Privacy and Consumer Protection

WilmerHale’s Privacy and Consumer Protection Practice represents sophisticated, high-profile clients on the full range of privacy and consumer protection challenges—from routine matters to cutting-edge issues where the law is unclear and the enforcement risks are high. Our internationally recognized team, composed of lawyers from different practice areas and offices, possesses a mix of counseling, regulatory, litigation, enforcement and transactional knowledge.

Our clients include leading companies in nearly every industry—technology companies, financial institutions, media companies, government contractors, healthcare companies, communications and Internet providers, retailers, manufacturers, online service providers, social networks, e-commerce companies, and many others. This diversity gives us a broad perspective and enables us to spot and address unique and complex issues. It also empowers us to develop in-depth abilities in specialized areas such as financial, health, and children’s privacy. Our practice also leverages WilmerHale’s renowned capabilities in dealing with sector-specific regulatory authorities at the state, federal and international levels. We regularly engage with regulators that—with increasing vigor—are exercising oversight and enforcement powers on the privacy and consumer protection practices of the companies under their jurisdiction.

Dr. Martin Braun

Partner

+49 69 27 10 78 207 (t)

martin.braun@wilmerhale.com

Patrick J. Carome

Partner

+1 202 663 6610 (t)

patrick.carome@wilmerhale.com

Michael Holter

Partner

+44 (0)20 7645 2574 (t)

michael.holter@wilmerhale.com

Barry J. Hurewitz

Partner

+1 202 663 6089 (t)

barry.hurewitz@wilmerhale.com

Jeannie S. Rhee

Partner

+1 202 663 6027 (t)

jeannie.rhee@wilmerhale.com

Paul A. von Hehn

Partner

+32 475 902 965 (m) +32 2 285 49 03 (t)

paul.vonhehn@wilmerhale.com

Experience

Online Privacy and "Big Data"

Our team has extensive experience with a wide range of Internet privacy and e-commerce issues, including online tracking, online marketing, and the leveraging of "big data." We help companies comply with the many statutes, rules, and industry self-regulatory programs that govern privacy and consumer protection in the online ecosystem.

Representative matters include:

  • Advising communications providers on the extent to which they can track customers and third parties and develop profiles of their online and offline behavior through analysis of Internet traffic
  • Assisting dozens of companies from virtually every industry—from technology firms to defense contractors to broker-dealers to startups—with the drafting and modification of online privacy policies
  • Helping both child-directed and general audience websites and services comply with the Children's Online Privacy Protection Act, including design of parental notice and consent mechanisms and age-screening mechanisms
  • Counseling leading online companies, financial institutions, healthcare companies, and others on lawful ways to amass information about consumers and leverage that "big data" for insights (or sell it to third parties) 
  • Assisting a streaming video provider in complying with the Video Privacy Protection Act
  • Helping a large equipment manufacturer with all stages of worldwide roll-out of a new content-streaming device and software, from design of product features to drafting of country-specific consumer privacy notices
  • Advising clients throughout the Internet ecosystem on the lawful use of cookies, web beacons, web logs, flash cookies, and other forms of online tracking

Financial Privacy

We represent a wide range of banks, credit card companies, insurance companies, investment advisors, broker-dealers, online financial services companies, mobile payments companies, and their IT vendors on the full spectrum of financial privacy and consumer protection issues. We help clients comply with the Gramm-Leach-Bliley Act, Fair Credit Reporting Act, Fair and Accurate Credit Transactions Act, Right to Financial Privacy Act, their implementing regulations, and numerous state and foreign analogues. We also conduct investigations of potential statutory and regulatory violations.

