Our team has extensive experience with a wide range of internet privacy and e-commerce issues, including online tracking, online marketing, and the leveraging of big data. We help companies comply with the many statutes, rules and industry self-regulatory programs that govern privacy and consumer protection in the online ecosystem.

Representative matters include:

• Advising communications providers on the extent to which they can track customers and third parties and develop profiles of their online and offline behavior through analysis of internet traffic
• Assisting dozens of companies from virtually every industry—from technology firms to defense contractors to broker-dealers to startups—with the drafting and modification of online privacy policies
• Helping both child-directed and general audience websites and services comply with the Children's Online Privacy Protection Act, including design of parental notice and consent mechanisms and age-screening mechanisms
• Counseling leading online companies, financial institutions, healthcare companies, and others on lawful ways to amass information about consumers and leverage that big data for insights (or sell it to third parties) 
• Assisting a streaming video provider in complying with the Video Privacy Protection Act
• Helping a large equipment manufacturer with all stages of worldwide roll-out of a new content-streaming device and software, from design of product features to drafting of country-specific consumer privacy notices
• Advising clients throughout the internet ecosystem on the lawful use of cookies, web beacons, web logs, flash cookies and other forms of online tracking

We represent a wide range of banks, credit card companies, insurance companies, investment advisors, broker-dealers, online financial services companies, mobile payments companies and their IT vendors on the full spectrum of financial privacy and consumer protection issues. We help clients comply with the Gramm-Leach-Bliley Act (GLBA), Fair Credit Reporting Act (FCRA), Fair and Accurate Credit Transactions Act (FACTA), Right to Financial Privacy Act, their implementing regulations, and numerous state and foreign analogues. We also conduct investigations of potential statutory and regulatory violations.

Representative matters include:

• Drafting GLBA- and FCRA-compliant consumer privacy policies for a range of financial institutions, from large banks to small startups
• Assisting financial institutions in complying with anti-money-laundering obligations, congressional inquiries, and litigation-related document requests in a manner consistent with domestic and foreign financial privacy laws
• Drafting and revising companies' FACTA-mandated "red flags" policies for prevention, detection, and remediation of identity theft
• Drafting a memo for a trade association analyzing state analogues to federal financial privacy statutes and identifying compliance challenges
• Conducting internal investigations of potential violations of privacy and cross-marketing provisions of the FCRA by client employees
• Assisting a financial institution in designing program to data-mine customer financial transactions and identify meaningful trends in the data
• Counseling a number of fintech startups, including mobile payment providers, on financial privacy compliance
• Advising a major cloud computing company on financial regulators' data privacy requirements in many EU member states and countries in Asia, Latin America and the Middle East

We regularly represent clients before federal and state agencies such as the Federal Trade Commission (FTC), the Federal Communications Commission, and state Attorneys General in connection with enforcement actions and confidential regulatory investigations. We also represent clients in high-profile litigation concerning privacy and consumer protection, including consumer class actions, government enforcement efforts, and challenges to government surveillance programs.

Representative matters include:

• Assisting major technology companies and an internet service provider in responding to confidential FTC and state AG investigations into privacy practices
• Representing a major information technology company in Wiretap Act litigation over its mapping technology
• Helping a major data brokerage company respond to congressional inquiries concerning industry and client data practices
• Defending a large internet service provider in national privacy class action arising from public release of subscribers' internet search query data
• Representing a leading social network in negotiations with, and several court cases against, European data protection authorities and consumer protection authorities regarding service features, terms and conditions, and privacy policy
• Representing a large communications company in national, multidistrict class-action litigation in connection with claims that its alleged provision of assistance to the National Security Agency (NSA) violated privacy laws 
• Representing a leading social network in litigation before the Foreign Intelligence Surveillance Court
• Representing a large communications company in litigation over the NSA's surveillance programs
• Assisting online clients in successfully challenging subpoenas and other legal process seeking subscriber data, search query data, and similar information on privacy and free speech grounds
• Advising a major automobile company on responding to congressional inquiries related to privacy and cybersecurity
• Assisting a software company in responding to claims under the Computer Fraud and Abuse Act

Our privacy and consumer protection practice is international in scope. We advise clients on data protection regimes on six continents and craft practical solutions to transferring data across borders. We frequently draw on the knowledge of skilled data protection specialists in our offices in Europe and Asia to advise on foreign data protection laws, e-commerce regulations, and cross-border data issues.

