Privacy

In an increasingly complex and globally regulated data environment, we help clients design and operationalize privacy and data protection programs that scale across jurisdictions, technologies, and business models. Our approach integrates legal requirements into day-to-day operations, enabling companies to manage risk while continuing to innovate.

We counsel clients on the full spectrum of U.S., European, and international privacy laws, including the FTC Act, HIPAA, Fair Credit Reporting Act (FCRA), Gramm-Leach-Bliley Act (GLBA), CAN-SPAM, Children's Online Privacy Protection Rule (COPPA), Family Educational Rights and Privacy Act (FERPA), Video Privacy Protection Act (VPPA), Telephone Consumer Protection Act of 1991 (TCPA), Illinois’ Biometric Information Privacy Act (BIPA), state breach notification laws, the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), Australia’s Privacy Act 1988, Australian Privacy Principles (APPs), China’s Personal Information Protection Law (PIPL), and other emerging privacy laws. We guide clients through cross-border data transfers, regulatory alignment, and evolving global standards.

Our work spans all aspects of data governance and compliance, including data mapping, risk assessments, privacy-by-design implementation, and the development of policies and procedures that support transparency, accountability, and defensible data use. We regularly advise on data issues arising from emerging technologies, including AI and machine learning, digital platforms, digital identity, and advertising technology.

We partner with clients to build and maintain privacy and security programs that align with global regulatory expectations and are tailored to their products, data ecosystems, and growth strategies, delivering practical solutions that can be implemented at scale.

The increasing use of biometric technologies, such as facial recognition, voiceprints, and fingerprint-based systems, presents significant privacy, data security, and litigation risks. In the United States, these risks are amplified by the rise of class-action litigation, particularly under statutes such as the Illinois Biometric Information Privacy Act (BIPA).

Our Privacy & Data Security lawyers have extensive experience advising clients across industries on biometric data risks, including defending against BIPA allegations and class-action claims. We combine deep litigation experience with practical guidance on compliance, risk mitigation, and the responsible deployment of biometric technologies.

While our litigation experience is primarily U.S.-focused, we also advise clients on biometric data considerations under global privacy frameworks, including the EU’s General Data Protection Regulation (GDPR), where biometric data is treated as a special category of personal data subject to heightened requirements around consent, purpose limitation, and security.

The challenges:

• Evolving regulatory environment: Laws governing biometric data continue to expand, particularly at the state level in the United States. Statutes such as BIPA have driven a surge in class-action litigation, while global frameworks like GDPR impose strict requirements on the collection and use of biometric data.
• Heightened data sensitivity: Biometric identifiers are inherently sensitive and, if compromised, cannot be changed. Organizations must implement robust safeguards to protect against misuse, unauthorized access, and security vulnerabilities.
• Specific AI data security challenges: The use of biometric data in AI models and identity verification systems introduces additional legal and operational challenges, including data sourcing, consent, and downstream use risks.
• Litigation exposure: Companies face significant exposure to class-action lawsuits, particularly in the United States, where plaintiffs increasingly target biometric technologies used in consumer-facing products and services.

Our capabilities:

• Market-leading biometric litigation experience: We are among the leading firms defending biometric privacy claims in the United States, with deep experience handling BIPA class actions and other high-stakes litigation involving facial recognition, voiceprints, and similar technologies. We have represented clients ranging from startups to global technology companies in complex, high-exposure matters.
• Extensive litigation experience: Our seasoned litigators have a history of achieving favorable results for clients in high-stakes litigation related to biometric technologies. We have successfully defended clients, from startups to the world’s leading technology companies, against a multitude of BIPA lawsuits. We are one of the few firms in the country with extensive experience defending cases involving facial recognition or alleged “face scans” and voiceprints.
• AI and emerging technology guidance: We are well-versed in the legal issues associated with obtaining biometric data for AI model training and anticipating the legal implications of utilizing biometric technology for user identification.
• Integrated risk management approach: Our Biometric Law team collaborates closely with our nationally recognized Insurance Recovery practice to help clients assess insurance coverage and potential indemnification rights.
• Ongoing legal intelligence and support: We regularly track legal developments across the nation to help clients comply and mitigate legal risk so they can continue providing innovative products and services and protect their businesses and stakeholders.

Our global data security and breach response team brings decades of experience helping clients prepare for and respond to complex cyber incidents across jurisdictions. We advise on the design and implementation of security programs and provide rapid, coordinated responses to ransomware attacks, data breaches, and other high-impact events.

We guide clients through the full life cycle of an incident, including containment, forensic investigation, regulatory analysis, and stakeholder communications. Our team regularly coordinates cross-border response efforts, navigating overlapping legal and regulatory requirements, including breach notification obligations, data transfer restrictions, and engagement with regulators in multiple jurisdictions.

