Privacy Counseling and Compliance
Innovators, change makers, and technology leaders face challenges and opportunities emerging from the ever-changing patchwork of global and regional privacy laws and regulations.
Many of the world’s most prominent and innovative companies look to our attorneys to help them understand their data practices and navigate in an increasingly complex legal and regulatory landscape.
Our Privacy & Security attorneys have amassed deep knowledge in U.S. and international privacy and data protection laws. These include, but are not limited to, the wave of new omnibus privacy legislation sweeping the United States—first in California, with other states following suit.
Perkins Coie’s knowledge is built on years of experience advising clients on the Federal Trade Commission Act (FTC) and state analogues, as well as the E.U.’s General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), and other omnibus privacy laws around the world. Our team includes attorneys skilled in advising clients on specialty areas of privacy law. These include the Children’s Online Protection Privacy Act (COPPA), the Biometric Information Privacy Act (BIPA), the Capture or Use of Biometric Identifier Act (CUBI), and others; wiretapping/recording laws, education privacy, and financial and credit-related privacy matters such as the Gramm-Leach-Bliley Act (GLBA) and the Fair Credit Reporting Act (FCRA); the Health Insurance Portability and Accountability Act (HIPAA); and laws relating to employee privacy. We also advise clients on obligations that arise from communicating with and marketing to consumers, including the Telephone Consumer Protection Act (TCPA), the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), and self-regulatory regimes related to ad tech (such as the Network Advertising Initiative (NAI) and the Digital Advertising Alliance (DAA)).
We work collaboratively with our clients to develop a comprehensive understanding of how they collect, use, store, share, retain, and otherwise process personal information. Through this work, we also see market practices and apply that insight and common experience across our client base to help companies address pain points, overcome compliance hurdles in ways that minimize business impact, and ensure our clients are well positioned to comply with their legal and regulatory obligations.
How we help clients
- Guide clients through the intricate landscape of global and regional privacy laws and regulations.
- GDPR, CCPA, CPRA, and specialty areas like COPPA, BIPA, HIPAA, etc.
- Consumer communication and marketing obligations, such as TCPA, CAN-SPAM, and ad tech regulations.
Innovators and tech leaders face complex global privacy law challenges. Our expert attorneys guide companies through these intricacies with deep legal knowledge and innovative compliance tools.
Omnibus Privacy Laws
The CCPA was sweeping legislation in 2018 that ushered in significant changes to data management for companies doing business in the state. Working with the California Chamber of Commerce, we led key industry coalitions in developing comments in the CCPA rulemaking process and in negotiations on the ballot initiative that later became 2020’s CPRA.
Building on that work, we now counsel clients on compliance with the CCPA, the CPRA, and the myriad state laws that have followed, including Virginia’s Consumer Data Protection Act (VCDPA) and Colorado’s Privacy Act (CPA). We also advise clients on trends we see in draft legislation at the state and federal level and keep them apprised of bills that become law. Our attorneys counsel clients on all aspects of compliance with these laws, including privacy policy updates, user interface adjustments, consent mechanisms, internal data protection policies and procedures, vendor contracts, and much more. We also represent clients and industry groups in rulemaking proceedings under these laws.
Our guidance on consumer privacy laws is not limited to the United States. We have helped clients build global compliance programs based on the GDPR and requirements imposed by e-privacy laws in the E.U. and U.K. Where appropriate, we team with local counsel in key markets, playing the role of “global quarterback.” In this way, we ensure that clients have a comprehensive and coherent global strategy while still accounting for the nuances of local laws.
We offer innovative tools intended to allow clients to benefit from our years of experience and learning, including our Privacy Starter Kit that includes a suite of templates, checklists, and guidance documents that companies can use to start building their compliance program. We also have a proprietary data mapping solution, Data Navigator, that we use with clients, which is an online tool that makes it easy to track, digest, and compare data protection legislation in the United States and around the world.
FTC Act/Unfair and Deceptive Acts and Practices
In the United States, privacy and data security have long been regulated through prohibitions on unfair and deceptive acts and practices, vigorously enforced by the FTC and state attorneys general. We advise clients on all aspects of how these laws apply to privacy and data security. Our advice is informed by our decades of work in this area, our deep knowledge of the FTC and state attorneys general and their approaches to wide-ranging privacy and data security issues, and our extensive experience guiding clients through regulatory investigations and enforcement actions.
Biometrics
We help innovative companies understand and comply with the laws governing biometric data and biometric technologies, counseling in sectors including e-commerce, consumer products, security, human resources, finance, and healthcare. We have also defended many clients in high-stakes litigation related to biometric technologies in courts across the country.
