Consumer Data & Digital Marketing
In addition to spanning geographies and jurisdictions, today’s digital ecosystem is increasingly the focus of regulators who are highly sensitive to the complex issues surrounding online behavioral marketing campaigns and other modern uses of consumer data.
Our lawyers work hand-in-hand with client companies to analyze existing consumer data marketing strategies and develop new approaches — ranging from compliant consent or opt-out processes to targeted digital consumer marketing initiatives — that help them achieve core business objectives. We also advise in-house counsel and privacy officers on how to avoid or minimize regulatory scrutiny and alleviate consumer concerns over the collection, processing and storage of data.
Among other activities that may trigger consumer-protection laws in various jurisdictions, we provide counsel on telemarketing, text messaging, email marketing and promotions, and social media. In particular, our lawyers advise clients on the following:
- Development of compliant privacy policies and terms of use
- Compliance with the Telephone Consumer Protection Act requirements for telemarketing and text communications
- Compliance with CAN-SPAM requirements to ensure consumer-sensitive approaches to email marketing and promotions
- Development of processes for managing consumer data in data-driven businesses
- Assessment of data collection practices and procedures, including for merchants at point of sale using credit and debit cards
- Review and updating online and web data collection practices and protocols
Get a quick understanding of the obligations that state consumer privacy laws impose on your company. Visit our Global Privacy & Cybersecurity Resource Center for a summary of each state’s new privacy law.
Chambers Europe
“Out-of-the-box thinking, reliability and sustainable advice.”
- Advised a consumer products company on the implications of its email marketing campaigns under Canadian, US and European electronic-marketing laws
- Assisted clients in implementing and effectuating consumer-choice mechanisms that comply with best practices and regulatory requirements under EU and US law
- Advised a multinational hotelier on creating data analytics strategies, external marketing strategies, and revising online privacy policies to disclose such strategies consistent with legal and regulatory requirements
- Advised an international university regarding GDPR compliance, including the scope of application of the GDPR to activities in the EU, the lawful grounds for processing personal data (such as consent), appointment of a DPO, and various other GDPR compliance issues
- Advised various clients on applicable privacy requirements when using online marketing and tracking technologies
- Advised dozens of clients on standard contractual clauses and similar agreements for transferring personal data from the EU to jurisdictions without EU-level privacy protection standards
- Advised a global fitness products company with the roll-out of mobile and connected health and fitness functionality
Cross-Border Data Protection
Our privacy lawyers are well established in Germany, France, the UK and Italy, and provide sophisticated privacy advice to domestic and multinational companies and vendors on a wide spectrum of data protection matters. These include global privacy policies, data transfer mechanisms, Privacy Shield assessments, notifications to in-country data protection authorities, General Data Protection Regulation (GDPR) compliance, reviews of new data laws and other compliance steps.
We work closely with operational data privacy officers, helping them establish and maintain effective relationships and communications with data protection authorities in relevant jurisdictions worldwide.
We have particular experience in EU/US Privacy Shield implementation strategies, with template documents and roadmap protocols to reduce the initial management time. Because we have handled FTC enforcement actions involving Safe Harbor violations, we can help clients avoid costly mistakes and remedy existing ones.
We also provide timely, effective counsel and strategies in response to multi-country cyberattacks and other security breaches affecting personal information.
We routinely advise on the following:
- Organizational compliance requirements in relation to the GDPR
- International inter- and multi-company agreements to collect, transfer and use customer, employee and other data (including model clauses and binding corporate rules)
- Assessments and implementation of the new US-EU Privacy Shield for data transfer
- Potential implications of the UK “Brexit” on employee data privacy practices (including international data transfers)
- Third party vendor management and contract terms regarding the collection and processing of the personal data in-country and cross-border
- Multinational privacy policies
- Data privacy implications of global whistleblowing hotlines (including obligations arising for certain organizations under the US Sarbanes-Oxley Act)
- Responses to data subject access requests
Data Breach Management
We have guided clients through assessments of and responses to hundreds of data breaches, including some of the largest cyber incidents to date as well as more limited exposures of confidential or proprietary information. We have experience in all types of cyber hazards, including state-sponsored attacks, overseas criminal hackers, ransomware, insider threats and system compromises resulting from misconfigurations.
