Lieff Cabraser Heimann & Bernstein: The Firm That Writes the Rules of Data Protection Litigation

There is a distinction in plaintiff litigation that matters enormously but is rarely articulated plainly. Most plaintiff firms are rule followers — they identify conduct that violates established legal standards, find a named plaintiff, and pursue a known litigation path toward a known outcome. They are essential participants in the legal system, but they are not the architects of it.

And then there are the rule makers.

Lieff Cabraser Heimann & Bernstein is a rule maker. Over a career spanning decades, the firm has taken on cases that did not have clear answers — where the law was unsettled, where the technology was novel, where the conduct was widespread but courts had not yet decided whether it was actionable — and litigated them to outcomes that became the governing precedents for the entire digital economy. The Google location tracking case. The Oracle coretag surveillance settlement. The Facebook private message scanning litigation. The Trade Desk behavioral advertising challenge. The LiveRamp identity profiling case.

These are not individual disputes. They are the milestones of a body of law that every technology company, digital advertiser, data broker, and consumer-facing business now operates within. When a compliance team assesses whether its pixel deployment violates user privacy, when a general counsel reviews a data broker agreement, when a product team debates whether a mobile app SDK creates liability — they are working within a legal landscape that Lieff Cabraser helped construct.

For that reason, understanding this firm is not optional background reading for privacy professionals. It is foundational.

Lieff Cabraser Heimann & Bernstein Privacy Lawsuits

The Firm: San Francisco Origins, National Impact, $1 Billion in Privacy Recoveries

The Institutional Profile

Lieff Cabraser Heimann & Bernstein was founded in San Francisco and maintains its headquarters there — a fitting address for a firm whose privacy practice has been shaped by and has in turn shaped the legal environment governing Silicon Valley’s most consequential companies. The firm employs approximately 130 attorneys across its San Francisco headquarters and offices in New York, Nashville, and Munich — a focused, elite operation rather than a sprawling national firm.

The firm has been recognized as Law360’s Data Privacy Practice Group of the Year — an honor that reflects not merely volume of filings but quality of outcomes and significance of precedent. That recognition is earned by a track record that includes over $1 billion recovered in privacy and cybersecurity cases — a figure that represents actual delivered value to class members, not claimed damages that evaporated in negotiation.

Michael Sobol and Rachel Geman are among the partners leading the firm’s privacy practice. Both have been central to the landmark cases that define the firm’s reputation. Their work is characterized by deep investment in understanding the technical architecture of the systems they challenge — a prerequisite for litigation at the frontier of digital privacy law, where the difference between a viable claim and a dismissed one often comes down to a precise understanding of how data flows between a user’s browser, a website’s server, and a third-party data collection endpoint.

Why 130 Attorneys Beat 1,300

The firm’s relatively focused size is a strategic asset, not a limitation. In privacy litigation at the level Lieff Cabraser operates, quality of legal and technical analysis matters far more than volume of attorney hours. The firm selects cases with the care of a firm that litigates to the merits — that expects to brief complex technical issues, retain leading experts, engage in extensive discovery, and, when necessary, take cases to trial or through the appellate courts.

This selectivity has produced a case portfolio that is extraordinary in its consistency of significance. Each case in Lieff Cabraser’s privacy docket is there because it raises a genuinely important legal question, involves a sufficiently significant defendant, and has the potential to establish precedent that matters beyond the individual dispute. That approach — patient, rigorous, precedent-focused — has made the firm one of the most influential institutional forces in the development of digital privacy law.

The Landmark Cases: A Detailed Map of Digital Privacy Liability

Oracle $115 Million Settlement — Katz-Lacabe v. Oracle America

The Oracle settlement, which received final approval in 2024, is one of the most consequential data broker privacy cases in American legal history. Understanding it in full requires understanding what Oracle’s data operations actually were — because the conduct at issue goes well beyond what most people associate with the Oracle brand.

Oracle’s Data Broker Empire

Oracle Corporation, best known for its enterprise database software, has operated a massive consumer data business through its Oracle Data Cloud division. This division aggregates, enriches, and sells consumer data at industrial scale — combining data from offline sources (retail purchase records, loyalty programs, public records) with online behavioral data collected through a web of tracking infrastructure deployed across thousands of commercial websites.

The specific mechanism at the center of the Katz-Lacabe case was Oracle’s “coretag” — a tracking script embedded across thousands of commercial websites that collected detailed behavioral data about visitors to those sites. Users visiting these websites had no idea that Oracle — a company they had no relationship with and likely never thought about — was simultaneously collecting data about their browsing behavior through the coretag.

This is the most legally significant aspect of the Oracle case: Oracle had no direct relationship with the consumers it was tracking. They had not signed up for an Oracle service. They had not agreed to Oracle’s terms of service. They did not know Oracle existed in the context of their web browsing. Yet Oracle was systematically collecting their behavioral data, linking it to offline purchase and demographic records, and selling the resulting profiles to advertisers and marketers.

What the Case Established

The $115 million settlement established several legal propositions that have reshaped how courts and compliance teams think about data broker liability:

Third-party data collection without a direct relationship is actionable. The Oracle case eliminated any remaining argument that data broker practices are insulated from privacy liability because the data broker never directly interacts with the consumer. The coretag was deployed by Oracle on third-party websites — it was not Oracle’s own website — and the settlement confirms that this indirect collection model creates consumer privacy liability.

ECPA and CIPA apply to covert tracking scripts. The claims against Oracle included allegations under the Electronic Communications Privacy Act and the California Invasion of Privacy Act — federal and state wiretapping frameworks. The application of wiretapping statutes to covert tracking scripts embedded on third-party websites represents a significant extension of these frameworks beyond their traditional telephony context.

Scale of surveillance is a damages amplifier. Oracle’s coretag was deployed across thousands of websites and collected data about hundreds of millions of consumers. This scale — the systematic, industrial nature of the surveillance — was central to the damages calculus that produced a $115 million settlement. Courts and defendants increasingly recognize that the aggregate harm from large-scale covert tracking can justify large-scale compensation even when individual harm is difficult to quantify.

The Compliance Implications

For any company in the digital advertising ecosystem — publishers that host third-party ad tags, advertisers that use data enrichment services, data brokers that embed collection scripts across partner properties — the Oracle settlement is a direct statement of liability risk. The days of arguing that covert tracking scripts are a harmless commercial practice immune from legal challenge are over.

Google Location History — $62 Million and Three Years of Behavioral Change

The Google location tracking case, which produced a $62 million settlement covering approximately 250 million Google users, represents one of the most important cases in the history of digital privacy litigation — not merely for its financial scale but for what it revealed about the relationship between privacy controls and actual corporate data practices.

The Fundamental Deception

The core allegation in the Google location case was stark: Google provided users with a setting called “Location History” that, when disabled, appeared to stop Google from tracking the user’s physical location. Users who were concerned about location surveillance disabled this setting specifically because they wanted to prevent Google from recording where they went.

Google continued tracking their location anyway.

The mechanism was technical: even with “Location History” disabled, Google collected location data through other systems — including the “Web & App Activity” setting, which was enabled by default and whose location-tracking implications were not disclosed to users who had specifically disabled “Location History.” Users who had deliberately and specifically chosen to disable location tracking were unaware that location data was still being collected through a separate mechanism.

This conduct illustrates a pattern that recurs throughout Lieff Cabraser’s case portfolio: the gap between what privacy controls appear to do and what they actually do. When a user exercises a privacy choice — disabling a setting, opting out of tracking, limiting data collection — and the company continues collecting the same data through a different mechanism, the gap between the represented privacy choice and the actual data collection is both a legal violation and a manifestation of bad faith that resonates powerfully with courts and juries.

What the Settlement Required Beyond Money

The $62 million payment, substantial as it is, may be less significant than the injunctive relief component of the settlement: Google was required to implement stricter location data controls for three years and to make location tracking disclosures clearer and more accurate.

This behavioral change — affecting the privacy controls experienced by hundreds of millions of users — represents exactly the kind of structural impact that Lieff Cabraser pursues in its most significant cases. The goal is not merely compensation for past harm. It is modification of corporate behavior going forward, in ways that affect the entire user population rather than merely the named plaintiffs or class members who receive settlement proceeds.

Implications for Privacy Control Design

The Google location case has profound implications for how technology companies design and represent privacy controls. Any control that purports to limit or stop data collection — a toggle, a settings option, an opt-out mechanism — must actually perform the function it represents. Controls that stop one collection mechanism while allowing a parallel mechanism to continue collecting the same data are not merely inadequate — they are the factual basis for deception claims that generate massive class action liability.

This implication extends well beyond Google. Every company that provides users with privacy controls — location tracking settings, behavioral advertising opt-outs, data collection preferences — needs to audit whether those controls actually do what they represent. The gap between represented and actual privacy control function is one of the most significant sources of unmanaged privacy liability in the technology industry.

Meta Android Privacy Litigation — The Mobile Operating System Frontier

Lieff Cabraser’s appointment as interim class counsel in litigation against Meta and Google over an Android security vulnerability places the firm at the cutting edge of mobile privacy litigation — a frontier that is growing in significance as consumer data increasingly originates from mobile devices rather than desktop browsers.

The Android Sandboxing Vulnerability

The Android operating system is designed to isolate applications from each other through a security architecture called “sandboxing.” The premise of sandboxing is that App A cannot access the data of App B without explicit user permission — a privacy protection designed to prevent applications from covertly accessing each other’s data.

The allegations in the Meta/Google Android litigation claim that both companies exploited a vulnerability in Android’s sandboxing architecture that allowed them to bypass these protections and access data from other applications without user knowledge or consent. The implications of this allegation — if proven — are significant: it would mean that the core privacy architecture of the world’s most widely used mobile operating system was circumvented by its largest application developers to enable covert data collection that the operating system’s security model was specifically designed to prevent.

ECPA, CIPA, and California Constitutional Privacy

The legal theories deployed in the Meta/Google Android case span federal and state wiretapping statutes (ECPA and CIPA) as well as the California Constitutional right to privacy — a privacy protection that exists independently of any statute and that California courts have interpreted to impose affirmative obligations on companies handling California residents’ personal data.

The California Constitutional privacy claim is particularly significant because it is not a statutory cause of action whose elements can be precisely defined and argued on technical grounds. It is a constitutional claim that asks courts to evaluate whether corporate conduct violated the reasonable privacy expectations of California residents — a more flexible and potentially more powerful legal vehicle than statutory claims with specific technical requirements.

Lieff Cabraser’s pursuit of constitutional privacy claims alongside statutory theories reflects the firm’s commitment to developing the most robust legal foundation for each case, rather than relying on a single theory that could fail on technical grounds.

Facebook Private Message Scanning — Campbell v. Facebook and the Value of Behavioral Change

The Facebook private message scanning case — in which Lieff Cabraser represented users alleging that Facebook scanned and monetized the content of private messages — produced an outcome that is often misunderstood because it did not result in a large monetary settlement. What it produced instead was something potentially more significant: Facebook confirmed cessation of the challenged conduct.

The Privacy Intrusion: Private Messages as Data Products

Facebook Messenger is used by billions of people for communications they reasonably expect to be private — conversations with friends, family, romantic partners, colleagues. The allegations in Campbell v. Facebook were that Facebook systematically scanned the content of these private messages and used the information gleaned to inform its advertising targeting, recommendation systems, and data products.

If true, this conduct represents one of the most fundamental violations of reasonable privacy expectations in the history of digital technology. The entire value proposition of a private messaging system is that messages are private — accessible only to sender and recipient. The commercial exploitation of private message content for advertising purposes transforms a private communication channel into a surveillance system for commercial gain.

Injunctive Relief as the Goal

The case’s resolution — injunctive relief and Facebook’s confirmation that it ceased the challenged conduct — is a reminder that not all significant privacy litigation aims primarily at monetary recovery. For Lieff Cabraser, the goal in Campbell was behavioral change: stopping a privacy violation that affected billions of users, not merely obtaining compensation for those users.

This outcome model — privacy litigation as a mechanism for enforcing behavioral change on the most powerful technology companies in the world — is distinctive and consequential. A $100 million settlement distributed among a billion affected users produces a few cents per user and changes nothing about corporate behavior. A court order or binding commitment to stop the challenged conduct changes the data practices of a platform used by billions of people going forward.

Lieff Cabraser’s willingness to pursue cases with injunctive relief as the primary goal reflects a sophisticated understanding of what privacy litigation can and should accomplish — and it creates a category of cases that companies cannot simply settle their way out of with a financial payment.

Oracle and LiveRamp: The Data Broker Identity Profiling Frontier

Beyond the Oracle coretag settlement, Lieff Cabraser has pursued LiveRamp Holdings over its “RampID” system — a persistent identity profiling infrastructure that links users across websites and devices without their meaningful consent.

What RampID Does

LiveRamp’s RampID system creates a persistent, cross-device identity for individual consumers by linking together data from multiple sources: first-party data from websites and apps, offline purchase and demographic records, email addresses, and device identifiers. The resulting “RampID” is a stable, persistent identifier that follows a consumer across the internet — enabling advertisers to target the same individual across different devices, websites, and contexts — even when that consumer has taken steps to limit tracking or has not consented to cross-site profiling.

The RampID system is the infrastructure that makes modern programmatic advertising possible at scale. It is also, Lieff Cabraser argues, a systematic privacy violation. The 2025 denial of LiveRamp’s motion to dismiss — allowing the ECPA and CIPA claims to proceed — is a significant judicial signal that courts are willing to apply wiretapping frameworks to the infrastructure of programmatic advertising.

The Programmatic Advertising Industry at Risk

The LiveRamp case is not merely about one company’s product. It is a challenge to the foundational architecture of the digital advertising industry. If persistent identity profiling without meaningful consent violates ECPA and CIPA, then the entire ecosystem of cross-device identity resolution, audience extension, and programmatic audience targeting is exposed.

Every publisher that participates in a real-time bidding ecosystem that uses RampID or similar identity resolution infrastructure. Every advertiser that purchases audiences built on cross-device profiles. Every demand-side platform and supply-side platform in the programmatic stack. The potential scope of liability that a successful LiveRamp outcome would create is industry-wide.

This is precisely why Lieff Cabraser pursued it.

The Trade Desk: A Direct Challenge to Behavioral Advertising’s Data Foundation

Lieff Cabraser’s appointment as lead counsel in litigation against The Trade Desk — one of the world’s largest and most sophisticated programmatic advertising platforms — represents perhaps the most direct challenge to the behavioral advertising industry’s data practices that any court has yet been asked to adjudicate.

The Trade Desk’s Data Architecture

The Trade Desk operates as a demand-side platform (DSP) — a technology platform that enables advertisers to purchase digital advertising inventory across millions of websites, apps, and connected TV platforms through automated, real-time auctions. At the scale The Trade Desk operates, this requires a sophisticated data infrastructure: the platform creates and maintains comprehensive consumer profiles that inform its bidding algorithms about which advertising impressions are worth purchasing at what price.

The allegations against The Trade Desk are that these consumer profiles — which the complaint characterizes as covering health, financial, political, and location data — were created and maintained without meaningful user consent. That the data collection underlying these profiles violated ECPA, CIPA, and related privacy frameworks. And that the scale and intimacy of the resulting surveillance infrastructure — comprehensive profiles of millions of Americans across sensitive categories of personal data — constitutes a systematic privacy violation of the first order.

Why the Trade Desk Case Matters for the Entire Industry

Advertising technology operates in a complex web of relationships — publishers, advertisers, DSPs, SSPs, data management platforms, identity resolution providers, measurement vendors. Data flows between these entities constantly, in real time, as part of the bidding and optimization infrastructure that funds much of the internet.

Lieff Cabraser’s Trade Desk case asks courts to evaluate whether the data flows that power this infrastructure — specifically the collection and use of health, financial, political, and location data for behavioral targeting — are legal. If courts ultimately find that they are not — that the behavioral advertising industry’s foundational data practices violate federal and state privacy law — the implications would be transformative.

This is the horizon-level litigation risk that companies participating in programmatic advertising need to understand. The Trade Desk case is not a nuisance lawsuit. It is a potentially industry-reshaping challenge to the business model that finances most of the commercial internet.

The Legal Theories: How Lieff Cabraser Builds Cases at the Frontier

The Wiretapping Statutes as Digital Surveillance Constraints

Running through virtually every Lieff Cabraser digital privacy case is the application of federal and state wiretapping statutes — specifically ECPA and CIPA — to modern digital data collection practices. Understanding how and why these statutes apply is essential to understanding the legal landscape the firm has helped create.

ECPA, enacted in 1986, prohibits the intentional interception of electronic communications in transmission. CIPA, enacted in 1967, prohibits unauthorized wiretapping and, through its pen register provisions, the capture of routing and addressing information from electronic communications.

Neither statute was designed with the internet in mind. Both were designed to address telephone-era surveillance. Lieff Cabraser’s contribution to privacy law has been to develop and litigate the arguments for why these statutes — properly interpreted in light of their underlying purposes — apply to modern digital tracking technologies: third-party scripts that intercept browser communications, tracking pixels that capture URL sequences, SDKs that collect data from mobile applications, and identity resolution systems that aggregate behavioral data into comprehensive profiles.

The Oracle coretag case, the LiveRamp RampID case, the Meta Android case, and the Trade Desk case all rest on this foundation. Each represents a different application of the wiretapping framework to a different data collection mechanism — and each successful outcome extends the reach of the statutes further into the digital tracking ecosystem.

ECPA and the Consent Defense

A critical battleground in ECPA cases is the consent defense. ECPA permits the interception of communications where one party to the communication has consented. Digital tracking companies frequently argue that consumers have consented to tracking through the acceptance of privacy policies, terms of service, or cookie consent mechanisms.

Lieff Cabraser’s cases have been instrumental in developing the counter-argument: that consent to general data collection in a privacy policy is not specific, informed consent to the particular collection mechanism at issue. A user who accepts a website’s terms of service has not specifically consented to an invisible third-party tracking script collecting data and transmitting it to a data broker the user has never heard of. The consent must be specific to the conduct at issue — and most digital tracking consent mechanisms fall far short of this standard.

This consent specificity requirement — developed through Lieff Cabraser’s litigation — has significant implications for every consent management platform, cookie banner, and data collection disclosure in the digital economy.

The California Constitutional Privacy Right

California’s Constitution explicitly guarantees its residents a right to privacy. Unlike statutory privacy rights, which can be defended against with technical arguments about whether specific conduct falls within a statute’s defined prohibitions, constitutional privacy rights are evaluated against the broader standard of whether conduct violated reasonable privacy expectations.

Lieff Cabraser’s deployment of California Constitutional privacy claims — most prominently in the Meta Android case — represents an important litigation strategy that other plaintiff firms have not fully replicated. The constitutional claim creates a floor beneath the statutory theories: even if a defendant can argue its conduct falls outside the technical scope of ECPA or CIPA, it may still be unable to escape a constitutional privacy claim that asks whether reasonable Californians would expect this conduct.

BIPA: Biometric Data and the Highest Per-Violation Damages in Privacy Law

Lieff Cabraser’s BIPA practice addresses one of the most financially dangerous privacy statutes in the United States. As discussed in the Hausfeld context, BIPA’s statutory damages of $1,000 to $5,000 per violation — without any requirement to prove actual harm — create class action exposure that can reach into the billions of dollars for technology companies that collect biometric data at scale.

Lieff Cabraser’s TikTok litigation is the most prominent current expression of this practice. The allegations that TikTok collected facial geometry data from users’ videos without the specific, written, informed consent BIPA requires — against a platform with hundreds of millions of U.S. users — create a damages theory that would be transformative if fully realized.

COPPA and the Protection of Children’s Data

The Children’s Online Privacy Protection Act creates specific obligations for companies that knowingly collect data from children under 13 — including requirements for verifiable parental consent, specific disclosures, and limits on the commercial use of children’s data. Lieff Cabraser’s work in children’s app and gaming platform litigation reflects the firm’s attention to this enforcement area and its willingness to pursue cases where the affected population is among the most legally protected.

The Industries in Lieff Cabraser’s Targeting Scope

Data Brokers and Advertising Technology Platforms

The Oracle, LiveRamp, and Trade Desk cases define Lieff Cabraser’s primary focus: the infrastructure of the digital advertising economy. This sector — data brokers, identity resolution providers, demand-side platforms, supply-side platforms, data management platforms, and measurement vendors — represents the most systematic and large-scale collection of consumer behavioral data in human history.

It is also, increasingly, the most legally exposed. Every case Lieff Cabraser has brought in this space has produced either a significant settlement, a judicial ruling allowing claims to proceed, or both. The trajectory is clear: the behavioral advertising industry’s data practices are under sustained, sophisticated legal challenge that is not going away.

Social Media and Consumer Technology Platforms

Facebook, Meta, Google, TikTok — the consumer technology platforms that collectively define the digital experience for most Americans — have been central defendants in Lieff Cabraser’s case portfolio. These platforms are targeted because they combine massive scale (hundreds of millions or billions of users), technically sophisticated data collection practices (behavioral tracking, biometric collection, cross-device profiling), and revenue models explicitly dependent on data monetization.

The firm’s willingness to pursue these cases — and its track record of producing significant outcomes against some of the most resource-rich defendants in the world — reflects both institutional courage and practical effectiveness.

Healthcare Technology

The intersection of healthcare data with digital tracking technology has become one of the most active areas of privacy litigation, and Lieff Cabraser’s expertise in pixel tracking and third-party script liability positions the firm well to pursue healthcare pixel cases. The combination of HIPAA’s protections for protected health information, CIPA and ECPA’s wiretapping prohibitions, and California Constitutional privacy rights creates a layered liability environment for healthcare technology companies that deployed advertising pixels on patient-facing web properties.

Mobile App Developers and SDK Vendors

The Meta Android litigation and Lieff Cabraser’s broader mobile privacy practice reflect the recognition that mobile applications have become a primary vector for covert data collection. Third-party SDKs embedded in mobile apps — analytics SDKs, advertising SDKs, attribution SDKs — frequently conduct independent data collection that goes beyond what the app itself discloses to users. The developer who integrated the SDK may be unaware of the SDK’s full data collection behavior; the users of the app are almost certainly unaware.

Lieff Cabraser’s litigation has established that both the SDK vendor and the app developer may face liability for this covert collection — a liability theory that every mobile app developer with third-party SDKs needs to understand.

Children’s Digital Products

COPPA litigation and children’s app privacy cases represent a distinctive category within Lieff Cabraser’s practice — one where the regulatory framework (COPPA, state COPPA analogues) is specific and demanding, and where the affected population’s vulnerability creates both legal and reputational dimensions to litigation that adult consumer cases do not have.

What Lieff Cabraser’s Case Portfolio Reveals About the State of Digital Privacy Law

The Third-Party Script Problem

Running through the Oracle, LiveRamp, Trade Desk, and session replay cases across multiple plaintiff firms is a single fundamental technical pattern: third-party scripts embedded on websites that collect user data and transmit it to the script operator without users’ knowledge or consent.

This pattern — the invisible third party that turns every website visit into a data collection event for entities the user has never interacted with — is the technical foundation of the modern digital advertising economy. It is also, increasingly, the legal foundation of the most significant privacy class action litigation of the current era.

Every business that embeds third-party scripts on its website — advertising pixels, analytics tags, session replay tools, social media widgets, A/B testing platforms, heat mapping tools — is participating in a data collection ecosystem that has been successfully challenged in court. The question is not whether these scripts create legal risk. The Oracle settlement established that they do. The question is whether the business has implemented the consent infrastructure, disclosure practices, and data governance framework that makes its participation in that ecosystem defensible.

The Consent Architecture Gap

Lieff Cabraser’s cases consistently identify the same fundamental gap: the distance between what privacy controls and consent mechanisms appear to offer users and what they actually deliver. The Google location settings that didn’t stop location collection. The Facebook privacy settings that didn’t stop private message scanning. The privacy policies that purported to limit data sharing while covert tracking continued.

This consent architecture gap — the systematic failure of privacy representations to match privacy reality — is both the legal theory and the moral core of Lieff Cabraser’s most significant cases. It is also a direct compliance imperative: every privacy control and consent mechanism a company provides to users must be audited against technical reality to ensure it delivers what it represents.

The Behavioral Advertising Industry’s Reckoning

The combination of the Oracle settlement, the denial of the motion to dismiss in the LiveRamp case, and the Trade Desk litigation represents a systematic legal challenge to behavioral advertising’s data foundations that goes well beyond any individual case. Lieff Cabraser is methodically challenging the infrastructure layer by layer: coretag collection, identity resolution, demand-side platform profiling.

If the legal trajectory continues — and there is little reason to expect it to reverse — the behavioral advertising industry faces a compliance transformation that will require genuine consent for the data practices it currently conducts without it. The businesses that understand this trajectory and begin building toward consent-based advertising infrastructure now will be better positioned than those that wait for judicial or regulatory compulsion.

Frequently Asked Questions About Lieff Cabraser Privacy Litigation

What makes Lieff Cabraser different from other privacy plaintiff firms?

The combination of historical depth, technical sophistication, and precedent focus. Lieff Cabraser has been litigating digital privacy cases since before most current privacy plaintiff firms existed in their current form. Their case portfolio represents decades of cumulative expertise in the technical architecture of digital tracking systems and the legal frameworks that apply to them. They select cases for their precedent-setting potential, not just their settlement value.

What was the significance of the Oracle coretag settlement specifically?

The Oracle settlement established that data broker practices — specifically, embedding tracking scripts on third-party websites to collect consumer data without any direct consumer relationship — create actionable consumer privacy liability. Before this settlement, there was meaningful legal uncertainty about whether data brokers’ indirect collection methods were covered by consumer privacy statutes. That uncertainty is significantly reduced.

What does the Google location case mean for privacy control design?

It means that privacy controls must work as represented. A “disable location tracking” setting that continues to collect location data through a parallel mechanism is not a privacy control — it is a deceptive representation that creates massive class action liability. Every privacy setting a company provides must be audited against technical reality.

Is the Trade Desk case specifically about behavioral advertising?

Yes — and it is the most direct legal challenge to behavioral advertising’s data practices that any plaintiff firm has yet brought. If the Trade Desk litigation ultimately succeeds on the merits, the implications extend across the entire programmatic advertising ecosystem — DSPs, SSPs, publishers, advertisers, and the data infrastructure that connects them.

Does BIPA apply outside Illinois?

BIPA is an Illinois statute with extraterritorial effect when Illinois residents’ biometric data is collected, regardless of where the collecting company is headquartered. For national and global technology platforms that collect biometric data, BIPA applies whenever an Illinois resident uses the platform. Given that Illinois has nearly 13 million residents, virtually any consumer technology platform of meaningful scale has BIPA exposure.

What should a company do if it discovers it has been using third-party SDKs that conduct undisclosed data collection?

Immediately audit the scope of the collection; assess whether affected users include residents of California, Illinois, or other high-risk jurisdictions; consult privacy counsel to evaluate disclosure obligations and potential remediation requirements; review the SDK vendor contract for representations about data collection; and implement consent management or discontinue the SDK if compliant deployment is not achievable. Document the remediation process carefully.

The Compliance Framework That Lieff Cabraser’s Cases Demand

The cumulative lesson of Lieff Cabraser’s case portfolio — from Oracle to Google to Facebook to LiveRamp to The Trade Desk — is a specific and demanding compliance framework that goes beyond generic privacy best practices.

Achieve genuine visibility into third-party data flows. You cannot manage what you cannot see. Map every third-party script, pixel, SDK, and data sharing relationship in your digital ecosystem. Understand what data each third party collects, where it goes, and what the third party does with it. The Oracle case establishes that ignorance of your data broker relationships is not a defense.

Audit consent mechanisms against technical reality. Every privacy control and consent mechanism must deliver what it represents. Conduct technical audits — using network traffic analysis, code review, and consent testing — to verify that privacy controls actually prevent the data collection they purport to prevent. The Google location case is the definitive illustration of what happens when they do not.

Implement specific consent for biometric collection. Any product, application, or service that collects facial geometry, voiceprints, fingerprints, or other biometric identifiers from Illinois or other protected-population residents must implement the specific, written, informed consent those statutes require: not a general privacy policy acceptance, but a disclosure and consent specific to the biometric collection.

Review advertising technology vendor data use terms. Your advertising pixels and tags are creating data sharing relationships with advertising platforms and data brokers. Review your vendor contracts to understand what your advertising partners do with data your pixels transmit. If those data uses are not disclosed to your users, you have a disclosure gap that creates the exact liability Lieff Cabraser has successfully pursued against Oracle and others.

Build consent-based infrastructure for the advertising transition. The behavioral advertising industry’s legal vulnerabilities are structural and will not be resolved by individual company compliance fixes. Businesses that begin transitioning toward consent-based advertising infrastructure — first-party data strategies, contextual advertising, consent-based audience building — are positioning for a regulatory and legal environment that is moving inexorably in that direction.
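As an added example (not from the original article or from any tool it names), the sketch below applies the first two items above, mapping third-party flows and checking consent against network traffic, to a constructed HAR-style capture: it lists third-party requests that fired before consent was recorded, or at all when the user declined. The site name, hosts, timestamps and the `CONSENT_AT` marker are assumptions for illustration.

```python
import json
from datetime import datetime
from urllib.parse import urlsplit, parse_qsl

FIRST_PARTY = "shop.example"  # assumption: the site under audit
# Assumption: the test harness records when the banner's "accept" was clicked;
# None means the user declined and no third-party collection should occur.
CONSENT_AT = "2024-05-01T10:00:03.000Z"
HAR = json.loads("""{"log": {"entries": [
 {"startedDateTime": "2024-05-01T10:00:00.100Z",
  "request": {"method": "GET", "url": "https://www.shop.example/"}},
 {"startedDateTime": "2024-05-01T10:00:00.450Z",
  "request": {"method": "GET", "url": "https://cdn.shop.example/app.js"}},
 {"startedDateTime": "2024-05-01T10:00:00.900Z",
  "request": {"method": "GET",
   "url": "https://px.tracker.example/collect?uid=abc123&url=%2Fcart"}},
 {"startedDateTime": "2024-05-01T10:00:04.200Z",
  "request": {"method": "POST", "url": "https://replay.vendor.example/rec?sid=77"}}
]}}""")  # constructed sample capture, not real traffic

def _ts(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def site(host):
    # Simplification: last two labels. A real audit uses the Public Suffix List.
    return ".".join(host.lower().rsplit(".", 2)[-2:])

def audit(har, first_party, consent_at):
    """Return third-party requests sent while no consent was in effect."""
    granted = _ts(consent_at) if consent_at else None
    findings = []
    for entry in har["log"]["entries"]:
        url = urlsplit(entry["request"]["url"])
        if site(url.hostname) == site(first_party):
            continue  # first-party traffic is out of scope here
        if granted is None or _ts(entry["startedDateTime"]) < granted:
            findings.append({
                "host": url.hostname,
                "when": "no consent given" if granted is None else "before consent",
                # Report parameter names only, so the audit log holds no user data.
                "params": sorted(k for k, _ in parse_qsl(url.query)),
            })
    return findings

if __name__ == "__main__":
    for finding in audit(HAR, FIRST_PARTY, CONSENT_AT):
        print(finding)
```

Running the same capture with `consent_at=None` models the "reject all" path, which is where a control that does not match technical reality shows up.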

Conclusion: The Legal Standards Lieff Cabraser Built, and the Compliance They Demand

Lieff Cabraser Heimann & Bernstein has done something genuinely rare in the legal profession: built a body of precedent, through decades of sustained, rigorous litigation, that defines the legal standards governing the digital economy. The Oracle settlement established data broker liability. The Google location case established that privacy controls must work as represented. The Facebook message scanning case established that surveillance of private communications for commercial purposes is legally untenable. The LiveRamp and Trade Desk cases are establishing that identity profiling and behavioral advertising infrastructure require genuine consent.

These outcomes are not merely the results of individual lawsuits. They are the building blocks of a digital privacy legal regime that every business in the digital economy must operate within.

For compliance professionals, Lieff Cabraser’s case portfolio is both a warning and a roadmap. A warning that every major category of digital data collection has been successfully challenged in court — and that the legal framework for challenging more of it is being developed in active litigation today. A roadmap because the specific practices at the center of each case reveal exactly what consent infrastructure, disclosure architecture, and governance practices are required to operate defensibly in the current legal environment.

The firms that treat privacy compliance as a genuine business imperative — that build the consent infrastructure, audit their data flows, align their privacy controls with technical reality, and govern their third-party relationships rigorously — are operating within the legal standards Lieff Cabraser helped establish. The ones that do not are operating outside them, whether they know it or not.
