David J. Oberly

Class Action Defense

David represents companies in high-stakes, high-exposure privacy and technology class action litigation, with deep experience in defending claims alleging noncompliance with the Electronic Communications Privacy Act (ECPA), California Invasion of Privacy Act (CIPA), and similar state wiretapping laws; Video Privacy Protection Act (VPPA); Telephone Consumer Protection Act (TCPA); Illinois Biometric Information Privacy Act (BIPA); and California Consumer Privacy Act (CCPA), among others.

He possesses an intricate, comprehensive understanding of the core strategies on which plaintiffs' attorneys commonly rely in privacy and technology class actions, the range of potential defenses that may be available to defeat or limit these claims, and what arguments to expect from plaintiffs in their attempts to oppose dismissal of these types of high-exposure lawsuits. Drawing upon this knowledge, David is adept at formulating innovative, winning litigation strategies that effectively posture privacy and technology class actions for dispositive dismissals or, alternatively, negotiated settlements on favorable terms to his clients.

His command of the complexities of cutting-edge technologies and associated data flows, the nuances of class action procedure and strategy, and the rapidly changing nature of the law in this space – combined with the innovative and creative approaches he brings to every dispute – enables David to consistently produce exemplary results and outcomes when companies need it the most and makes him a go-to litigator for high-stakes privacy and technology class action litigation matters.

As David's representative matters show, he excels not just at defending privacy and technology class actions but also at achieving decisive victories in these suits – often at the very outset of litigation. And when necessary, David effectively litigates class actions from start to finish in a manner that positions clients for favorable outcomes, whether through dismissal on summary judgment, or client-favorable individual or class settlements.

Compliance

David provides strategic guidance to companies across all industries – including technology, automotive, retail, financial services, and professional sports, among others – on the full range of legal, regulatory, and risk management issues that arise at the intersection of technology, business, and the law. He excels in helping companies navigate the complexities and nuances of today's growing global patchwork of consumer privacy, consumer protection, marketing and advertising, biometrics, children's and student privacy, and similar laws and regulations, while also managing associated risks.

David provides guidance and advice to companies on the use of web analytics tools and online/mobile tracking technologies; processing of precise location data and other types of sensitive data; targeted advertising; data monetization; profiling and automated decision-making; and other practices that seek to leverage personal data in commercial operations. In particular, David advises companies on practical strategies for achieving and maintaining compliance with the ECPA, CIPA and similar state wiretapping laws, VPPA, and TCPA, and similar state marketing laws.

He frequently partners with companies to operationalize compliance through the development and implementation of bespoke, enterprise-wide privacy programs. David conducts compliance audits, gap assessments, and risk analyses of current organizational privacy compliance programs to identify, address, and remediate compliance gaps, and he advises on strategic measures to manage and minimize associated legal risk and potential liability exposure. In this role, David also regularly:

• Advises on profiling and sensitive data processing activities and how to apply new opt-in and opt-out rights to those activities.
• Develops privacy policies, notices, consents, data retention guidelines and schedules, and online terms and conditions (and similar online agreements).
• Develops clickwraps and other online mechanisms for supplying notice, obtaining consent, and ensuring the enforceability of online agreements.
• Assists companies in conducting due diligence and managing vendors and other data recipients.
• Drafts, reviews, and revises service provider agreements to address privacy-critical issues.
• Advises companies with operations spanning multiple jurisdictions on how to address and satisfy vague and oftentimes conflicting compliance obligations.
• Advises on privacy legislation that could potentially impact companies' future legal and regulatory compliance obligations.

Transactions

David represents and advises companies involved in transactions relating to the collection, use, and sharing of personal data. In this role, he drafts and negotiates multiparty contracts for companies involved in technology deals, including software license agreements; end user license agreements (EULAs); software as a service (SaaS), platform as a service (PaaS), and other cloud service agreements; data processing addenda (DPAs); and negotiation playbooks. He also drafts and negotiates ancillary technology-related agreements, such as data sharing agreements, confidentiality and nondisclosure agreements, and media releases. In addition, David advises companies on key legal and commercial issues that arise in complex technology transactions.

