Experience

Following is a selected sampling of matters and is provided for informational purposes only. Past success does not indicate the likelihood of success in any future matter.

  • Counseled international manufacturers on development of global privacy and data security policies and data management program
  • Counseled international company seeking to obtain Privacy Shield Certification 
  • Counseled franchisor through discovery of malware compromising credit card processing of the company and multiple franchise locations through all stages of data breach response 
  • Counseled compromised POS payment processing service provider through data breach notification to POS service provider’s client customers 
  • Counseled financial institution and payment processing vendor through all stages of data breach incident involving the loss of sensitive customer data, including incident analysis and breach containment, incident disclosure (such as notification in compliance with all regulatory requirements), loss mitigation, and remediation customized to meet each client’s specific business and industry requirements 
  • Counseled major national retailer through a security incident investigation involving the discovery of malware potentially compromising all credit card processing of the company, compliance, risk assessment, and remediation
  • Counseled an international construction company and hotel portfolio management company through a breach investigation, response, and notification involving the theft of employee W-2 tax information obtained as a result of a phishing scheme
  • Counseled the domestic subsidiary of a major international company through a security incident investigation involving employee theft and misappropriation of customer credit card information

Global Privacy & Security

Our Global Privacy & Security team helps clients navigate the world’s data protection and data use regimes while building practical, scalable compliance programs that support innovation and business growth. We advise across all stages of the data management lifecycle—from data mapping and governance to cross-border transfers, use of AI, and incident response preparedness.

We work with companies to design privacy programs that are legally sound, technically feasible, and strategically aligned with the organization’s goals in various sectors including technology, security, healthcare, manufacturing, energy, finance, education, and retail.

Deep Legal Knowledge Across Frameworks

We counsel clients on a broad range of U.S. federal and state, international, and sector-specific privacy, AI, and other data protection laws, including:

  • U.S. State Privacy Laws: California Consumer Privacy Act (CCPA/CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act, and other evolving state frameworks; targeted state and local frameworks related to biometric data, consumer health data, children’s data, and AI

  • Federal Laws: HIPAA and the Security Rule (for healthcare), GLBA (for financial institutions), COPPA and FERPA (for children and educational data), NIST Frameworks, FCRA, TCPA, CAN-SPAM, and other FTC enforcement frameworks, including Section 5 of the FTC Act

  • International Regulations: EU and UK GDPR, Brazil’s LGPD, Canada’s PIPEDA and provincial privacy laws, India’s Digital Personal Data Protection Act (DPDPA), and other APAC and LATAM privacy laws, supported by a strong and expansive network of international counsel

  • Cross-Border Data Transfers: Standard Contractual Clauses (SCCs) (EU/UK and global), Binding Corporate Rules (BCRs), Data Privacy Framework Certification and Schrems II-compliant transfer risk assessments

  • AI and Emerging Tech Regulation: EU AI Act, U.S. Executive Orders, FTC enforcement priorities, Colorado AI Act, Texas Responsible AI Governance Act, AI notice requirements for Connecticut and other states, and similar proposed frameworks across the U.S., sector- and data-specific AI laws, and trends in regulating automated decision-making and AI-driven data processing

  • National Security and Cybersecurity: Global cross-border issues, risk management, and other data protection frameworks including NIST (Privacy, Cybersecurity, AI Risk Management Frameworks, and others), national security frameworks including the DOJ Data Security Program (Rule on Bulk Transfers of U.S. Sensitive Data), related controls and regimes, and other risk management and data protection frameworks

  • Cookies and Online Tracking Tech: Regulatory compliance and implementation of global laws impacting online tracking, opt-outs and consent management (EU and UK GDPR, ePrivacy Directive, PECR, U.S. state privacy laws), Invasion of Privacy and Wiretapping regulations (CIPA, VPPA).

  • Sensitive Data Management/Practices: Regulatory enforcement prioritization of sensitive data like biometrics, health/quasi-health, children/teens, geolocation (including bodily autonomy), evolving issues in relation to protected classes under existing law and emerging privacy laws, sensitive data under national security frameworks 

  • Surveillance and Monitoring: Public and private sector, including video, audio and commercial surveillance 

We monitor legislative developments closely and offer clients strategic counsel on how to adapt to regulatory shifts—whether by updating policies, redesigning data flows, or modifying contractual frameworks.

Commercial Counsel and Vendor Management

Privacy obligations often arise in the context of business operations, partnerships, and third-party engagements. We support clients in:

  • Drafting and negotiating data processing agreements (DPAs), data sharing agreements, and joint controller contracts
  • Evaluating third-party vendor risks, including conducting privacy due diligence and reviewing subprocessor compliance
  • Developing frameworks for data monetization, licensing, and analytics partnerships that comply with applicable privacy laws
  • Counseling on ongoing vendor diligence, oversight, and risk management
  • Providing product counseling, including with respect to sensitive data (such as children’s data, health-related data, geolocation data)

When privacy issues intersect with M&A or strategic partnerships, we provide privacy diligence and risk analysis, helping clients structure deals that account for both short-term exposures and long-term regulatory obligations.

