David J. Oberly

Class Action Defense

David represents companies in high-stakes, high-exposure privacy and technology class action litigation, with deep experience in defending claims alleging noncompliance with the Electronic Communications Privacy Act (ECPA), California Invasion of Privacy Act (CIPA), and similar state wiretapping laws; Video Privacy Protection Act (VPPA); Telephone Consumer Protection Act (TCPA); Illinois Biometric Information Privacy Act (BIPA); and California Consumer Privacy Act (CCPA), among others.

He possesses an intricate, comprehensive understanding of the core strategies on which plaintiffs' attorneys commonly rely in privacy and technology class actions, the range of potential defenses that may be available to defeat or limit these claims, and what arguments to expect from plaintiffs in their attempts to oppose dismissal of these types of high-exposure lawsuits. Drawing upon this knowledge, David is adept at formulating innovative, winning litigation strategies that effectively posture privacy and technology class actions for dispositive dismissals or, alternatively, negotiated settlements on favorable terms to his clients.

His command of the complexities of cutting-edge technologies and associated data flows, the nuances of class action procedure and strategy, and the rapidly changing nature of the law in this space – combined with the innovative and creative approaches he brings to every dispute – enables David to consistently produce exemplary results and outcomes when companies need it the most and makes him a go-to litigator for high-stakes privacy and technology class action litigation matters.

As David's representative matters show, he excels not just at defending privacy and technology class actions but also at achieving decisive victories in these suits – often at the very outset of litigation. And when necessary, David effectively litigates class actions from start to finish in a manner that positions clients for favorable outcomes, whether through dismissal on summary judgment, or client-favorable individual or class settlements.

Compliance

David provides strategic guidance to companies across all industries – including technology, automotive, retail, financial services, and professional sports, among others – on the full range of legal, regulatory, and risk management issues that arise at the intersection of technology, business, and the law. He excels in helping companies navigate the complexities and nuances of today's growing global patchwork of consumer privacy, consumer protection, marketing and advertising, biometrics, children's and student privacy, and similar laws and regulations, while also managing associated risks.

David provides guidance and advice to companies on the use of web analytics tools and online/mobile tracking technologies; processing of precise location data and other types of sensitive data; targeted advertising; data monetization; profiling and automated decision-making; and other practices that seek to leverage personal data in commercial operations. In particular, David advises companies on practical strategies for achieving and maintaining compliance with the ECPA, CIPA and similar state wiretapping laws, VPPA, and TCPA, and similar state marketing laws.

He frequently partners with companies to operationalize compliance through the development and implementation of bespoke, enterprise-wide privacy programs. David conducts compliance audits, gap assessments, and risk analyses of current organizational privacy compliance programs to identify, address, and remediate compliance gaps, and he advises on strategic measures to manage and minimize associated legal risk and potential liability exposure. In this role, David also regularly:

• Advises on profiling and sensitive data processing activities and how to apply new opt-in and opt-out rights to those activities.
• Develops privacy policies, notices, consents, data retention guidelines and schedules, and online terms and conditions (and similar online agreements).
• Develops clickwraps and other online mechanisms for supplying notice, obtaining consent, and ensuring the enforceability of online agreements.
• Assists companies in conducting due diligence and managing vendors and other data recipients.
• Drafts, reviews, and revises service provider agreements to address privacy-critical issues.
• Advises companies with operations spanning multiple jurisdictions on how to address and satisfy vague and oftentimes conflicting compliance obligations.
• Advises on privacy legislation that could potentially impact companies' future legal and regulatory compliance obligations.

Transactions

David represents and advises companies involved in transactions relating to the collection, use, and sharing of personal data. In this role, he drafts and negotiates multiparty contracts for companies involved in technology deals, including software license agreements; end user license agreements (EULAs); software as a service (SaaS), platform as a service (PaaS), and other cloud service agreements; data processing addenda (DPAs); and negotiation playbooks. He also drafts and negotiates ancillary technology-related agreements, such as data sharing agreements, confidentiality and nondisclosure agreements, and media releases. In addition, David advises companies on key legal and commercial issues that arise in complex technology transactions.

