Perkins Coie’s Privacy & Security group represents some of the world’s leading Internet companies, wired and wireless communications providers, brick-and-mortar retailers and emerging online businesses.

Data and security breaches are increasingly headline news and the current legal climate includes complex and nuanced rules governing the collection, use, storage, and disposal of information that vary by jurisdiction and is continually evolving.  We work closely with our clients to help them stay abreast of national and international regulatory and statutory changes and industry initiatives related to mobile applications, online and mobile advertising, means of capturing location information, and cloud computing.  We are ranked by Chambers USA among the best firms in the nation for privacy and data security.  We also were recognized by Law360 as a “Practice Group of the Year” in 2013. 

Areas of Focus:

Product and General Privacy and Security Counseling

We routinely review products and services to identify and resolve privacy and data security issues.  These reviews cover privacy policies, disclosures and terms, and also include an in-depth understanding of the data flows involved in the company’s products or services.  Representative projects include:

    • Helping clients launch social components to large retail e-commerce sites
    • Advising on product privacy on mobile applications
    • Guiding on roll-outs of new web-based payment processing services
    • Drafting policies for data sharing with cloud service providers
    • Designing compliance programs to launch international services in more than 60 jurisdictions 

We have extensive experience helping clients develop data security policies and programs needed to comply with PCI Data Security Standards, Red Flag Rules, HIPAA, GLBA, COPPA, TCPA, FERPA, FCRA, CAN-SPAM, FTC guidelines, state data protection laws, as well as self-regulatory rules. 

Electronic Surveillance and User Information Requests

We provide training and advice to clients in complying with surveillance laws and responding to requests for customer information.  We also regularly advise clients and litigate on their behalf on issues related to their obligations under the:

    • Wiretap Act
    • Pen/Trap Statute
    • Stored Communications Act
    • Foreign Intelligence Surveillance Act
    • National Security Letters 
    • Communications Assistance for Law Enforcement Act

Online and Mobile Advertising

As advertising models increasingly rely on user data, regulatory scrutiny of the collection and use of information of all types from browsers and mobile apps continues to increase.  Representative experience includes:

    • Helping companies draft meaningful and accurate disclosures of their advertising practices, including how to provide “just in time” notice
    • Counseling on how, and under what circumstances, clients should offer choice with respect to data collection and use practices, and what form such choice should take
    • Training on compliance with self-regulatory rules and state and federal consumer protection statutes, the Children’s Online Privacy Protection Act (COPPA), and state laws governing advertising to minors
    • Counseling major technology companies, web publishers and online retailers on responding to web browser-based “do not track” signals

We counsel advertising technology companies, communications providers, and web and mobile application publishers on how to structure their practices in a manner that is consistent with self-regulatory rules as well as regulatory and legal frameworks.  We have deep experience with self-regulatory bodies, including the Network Advertising Initiative, Digital Advertising Alliance and Better Business Bureau, regarding online behavioral advertising and mobile advertising issues.

Privacy Reviews, Assessments and Data Transfers

Privacy assessments are rapidly becoming an important part of every business that handles customer or user information.  Before a company can fully appreciate its obligations and risks, or implement “privacy by design," it needs to “know its data,” which means that it needs to understand what types of user information it collects and uses, where the data is stored, with whom the data is shared, and when and how the data is disposed. 

To help companies fully understand their collection, use and sharing of personal and other sensitive data, we conduct comprehensive privacy reviews.  Retailers, telecommunication providers, power companies, cloud providers and international companies are among the companies for whom we have provided reviews.  Contexts in which we have performed privacy assessments include:

    • Launch of new and existing products
    • Mergers and acquisitions 
    • Cloud, advertising and other transactions where the transfer of personal information across international boundaries is an issue

Honed during repeated engagements, our approach to gathering data is efficient as we assist in or conduct onsite interviews.  Our custom reports offer specific and practical recommendations and checklists to help our clients quickly understand the data they handle and the myriad laws and regulations that apply to their collection, use, storage and sharing of that data.

