
Data: US

Effective January 1, 2020, the California Consumer Privacy Act (CCPA) imposes transparency and individual data subject rights requirements, inspired by the European General Data Protection Regulation (GDPR), on almost every company that handles “personal information” regarding California residents.

Effective January 1, 2023, employees and business contacts are in full scope of the California law, and further data subject rights and business obligations apply, including publishing retention schedules and ensuring collection purpose limitation. Also in 2023, CCPA/GDPR-inspired consumer privacy laws become effective in Colorado, Connecticut, Virginia and Utah, and Iowa, Montana, Indiana, Tennessee, Texas and Florida have passed legislation that will become effective in 2024. Many of these comprehensive state privacy laws require conducting and documenting assessments of data practices, which are subject to inspection by regulators. California and Colorado have promulgated very complex regulations detailing how companies must implement privacy protections, while further rulemaking remains ongoing.

Multiple other states have less comprehensive consumer privacy laws, several strictly regulating health-related data outside of the context of healthcare providers, and three states now regulate data brokers. A patchwork of sectoral federal and state privacy laws (e.g., the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA)) continues to apply; the new state laws exempt some, but not all, of the data already covered by those existing laws rather than overlapping it. In addition to the federal Children’s Online Privacy Protection Act (COPPA), a growing number of states are regulating data and online activities of minors, most notably under the California Age-Appropriate Design Code Act.

How We Can Help

We can:

  • Determine the applicability of data privacy and protection laws to your company and its data
  • Conduct a gap assessment of your company’s current data practices against privacy and security and other consumer protection laws
  • Prepare and execute work plans to achieve compliance in a cost-effective, efficient manner, leveraging existing compliance efforts where applicable
  • Interpret nuances in statutory and regulatory provisions, such as identifying business partners as service providers, contractors, processors, co-controllers, third parties or something else under the laws and developing strategies for avoiding certain obligations or implications of the laws
  • Assist with individual compliance tasks, such as:
    • Conducting data inventories and assessing data practices
    • Designing processes and templates to respond to individual right requests and providing counsel on specific request responses
    • Drafting privacy notices, including meeting regulatory content requirements and addressing purpose, sale and sharing, targeted advertising, profiling, sensitive data, rights request processes, loyalty programs and other financial incentives and retention
    • Making data broker registrations
    • Assessing data security and incident preparedness
    • Preparing contracts, including updating data processing agreements (DPAs) to cover the new contracting requirements these laws mandate
    • Advising on digital advertising, data transfers, processing of sensitive data and use of automated decision-making and profiling, and how to apply new opt-in and opt-out rights to these activities when required
  • Help design and implement privacy-by-design and data inventory and assessment procedures and provide assessment counsel
  • Negotiate and document data-related transactions
  • Advise on the use of artificial intelligence, including profiling and automated decision making
  • Train employees regarding the new legal requirements
  • Educate C-suite/board and data stakeholders regarding compliance obligations
  • Defend companies in enforcement actions
  • Assess cybersecurity and respond to security incidents

Why Choose Us

  • Our lawyers have spent decades helping companies comply with requirements in other US data privacy and protection laws (e.g., HIPAA, GLBA, Fair Credit Reporting Act (FCRA), COPPA, Video Privacy Protection Act (VPPA), Cable Act, Privacy Act, California Online Privacy Protection Act (OPPA), California Shine the Light, the Illinois Biometric Information Privacy Act (BIPA) and other laws regulating biometrics, and state data security and incident notification laws, etc.). Our team includes the former chief information officer (CIO) of the US government, lawyers with significant business and in-house experience, and multiple regulatory agency lawyers.
  • Our US and European lawyers worked hand-in-hand to assist hundreds of enterprises with the compliance challenges stemming from the GDPR. Many of the same skills, processes and materials, as well as nuanced interpretations and decision-making, developed for GDPR compliance are used by us for US compliance.
  • The global composition of our Data Privacy, Cybersecurity & Digital Assets team provides us with unique experience that we leverage to our clients’ benefit when creating global data governance programs that address the Americas, Asia Pacific and EMEA.
  • The work that you will get from us will not be merely academic lists of the statutory requirements with examples as to how to comply. We pride ourselves on being responsive, commercial and practical in our advice by understanding and balancing our clients’ business goals and risk tolerance with legal requirements, best practices and potential exposure.


  • Multibrand consumer products company – Assessed impact of new state laws on current practices, including mobile apps, loyalty programs, processing of health and other sensitive personal data, targeted advertising and e-commerce and developed compliance strategies.
  • Transportation services provider – Serving as outside counsel for a leading bus line in North America on data privacy and security issues, including addressing complex data sharing arrangements with interline carriers and marketing and sales partners.
  • Leading consumer brand – Responded to an enforcement action by the California attorney general regarding various digital advertising practices and negotiated a resolution that did not result in any penalty.
  • Multinational technology company – Advised on designing several new innovative data-using product offerings, including revising customer agreements, preparing privacy statements, addressing secondary uses, designing user-friendly mobile app consent mechanisms, honoring individual rights, and advising on nuanced comparisons to GDPR and integrating with GDPR compliance efforts.
  • Online publishers – Counseling website and mobile app publishers on use of cookies and other tracking technologies, session replay, chatbots and other data-gathering and -processing practices, including regarding transparency and choice.
  • Biometrics services provider – Developed notice, consent and other compliance practices for a platform as a service (PaaS)/software as a service (SaaS) provider of biometrics and artificial intelligence services.
  • Global engineering and manufacturing company – Developed a work plan leveraging simultaneous GDPR and US compliance efforts with parallel work streams for customer and employee data.
  • Global digital advertising and analytics company – Advised on how state privacy laws apply to various data practices, then developed and implemented a compliance plan, including data mapping and assessments, drafting a separate US privacy statement, expanding individual rights processes to cover US residents, and updating vendor and customer agreements. Providing ongoing counsel on new practices.
  • Worldwide management consulting company – Advised this consulting company (serving purely as a service provider) regarding CCPA applicability and consequences of engaging in secondary data uses.
  • Specialty pharmacy/distributor – Helped one of the nation’s leading suppliers of critical-care biopharmaceuticals, plasma products and vaccines to interpret and plan CCPA implementation (largely for its employees, given that its other consumer information is subject to HIPAA and, therefore, exempt from the CCPA).
  • Global auto manufacturer – Advising on the applicability of state laws generally and how to structure new and innovative smart car technologies involving secondary uses of data for purposes such as usage-based insurance, value-add applications and services, and first- and third-party marketing.
  • Multifamily dwelling unit operator – Assessing proposed uses of data, including profiling and artificial intelligence, by the landlord for targeted advertising, tenant screening, differential pricing and services and renewal terms, including application of state and federal housing, credit and public accommodations laws, and state privacy laws.
  • Global food and beverage company – Counseling on development and implementation of its AI policy and framework and associated assessments, training personnel on program requirements, assisting with assessments and negotiating agreements with AI providers. Developing and implementing novel, consumer-facing non-fungible token (NFT) promotion in partnership with a major sports league.