Thought Leader

David is a recognized thought leader in the privacy and technology space, including as a recipient of JD Supra's Readers' Choice Award for his writing on privacy and technology matters. He is also the author of LexisNexis's Biometric Data Privacy Compliance & Best Practices – a full-length, comprehensive compendium on biometrics law.

• Class Action Defense

• Obtained dismissal with prejudice of a multinational eyewear brand in a putative Florida Security of Communications Act (FSCA) wiretapping class action involving session replay software through Rule 12(b)(6) motion practice. This was the first FSCA lawsuit in the nation to be dismissed with prejudice on a Rule 12(b)(6) motion to dismiss.

• Facilitated a nuisance-value, individual settlement for an innovative building and siding solutions company in a putative CIPA trap-and-trace class action through informal negotiations with opposing counsel.

• Facilitated a nuisance-value, individual pre-suit settlement for a health care provider in a threatened CIPA pen register/trap-and-trace class action through negotiations with opposing counsel.

• Facilitated a nuisance-value, individual pre-suit settlement for a global specialty chemical company in a threatened CIPA pen register/trap-and-trace class action through negotiations with opposing counsel.

• Currently representing a health care system in a putative CIPA wiretapping class action involving Microsoft Clarity session replay software.

• Obtained summary judgment for a national banking association in a putative FCRA class action involving alleged inaccurate credit reporting.

• Obtained a dispositive, voluntary dismissal with prejudice of a national banking association in a putative consumer protection class action involving alleged improper overdraft fee practices and seeking an eight-figure damages award through a Rule 11 letter.

• Obtained a dispositive, voluntary dismissal of a national home storage and organizations supply company in a putative consumer protection class action involving alleged improper return and refund practices through a Rule 11 letter.

• Obtained a dispositive, voluntary dismissal of a global biometric identity verification technology provider in a putative BIPA class action involving a cryptocurrency exchange customer's use of a biometric identity verification solution through informal discussions with opposing counsel.

• Obtained a dispositive, voluntary dismissal of a national eyewear brand in a putative BIPA class action involving a biometric eyewear VTO tool within 48 hours of being retained to defend the matter through informal discussions with opposing counsel.

• Obtained a dispositive, voluntary dismissal of a national eyewear brand in a second putative BIPA class action involving a biometric eyewear VTO tool through informal discussions with opposing counsel.

• Obtained a dispositive, voluntary dismissal of an international cosmetics brand in a putative BIPA class action involving a biometric cosmetics VTO tool through informal discussions with opposing counsel.

• Obtained a dispositive, voluntary dismissal of a second international cosmetics brand in a putative BIPA class action involving a biometric cosmetics VTO tool through Rule 12(b)(6) motion practice.

• Obtained a dispositive, voluntary dismissal of a national party store chain in a putative BIPA class action involving a biometric time-and-attendance system without the need to engage in motion practice.

• Facilitated a nuisance-value, individual settlement for a ceiling fan manufacturer and designer in a putative TCPA class action through informal discussions with opposing counsel.

• Facilitated a nuisance-value, individual settlement for a national timeshare management software and financial services management company in a putative TCPA class action through Rule 12(b)(2) motion practice.

• Facilitated a nuisance-value, pre-suit settlement for a multinational logistics company in threatened litigation involving the inadvertent disclosure of sensitive employee data.

• Obtained summary judgment for one of the nation's largest grocery store chains in a high-profile federal civil rights and Second Amendment civil action arising from a customer's arrest on a private grocery store chain's property while open-carrying a weapon; summary judgment was affirmed by the U.S. Court of Appeals for the Sixth Circuit.

• Compliance, Risk Management & Product Counseling

• Serve as day-to-day outside privacy and technology counsel for digital identity software providers, technology platform developers, an eyewear retailer, and a financial intuition.

• Advised numerous companies on compliance with the ECPA, CIPA, VPPA, and related privacy and consumer protection laws governing web and online data collection, analytics, and tracking practices.

• Advised numerous companies on consumer privacy compliance obligations applicable to sensitive data, profiling, and automated decision-making activities.

• Advised a multibrand restaurant owner on the use of third-party data enrichment services for a customer and prospect profiling and targeting purposes.

