- areas of expertise
Today, smart businesses strive to be responsible custodians of personally identifiable and other sensitive data. That means building privacy and data security considerations into product development and marketing campaigns, particularly in the expanding and complex advertising technology ecosystem. Companies can leverage consumer data while respecting individual privacy rights and taking appropriate steps to comply with privacy and data security laws.
Sophisticated businesses know that privacy savvy is a competitive differentiator in our data-rich world. With decades of experience in media, advertising and privacy law, the Frankfurt Kurnit Privacy & Data Security Group – top-ranked in Chambers Global – advises clients on the full range of US and international privacy and data security, Ad Tech, predictive analytics, and incident response matters.
Our Privacy & Data Security lawyers advise consumer products companies and their agencies, publishers, technology providers, the sharing economy, media and entertainment companies, professional firms, and other businesses across industries and of all sizes.
Representative Client Matters
US Privacy & Data Security Compliance Programs
- We advise on legal requirements and best practices for safeguarding customer and employee information.
- We prepare written information security programs, including incident and data breach response plans.
- We draft and update public-facing privacy policies for websites, mobile applications, and IoT devices to address evolving business practices, including policies of multinational organizations with hundreds of websites.
- We conduct and prepare data audits and classification projects, and tag and cookie management programs.
- We assist organizations with compliance with US State and federal privacy and data management laws and standards including the Children’s Online Privacy Protection Act (COPPA), Gramm-Leach-Bliley, HIPAA, CAN-SPAM, the Telephone Consumer Protection Act (TCPA), the Fair Credit Reporting Act, the Payment Card Industry Data Security Standard, and California’s many laws including the newly enacted California Consumer Privacy Act and longstanding California laws including the Shine the Light law and the Online Privacy Protection Act.
International Privacy Compliance and Cross-Border Data Transfers
- We help organizations — both Data Controllers and Data Processors — to establish and/or update privacy programs to comply with the EU General Data Protection Regulation (GDPR). This work includes assessing data flows; risk-ranking vulnerabilities; establishing appropriate allocation of ownership, responsibility, and liability for personal data of consumers and employees; documenting legal bases for data processing; updating upstream and downstream contracts, policies, and procedures; and addressing data subject rights. We often serve as GDPR “quarterback” — interviewing candidates for Data Protection Officer and bringing in and overseeing the work of local European counsel where needed.
- We assist companies addressing the legal requirements for cross-border data transfers, including implementing the EU-US Privacy Shield Principles and applying for certification under the Privacy Shield framework; preparing and implementing standard contractual clauses (Controller to Controller, and Controller to Processor); and advising on implementing mechanisms for providing notice and obtaining consent for data transfers under the laws of a variety of other non-US jurisdictions in Canada, Latin America and Asia.
Ad Tech and Big Data Analytics Issues
- We negotiate complex Ad Tech agreements on behalf of advertisers, agencies, publishers, technology providers, and others businesses.
- We advise on the legal and reputational risks associated with sophisticated interest-based advertising campaigns involving traditional and cutting edge tracking technologies.
- We assess interest-based advertising risk under applicable laws including the Fair Credit Reporting Act, Federal Trade Commission guidance, and self-regulatory standards promulgated by the Digital Advertising Alliance, the Interactive Advertising Bureau and others.
- We counsel enterprise customers and providers of Big Data analytics and fraud prevention services on legal compliance, risk mitigation, and proper allocation of liability.
Structure Vendor Management, Cloud Computing and Other Tech Transactions
- We negotiate and draft the terms for vendor agreements involving the sharing of sensitive information, and we advise on due diligence.
- We negotiate cloud computing deals and transactions on behalf of both cloud service providers and enterprise purchasers, including Software as a Service (SaaS), and other information technology outsourcing transactions.
Security Incident Preparedness and Response
We advise and train on proactive incident response preparedness.
- We help clients assess and remediate sensitive data breaches.
- We work with law enforcement officials, third party forensics experts, and remediation vendors.
- We advise clients on when and how to notify affected customers and employees, business partners, and regulators.
- We help clients manage crisis communications with the press, security researchers, and bloggers.
- We advise on responses to regulatory inquiries and investigations.
- We help clients respond to customer or employee complaints.
- We provide ongoing, post-breach counselling.
- We represent organizations in resolving and, where necessary, litigating disputes relating to sensitive information, including under COPPA, the TCPA, and the CAN-SPAM Act. We have successfully defended corporations against putative consumer class actions alleging false advertising, privacy, and other claims under state and federal consumer protection statutes. We are counseling publishers, agencies, brands, ad tech companies, and other players in the advertising ecosystem on how to avoid exposure under the California Consumer Privacy Act (which -- effective January 1, 2020 -- specifies a private right of action and damages up to $750 per violation); false advertising and deceptive business practices laws; and other hotbeds of class action exposure.
Daniel Goldberg, Jeremy Goldman, Rayna S. Lopyan and Elliott Siebers are accredited by the International Association of Privacy Professionals as Certified Information Privacy Professionals with a focus in US private-sector privacy law.