{{insights.date}}
{{insights.source}}
{{insights.type}}
Lydia de la Torre
Of Counsel
Lydia de la Torre provides strategic privacy compliance advice related to US and EU privacy, including data protection and cybersecurity law, the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), other states’ privacy and cyber laws, US financial privacy laws, and marketing and advertising compliance, as well as information security. She also represents clients in investigations with an eye toward helping them avoid litigation.
Lydia’s work in-house and with organizations has run the gamut, from pre-IPO start-ups to mature Fortune 500 companies, in a multitude of industries, including e-commerce, fintech and computer hardware. This experience has provided her with a direct understanding of client concerns.
As an expert and influential commentator on data privacy and protection across multiple sectors and geographies, including the GDPR, Lydia has been consulted by diverse stakeholders on the implications of proposed US and California legislation on data privacy and protection, including in relation to CCPA and CPRA.
Before joining the firm, Lydia served as co-director of the Santa Clara Law School Data Privacy Certificate Program, where she continues to teach privacy law.
Lydia is a frequently invited speaker on privacy-related topics, such as the freedom of speech implications of privacy laws, ethics and privacy, the application of privacy laws to blockchain technology, financial privacy laws and the CCPA. She is also a prolific writer and has been published in a variety of outlets, from mainstream media to privacy and legal publications. She is the editor of Golden Data, a Medium publication focused on data laws.
Lydia is well known as an expert in California privacy law, and she is often consulted in regards to compliance with the various privacy requirements in the state. Beyond CCPA, these laws include the California IoT law, the California law on Collection of Licence Plate Information, the California Reasonable Security Requirements, the Song Beverly Act and the California Requirements on Disposal of Consumer Records.
Lydia is a member of the California Lawyers Association’s Antitrust and Privacy Section and an adjunct professor at Santa Clara Law School.
- Assessed the applicability of CCPA to a law-firm client, evaluated the role that a law firm should take under CCPA (i.e., business, service provider or other) and devised a strategy for compliance with the act (including preparing a gap analysis and updating notice policies, procedures and contract terms). Provided advice on a data protection and privacy impact assessment regarding the implementation of different security-related products requiring monitoring of its network and employees. Reviewed data subject access procedures for compliance with CCPA and GDPR, and reviewed/updated records of processing. Conducted a tabletop exercise evaluation and next steps.
- Provided advice on the applicability of, and compliance with, COPPA to various organizations providing services to K-12 schools, including identification of a viable process to obtain verifiable parental consent. Drafted contractual language and COPPA notices, and provided advice on parental rights under COPPA, and how they compare/differ from data subject rights under GDPR. Work required consideration of COPPA compliance within the existing compliance framework for GDPR, as the frameworks do not fully align.
- Assisting with evaluation and remediation of accidental collection by the client of the data of minors under 13 subject to COPPA and the data of minors under 16 subject to GDPR. This is a high-risk area, as COPPA fines can quickly escalate, the requirements for consent diverge across the multiple affected jurisdictions, and the impact of collection absent parental consent diverges depending on which laws apply.
- Evaluated the applicability of new requirements under the ePrivacy directive to an online communication platform and related obligations. Reviewing existing data flows and devising a compliance strategy across the complex data sharing network, as well as colocation services and ISPs.
- For a privacy tech start-up, provided advice in connection with business strategy alignment with legal requirements and potential market for its services based on existing security and privacy requirements under applicable law. Analyzed the applicable requirements under US and EU privacy, data protection and cybersecurity laws for a ground-breaking searchable encryption product and related key management process. Supported with marketing materials highlighting privacy features.
- For a tech company, providing advice on policy initiatives related to pending bills before Congress in regards to various aspects of US law, including pre-emption principles under US federal law.
- Advising financial institutions on US financial privacy compliance, including GLBA, CalFIPPA, PCI-DSS, etc. Work included evaluation of the applicability of, and compliance with, CCPA for activities and data outside of the scope of applicable financial industry laws (e.g., financial services provided to non-consumers, data collected outside of the context of provision of financial services, etc.)
- For not-for-profit clients, provided advice on US and EU data protection and privacy laws that apply to the non-profit sector. Work included drafting of external notices and internal policies for compliance, handling of data subject access requests and erasure requests, and providing advice and support for deployment of GDPR compliance programs.
- For various clients, assessed the applicability of GDPR and CCPA, conducted gap assessments and created pragmatic roadmaps to build the processes and resources required in a manner tailored to each organization’s unique circumstances. Identified and designed strategies to comply with EU and US data transfer requirements, including drafting and negotiating service provider contracts and intra-group data transfer agreements. Advised post Schrems II and created guidelines to implement compliance strategies including SCCs, evaluation of surveillance risks related to different data flows and related safeguards required.
- Provided advice on compliance with GDPR and CCPA for cybersecurity clients providing services to governmental agencies. Work includes, but is not limited to, assessment of the applicability of GDPR and CCPA to the different products offered by each organization, as well as evaluation of specific products to identify if they fall into the category of selling under CCPA with emphasis on the review of relevant exceptions applicable in the law enforcement context.
- For a global vehicle manufacturer, advised on privacy and cybersecurity matters, including evaluation of new technology, monetization of data, new services, new data collection and new marketing initiatives for privacy/cyber issues.
