Representative Experience


For not-for-profit clients, provided advice on US and EU data protection and privacy laws that apply to the non-profit sector. Work included drafting of external notices and internal policies for compliance, handling of data subject access requests and erasure requests, and providing advice and support for deployment of GDPR compliance programs.

Identified and designed strategies to comply with EU data transfer requirements, including drafting and negotiating service provider contracts and intra-group data transfer agreements. Advised post-Schrems II and created guidelines to implement compliance strategies, including SCCs, evaluation of surveillance risks related to different data flows and related safeguards required.

For multiple clients, negotiated complex contracts involving the use of personal data, including contracts related to marketing and advertising, research, and human resources.

For various clients, assessed the applicability of GDPR, conducted gap assessments and created pragmatic roadmaps to build the processes and resources required in a manner tailored to each organization’s unique circumstances. 

Evaluated the applicability of new requirements under the ePrivacy Directive to an online communication platform and related obligations. Reviewed existing data flows and devised a compliance strategy across the complex data sharing network, as well as colocation services and ISPs.

Assisted with evaluation and remediation of accidental collection by the client of the data of minors under 13 subject to COPPA and the data of minors under 16 subject to GDPR. This is a high-risk area, as COPPA fines can quickly escalate, the requirements for consent diverge across the multiple affected jurisdictions, and the impact of collection absent parental consent diverges depending on which laws apply.

Incorporated benefit organizations and corporations, including professional corporations and benefit corporations, and acted as corporate secretary.

Acted as Chief Privacy Officer and Data Protection Officer for hire, assisting with data subject rights requests, compliance program building and maintenance of records requirements.

Provided advice on the applicability of, and compliance with, COPPA to various organizations providing services to K-12 schools, including identification of a viable process to obtain verifiable parental consent. 

Assessed the applicability of GDPR, conducted gap assessments and created pragmatic roadmaps to build the processes and resources required in a manner tailored to each organization’s unique circumstances. 

Provided advice on compliance with GDPR and CCPA for cybersecurity clients providing services to governmental agencies. Work includes, but is not limited to, assessment of the applicability of GDPR and CCPA to the different products offered by each organization, as well as evaluation of specific products to identify if they fall into the category of selling under CCPA with emphasis on the review of relevant exceptions applicable in the law enforcement context.

For a tech company, providing advice on policy initiatives related to pending bills before Congress with regard to various aspects of US law, including preemption principles under US federal law.

Provided advice on compliance with applicable industry frameworks for targeted advertising and related legal obligations for an organization that manufactures health equipment used by adults and minors alike. For the same client, provided advice on the applicability of, and compliance with, COPPA, including a viable process to obtain verifiable parental consent for health tech products.

Advised financial institutions on US financial privacy compliance, including GLBA, CalFIPPA, PCI-DSS, etc. Work included evaluation of the applicability of, and compliance with, CCPA for activities and data outside of the scope of applicable financial industry laws (e.g., financial services provided to non-consumers, data collected outside of the context of provision of financial services, etc.).

For a global vehicle manufacturer, advised on privacy and cybersecurity matters, including evaluation of new technology, monetization of data, new services, new data collection and new marketing initiatives for privacy/cyber issues.

For a government agency, provided advice on the requirements under the California Information Practices Act and the California Public Records Act.

For not-for-profit clients, provided advice on US and EU data protection and privacy laws that apply to the non-profit sector, drafted privacy policies and disclosures. 

Identified, designed and implemented strategies to comply with EU data transfer requirements.

Provided advice on the applicability of, and compliance with, COPPA to various organizations providing services to K-12 schools, including identification of a viable process to obtain verifiable parental consent. Drafted contractual language and COPPA notices, and provided advice on parental rights under COPPA, and how they compare/differ from data subject rights under GDPR. Work required consideration of COPPA compliance within the existing compliance framework for GDPR, as the frameworks do not fully align.

For a privacy tech start-up, provided advice in connection with business strategy alignment with legal requirements and potential market for its services based on existing security and privacy requirements under applicable law. Analyzed the applicable requirements under US and EU privacy, data protection and cybersecurity laws for a ground-breaking searchable encryption product and related key management process. Supported with marketing materials highlighting privacy features.

For various clients, assessed the applicability of GDPR and CCPA, conducted gap assessments and created pragmatic roadmaps to build the processes and resources required in a manner tailored to each organization’s unique circumstances. 

Assessed the applicability of CCPA to a law-firm client, evaluated the role that a law firm should take under CCPA (i.e., business, service provider or other) and devised a strategy for compliance with the act (including preparing a gap analysis and updating notice policies, procedures and contract terms). Provided advice on a data protection and privacy impact assessment regarding the implementation of different security-related products requiring monitoring of its network and employees. Reviewed data subject access procedures for compliance with CCPA and GDPR, and reviewed/updated records of processing. Conducted a tabletop exercise evaluation and next steps.