• Advised website operators and app developers on compliance with federal sector-specific laws, including FTC Act, HIPAA/HITECH, TCPA/TSR, FCRA, GLBA, COPPA, and FERPA.

• Advised companies on compliance with the CAN-SPAM Act and other online marketing laws applicable to corporate email marketing campaigns.

• Advised companies on strategic modifications to subscription programs and associated user flows for compliance with automatic renewal laws and mitigation of increased liability exposure stemming from heightened regulatory scrutiny of negative option marketing practices.

• Advised a global automobile manufacturer on compliance obligations and risk management considerations during the development of next-generation AI-powered perception system autonomous vehicle technology.

• Advised a global automobile manufacturer on compliance obligations and risk management considerations during the development of next-generation AI-powered perception system autonomous vehicle technology.

• Advised a luxury British sports car manufacturer on global privacy compliance obligations appliable to the collection and use of autonomous vehicle occupant personal data.

• Advised a global automobile ride dynamics product manufacturer on consumer privacy compliance obligations applicable to the collection and use of vehicle sensor data for analytics purposes.

• Advised the world's leading face biometrics technology company on global privacy and biometrics compliance obligations in connection with the launch of software offering involving cryptographically signed biometric barcodes (UR Codes).

• Advised a national video market platform developer on compliance obligations and risk management considerations in connection with the development and rollout of enhanced AI product functionalities.

• Advised an NFL franchise on compliance obligations and risk management considerations in connection with the implementation of a biometric security and access control solution at its home venue.

• Advised digital identity verification technology companies on global expansion strategies in connection with their entrance into the U.S. gaming market to supply age and identity verification solutions to sports betting, internet gaming, and fantasy contest operators.

• Online Privacy/Web Practices

• Developed a broad range of online privacy disclosures and agreements for numerous companies across all sectors, including privacy policies, consumer health data privacy notices, consumer privacy notices, employee/HR privacy notices, children's privacy notices, cookies and tracking technologies policies, cookie banners, notice and consent banners, and online terms and conditions.

• Conducted privacy assessments, compliance audits, and gap analyses of online privacy disclosures and practices, and prepared modifications and updates to remediate gaps and achieve global compliance with applicable privacy law.

• Advised companies on the design, layout, appearance, and content of clickwrap agreements to ensure enforceability against end users.

• Developed a comprehensive suite of online privacy disclosures for the world's leading face biometrics technology company, including website privacy policy, cookies and tracking technologies policy, DPF policy, GDPR notice, and state consumer privacy notice supplements.

• Developed website privacy policy, GPC disclosure language, online terms of service, and guest Wi-Fi acceptable use policy for a global SaaS connected device platform developer.

• Compliance Programs

• Developed numerous enterprise-wide compliance programs for companies across a diverse range of sectors, including the world's largest global portfolio of online dating services, a school digital media management platform provider, a vehicle ignition interlock device manufacturer, multiple national financial institutions, multiple international cosmetics brands, a national eyewear brand, and a national linens provider.

• Developed consumer rights response guidance, playbooks, and template policies and procedures for compliance with consumer privacy laws.

• Developed enterprise-wide internal privacy and data protection policies and procedures.

• Conducted a compliance audit and gap analysis of a national moving truck, trailer, and self-storage rental company's contemplated use of vehicle and equipment precise geolocation tracking technologies in advance of program rollout; advised on compliance implications relating to the use of tracking technologies and location data; and developed detailed, strategic guidance for satisfying heightened compliance obligations applicable to use of sensitive location data.

• Conducted a compliance audit and gap analysis of a multinational hotel property company's rewards membership application, guest registration flow, and online privacy policy, and prepared modifications to remediate compliance gaps.

• Conducted a compliance audit and gap analysis of a Fortune 500 energy company and convenience store brand owner's mobile app user flow and advised on user flow modifications to achieve compliance with applicable privacy law.

• Conducted a compliance audit and gap analysis of a foreign multinational banking firm's internal privacy and security policies and procedures and advised on strategies to remediate deficiencies and enhance the level of risk mitigation.

• Developed a NYDFS Part 500 Cybersecurity Regulation-compliant cybersecurity policy and incident response plan for a national servicer of residential and commercial mortgages.

