Cybersecurity & Privacy Group Of The Year: Gibson Dunn

Accolades  |  February 5, 2025

Law360

Gibson Dunn helped Meta Platforms Inc. stave off claims that Illinois’ biometric privacy law broadly applies to nonusers’ facial scans and assisted DoorDash Inc. in limiting its exposure in one of the first regulatory investigations under California’s trailblazing data privacy law, earning the firm a spot among the 2024 Law360 Cybersecurity & Privacy Groups of the Year.

With companies across a range of industries facing growing scrutiny from regulators and private plaintiffs over their data privacy and security practices, the global and interdisciplinary privacy, cybersecurity and data innovation practice group at Gibson Dunn has steered its clients through the complex and rapidly evolving web of laws, regulations and best practices for handling, protecting and sharing consumers’ personal information. 

Leveraging its deep bench of experienced litigators and counselors, the practice group — which consists of a core of 14 attorneys who are spread across offices in the United States and abroad and are supported by dozens of their colleagues from related disciplines such as technology and artificial intelligence — has stayed on top of cutting-edge issues such as biometric privacy and state data privacy law compliance, securing favorable outcomes in matters of first impression and high-stakes regulatory matters. 

“What clients are really looking for is a firm that’s able to handle in-house all the data privacy and cybersecurity issues they’re facing around the world, and they come to us because we have an incredibly strong global practice,” said Ashlie Beringer, who rejoined the firm in 2021 to co-lead the practice group after a stint as Facebook’s deputy general counsel. 

The group’s ability to seamlessly provide a full range of litigation and regulatory assistance to its clients, coupled with the significant support it has received from the firm’s leadership, has helped the practice to continue to grow stronger over the years. 

“Our group is very nimble, and we’re able to make sure that we’re bringing the right mix of experience and talent to bear and are able to handle all different aspects of any given matter,” said Lauren Goldman, a member of the group and co-chair of the firm’s technology litigation practice group.

The firm has leaned on its depth and breadth of talent to secure several favorable outcomes in the past year, including a Ninth Circuit ruling handed down in June that affirmed the dismissal of a proposed class action accusing Meta’s Facebook of violating Illinois’ Biometric Information Privacy Act through its incidental scanning of the faces of nonusers who appeared in users’ photos. 

The plaintiff argued that the law required Meta to obtain consent from every anonymous nonuser who appeared in a photo to be able to deploy its tag suggestion feature, which uses facial recognition technology to analyze uploaded photos and find matches to face templates that are created only for fellow users. 

However, in refusing to revive the dispute, the Ninth Circuit concluded that the “face signatures” Facebook allegedly generates of nonusers aren’t covered by the landmark biometric statute because they’re quickly discarded once a user match isn’t found and can’t be used to identify someone. 

The ruling significantly limited the reach of the statute and paves the way for technology companies to continue to develop and deploy a broad range of biometric identification systems, artificial intelligence models and similar cutting-edge products. 

“Companies that use a very broad range of these types of systems were closely watching this case with great interest because the plaintiff’s theory was so broad that, if it were accepted by the Ninth Circuit, it would have knocked out so many very useful applications of biometric technology,” said Goldman, who argued the case on behalf of Facebook before the Ninth Circuit.  

With government enforcers and policymakers showing increasing focus in this area, the Ninth Circuit’s ruling is also likely to help shape the regulatory approach to this emerging area while providing some helpful “flexibility” to companies in the development of these technologies, Beringer added.

The Gibson Dunn team was thrust into the center of another cutting-edge dispute when it was retained by DoorDash to defend the food delivery service against California Attorney General Rob Bonta’s claims it violated the state’s consumer privacy law, which was enacted in 2018 as the first comprehensive state law of its kind. The state accused DoorDash of failing to clearly inform users of their ability to opt out of the sale of their personal information to a marketing vendor.

The firm was brought in late in the matter to replace existing counsel, and the attorney general had already put an initial settlement demand on the table.

However, the Gibson Dunn team was able to chip away at this demand by raising novel arguments over the adequacy of the statutorily required notice the attorney general must give companies to allow them to fix potential violations and by providing evidence that the company had discontinued its allegedly unlawful conduct before the privacy statute took effect in 2020.