After conducting an assessment, we work closely with clients to prioritize needed remedial efforts.  Privacy assessments make this follow-on work seamless and efficient.  The assessment process provides us with a unique level of detail to thoroughly understand our clients’ data collection and use practices.  Examples of follow-up projects include:

    • Counseling related to individual products that were evaluated during the review
    • Drafting incident response or disaster recovery plans
    • Creating corporate information management programs
    • Helping companies certify in the EU Safe Harbor program in order to lawfully transfer to the United States data about their European customers or employees

Network Intrusions and Data Breaches

Our data breach and network intrusion response team includes several former DOJ cybercrime prosecutors.  We regularly counsel clients with concerns about data breaches and assist with coordinating incident response and required notifications.  We have helped clients, ranging from public FORTUNE 100 companies and retailers with operations and customers nationwide to local nonprofits, school districts and small private companies, work through legal requirements and address their legal, reputational and commercial risks. 

Lost, stolen or inadvertently disclosed electronic or physical records containing the personal information of users, customers or employees - not to mention trade secrets and intellectual property - implicate a web of state and federal laws and regulatory interest. 

While not every breach involves a type of personal information that requires notification or disclosure, every breach requires attention and an individualized response tailored to the facts and nature of the breach, and an evaluation of how processes can be improved to minimize the risk of future breaches. Features of our service include:

    • An efficient approach that includes triaging the initial breach, minimizing legal risk, identifying notification and disclosure obligations, and providing notice to affected individuals, regulators and others where necessary
    • Capabilities to tap into existing relationships with forensics firms and breach notification providers  when the size or nature of the breach warrants
    • Addressing publicly traded companies' need for disclosures in security filings pursuant to the SEC’s guidance on disclosing cybersecurity risks
    • Advice and counsel on network intrusions, such as companies’ obligations as the victim of an attack, and the steps necessary to remediate compromised networks

Perkins Coie's counsel includes extensive experience in helping clients avoid breaches through targeted product advice, privacy assessments and other counseling centered on understanding a company’s data and instituting programs to prevent and detect intrusions.

Privacy Litigation and Regulatory Investigations

Our attorneys help clients respond to regulatory inquiries from the FTC, FCC and state attorneys general.  We assist in favorably resolving regulatory inquiries through our quick understanding of the client’s technology and by providing the agencies with the appropriate information to understand our client’s practices.  Examples of our counsel to technology companies in regulatory investigations include:

    • Represented Google in negotiation of first FTC "privacy by design" and EU Safe Harbor consent decree regarding Google Buzz
    • Defended Google before regulatory bodies worldwide, including the FTC and a multistate attorneys general investigation, in inquiries stemming from Google's Wi-Fi data collection via Street View
    • Represented a FORTUNE 50 company in connection with multiple criminal and civil inquiries by government agencies regarding alleged collection and sharing of subscriber data without consent
    • Protected numerous mobile applications and mobile advertising companies in defense of FTC inquiries presenting issues under Section 5 of the FTC Act and also COPPA

Often, regulatory investigations lead to, or are simultaneous with, private-party class action litigation involving claims based on privacy policy statements, consumer protection laws prohibiting deceptive or unfair practices, collection and disclosure of user information, TCPA, ECPA and SCA, and California Song-Beverly Act claims.  We have specific experience coordinating the defense of both regulatory and class action litigation stemming from the same occurrence, which requires careful navigation of different timelines and different discovery requirements. 

We also routinely collaborate with attorneys in our Class Action Defense group, which has significant experience in managing and successfully defending consumer protection class action litigation. Examples of privacy-related class actions include:

    • Represented Google in multiple nationwide class actions regarding privacy issues, including those regarding Google Buzz and regarding Google Play/Google Wallet
    • Defended Twitter in class action regarding privacy issues related to uploading of mobile device address books
    • Represented Sprint in putative class actions asserting claims under federal and state privacy laws

Cyber Enforcement

Our cyber enforcement group helps clients protect their websites, Internet and mobile services, and keep users safe from abuse.  We have dedicated Internet investigation resources that help us identify, understand and document sophisticated schemes that target our clients and are instigated by spammers, hackers, phishers, scrapers, scammers and other computer system abusers and criminals. 