We have handled hundreds of data breaches and cybersecurity incidents globally and use that experience to deliver efficient, real-time response strategies that mitigate risk, reduce business disruption, and support operational continuity. We advise on privacy, regulatory exposure, litigation risk, reputational considerations, and directors’ duties arising from cyber incidents.

Beyond incident response, we help clients build and mature cybersecurity risk management programs, enhance resilience, and prepare executive teams and boards for crisis scenarios. Our capabilities include incident readiness planning, tabletop exercises, governance design, and coordination with forensic and technical experts to support recovery following ransomware, cyberattacks, and other security events.

Many companies, including communications providers, mobile app providers, financial technology companies, generative AI companies, and augmented reality and virtual reality providers, face regular demands from law enforcement, civil litigants, and others around the world seeking information about their customers, such as their online activity, private communications, location information, financial transactions, or other sensitive details. These demands often raise novel conflicts related to free speech, privacy, and public safety, in scenarios that are fraught with legal and reputational risk. Our legal process response practice helps global technology leaders and emerging companies respond to, and where appropriate, object to and litigate, requests for their users’ data.

Each year we handle thousands of matters concerning requests for user data and other legal processes from around the world. These matters include assisting clients as they establish policies and procedures for responding to legal process; negotiating with hundreds of law enforcement officers and litigants over the validity or scope of legal process; and briefing and appearing in courts throughout the United States on issues arising under the federal Stored Communications Act, Wiretap Act, Pen Register/Trap and Trace Statute, and All Writs Act; the First, Fourth, Fifth, and Sixth Amendments to the U.S. Constitution; the Foreign Intelligence Surveillance Act (FISA) and the FISA Amendments Act; and CalECPA and other state-specific laws.

In addition, our team regularly guides clients facing cross-border user data requests from governments, litigants, and inter-governmental agencies throughout the world, on matters raising complex issues involving conflicts of law, international comity, and international human rights. We also provide guidance on legal frameworks governing the interception, access, and use of communications data in jurisdictions around the world, including the United States, United Kingdom, the European Union, Australia, India, Brazil, and countries around the world. Our team has established relationships with lawyers and professionals in more than 100 countries to assist our clients in responding to, objecting to, or litigating those requests. Our lawyers also actively represent clients who are participating in international policy development regarding government and other requests for user information.  

Our team’s level of experience advising on these issues is of critical importance to our clients. Our compliance work also extends to responding to legal process issued or obtained by the U.S. intelligence community for counterterrorism and counterespionage investigations, as well as other privacy matters, including data security breaches and defending clients in investigations brought by federal and state agencies.

Our team is led by former government officials with deep experience managing sophisticated national security matters. With this insider’s knowledge and perspective, we resolve our clients’ most sensitive concerns.

Clients seek our comprehensive counsel on issues involving counterespionage, counterterrorism, protection of critical infrastructure and cyberspace, and other domestic threats. We work closely with companies on prevention and readiness, intrusion response, and remediation/hardening. We also help clients form contracting and other business relationships with components of the U.S. intelligence community, including establishing subsidiaries to work with U.S. national security departments and agencies and mitigate any foreign ownership, control, or influence.

We advise companies on compliance related to U.S. export control laws and economic and trade sanctions programs, and handle surveillance requests. Our team has defended and represented clients as targets and witnesses in investigations before the U.S. intelligence community, including the Committee on Foreign Investment in the United States.

We advise clients on national security considerations across both cross-border transactions and critical infrastructure protection. Our guidance spans foreign investment review regimes worldwide—including the United Kingdom's National Security and Investment Act and the Cyber Incident Reporting for Critical Infrastructure Act—as well as the full range of international regulatory frameworks governing critical infrastructure sectors. As security requirements continue to evolve across jurisdictions, our lawyers draw on deep experience in cybersecurity, insider threats, and the operational technologies employed across critical sectors to help clients stay current, compliant, and secure wherever they operate.

We also advocate for clients’ interests in responding to proposed changes to legislation potentially affecting national security issues. We have provided testimony—in open and classified hearings—to the U.S. Senate Select Committee on Intelligence and the U.S. House Permanent Select Committee on Intelligence and advised clients who are doing the same.

Our Privacy Class-Action Defense lawyers represent leading technology companies and other data-driven businesses in high-exposure, consumer privacy class actions, including matters brought against companies operating global digital platforms and services. Our experience spans a wide range of claims, including alleged violations of federal and state privacy laws, such as the California Consumer Privacy Act, Stored Communications Act, Wiretap Act, Telephone Consumer Protection Act, and Biometric Information Privacy Act, as well as common law claims involving the collection and use of personal data, including intrusion upon seclusion and alleged violations of constitutional privacy rights.

These cases are frequently brought on behalf of putative classes numbering in the thousands or millions, creating significant financial exposure and the risk of business disruption through injunctive relief. We defend clients against claims arising from digital products, online tracking, communications technologies, and data-driven technologies.