We maintain three incident response teams (IRTs), each focused on a particular type of data that implicates a different legal regime. Our teams are available to respond to client issues 24 hours a day, seven days a week.
Our General Data IRT includes lawyers who have been recognized among the nation’s leading practitioners in cyber incident response. This team has handled breaches involving consumer, employee or proprietary information for a diverse range of clients, including technology companies, telecommunications providers, financial service institutions and retailers.
Our Health IRT includes lawyers from our Health Industry Advisory Practice Group, the only such practice to receive top-tier ratings from The Legal 500 USA, U.S. News-Best Lawyers and Chambers USA. Members of our team possess a deep understanding of health data privacy issues and deliver comprehensive breach response advice to health providers, health technology companies, life sciences companies and others in the health industry.
Our International IRT brings together attorneys from the United States, Europe and Asia and has handled breaches that have involved laws and regulations of more than 100 countries.
Each of our teams is experienced in handling all phases of a data breach response, including:
- Participation in and leadership of incident response teams
- Retention and coordination with forensic, cybersecurity, public-relations, and notification firms
- Notice to affected persons such as consumers and business partners as well as to US federal, state and non-US regulators
- Coordination with US Attorney offices, the Federal Bureau of Investigation (FBI), Secret Service, Federal Trade Commission (FTC), Federal Communications Commission (FCC), state attorneys general, regulators and other government agencies
- Coordination with auditors, senior executives and boards of directors
- Development of public-relations strategies
- Management of post-breach cyber assessments and remediation counseling
- Responses to governmental investigations
- Defense of class-action and multidistrict litigation
Data Licensing & Strategies
We are a leading provider of legal advice regarding regulatory and transactional issues raised by the development and implementation of big-data strategies and platforms. We use a multidisciplinary approach to identify the goals and address the legal needs of clients with valuable data assets. This coordinated methodology distinguishes us from other firms that may view data solely as a regulatory or intellectual property concern.
Our team advises data sources and data aggregators on the myriad data privacy and consumer protection law compliance issues raised by the collection, aggregation and use of personally identifiable information and other data from consumers, customers or other data sources. For example, we routinely help clients implement data strategies consistent with the regulatory requirements and expectations of the Federal Trade Commission (FTC) and other federal and state regulators.
Our team advises data sources in connection with agreements for which the primary purpose is the licensing of rights to aggregate and use data. We also counsel clients on service and other agreements where the vendor requests data rights for secondary data uses, and on the following:
- Research compliance, research program structure, and operational and compliance infrastructure
- Complex research affiliation agreements and arrangements
- Scientific review and research misconduct proceedings and investigations (internal and with government involvement)
- Biobanking and registry development and compliance, including emerging issues involving the future, unspecified use of biospecimens and genomic data
- Development and implementation of data-sharing strategies and platforms to achieve business objectives, particularly in connection with biomedical innovation, health care reform, electronic health record implementation and quality assurance requirements
- Data privacy, data mapping and data use strategies for mobile apps and other mHealth and digital technologies
Employer Data Privacy
Our leading employer data privacy practice provides sophisticated advice to domestic and international employers and vendors on a wide spectrum of employee data privacy matters, including employee data protection policies, the international transfer of employee data and employee data subject access rights. We work closely with operational data privacy officers, helping them establish and maintain effective relationships and communications with data privacy authorities in relevant jurisdictions worldwide.
We have particular experience in the regulation of employee benefit plans, including requirements for the protection of the privacy and security of Social Security Numbers and other employee personal information. We also provide timely, effective counsel in response to cyberattacks and other security breaches affecting employee personal information.
We routinely advise on the following:
- International inter- and multi-company agreements to collect, transfer and use employee data (including model clauses and binding corporate rules)
- Ramifications for employee data transfer of the new EU/US Privacy Shield
- Organizational compliance requirements in relation to the EU General Data Protection Regulation (GDPR)
- Potential implications of the UK “Brexit” on employee data privacy practices (including international data transfers)
- Separation, where required, of employee data on group servers
- Individual contract terms regarding the collection and processing of the personal data of executives and other employees
- Employee data privacy policies
- Data privacy implications of the implementation of global whistleblowing hotlines (including obligations arising for certain organizations under the US Sarbanes-Oxley Act)
- Responses to employee data subject access requests
Data, Privacy & Cybersecurity
Data gives businesses the power to make informed decisions and compete more effectively – but collecting, storing, and using data can result in legal and regulatory exposure. Our cybersecurity lawyers help you navigate that risk while supporting the strategic use of data to enhance your business operations.