Thought Leader

David is a recognized thought leader in the privacy and technology space, including as a recipient of JD Supra's Readers' Choice Award for his writing on privacy and technology matters. He is also the author of LexisNexis's Biometric Data Privacy Compliance & Best Practices – a full-length, comprehensive compendium on biometrics law.

• Class Action Defense

• Facilitated a nuisance-value, individual settlement for an innovative building and siding solutions company in a putative CIPA trap-and-trace class action through informal negotiations with opposing counsel.

• Facilitated a nuisance-value, individual pre-suit settlement for a health care provider in a threatened CIPA pen register/trap-and-trace class action through negotiations with opposing counsel.

• Facilitated a nuisance-value, individual pre-suit settlement for a global specialty chemical company in a threatened CIPA pen register/trap-and-trace class action through negotiations with opposing counsel.

• Currently representing a health care system in a putative CIPA wiretapping class action involving Microsoft Clarity session replay software.

• Obtained a dispositive, voluntary dismissal of a global biometric identity verification technology provider in a putative BIPA class action involving a cryptocurrency exchange customer's use of a biometric identity verification solution through informal discussions with opposing counsel.

• Obtained a dispositive, voluntary dismissal of a national eyewear brand in a putative BIPA class action involving a biometric eyewear VTO tool within 48 hours of being retained to defend the matter through informal discussions with opposing counsel.

• Obtained a dispositive, voluntary dismissal of a national eyewear brand in a second putative BIPA class action involving a biometric eyewear VTO tool through informal discussions with opposing counsel.

• Obtained a dispositive, voluntary dismissal of an international cosmetics brand in a putative BIPA class action involving a biometric cosmetics VTO tool through informal discussions with opposing counsel.

• Facilitated a nuisance-value, individual settlement for a ceiling fan manufacturer and designer in a putative TCPA class action through informal discussions with opposing counsel.

• Compliance, Risk Management & Product Counseling

• Serve as day-to-day outside privacy and technology counsel for digital identity software providers, technology platform developers, an eyewear retailer, and a financial intuition.

• Advised numerous companies on compliance with the ECPA, CIPA, VPPA, and related privacy and consumer protection laws governing web and online data collection, analytics, and tracking practices.

• Advised numerous companies on consumer privacy compliance obligations applicable to sensitive data, profiling, and automated decision-making activities.

• Advised website operators and app developers on compliance with federal sector-specific laws, including FTC Act, HIPAA/HITECH, TCPA/TSR, FCRA, GLBA, COPPA, and FERPA.

• Advised companies on compliance with the CAN-SPAM Act and other online marketing laws applicable to corporate email marketing campaigns.

• Advised companies on strategic modifications to subscription programs and associated user flows for compliance with automatic renewal laws and mitigation of increased liability exposure stemming from heightened regulatory scrutiny of negative option marketing practices.

• Advised a luxury British sports car manufacturer on global privacy compliance obligations appliable to the collection and use of autonomous vehicle occupant personal data.

• Advised a global automobile ride dynamics product manufacturer on consumer privacy compliance obligations applicable to the collection and use of vehicle sensor data for analytics purposes.

• Advised a national video market platform developer on compliance obligations and risk management considerations in connection with the development and rollout of enhanced AI product functionalities.

• Advised an NFL franchise on compliance obligations and risk management considerations in connection with the implementation of a biometric security and access control solution at its home venue.

• Advised digital identity verification technology companies on global expansion strategies in connection with their entrance into the U.S. gaming market to supply age and identity verification solutions to sports betting, internet gaming, and fantasy contest operators.

• Online Privacy/Web Practices

• Developed a broad range of online privacy disclosures and agreements for numerous companies across all sectors, including privacy policies, consumer health data privacy notices, consumer privacy notices, employee/HR privacy notices, children's privacy notices, cookies and tracking technologies policies, cookie banners, notice and consent banners, and online terms and conditions.

• Conducted privacy assessments, compliance audits, and gap analyses of online privacy disclosures and practices, and prepared modifications and updates to remediate gaps and achieve global compliance with applicable privacy law.

• Advised companies on the design, layout, appearance, and content of clickwrap agreements to ensure enforceability against end users.