• Developed a suite of internal privacy and data protection policies for a national security firm.

• Developed TPA and PIA templates for a leading global online manufacturer and retailer of licensed sportswear, sports merchandise, sports collectibles, NFTs, and trading cards.

• Developed a DTIA template for a multinational consumer goods company and corresponding DTIA guide for customer use in conducting assessments of the company's products and services.

• Advised a foreign technology developer on strategic enhancements to its privacy compliance program, including workable methods and solutions for satisfying GPC compliance obligations under consumer privacy laws.

• Developed an enterprise-wide HIPAA compliance program for a national environmental organization.

• Technology Transactions

• Drafted a template enterprise software license agreement, DPA set, and EULA for the world's leading face biometrics technology company.

• Drafted a template VAR agreement and EULA for an AI-driven access control and identity verification platform provider.

• Drafted and negotiated a SaaS agreement and DPA for a national eyewear brand in connection with the procurement of online technology platform services.

• Advised a second NFL franchise in the negotiation of DPAs with league/franchise vendors.

• Advised a global identity assurance software provider in the negotiation of a SaaS agreement with a financial institution.

• Advised a national financial institution in the negotiation of a SaaS agreement with a customer call center service platform supplier.

• Advised a global consumer-to-consumer online marketplace in the negotiation of a SaaS agreement with an identity verification software supplier.

• Developed a comprehensive enterprise service agreement, DPA, and platform terms of service for a school digital media management provider.

• American Bar Association
  • Chair, Brief Subcommittee – TIPS Cybersecurity & Data Privacy Committee (2024 – present)
  • Chair, Newsletter Subcommittee – TIPS Cybersecurity & Data Privacy Committee (2022 – present)
  • Vice Chair – TIPS Cybersecurity & Data Privacy Committee (2021 – present)
  • Vice Chair – TIPS Technology & New Media Committee (2021 – present)
• Cincinnati Bar Association
  • Member – Board of Trustees (2022 – 2024)
  • Founder/Chair – Cybersecurity & Data Privacy Practice Group (2020 – 2023)
  • Chair – Membership Services & Development Committee (2019 – 2023)
  • Member – Awards Committee (2020 – 2023)
  • Co-Chair – Superhero Run for Kids 5K Planning Committee (2018 – 2020)
• Ohio State Bar Association
  • Member – Young Lawyers Section Council (2018 – 2021)
• United Way of Greater Cincinnati
  • Member – Emerging Leaders (2020 – 2023)
• Listed in Best Lawyers: Ones to Watch^® in America for Technology Law (2023)
• Selected as a Top Cybersecurity Author, JD Supra Readers' Choice Awards (2021)
• Selected to Ohio Rising Stars (2017 – present)
• Selected to Washington, D.C. Rising Stars for Technology Transactions (2018 – 2025)
• Participant – Cincinnati Academy of Leadership for Lawyers (2018)