We advise on all aspects of data, privacy, and cybersecurity, from developing compliance frameworks and implementing defensible security standards to counseling on product development, AI integration, digital marketing, and data monetization strategies. We also help clients navigate cross-border data transfers, incident response and data breach matters, investigations, regulatory scrutiny, and litigation.
Privacy, cybersecurity, and data governance issues touch every part of your business. Our cybersecurity lawyers collaborate across key practice areas including technology, transactions, litigation, employment, investigations, and regulatory to address risk wherever it arises. The team also includes engineers and computer coders, former in-house counsel, and former senior government officials, including cybercrime prosecutors.
Our lawyers helped shape major privacy frameworks, including the California Privacy Rights Act (CPRA) and the European Union’s General Data Protection Regulation (GDPR). We also advise on other evolving state, federal, and international privacy laws, including the California Consumer Privacy Act (CCPA), the EU’s ePrivacy rules, and sector-specific requirements.
We work with you to assess cybersecurity maturity, identify gaps, and develop tailored risk mitigation strategies. When incidents occur, we help you respond to data breaches, ransomware attacks, insider threats, and other cybersecurity incidents with a focus on limiting business disruption and financial exposure. Our cybersecurity lawyers also guide you through sensitive investigations, regulatory scrutiny, litigation, and other disputes that arise from the misuse, loss, or theft of data.
Managing the legal and regulatory exposure associated with data use has become more complex as technologies advance and cyber threats become more sophisticated. We help you mitigate data, privacy, and cybersecurity risk through integrated strategies designed to protect your business, advance innovation, and support growth.
Health Information Privacy
We are the premier firm for the healthcare sector and the only health law practice to receive top-tier ratings from The Legal 500 USA, U.S. News-Best Lawyers and Chambers USA. We provide sophisticated counsel to clients on the gamut of healthcare data privacy and security issues and regularly develop comprehensive health information privacy and security compliance programs for entities regulated by the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH Act) and related state laws.
We routinely conduct, develop or provide health-related:
- Customized privacy, security and incident-response policies
- Day-to-day compliance counseling
- Privacy compliance audits and security risk assessments
- Compliance training
- Privacy and security incident response guidance
- Data and health information technology license agreements
A cornerstone of our health information privacy and security compliance practice is our suite of template HIPAA Materials.
Our lawyers have helped companies successfully resolve all aspects of countless security breaches and other privacy incidents, including hundreds of matters involving protected health information (PHI) under HIPAA. From cyberattacks and malicious insiders to lost laptops, unsecured data and mailing mishaps, we have handled the full spectrum of PHI incidents. We also regularly negotiate settlements and resolution agreements with the HHS Office for Civil Rights (OCR) arising out of complaint investigations and security breach reports, including serving as lead counsel in connection with multiple OCR investigations of breach matters affecting 500 or more individuals.
We are at the forefront of the design, negotiation and implementation of license agreements and other collaborations among health industry stakeholders for the development and deployment of big-data strategies and cutting-edge health IT. Our team provides seamless advice to clients’ privacy and IT professionals by combining our deep understanding of privacy and security laws and our practical experience in the acquisition and implementation of electronic health record (EHR) systems, enterprise-resource planning systems, data-warehouse technology and other IT systems.
Information Security & Risk Mitigation
Our attorneys are experienced in advising corporate counsel and companies’ IT security teams on the complexity of security requirements and evolving best practices. We help clients manage privacy and cybersecurity risks in nearly all aspects of their operations. We have hands-on experience advising on the most challenging issues, including:
Incident Response Preparedness and After-Action Remediation
Our attorneys have extensive experience in the development and implementation of cyber incident response plans and data-breach response procedures. We regularly help identify gaps after a security incident and assess and construct tailored remediation plans and protocols.