We focus on achieving swift and efficient resolution wherever possible, including through early motion practice and strategic case positioning. When early resolution is not achievable or aligned with client objectives, we have the depth of experience to litigate class actions through all phases, including discovery, class certification, summary judgment, and trial. Our team has successfully obtained dismissals, defeated class certification, and negotiated favorable individual and class-wide settlements.

Our litigation team includes more than 70 lawyers dedicated to privacy-related disputes. In addition to defending claims, we advise clients on steps to mitigate class-action risk, including product design considerations, data practices, and emerging litigation trends, helping reduce exposure before claims arise.

Companies face increasing scrutiny of their privacy, data security, and AI practices from regulators across multiple jurisdictions, with expanding mandates and a growing willingness to use investigative and enforcement powers aggressively.

Our team advises clients on high-stakes privacy, data security, and consumer protection investigations brought by regulators in the United States and globally. We have experience coordinating responses to parallel inquiries across jurisdictions, engaging directly with regulatory authorities, and managing complex, cross-border investigations involving multiple agencies and legal frameworks.

We represent clients at all stages of regulatory investigations, from initial inquiries and information requests through enforcement actions and resolution. We regularly serve as coordinating counsel in matters involving regulators across regions, helping clients align strategy, manage risk, and maintain consistency in communications and legal positions.

When matters progress to enforcement, we defend clients in administrative proceedings and litigation, while also advising on negotiated resolutions, remediation, and ongoing compliance obligations. We work closely with clients to design and implement compliance programs, address regulatory expectations, and manage post-resolution requirements, including third-party assessments and reporting obligations.

We also advise on engagement with policymakers and regulators on emerging privacy and data governance issues, helping clients anticipate regulatory trends and respond effectively.

The landscape for consumer privacy and safety laws continues to expand rapidly, both in the United States and globally, as regulators adopt comprehensive frameworks that grant individuals greater rights over their personal data and impose increasingly detailed obligations on technology companies and businesses to safeguard information.

The United States remains one of the most dynamic and complex environments for consumer privacy regulation, with a growing number of state laws creating a patchwork of requirements around data collection, use, sharing, and retention. Our Privacy & Data Security lawyers have deep experience advising clients on these laws, including developing compliance strategies that account for differing state requirements and evolving enforcement expectations.

We help clients assess and operationalize their data practices by building data maps and inventories, evaluating how personal data is collected, used, disclosed, and retained, and aligning those practices with applicable legal frameworks. Our work includes advising on privacy notices, user rights processes, product and interface design, and updates to vendor and data-sharing agreements.

For companies operating across borders, we help translate U.S. privacy requirements into scalable, global compliance programs. Our team includes lawyers with experience advising on the European General Data Protection Regulation and the United Kingdom’s data protection regime, as well as Australia’s federal privacy framework, including the Privacy Act and Australian Privacy Principles. We closely track legislative developments and enforcement trends and coordinate across jurisdictions to align consumer-facing practices, governance structures, and risk management approaches with local regulatory expectations.

In an era of technology-driven business, harnessing the advantages of evolving tech is more critical than ever. Effective outsourcing and procurement help businesses control costs, develop and implement core business strategies, maximize the efficiency of support functions, and execute complex commercial transactions in which data is a core part of the deal. Our technology lawyers have extensive experience handling strategic matters, complex technology contracts, IP and software commercialization, digitalization, IT transformation, and data protection agreements, as well as counseling clients on the impact of data protection provisions in commercial agreements, including insurance, indemnity, and liability clauses.

Our team has a strong track record of working seamlessly with clients’ project teams and taking a hands-on approach to closing deals. That experience gives us practical insight into the factors that contribute to the success of large IT projects and supports our work on M&A transactions for both buy- and sell-side deals. We draft privacy and security-related requests and disclosures, assess potential compliance gaps, recommend mitigation measures, prepare privacy representations and disclosure schedules, and lead negotiations with counterparties on privacy and security issues.

Our clients operate across jurisdictions, requiring coordinated, global approaches to data protection and governance. We help organizations design and implement scalable data governance frameworks that align with international privacy laws while supporting business operations and growth.

We advise on global data protection regimes, including the EU General Data Protection Regulation and other evolving privacy frameworks, and help clients navigate the complexities of managing personal data across borders. Our focus is on building governance structures that can be implemented consistently across regions while remaining adaptable to local legal requirements.

Our team works with multinational companies to assess data practices, identify regulatory risk, and develop practical governance programs that address data use, access, retention, and transfer. We coordinate with local counsel in key jurisdictions to help ensure that global strategies are informed by on-the-ground regulatory considerations.

Taking a pragmatic, business-focused approach, we help clients operationalize global data governance, reducing fragmentation, supporting compliance, and enabling the responsible use of data across their organizations.