- Provided advice on compliance with applicable industry frameworks for targeted advertising and related legal obligations for an organization that manufactures health equipment used by adults and minors alike. In regards to the same client, provided advice on the applicability of, and compliance with, COPPA, including a viable process to obtain verifiable parental consent in regards to health tech products.
Education
- Universidad Complutense de Madrid, J.D.
- Centro de Estudios Garrigues, LL.M.
- Santa Clara University, School of Law, L.L.M.
Admissions
- California, 2011
- Madrid, 1997
Memberships and Affiliations
- California Lawyers Association – Antitrust and Privacy division committee member
- Internet Ethics Advisory Group – Markkula Center for Applied Ethics
- Member of the International Association of Privacy Professionals
- Lecturer at Santa Clara Law School (teaching comparative privacy law)
- Editor of Golden Data (a Medium publication on data laws)
Languages
- Spanish
- English
- Global Data Review, “CCPA enforcement begins amid state budget crisis,” July 2020.
- Global Data Review, “California AG requests expedited review of CCPA regulations,” June 2020.
- Global Data Review, “CCPA amendments would create independent enforcer,” September 2019.
- Global Data Review, “California passes final version of CCPA, but questions remain,” September 16, 2019.
- The Recorder, “How Changes to California's Data-Privacy Rules Would Affect Employers,” September 14, 2019.
- Panelist, “Schrems II and EU-US data transfers,” event organized by the Association of Corporate Growth in Silicon Valley, August 2020.
- Moderator, “Cracking the Code: Can Efficient and Effective COVID-19 Tracing & Privacy Co-Exist?” webinar organized by The Hive Data, July 2020.
- Panelist, “Comparative Privacy Law: A Moderated Panel Discussion,” symposium co-presented by the Southwestern Institute for International and Comparative Law and the Institute for Law and Technology, divisions of CAIL, June 2020.
- Panelist, IV Garrigues Data Day – 1ª sesión, June 2020.
- Presenter, “Navigating Employee Privacy Issues During a Global Pandemic,” webinar training by the California Lawyers Association, May 2020.
- Panelist, “Protecting lives and liberty: Smartphone surveillance in the COVID-19 era,” organized by The Hive Data, April 2020.
- Panelist, “Future-Proofing Privacy Programs and CCPA,” IAPP KnowledgeNet event, Santa Clara University, March 2020.
- Moderator/presenter, “Privacy, Policymakers and the Tech Needed to Protect People panel,” San Francisco RSA conference, February 2020.
- Moderator, “California Consumer Privacy Act (CCPA) – Impact on Data-Driven Innovation,” sponsored by The Hive Data and Swissnex San Francisco, February 2020.
- Author, “What Is ‘Personal Information’ Under CCPA?” The California Lawyers Association, October 2019.
- Co-author, “CCPA Myth Buster: Not All Records Count,” IAPP – The Privacy Advisor, October 2019.
- Panelist, “NIST Draft Privacy Framework,” IAPP KnowledgeNet event, co-sponsored by CLA, August 2019.
- Panelist, “Medios de Pago,” Argentina FinTech Law 2019 Conference, June 2019.
- Keynote speaker, “GDPR in the USA – Is your organization ready?” IAITAM CXO Conference, May 2019.
- Author, “Blockchain: Challenges and solutions for compliance with GDPR,” Practicing Law Institute Course Handbook for the 20th Annual Conference on Privacy and Data Security Law, May 2019.
- Panelist, “The privacy and security challenges of new technologies,” PLI’s Institute on Privacy and Data Security Law 2019 Conference, May 2019.
- Panelist, “Privacy Law: Who let the data out? Data protection and privacy law in the 2020s,” Northern District of California Judicial Conference 2019, April 2019.
- Panelist, “Ethics and Privacy,” SCCE Regional Conference, March 2019.
- Testimony, Testified before the California Senate Judiciary Committee on what is GDPR and how it differs from CCPA, March 2019.
- Panelist, “CCPA v. GDPR,” Santa Clara Law School, Markula Center for Applied Ethics and the CLA Antitrust and Privacy Section, March 2019.
- Author, “What does ‘valuable consideration’ mean under CCPA?” IAPP, December 2018.
- Panelist, “Mars meets Venus: How do we balance innovation and regulation,” “Privacy: The new transformation for the Silicon Valley,” co-sponsored by Squire Patton Boggs and SPJ, November 2018.
- Panelist, “The California Consumer Privacy Act,” co-sponsored by the Santa Clara Law School University, CLA Antitrust and Privacy Section and the IAPP, November 2018.
- Panelist, “Open Access, Privacy, Court Records and the Right to be Forgotten,” Santa Clara University Law Library event, October 2018.
- Panelist, “Potential impact of the California Consumer’s Privacy Act,” Today’s General Counsel Institute’s “The exchange” eDiscovery San Francisco Conference, October 2018.
- Panelist, “The California Consumers Privacy Act of 2018,” Net Diligence Conference – Cyber Risk Summit, Santa Monica, California, October 2018.
- Panel dialogue leader, “The California Consumer Privacy Act – What impacts can be expected on companies and consumers through the US,” Sedona Conference (WG11), September 2018.
- Author, “GDPR matchup: The California Consumer Privacy Act of 2018,” IAPP, July 2018.