Representative matters include:

  • Drafting GLBA- and FCRA-compliant consumer privacy policies for a range of financial institutions, from large banks to small startups
  • Assisting financial institutions in complying with anti-money-laundering obligations, congressional inquiries, and litigation-related document requests in a manner consistent with domestic and foreign financial privacy laws
  • Drafting and revising companies' FACTA-mandated "red flags" policies for prevention, detection, and remediation of identity theft
  • Drafting a memo for a trade association analyzing state analogues to federal financial privacy statutes and identifying compliance challenges
  • Conducting internal investigations of potential violations of privacy and cross-marketing provisions of the Fair Credit Reporting Act by client employees
  • Assisting a financial institution in designing a program to data-mine customer financial transactions and identify meaningful trends in the data
  • Counseling a number of "fintech" startups, including mobile payment providers, on financial privacy compliance
  • Advising a major cloud computing company on financial regulators' data privacy requirements in many EU member states and countries in Asia, Latin America, and the Middle East

Litigation and Regulatory Enforcement

We regularly represent clients before federal and state agencies such as the Federal Trade Commission, the Federal Communications Commission, and state Attorneys General in connection with enforcement actions and confidential regulatory investigations. We also represent clients in high-profile litigation concerning privacy and consumer protection, including consumer class actions, government enforcement efforts, and challenges to government surveillance programs.

Representative matters include:

  • Assisting major technology companies and an Internet service provider in responding to confidential Federal Trade Commission and state AG investigations into privacy practices
  • Representing a major information technology company in Wiretap Act litigation over its mapping technology
  • Helping a major data brokerage company respond to congressional inquiries concerning industry and client data practices
  • Defending a large Internet service provider in a national privacy class action arising from public release of subscribers' Internet search query data
  • Representing a leading social network in negotiations with, and several court cases against, European data protection authorities and consumer protection authorities regarding service features, terms and conditions, and privacy policy
  • Representing a large communications company in national, multi-district class-action litigation in connection with claims that its alleged provision of assistance to the NSA violated privacy laws 
  • Representing a leading social network in litigation before the Foreign Intelligence Surveillance Court
  • Representing a large communications company in litigation over the National Security Agency's surveillance programs
  • Assisting online clients in successfully challenging subpoenas and other legal process seeking subscriber data, search query data, and similar information on privacy and free speech grounds
  • Advising a major automobile company on responding to congressional inquiries related to privacy and cybersecurity
  • Assisting a software company in responding to claims under the Computer Fraud and Abuse Act

International Data Protection

Our privacy and consumer protection practice is international in scope. We advise clients on data protection regimes on six continents and craft practical solutions to transferring data across borders. We frequently draw on the knowledge of skilled data protection specialists in our offices in Europe and Asia to advise on foreign data protection laws, e-commerce regulations, and cross-border data issues.

Representative matters include:

  • Helping numerous multinational and US-based companies legitimize data flows from the European Union to the United States through Safe Harbor certifications or execution of EU model contractual clauses
  • Helping companies lawfully transfer data to the United States from countries in North and South America, Asia, the Middle East, Australia, and Africa
  • Assisting companies in complying with the EU "cookie directive," which requires consumer consent to the use of many cookies and other online tracking mechanisms
  • Assisting companies in structuring their collection, use, and sharing of consumer and employee personal data to comply with foreign legal requirements, including local registration requirements
  • Counseling clients on design of employee monitoring programs and external threat mitigation programs consistent with data protection laws
  • Advising clients on compliance with European data protection rules in connection with marketing strategies, licensing agreements, enforcement of corporate compliance rules, and data retention for online service providers
  • Advising several multinational companies on data protection and employee notice/consent issues arising from centralization of global human resources information systems in the United States
  • Advising companies on responding to issues created by the recent disclosures of US intelligence programs involving the acquisition of data by governments under a variety of authorities
  • Assisting numerous multinational litigants with issues arising from US discovery requests for sensitive information stored abroad
  • Advising numerous companies about legal and policy implications of reforms to the EU data protection law
  • Advising a leading cloud services provider on a draft industry code of conduct for data privacy and security
  • Advising multiple US and non-US companies on compliance with Chinese state secrets regulations

Consumer Protection

We help companies avoid "deceptive" and "unfair" trade practices under the Federal Trade Commission Act and state analogues. We also advise companies on a wide range of marketing issues in the online and offline contexts, including the CAN-SPAM Act, the Telephone Consumer Protection Act, the Telemarketing Sales Rule, and many international analogues. We also counsel companies on compliance with sector-specific consumer protection laws, including with respect to financial information.