Risk Management in M&A Transactions
We work with our M&A clients to assess the cybersecurity risks of proposed transactions and to structure deal terms to mitigate that risk. We conduct legal due diligence that may include a review of the target’s privacy and cybersecurity policies, and provide advice on a range of legal issues, including steps that may be taken to mitigate privacy and cybersecurity risk in connection with the transaction. Where appropriate, we partner with leading cybersecurity risk firms to conduct cybersecurity due diligence on potential target companies. This due diligence can include assessing deficiencies in technical controls, benchmarking against best practices and recommending improvements.
Risk Management for Benefit Plans
We advise benefit plans on the management of cyber risks. Our work often includes a review of the plan’s privacy and cybersecurity policies, an assessment of legal responsibility for losses, recommendations on training policies to reinforce data security, and advising the client on measures to reduce cyber risk. Where appropriate, we partner with leading cybersecurity risk firms to conduct technical assessments of the plan’s systems.
Privacy/Cybersecurity Compliance Programs
We build privacy and data security programs for clients facing the intricacies of collecting, storing, processing, transmitting and disposing of data, and have particular depth assisting multinational organizations. We assist in developing strategies in the data collection arena and assess compliance in notices, privacy policies and backend processes. We regularly perform audits of existing policies, procedures and systems to identify compliance gaps. Following the completion of these audits, we recommend business-minded solutions and help companies implement internal and external controls that can fill those compliance gaps. With our clients’ business objectives in mind, we engage in strategic planning to help them maximize the value and use of consumer data for the benefit of the company. We also draft internally and externally facing privacy and information security policies.
International Privacy Compliance
We advise global clients on compliance with the complex array of privacy and cybersecurity obligations affecting data that crosses borders or relates to foreign employees and individuals. We regularly assist clients with international data transfer mechanisms, including the EU/US Privacy Shield, responses to global data breaches, and compliance with the EU’s data protection laws and General Data Protection Regulation and other non-US privacy laws.
Privacy Litigation & Governmental Investigations
The collection, use and disclosure of personal data trigger a range of privacy and cybersecurity laws and regulations, all of which are enforced by aggressive plaintiffs’ lawyers and government agencies. The retention of sensitive proprietary information pertaining to business partners also implicates a range of legal obligations, and exposure of such information often results in litigation and strained business relationships.
Our lawyers have handled hundreds of data breaches and draw on this experience to routinely represent clients in litigation and governmental investigations arising out of large, complex data breaches, including major incidents involving millions of personal, financial or patient records. We have also represented clients in complex class actions in courts around the country and in governmental investigations by the US Federal Trade Commission (FTC), Office for Civil Rights (OCR) and Federal Communications Commission (FCC), and by state attorneys general. We have also advised clients in disputes with vendors and business partners over losses arising out of cyber incidents.
We are the health-industry market leader with respect to handling responses to OCR investigations. Our lawyers have unparalleled experience negotiating resolution agreements with OCR on behalf of health clients, including major academic medical centers, health plans and provider networks.
We have litigated some of the most important privacy cases in recent years and have obtained landmark rulings, including the US Supreme Court’s 2016 ruling in Gobeille v. Liberty Mutual. We have defended clients in scores of federal and state cases across the country, including dozens of class actions involving claims under federal and state privacy laws, the Fair Credit Reporting Act, the Telephone Consumer Protection Act, the Fair Debt Collection Practices Act, and unfair and deceptive practices statutes, as well as numerous common-law privacy and security claims. We have also represented companies in data collection matters, disputes and class actions involving personal information acquired at point of sale using credit and debit cards in a number of states, including under California’s Song-Beverly Credit Card Act and other state statutes.
Disclaimer
Do not send any information or documents that you want to have treated as secret or confidential. Providing information to McDermott Will & Schulte via email links on this website or other introductory email communications will not create an attorney-client relationship; will not preclude McDermott Will & Schulte from representing any other person or firm in any matter; and will not obligate McDermott Will & Schulte to keep confidential the information you provide. McDermott Will & Schulte cannot enter into an attorney-client relationship with you until McDermott Will & Schulte has determined that doing so will not create a conflict of interest and until you and McDermott Will & Schulte have entered into a written agreement or engagement letter that sets forth the terms of our relationship.