• Compliance Programs

• Developed numerous enterprise-wide compliance programs for companies across a diverse range of sectors, including the world's largest global portfolio of online dating services, a school digital media management platform provider, a vehicle ignition interlock device manufacturer, multiple national financial institutions, multiple international cosmetics brands, a national eyewear brand, and a national linens provider.

• Developed consumer rights response guidance, playbooks, and template policies and procedures for compliance with consumer privacy laws.

• Developed enterprise-wide internal privacy and data protection policies and procedures.

• Conducted a compliance audit and gap analysis of a national moving truck, trailer, and self-storage rental company's contemplated use of vehicle and equipment precise geolocation tracking technologies in advance of program rollout; advised on compliance implications relating to the use of tracking technologies and location data; and developed detailed, strategic guidance for satisfying heightened compliance obligations applicable to use of sensitive location data.

• Conducted a compliance audit and gap analysis of a Fortune 500 energy company and convenience store brand owner's mobile app user flow and advised on user flow modifications to achieve compliance with applicable privacy law.

• Technology Transactions

• Drafted a template enterprise software license agreement, DPA set, and EULA for the world's leading face biometrics technology company.

• Drafted and negotiated a SaaS agreement and DPA for a national eyewear brand in connection with the procurement of online technology platform services.

• Advised a second NFL franchise in the negotiation of DPAs with league/franchise vendors.

• Advised a global identity assurance software provider in the negotiation of a SaaS agreement with a financial institution.

• Advised a global consumer-to-consumer online marketplace in the negotiation of a SaaS agreement with an identity verification software supplier.

• American Bar Association
  • Chair, Brief Subcommittee – TIPS Cybersecurity & Data Privacy Committee (2024 – present)
  • Chair, Newsletter Subcommittee – TIPS Cybersecurity & Data Privacy Committee (2022 – present)
  • Vice Chair – TIPS Cybersecurity & Data Privacy Committee (2021 – present)
  • Vice Chair – TIPS Technology & New Media Committee (2021 – present)
• Cincinnati Bar Association
  • Member – Board of Trustees (2022 – 2024)
  • Founder/Chair – Cybersecurity & Data Privacy Practice Group (2020 – 2023)
  • Chair – Membership Services & Development Committee (2019 – 2023)
  • Member – Awards Committee (2020 – 2023)
  • Co-Chair – Superhero Run for Kids 5K Planning Committee (2018 – 2020)
• Ohio State Bar Association
  • Member – Young Lawyers Section Council (2018 – 2021)
• United Way of Greater Cincinnati
  • Member – Emerging Leaders (2020 – 2023)
• Listed in Best Lawyers: Ones to Watch^® in America for Technology Law (2023)
• Selected as a Top Cybersecurity Author, JD Supra Readers' Choice Awards (2021)
• Selected to Ohio Rising Stars (2017 – present)
• Selected to Washington, D.C. Rising Stars for Technology Transactions (2018 – 2025)
• Participant – Cincinnati Academy of Leadership for Lawyers (2018)