Our experienced guidance includes a wide range of biometric technologies, including facial recognition technologies, voiceprint technologies, and fingerprint technologies. Well-versed in evolving technologies, we advise on the unique issues associated with obtaining data to train artificial intelligence (AI) models and anticipating the legal implications of utilizing biometric technology for user identification. We also monitor relevant laws and closely track legal developments across the country. Our deep and always-current knowledge allows us to help clients comply with these laws and reduce their legal risk so they can continue providing innovative products and services.
Wiretapping/Recording Laws
Often, companies that offer products, services, and other features that allow people to communicate may seek to review, record, or utilize that communications data in a variety of ways. Whether it’s to render a virtual world, to facilitate machine learning, provide personalized services, or merely for quality-control purposes, real-time access to communications data could implicate the federal Wiretap Act and state recording/eavesdropping laws.
These laws, which generally make it a crime to intercept, eavesdrop, or record a communication without consent, are often decades out of date and present an array of complex issues when applied to modern technologies. Our attorneys’ decades of litigation and practical experience, including in the criminal context, provide practical direction on how companies can avoid or mitigate wiretapping and other risks related to surveillance laws.
Advertising Privacy
Our attorneys are skilled in helping companies market to consumers in ways that comply with legal requirements, self-regulatory rules adopted by industry bodies, and best practices. Drawing on our experience representing companies in actions asserting violations of the TCPA and wiretapping laws, we counsel companies on how to set up marketing programs and campaigns to minimize risk of claims under
Our team represents companies as they work through the unique issues posed by the advertising technology (or ad tech) ecosystem. Working with companies, including ad tech providers, advertisers, publishers, and communications providers, we draw on our deep experience and relationships with self-regulatory groups such as the Network Advertising Initiative (NAI) to help companies address a wide range of challenges posed in the ad tech space. These include helping them to draft meaningful and accurate disclosures of ad tech practices and understanding how, and under what circumstances, to offer choice with respect to data collection and use practices as well as how to respond to any such choices, such as those communicated via global privacy controls and do-not-track signals.
Children's and Education Privacy
The privacy and safety of children as they navigate connected services is increasingly under scrutiny by regulators and is the focus of regulatory and legislative proposals. At the federal level, we help clients to comply with COPPA and the Family Educational Rights and Privacy Act (FERPA). We also defend companies when they are investigated or sued for alleged transgressions of COPPA, as well as other issues concerning children’s use of technology. At the state level, we also advise technology providers on the requirements of student privacy laws such as California’s Student Online Personal Information Protection Act (SOPIPA) that have been adopted across the United States.
Financial Privacy and Security
Clients rely on us to help them navigate federal and state financial privacy laws, including the GLBA, California Financial Information Privacy Act (CalFIPA), FCRA, and New York Cybersecurity Regulation. Our clients operate in a wide range of financial sectors, from banking and lending to payment processing, and offer innovative financial platforms and technologies.
We assist them in creating required privacy notices and compliance training programs, as well as establishing regulatory compliance and data governance programs. Our team also assists with negotiating service provider and vendor agreements to ensure that our clients’ legal obligations are properly passed through to third parties. Because our clients must appropriately safeguard their information, we work with them to establish policies and controls that meet legal and industry security standards, including the Safeguards Rule and Payment Card Industry Data Security Standard (PCI DSS).
Health Privacy
We have assisted various covered entities, including both brick-and-mortar and digital healthcare providers, health insurers, and employer-sponsored group health plans and their business associates with broad compliance advice and training with respect to such laws as HIPAA, the Health Information Technology for Clinical and Economic Health (HITECH) Act, and state statutes like California’s Confidentiality of
Our counsel includes reviewing and drafting policies and procedures and business associate agreements, advising covered entities and business associates regarding the confidentiality, integrity, and availability of electronic protected health information (PHI), and the appropriate technical, physical, and administrative safeguards to protect that data. When our covered entity clients have been subject to investigation, we have represented them in U.S. Department of Health and Human Services (HHS) and state attorneys general investigations.
Employee Privacy
Employers must comply with federal and state statutes that govern the handling of personally identifiable information of personnel. We provide compliance guidance on topics including monitoring workplace communications, surveilling on-duty behavior (in a manner that is compliant with state lifestyle laws and the National Labor Relations Act (NLRA)), and addressing issues with searches of employees’ offices and persons.
We also advise clients with respect to background check legislation including the FCRA and similar state laws, and privacy implications of employment drug testing at all stages of employment from preemployment to post-incident/termination. Our team is well versed in best practices with respect to employee personnel files, covering issues such as privacy implications for unsuccessful applicant data, retention policies, check-the-box laws, and driving record laws. We also advise on employee medical records, privacy in employee benefits, and the burgeoning area of employee biometric information.