Regulatory Compliance and Focused Technical Integration 

Unlike traditional legal teams, our group includes former engineers and software developers who understand how data moves through modern systems. We regularly work alongside privacy, product, engineering, and security teams to:

  • Conduct privacy impact assessments (PIAs) and data protection impact assessments (DPIAs) on new technologies and business models

  • Design and review consent management platforms, cookie banners, and user-facing privacy controls

  • Develop and operationalize privacy-by-design frameworks, embedding compliance into product lifecycle and software development workflows

  • Advise on data minimization, retention schedules, and automated processing in the context of AI and machine learning systems

AI and Privacy

In a rapidly evolving digital landscape, our Global Privacy & Security team provides clients with guidance on the legal and regulatory challenges associated with artificial intelligence (AI). Our team brings deep experience advising global organizations on how to deploy AI responsibly—balancing innovation with compliance, transparency, and ethical risk management.

We work across industries to advise on:

  • Data privacy and AI governance frameworks

  • Regulatory compliance, including the EU AI Act, GDPR, CCPA, and other emerging AI-specific legislation

  • Algorithmic accountability, bias mitigation, and explainability requirements

  • Data minimization and consent strategies for AI training datasets

  • Vendor and technology contracting, including model licensing and AI-as-a-service agreements

  • AI risk assessments and impact analyses

  • Internal policies for responsible AI use and deployment

  • Responding to regulator inquiries or investigations related to AI systems

Our privacy lawyers collaborate closely with our technology, intellectual property, and litigation teams to offer holistic, business-oriented advice. 

Regulatory Engagement and Enforcement Defense

We are frequently called upon to represent companies in regulatory inquiries, audits, and investigations initiated by:

  • The Federal Trade Commission (FTC) – for deceptive practices, data misuse, AI-related risk, and children’s privacy violations

  • California Privacy Protection Agency (CPPA) – for alleged violations of CCPA/CPRA, including failures in consumer rights fulfillment, targeted advertising, children’s data, and security safeguards

  • State Attorneys General – in multi-state investigations of tracking technologies, mobile apps, children’s data, and sensitive data processing

  • The U.S. Department of Health and Human Services (HHS)/Office for Civil Rights (OCR) – in HIPAA audits, breach investigations, and enforcement

  • International Data Protection Authorities (DPAs) – including in the EU, UK, Brazil, and Canada

Industry Experience

  • Automotive: Telematics, ADAS, V2X data, and connected vehicle privacy

  • Healthcare and Health Tech: HIPAA, 42 CFR Part 2, health AI and other health tech, Consumer Health Data privacy, and HHS/OCR investigations

  • Technology and AI: Algorithm design, AI governance, and privacy-by-design in product development, automated decision-making, and AI training data

  • AdTech and Marketing: Global consent frameworks, pixel and other online tracking, real-time bidding compliance

  • Education: COPPA, FERPA, and student data use in K-12 and higher education

  • Finance: GLBA, fintech integrations, open banking APIs

  • Public Sector: FedRAMP, FISMA, CMMC, and controlled unclassified information (CUI)

  • Cookie Litigation: Wiretap-based claims targeting tracking technologies—actively defending multiple companies

  • Regulatory Defense: Responding to FTC, CPPA, and multi-state AG inquiries

  • Employee Monitoring: Lawful tracking, surveillance, and emerging workplace privacy risks

  • Facial Recognition and Biometrics: BIPA defense, regulatory counseling, and policy design for biometric technologies

  • Children’s/Teens’ Data: Product counseling and overall compliance with overlapping federal, state and local requirements

  • M&A Privacy Diligence: Cyber due diligence, rep & warranty coverage, and risk quantification

  • Data Processing, Security, and Data Use Agreements: Commercial contracting for data licensing, transfer, and joint data ventures

Cybersecurity & Data Breach Litigation

In the aftermath of a data incident, experience matters. Our litigators are seasoned trial lawyers who have repeatedly defeated class certification and have tried as lead counsel data privacy class actions to favorable outcomes. When clients need help, our team of experienced litigators can:

  • Defend against class actions arising from federal and state privacy laws, including the Fair Credit Reporting Act (FCRA), Telephone Consumer Protection Act (TCPA), the Health Insurance Portability and Accountability Act (HIPAA), Family Educational Rights and Privacy Act (FERPA), Electronic Communications Privacy Act (ECPA), and other statutory and common law causes of action for privacy breaches. 

  • Collaborate to implement a litigation strategy that addresses our clients’ business needs and objectives. 

  • Develop effective strategies to achieve client goals – whether seeking a motion to dismiss, obtaining summary judgment, defeating class certification, or winning at trial.

  • Anticipate potential landmines in an environment where data breach class action litigation is evolving. 

  • Protect our clients’ reputations and manage public relations strategies in high-profile cases. 

Cybersecurity & Data Breach Response

Your company’s data is one of its most important assets. In the event of a security incident or breach, our team responds immediately: 

  • Coaching you through the incident 

  • Advising on each step of the process 

  • Mitigating the damage and operational disruptions 

  • Navigating the numerous consumer protection and industry-specific notification laws

  • An understanding that sustainable revenue generating business models depend on the appropriate use of data assets
  • A focus on business objectives
  • Real-world in-house and direct industry experience
  • Comprehensive solutions with a practical, entrepreneurial, cost-effective approach
  • Strategic and practical thinking that delivers value beyond traditional legal services