• "Recent CCPA Decision Portends Potential Expansion of Class Action Liability Exposure For Cookies, Pixels, and Tracking Technologies," republished in Law360 (May 2025)
• "Recent Wiretapping Class Action Dismissal Offers Compliance Lessons," republished in Law360 (April 2025)
• "Location Data Practices Targeted by California Lawmakers and Regulators," republished in FinTech Law Report (March 2025)
• "Key Takeaways and Lessons Learned From Bipa Choice of Law Dismissal," Biometric Update (November 2024)
• "Biometric Privacy Law in Texas Close Enough to BIPA to Protect Match," Biometric Update (November 2024)
• "Seventh Circuit Refuses to Compel BIPA Mass Arbitration Against Samsung: Takeaways and Lessons," Cybersecurity Law Report (November 2024)
• "Securing Insurance Coverage for BIPA Class Actions a Growing Challenge," Biometric Update (October 2024)
• "Issues to Consider When Retaining Third-Party Vendors for CTA Filing Services" (October 2024)
• "Scope and contours of BIPA biometric 'identifiers' and 'information'," Biometric Update (July 2024)
• "BIPA Amendments Passed by Illinois Legislature: What Companies Need to Know" (June 2024)
• "Colorado HB 1130: The nation's first-of-its-kind hybrid biometrics law," Biometric Update (June 2024)
• "Analyzing the EU Artificial Intelligence Act: Spotlight on Biometrics," Republished June 2024, in Bloomberg Law (May 2024)
• "Colorado Enacts BIPA-Like Regulatory Obligations (and More), Ushering in a New Era of Biometrics Regulation in the U.S.," republished in Architecture & Governance Magazine and FinTech Law Report (May 2024)
• "New Federal Bill Would Drastically Alter Privacy Landscape," Law360 (May 2024)
• "Biometrics Risks in the Lone Star State: What In-House Counsel & C-Suite Executives Need to Know," CPI TechREG Chronicle (April 2024)
• "How In-House Counsel Should Address Risk When Deploying New AI Tools," Today's General Counsel (April 2024)
• "Google's BIPA Extraterritoriality Dismissal Provides Key Lessons," Biometric Update (March 2024)
• "Takeaways From Recent Meta BIPA Decision: What Companies Need to Know," Biometric Update (March 2024)
• "FTC Rite Aid Settlement Offers Key Lessons for Mitigating Risk When Deploying Biometrics or AI Tools," republished January 5, 2024, in Law360 (December 2023)
• "BIPA Defendant Ordered to Produce Per-Scan Damages Data," Biometric Update (December 2023)
• "Illinois Supreme Court Holds BIPA Health Care Exemption Applies to Employees," Biometric Update (December 2023)
• "Strategies for Defending Against the Newest BIPA Class Action Threat: Mass Arbitration," Biometric Update (December 2023)
• "Takeaways From the ICO's Draft Guidance on Biometric Data," Biometric Update (November 2023)
• "Key Takeaways From Recent BIPA Biometric Technology Vendor Decision," Biometric Update (October 2023)
• "Utah Consumer Privacy Act: New legislation adds another wrinkle to the US legal landscape," The Daily Swig (April 2022)
• "Biometric Data Collection Takeaways From BNSF Ruling," Law360 (March 2022)

• "Responsible and Ethical Commercial Biometrics" (January 2024)

• Six Baker Donelson Attorneys Named to 2025 Washington, D.C., Super Lawyers List (May 29, 2025)
• Baker Donelson Adds Renowned Biometric Privacy Thought Leader David J. Oberly in D.C. (November 8, 2023)

• Biometric Update Cites David Oberly on Colorado Bill Regulating Collection of Biometric Data (November 13, 2024)
• David Oberly Quoted in Reuters on Amendments to Illinois Biometric Information Privacy Act (August 5, 2024)
• David Oberly Discusses Meta's $1.4 Billion Biometric Data Privacy Lawsuit Settlement in Biometric Update (July 30, 2024)
• David Oberly Analyzes Intentions, Prospects of Illinois BIPA Bill Change in Biometric Update (April 12, 2024)
• David Oberly Comments on Risk to Vendors After FTC's Rite Aid Settlement in Cybersecurity Law Report (January 31, 2024)
• Healthcare IT News Cites David Oberly Regarding States Enacting Cybersecurity Safe Harbor Legislation (January 30, 2024)
• In Cybersecurity Law Report, David Oberly Discusses the Broad Impact of FTC's Rite Aid Order on Users of Biometrics and AI (January 24, 2024)
• David Oberly Talks with Law360 About Federal Regulatory Focus on AI (November 9, 2023)
• Law360 Highlights Addition of Biometric Pro David Oberly to Baker Donelson's D.C. Office (November 9, 2023)
• David Oberly quoted in Bloomberg Law on legal risks of virtual try-on fashion technology (July 8, 2022)
• David Oberly discusses shifts in privacy regulation landscape with Legaltech regarding Apple's upcoming in-app deletion deadline (May 28, 2022)
• Local 12 WKRC Cincinnati speaks with David Oberly regarding Ohio lawmakers' push to make stalking through devices like AirTags a crime (May 20, 2022)
• David Oberly speaks with Bloomberg on "voiceprints" and how they are affecting the legal landscape of Biometrics Litigation (May 18, 2022)
• Bloomberg's Privacy & Data Security Law interviews David Oberly on risks of outsourcing payroll following recent wage suits (March 30, 2022)