This work resulted in a deal announced in February 2024 that required DoorDash to pay a $375,000 penalty, which was significantly less than both the initial settlement demand and the state’s first resolution with a different company under the California Consumer Privacy Act. The resolution also included injunctive terms that reiterated existing requirements of the law but notably did not require DoorDash to make any changes to its business practices. 

Beringer noted that her team’s move to press the argument that Bonta had not followed his notice and cure obligations under the law was important in terms of not only putting DoorDash in a good negotiating position but also highlighting the value more broadly of such provisions, which are included in several state privacy laws and provide “an important safety valve for companies trying to comply with new laws before any guidance is issued.”

 “Our experience is that, in many states that have notice and cure provisions under their privacy law, AGs have not given it sufficient attention and tend to perceive that by providing a general boilerplate letter that goes out to many companies when enforcement begins, they’ve given sufficient notice,” Beringer said.

In negotiating the deal, which was only the second to be publicly disclosed under the CCPA, the Gibson Dunn team was also “very surgical and focused” on ensuring that the deal’s terms reinforced companies’ obligations under the statute without attempting to expand the substantive reach of the law, according to Beringer.

“A lot of these state privacy laws that are coming online are being drafted in very non-specific terms that leave a lot of room for interpretation, so it was important for us to keep any tendency to overreach in check,” Beringer said. 

The Gibson Dunn team built on this work by separately assisting DoorDash in its First Amendment challenge to a New York City law requiring delivery services to provide restaurants with certain customer information. 

DoorDash and other food delivery services apps contesting the law argued it infringed the First Amendment by requiring the companies to hand over diner data they otherwise wouldn’t provide, such as customers’ full names and phone numbers, to restaurants.

In a September 2024 ruling, a New York federal judge agreed with this contention, finding that the law was unconstitutional because the city had failed to demonstrate that an incentive-based program or other “less-restrictive alternatives” weren’t available to reach its objective of ensuring restaurants obtain valuable data about customers.

The practice group has also been engaged by clients to work on a range of other hot-button issues in the data privacy and security space during the past year. 

This work includes representing Charles Schwab Corp. and its affiliate TD Ameritrade Inc. in sprawling multidistrict litigation in Massachusetts federal court over the massive and complex data breach involving Progress Software’s MOVEit file transfer tool, which impacted thousands of entities around the globe that relied on the compromised tool and exposed millions of records.

Gibson Dunn also represented Cartoon Network in a proposed class action accusing YouTube and several prominent content providers of illegally tracking the online viewing habits of children in order to increase advertising revenue. Following several opportunities for the plaintiffs to amend their pleadings, a California federal judge cut Cartoon Network and a raft of other YouTube channel owners from the suit in a Jan. 13 ruling, finding that these companies couldn’t be held directly liable for the alleged conduct. 

That case “emphasizes the focus that plaintiffs in privacy class action litigation have and will continue to have on children’s data in particular,” noted privacy partner Cassandra Gaedt-Sheckter, who also chairs the firm’s global AI practice, adding that this scrutiny of both private litigants and states is only likely to intensify as the new Republican administration at the federal level shifts its focus to other issues. 

As it handles these matters, the Gibson Dunn team has also been steadily expanding to bolster its capabilities to navigate all aspects of the data privacy landscape, from increasingly complex litigation to intense regulatory investigations at the state and federal levels. 

Recent notable additions to the group include Jane Horvath, who previously served as chief privacy officer at Apple Inc. and joined the firm in early 2023 to co-chair its privacy, cybersecurity and data innovation practice group; Keith Enright, the former vice president and chief privacy officer for Google LLC who since last September has co-chaired the firm’s AI practice; and Vivek Mohan, who arrived at the firm in 2022 to co-chair its AI practice group after stints with Mayer Brown LLP and Apple. 

These recruitments have aided in the firm’s success by providing clients with not only practitioners who are at the top of their fields but also executives who have been in-house at tech companies and can provide valuable insight into the operational side of these issues, Beringer noted. 

As data privacy and cybersecurity topics continue to attract significant attention at both the state and federal levels, the Gibson Dunn practice group expects to continue to be at the forefront and build up its resources and expertise to respond to these new challenges, according to Goldman.

“The combination of our depth of talent and the way the team is built to work seamlessly across both practice areas and jurisdictions is very attractive, and we do expect continued growth,” she said. “It’s a fun place to practice, especially in such a cutting-edge area.” 

Reprinted with permission from Law360.