Data Privacy Disputes
I provide expert evidence in data privacy disputes and group litigation, with a particular focus on the forensic investigation of websites and applications alleged to have leaked personal data or failed to implement consent and opt-out mechanisms correctly. My work involves the technical analysis of tracking technologies, cookie implementations, and data flows to determine what personal information was collected, where it was sent, and whether appropriate consent was obtained. I have cross-jurisdictional experience under GDPR, the UK Data Protection Act, US federal and state privacy legislation (including the CCPA/CPRA, BIPA, and state consumer privacy laws), and other privacy frameworks.
What This Involves
Data privacy disputes often require detailed forensic examination of how a website or application handles personal data in practice, as distinct from what its privacy policy states. I conduct controlled forensic captures of web and mobile applications to record the network requests made during a user session, identifying what data is transmitted, to which third-party endpoints, and at what point in the user journey. This involves intercepting and analysing HTTP traffic, inspecting JavaScript execution, reviewing SDK integrations within mobile applications, and mapping data flows to third-party analytics, advertising, and tracking services. The resulting evidence provides a factual basis for assessing whether personal data was shared in circumstances that may not have been adequately disclosed to users.
A substantial element of this work involves the assessment of consent mechanisms. In my experience, the technical implementation of cookie consent banners and opt-out controls does not always correspond to the behaviour that the user interface appears to promise. I examine whether tracking scripts and cookies are set before consent is granted, whether opt-out selections are technically honoured (as opposed to merely recorded), and whether the categorisation of cookies and trackers within consent management platforms accurately reflects their function. These are technical questions that require forensic analysis of browser behaviour and network traffic, rather than a review of the consent interface alone.
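The timing question described above can be illustrated with a short script run over a captured session. This is an added example, not the author's own tooling or methodology: the HAR-style entries, host names, and the analyst-recorded decision timestamp are constructed assumptions, and each finding is only a candidate for review, since a third-party request is not necessarily a tracker.

```python
from datetime import datetime
from urllib.parse import urlsplit

def entry(ts, url, set_cookie=None):
    """Build a minimal HAR-style entry (constructed sample data)."""
    headers = [{"name": "Set-Cookie", "value": set_cookie}] if set_cookie else []
    return {"startedDateTime": ts, "request": {"url": url},
            "response": {"headers": headers}}

# Constructed session: page load, banner shown, user clicks "reject" at 10:00:05.
# Real HAR timestamps may end in "Z"; normalise them on Python versions before 3.11.
SAMPLE = [
    entry("2024-01-01T10:00:00+00:00", "https://shop.example/"),
    entry("2024-01-01T10:00:01+00:00", "https://tracker.example/p?uid=123",
          "tid=abc; Max-Age=31536000"),
    entry("2024-01-01T10:00:02+00:00", "https://cdn.shop.example/app.js"),
    entry("2024-01-01T10:00:09+00:00", "https://tracker.example/p?ev=view"),
]
DECISION_AT = "2024-01-01T10:00:05+00:00"  # assumed: noted by the analyst during capture

def is_third_party(host, first_party):
    # Simplification: suffix match against the site's domain, supplied by the analyst.
    return not (host == first_party or host.endswith("." + first_party))

def audit(entries, first_party, decision_at, decision):
    """Return (kind, timestamp, host) findings in chronological order."""
    cutoff = datetime.fromisoformat(decision_at)
    findings = []
    for e in sorted(entries, key=lambda x: datetime.fromisoformat(x["startedDateTime"])):
        ts = datetime.fromisoformat(e["startedDateTime"])
        host = urlsplit(e["request"]["url"]).hostname or ""
        if not is_third_party(host, first_party):
            continue
        if ts < cutoff:
            # Third-party contact before the user made any consent choice.
            findings.append(("request_before_decision", e["startedDateTime"], host))
            if any(h["name"].lower() == "set-cookie" for h in e["response"]["headers"]):
                findings.append(("cookie_before_decision", e["startedDateTime"], host))
        elif decision == "reject":
            # Opt-out was recorded, yet the third party is still contacted.
            findings.append(("request_after_reject", e["startedDateTime"], host))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, "shop.example", DECISION_AT, "reject"):
        print(finding)
```
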
In group litigation involving consumer data privacy, the volume of affected individuals and the range of device types, operating systems, and application versions can introduce complexity. I develop testing methodologies that account for these variables, conducting examinations across representative device and software configurations to establish whether the data handling behaviour was consistent or varied by platform. Where historical data handling is in question, I analyse archived versions of applications and websites using web archiving services, app store version histories, and source code repositories to reconstruct the technical position at the relevant time.
My data privacy work extends to matters arising under US federal and state privacy legislation. The technical questions in these disputes are often similar to those arising under GDPR, involving the forensic examination of tracking technologies, data sharing practices, and the effectiveness of opt-out mechanisms. However, the specific legal requirements vary by jurisdiction: the California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), impose particular requirements around the sale and sharing of personal information, the honouring of "Do Not Sell or Share" signals, and the use of sensitive personal information. The Illinois Biometric Information Privacy Act (BIPA) raises distinct technical questions concerning the collection and storage of biometric identifiers. A growing number of state consumer privacy laws (including those in Virginia, Colorado, Connecticut, Texas, and others) introduce their own requirements for consent, data minimisation, and consumer rights mechanisms. The technical analysis in each case must be considered against the specific statutory requirements of the relevant jurisdiction.
Typical Instructions
- Forensic analysis of websites and apps alleged to have leaked PII
- Assessment of consent and opt-in/opt-out mechanism implementations
- Analytics tracking, cookie compliance, and data flow investigations
- Group litigation involving consumer data privacy violations
- CCPA/CPRA compliance: "Do Not Sell or Share" signal implementation testing
- BIPA biometric data collection and storage analysis