• "Recent CCPA Decision Portends Potential Expansion of Class Action Liability Exposure For Cookies, Pixels, and Tracking Technologies," republished in Law360 (May 2025)
• "Recent Wiretapping Class Action Dismissal Offers Compliance Lessons," republished in Law360 (April 2025)
• "Location Data Practices Targeted by California Lawmakers and Regulators," republished in FinTech Law Report (March 2025)
• "Key Takeaways and Lessons Learned From Bipa Choice of Law Dismissal," Biometric Update (November 2024)
• "Biometric Privacy Law in Texas Close Enough to BIPA to Protect Match," Biometric Update (November 2024)
• "Seventh Circuit Refuses to Compel BIPA Mass Arbitration Against Samsung: Takeaways and Lessons," Cybersecurity Law Report (November 2024)
• "Securing Insurance Coverage for BIPA Class Actions a Growing Challenge," Biometric Update (October 2024)
• "Issues to Consider When Retaining Third-Party Vendors for CTA Filing Services" (October 2024)
• "Scope and contours of BIPA biometric 'identifiers' and 'information'," Biometric Update (July 2024)
• "BIPA Amendments Passed by Illinois Legislature: What Companies Need to Know" (June 2024)
• "Colorado HB 1130: The nation's first-of-its-kind hybrid biometrics law," Biometric Update (June 2024)
• "Analyzing the EU Artificial Intelligence Act: Spotlight on Biometrics," Republished June 2024, in Bloomberg Law (May 2024)
• "Colorado Enacts BIPA-Like Regulatory Obligations (and More), Ushering in a New Era of Biometrics Regulation in the U.S.," republished in Architecture & Governance Magazine and FinTech Law Report (May 2024)
• "New Federal Bill Would Drastically Alter Privacy Landscape," Law360 (May 2024)
• "Biometrics Risks in the Lone Star State: What In-House Counsel & C-Suite Executives Need to Know," CPI TechREG Chronicle (April 2024)
• "How In-House Counsel Should Address Risk When Deploying New AI Tools," Today's General Counsel (April 2024)
• "Google's BIPA Extraterritoriality Dismissal Provides Key Lessons," Biometric Update (March 2024)
• "Takeaways From Recent Meta BIPA Decision: What Companies Need to Know," Biometric Update (March 2024)
• "FTC Rite Aid Settlement Offers Key Lessons for Mitigating Risk When Deploying Biometrics or AI Tools," republished January 5, 2024, in Law360 (December 2023)
• "BIPA Defendant Ordered to Produce Per-Scan Damages Data," Biometric Update (December 2023)
• "Illinois Supreme Court Holds BIPA Health Care Exemption Applies to Employees," Biometric Update (December 2023)
• "Strategies for Defending Against the Newest BIPA Class Action Threat: Mass Arbitration," Biometric Update (December 2023)
• "Takeaways From the ICO's Draft Guidance on Biometric Data," Biometric Update (November 2023)
• "Key Takeaways From Recent BIPA Biometric Technology Vendor Decision," Biometric Update (October 2023)
• "Utah Consumer Privacy Act: New legislation adds another wrinkle to the US legal landscape," The Daily Swig (April 2022)
• "Biometric Data Collection Takeaways From BNSF Ruling," Law360 (March 2022)

• "Responsible and Ethical Commercial Biometrics" (January 2024)

• Six Baker Donelson Attorneys Named to 2025 Washington, D.C., Super Lawyers List (May 29, 2025)
• Baker Donelson Adds Renowned Biometric Privacy Thought Leader David J. Oberly in D.C. (November 8, 2023)

• Biometric Update Cites David Oberly on Colorado Bill Regulating Collection of Biometric Data (November 13, 2024)
• David Oberly Quoted in Reuters on Amendments to Illinois Biometric Information Privacy Act (August 5, 2024)
• David Oberly Discusses Meta's $1.4 Billion Biometric Data Privacy Lawsuit Settlement in Biometric Update (July 30, 2024)
• David Oberly Analyzes Intentions, Prospects of Illinois BIPA Bill Change in Biometric Update (April 12, 2024)
• David Oberly Comments on Risk to Vendors After FTC's Rite Aid Settlement in Cybersecurity Law Report (January 31, 2024)
• Healthcare IT News Cites David Oberly Regarding States Enacting Cybersecurity Safe Harbor Legislation (January 30, 2024)
• In Cybersecurity Law Report, David Oberly Discusses the Broad Impact of FTC's Rite Aid Order on Users of Biometrics and AI (January 24, 2024)
• David Oberly Talks with Law360 About Federal Regulatory Focus on AI (November 9, 2023)
• Law360 Highlights Addition of Biometric Pro David Oberly to Baker Donelson's D.C. Office (November 9, 2023)
• David Oberly quoted in Bloomberg Law on legal risks of virtual try-on fashion technology (July 8, 2022)
• David Oberly discusses shifts in privacy regulation landscape with Legaltech regarding Apple's upcoming in-app deletion deadline (May 28, 2022)
• Local 12 WKRC Cincinnati speaks with David Oberly regarding Ohio lawmakers' push to make stalking through devices like AirTags a crime (May 20, 2022)
• David Oberly speaks with Bloomberg on "voiceprints" and how they are affecting the legal landscape of Biometrics Litigation (May 18, 2022)
• Bloomberg's Privacy & Data Security Law interviews David Oberly on risks of outsourcing payroll following recent wage suits (March 30, 2022)