual exposure curve.
The Longer View
Scott Kamber filed his first internet privacy cases when the companies he was suing were still figuring out how browsers worked. The legal theories he developed in those early cases were, at the time, genuinely speculative — arguments that courts had never been asked to resolve and might easily have rejected.
Most of them eventually prevailed, or were absorbed into the legal frameworks that currently govern digital privacy litigation. The firm that argued flash cookies constituted unauthorized tracking helped create the legal infrastructure that supports today’s pixel litigation wave. The firm that pushed ECPA’s reach to behavioral advertising networks helped establish the statutory hooks that current plaintiffs’ counsel use against healthcare companies, media defendants, and retail operators.
For any business operating a website with third-party tracking code — which is to say, nearly every business with a web presence — KamberLaw represents a particular kind of risk: not necessarily the most likely plaintiff to file a complaint tomorrow, but the firm most likely to be behind the theory that gets used against you five years from now.
The time to address that is before the theory reaches your industry.
5 Compliance Steps to Reduce Your Exposure from a Kamber Law Firm Lawsuit
- Conduct a full data flow audit. Map every cookie, pixel, script, and SDK on your web properties and document the legal basis for each data transmission — including third-party transmissions that occur the moment a page loads, before any user action.
- Align your privacy disclosures with your actual tracking infrastructure. The gap between what your privacy policy says you collect and what your tracking code actually transmits is the single most common basis for ECPA and state wiretapping claims. Close that gap before a plaintiff’s forensics team finds it for you.
- Implement consent mechanisms that function before data transmission occurs. Consent banners that fire tracking code while the consent UI is still loading do not constitute prior informed consent under California or federal standards. Technical implementation matters as much as disclosure language.
- Healthcare organizations must audit pixel inventory immediately. The HHS December 2022 guidance on tracking pixels and HIPAA, combined with active federal litigation, makes this a first-priority obligation for any HIPAA-covered entity or business associate with a consumer-facing web presence.
- Evaluate emerging theories, not just settled case law. Retain privacy counsel who tracks active plaintiff-side litigation and can identify theories currently in development — not just claims that have already generated precedent. KamberLaw’s docket history shows the gap between novel theory and mainstream claim is shorter than most compliance calendars assume.
How Captain Compliance Can Help
KamberLaw-style exposure does not begin with a complaint — it begins with a tracking script that fires before your consent banner loads, or a privacy policy that has not been updated since you added three new analytics vendors. Captain Compliance specializes in proactive data privacy audits, cookie consent implementation, ECPA and CIPA risk assessments, and litigation-readiness reviews that close the gaps plaintiff firms exploit.