Representative matters include:

  • Counseling consumer reporting agencies, information furnishers, and users of consumer reports on applicability and requirements of the Fair Credit Reporting Act, including with respect to content of adverse action notices and consumers' rights to challenge inaccuracies
  • Helping dozens of companies design their privacy practices and/or modify their privacy notices to avoid commission of "deceptive" or "unfair" trade practices
  • Advising clients on worldwide media campaigns, including email and telephone marketing
  • Assisting clients in designing text-message marketing campaigns that comply with the Telephone Consumer Protection Act
  • Engaging with the Federal Trade Commission on behalf of a client complaining of deceptive and unfair trade practices of other companies in a related industry sector

Electronic Surveillance

We counsel companies on the requirements of federal, state, and foreign laws governing electronic surveillance by government officials and private companies, including the USA PATRIOT Act, Foreign Intelligence Surveillance Act, Computer Fraud and Abuse Act, Electronic Communications Privacy Act, Stored Communications Act, Wiretap Act, and their state equivalents.

Representative matters include:

  • Advising communications companies on the application of surveillance laws to "big data" information collection efforts, including tracking of consumers both online and offline
  • Drafting a compliance manual for use by client employees in responding to surveillance requests from law enforcement and third-party subpoenas for customer information from private litigants
  • Advising online companies on application of the Computer Fraud and Abuse Act and Electronic Communications Privacy Act to "screen scraping" activities
  • Counseling numerous clients on Wiretap Act and state two-party consent statutes with respect to monitoring of employee and customer communications

Health Privacy

Our work for healthcare providers, health plans, pharmaceutical and biotechnology companies, equipment suppliers, information technology vendors, consultants, and service providers encompasses the full range of health data regulatory considerations. We advise a broad range of stakeholders in the healthcare system on privacy, data security, and breach notification matters, including the regulatory standards imposed pursuant to the Health Insurance Portability and Accountability Act (HIPAA), Health Information Technology for Economic and Clinical Health (HITECH) Act, and supplemental state regulations. For clients involved in clinical research, we provide counsel on human research protections imposed pursuant to the Common Rule and related regulations.  

Representative matters include:

  • Developing and implementing HIPAA compliance policies and procedures for HIPAA-covered entities and their business associates
  • Negotiating business associate agreements for service providers and covered entities
  • Developing patient consent and patient privacy documentation for clinical research
  • Advising numerous clients on health data issues in corporate mergers and acquisitions, including restrictions on transfers of health data as corporate assets
  • Advising clients on potential HIPAA concerns raised by production of materials in litigation and investigations

Transactions and Contracts

We routinely draft terms to allocate and manage data-related responsibilities in agreements with a privacy dimension. We also conduct due diligence and prepare representations regarding privacy and consumer protection issues in a wide range of transactions, including acquisitions and venture capital financing.

Representative matters include:

  • Negotiating cloud computing contracts, with complex privacy terms and international data protection implications, on behalf of both cloud computing providers and companies outsourcing their data to the cloud
  • Representing numerous companies licensing consumer data to and from business partners
  • Conducting privacy and data protection due diligence on numerous online companies on behalf of investors or purchasers
  • Drafting representations, indemnity provisions, and privacy clauses in many corporate transaction agreements
  • Representing a company with a large online behavioral advertising business in the sale of its advertising assets and licensing of ongoing data flows from the company to the purchaser

Mobile Privacy

We counsel clients on a range of mobile privacy issues, including the design and operation of mobile apps and the tracking of consumers' physical locations and movements through their mobile devices. 