Representative matters include:

• Helping numerous multinational and US-based companies legitimize data flows from the European Union to the United States through Safe Harbor certifications or execution of EU model contractual clauses
• Helping companies lawfully transfer data to the United States from countries in North and South America, Asia, the Middle East, Australia and Africa
• Assisting companies in complying with the EU "cookie directive," which requires consumer consent to the use of many cookies and other online tracking mechanisms
• Assisting companies in structuring their collection, use, and sharing of consumer and employee personal data to comply with foreign legal requirements, including local registration requirements
• Counseling clients on design of employee monitoring programs and external threat mitigation programs consistent with data protection laws
• Advising clients on compliance with European data protection rules in connection with marketing strategies, licensing agreements, enforcement of corporate compliance rules and data retention for online service providers
• Advising several multinational companies on data protection and employee notice/consent issues arising from centralization of global human resources information systems in the United States
• Advising companies on responding to issues created by the recent disclosures of US intelligence programs involving the acquisition of data by governments under a variety of authorities
• Assisting numerous multinational litigants with issues arising from US discovery requests for sensitive information stored abroad
• Advising numerous companies about legal and policy implications of reforms to the EU data protection law
• Advising a leading cloud services provider on a draft industry code of conduct for data privacy and security
• Advising multiple US and non-US companies on compliance with Chinese state secrets regulations

We help companies avoid “deceptive” and “unfair” trade practices under the Federal Trade Commission Act and state analogues. We also advise companies on a wide range of marketing issues in the online and offline contexts, including the CAN-SPAM Act, the Telephone Consumer Protection Act (TCPA), the Telemarketing Sales Rule and many international analogues. We also counsel companies on compliance with sector-specific consumer protection laws, including with respect to financial information.

Representative matters include:

• Counseling consumer reporting agencies, information furnishers, and users of consumer reports on applicability and requirements of the FCRA, including with respect to content of adverse action notices and consumers' rights to challenge inaccuracies
• Helping dozens of companies design their privacy practices and/or modify their privacy notices to avoid commission of "deceptive" or "unfair" trade practices
• Advising clients on worldwide media campaigns, including email and telephone marketing
• Assisting clients in designing text-message marketing campaigns that comply with the TCPA
• Engaging with the FTC on behalf of client complaining of deceptive and unfair trade practices of other companies in a related industry sector

We counsel companies on the requirements of federal, state and foreign laws governing electronic surveillance by government officials and private companies, including the USA PATRIOT Act, Foreign Intelligence Surveillance Act, Computer Fraud and Abuse Act, Electronic Communications Privacy Act, Stored Communications Act, Wiretap Act and their state equivalents.

Representative matters include:

• Advising communications companies on the application of surveillance laws to big data information collection efforts, including tracking of consumers both online and offline
• Drafting a compliance manual for use by client employees in responding to surveillance requests from law enforcement and third-party subpoenas for customer information from private litigants
• Advising online companies on application of the Computer Fraud and Abuse Act and Electronic Communications Privacy Act to "screen scraping" activities
• Counseling numerous clients on Wiretap Act and state two-party consent statutes with respect to monitoring of employee and customer communications

Our work for healthcare providers, health plans, pharmaceutical and biotechnology companies, equipment suppliers, information technology vendors, consultants, and service providers encompasses the full range of health data regulatory considerations. We advise a broad range of stakeholders in the healthcare system on privacy, data security and breach notification matters, including the regulatory standards imposed pursuant to the Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health (HITECH) Act, and supplemental state regulations. For clients involved in clinical research, we provide counsel on human research protections imposed pursuant to the Common Rule and related regulations.  

Representative matters include:

• Developing and implementing HIPAA compliance policies and procedures for HIPAA-covered entities and their business associates
• Negotiating business associate agreements for service providers and covered entities
• Developing patient consent and patient privacy documentation for clinical research
• Advising numerous clients on health data issues in corporate mergers and acquisitions, including restrictions on transfers of health data as corporate assets
• Advising clients on potential HIPAA concerns raised by production of materials in litigation and investigations

We routinely draft terms to allocate and manage data-related responsibilities in agreements with a privacy dimension. We also conduct due diligence and prepare representations regarding privacy and consumer protection issues in a wide range of transactions, including acquisitions and venture capital financing.

Representative matters include:

• Negotiating cloud computing contracts, with complex privacy terms and international data protection implications, on behalf of both cloud computing providers and companies outsourcing their data to the cloud
• Representing numerous companies licensing consumer data to and from business partners
• Conducting privacy and data protection due diligence on numerous online companies on behalf of investors or purchasers
• Drafting representations, indemnity provisions and privacy clauses in many corporate transaction agreements
• Representing a company with large online behavioral advertising business in the sale of its advertising assets and licensing of ongoing data flows from the company to the purchaser

We counsel clients on a range of mobile privacy issues, including the design and operation of mobile apps and the tracking of consumers' physical locations and movements through their mobile devices. 

Representative matters include:

• Advising a hedge fund on permissible uses of mobile tracking data in making investment decisions
• Counseling communications providers on permissible uses of mobile calling information, mobile browsing data, and location information in big data analysis and marketing campaigns
• Assisting a client in designing, deploying, and marketing a mobile wallet application and service
• Analyzing mobile applications for a wide range of companies to ensure compliance with FTC, California AG and other legal obligations concerning mobile apps
• Advising communication providers on application of Customer Proprietary Network Information rules to customer location data