We advise clients on effective enforcement strategies that may include referrals to regulatory agencies, referrals to law enforcement, or filing civil lawsuits against the wrongdoers.  Perkins Coie also efficiently implements enforcement programs and readily adapts services to meet client needs.  These programs may range from a single cease and desist letter and follow-up, to multifaceted, multiyear programs where a company outsources its enforcement work to our dedicated team of Internet enforcement lawyers.

International Privacy and Data Flows

Our clients operate around the world, which requires global guidance that allows them to move data in compliance with international privacy laws. Worldwide privacy challenges include data transfers, cross-border evidence gathering, investigations, civil discovery, employment matters, processing agreements, and mergers and acquisitions. Perkins Coie provides international privacy counsel in areas such as: 

  • Compliance with non-U.S. law enforcement data requests and Mutual Legal Assistance Treaty requests 
  • eDiscovery outside the U.S., and response to civil demands, Section 1782 requests and other civil matters 
  • Defense of multijurisdictional privacy inquiries
  • Global product launches

We work with local counsel around the world to meet domestic privacy requirements, and we assist companies to conduct global data assessments and respond to data breaches.

TCPA Compliance and Defense

Any company that places calls or sends text messages to customers does so against the backdrop of an extremely aggressive plaintiffs’ class action bar eager to bring claims under the Telephone Consumer Protection Act (TCPA). Perkins Coie counsels companies on avoiding TCPA lawsuits and defending them when facing TCPA claims, and we represent companies before the FCC in rulemaking and enforcement proceedings.

With a team bolstered by former FCC, in-house, and industry advertising group attorneys, and a national class action defense practice, we counsel clients regarding all aspects of TCPA compliance. This includes compliance with recent TCPA amendments regarding prior express written consent and novel technologies, such as group texting, refer-a-friend features, lead generation and the interplay between TCPA and HIPAA, among other issues. We also regularly represent a wide variety of organizations in TCPA lawsuits and regulatory proceedings.

Representative matters in which we have provided TCPA counsel include:

  • Defended Google in a TCPA class action relating to a group messaging platform
  • Represented Limited Brands in a TCPA class action in the Northern District of Illinois
  • Represented NASCAR in defense of a TCPA class action claim relating to text messages
  • Represented Quicken Loans in successfully moving to dismiss three of four causes of action and obtaining discovery sanctions on a TCPA cause of action resulting in dismissal of remaining TCPA claim
  • Obtained a dismissal with prejudice for Redbox in a TCPA class action in California federal court
  • Defended Career Education Corporation in two separate class actions alleging violations of the TCPA for the sending of text messages promoting educational institutions
  • Represented Sprint and achieved a settlement on a class-wide basis, obtained preliminary approval and final approval of the settlement, and worked with a claim administrator to receive and settle claims
  • Represented a communications provider in an FCC investigation regarding TCPA issues and negotiated a settlement with the FCC’s Enforcement Bureau
  • Filed petitions for declaratory rulings with the FCC on behalf of Outspoken and TextMe
  • Represented Obama for America in a TCPA class action alleging that robocalls were made to cell phones without consent

To keep clients current on litigation and regulatory developments, we produce a newsletter on emerging issues on TCPA and related privacy issues.

We regularly advise clients on how to implement "privacy by design" principles into their organizations, and how to best respond to law enforcement and civil requests for user information, sophisticated network attacks and other security breaches. Our data breach and network intrusion response team, including several former DOJ cybercrime prosecutors, regularly counsels clients with concerns about data breaches and assists with coordinating incident response and required notifications.

"Privacy by design," privacy assessments, security breach response plans, insurance coverage and contractual provisions for transferring data and securing it, are all tools for developing a successful privacy program. Privacy plans also must address responding to consumer complaints, litigation or regulatory inquiries. We help our clients respond to immediate issues and understand that it is never too late to address privacy and security matters.