Representative matters include:

  • Advising a hedge fund on permissible uses of mobile tracking data in making investment decisions
  • Counseling communications providers on permissible uses of mobile calling information, mobile browsing data, and location information in "big data" analysis and marketing campaigns
  • Assisting a client in designing, deploying, and marketing a mobile wallet application and service
  • Analyzing mobile applications for a wide range of companies to ensure compliance with FTC, California AG, and other legal obligations concerning mobile apps
  • Advising communication providers on application of Customer Proprietary Network Information (CPNI) rules to customer location data

Publications & News

May 1, 2014

White House “Big Data” Report Calls for New Privacy, Data Breach Legislation, Renewed Attention to Discrimination

The White House this afternoon released a much anticipated report on “big data,” which represents the results of a 90-day review the President asked Counselor to the President John Podesta to conduct on his behalf.

April 22, 2014

SEC To Examine Cybersecurity Preparedness at More Than 50 Registered Broker-dealers and Investment Advisers

On April 15, 2014, the Securities and Exchange Commission's Office of Compliance Inspections and Examinations issued a "Risk Alert" announcing steps being taken to assess cybersecurity preparedness in the securities sector.

February 13, 2014

NIST and DHS Release Final Cybersecurity Framework, Roadmap, and Voluntary Program for Cybersecurity Assistance

Yesterday, the National Institute of Standards and Technology (NIST) released the final version of the voluntary federal cybersecurity standards known as the Cybersecurity Framework, along with a “Roadmap” explaining how the government will work with the private sector, other countries, and international organizations to refine and improve the Framework over the next several years.

January 27, 2014

Defense Department and GSA Issue Recommendations for Improving Cybersecurity in Government Contracting

On January 23, the Department of Defense and the General Services Administration published their joint recommendations to the President “on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration . . . [including] what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity.”

December 16, 2013

Legal 500 Germany 2014 Recognizes WilmerHale Lawyers and Practice Areas

The Legal 500 launched its new edition Legal 500 Deutschland, Germany's guide to outstanding lawyers, and recognizes WilmerHale in seven categories.

November 21, 2013

Defense Department Publishes Final Rule Implementing Enhanced Information Protection and Cyber Incident Reporting Requirements

September 30, 2013

California Adopts "Do Not Track" and Expanded Data Breach Notification Laws

On Friday California Governor Jerry Brown signed into law the second and third of a cluster of four privacy and data security bills recently passed by the state legislature, continuing California’s role as among the most active states in extending the reach of on-line privacy and information security regulation.

August 30, 2013

NIST Issues Discussion Draft of Preliminary Cybersecurity Framework

The National Institute of Standards and Technology ("NIST") has posted a discussion draft of the preliminary version of the voluntary federal cybersecurity standards NIST was directed to develop under the executive order on critical infrastructure cybersecurity issued by President Obama in February.

February 13, 2013

President Obama Issues Cybersecurity Executive Order

June 7, 2012

Chambers USA 2012 Final Results Announced

Events

November 5, 2014

Surveillance Laws and Workplace Privacy

Charlotte, North Carolina

June 3, 2014

Bloomberg Government Cybersecurity Summit

Washington, DC

May 30, 2014

TiECON East

Cambridge, Massachusetts

May 27, 2014

NACD Spring Forum

Washington, DC

May 21-22, 2014

Georgetown Law Center: Cybersecurity Law Institute 2014

Washington, DC

March 24, 2014

Cyber Security, Data Privacy, and the Law

New York, New York

March 13-14, 2014

The Georgetown Law Center: 18th Annual Corporate Counsel Institute

Washington, DC

October 23, 2013

WilmerHale FinTech Webinar Series: Cybersecurity & Data Privacy

Webinar

October 3, 2013

Washington Post Live Forum on Cybersecurity 2013

Webinar

September 30, 2013

SIFMA Compliance & Legal Society Charlotte Regional Seminar

Charlotte, North Carolina