
Lowenstein Sandler LLP

Mary J. Hildebrand


Founder and Chair, Privacy & Cybersecurity


  • Outsourcing
  • Intellectual Property & Patents
  • Corporate
  • Franchise and Distribution

WSG Practice Industries


WSG Leadership

WSG in North America Group
WSG Main Group
ABA Group
Women's Professional Forum Group

Lowenstein Sandler LLP
New Jersey, U.S.A.


For more than 30 years, Mary has drawn on her deep experience in privacy and data security, tech, and intellectual property to handle sophisticated technology deals from concept to conclusion.

Mary regularly serves as lead counsel to both public and private companies in complex commercial matters involving:

  • Digital and social media
  • Software
  • Clean tech
  • Renewable energy
  • Public utilities
  • Financial services
  • Medical devices
  • Entertainment
  • E-commerce
  • Transportation
  • Universities
  • Not-for-profit organizations 

Additionally, she counsels startups on the transactions and foundational legal structures needed to launch their businesses.

As a leading intellectual property lawyer, Mary has achieved an enviable track record in commercializing, protecting, and managing intellectual property, technology, and database assets around the world. She is also a recognized authority on EU and U.S. data privacy and information security laws, including the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR).

A highly regarded "top-notch," "hugely responsive," and "skilled, bright and knowledgeable" practitioner, Mary has been consistently recognized by Chambers USA (2009-2019) for her successful handling of complex transactions involving significant IP assets. Her clients commend her as "a phenomenal client manager" who gives "useful, pragmatic, practical advice."

Mary has served as a member of Lowenstein Sandler's board of directors and Strategic Planning Committee, as well as chair of the firm's Diversity and Inclusion Committee.


Bar Admissions

    New Jersey


Duke University School of Law (J.D.)
Union College of Union University (B.A.), magna cum laude
Areas of Practice

Corporate | Franchise and Distribution | Intellectual Property & Patents | Outsourcing | Patent Counseling & Prosecution | Patents | Privacy & Cybersecurity | Privacy and Information Security | Privacy Law | Seed Stage Investing & Startups | Technology & Media Transactions | The Tech Group | Trademark Prosecution and Enforcement | Trademarks, Copyrights & Trade Secrets | Venture Capital & Tech M&A

Professional Career

Significant Accomplishments

Speaking Engagements

Cathy Serafin and Mary Hildebrand will present a webinar entitled "Insurance Issues in Commercial Contracts: Addressing Unique Risk Profiles for Your Deal." The presentation will discuss specific insurance issues to take into consideration when negotiating your next commercial contract. The speakers will cover how to draft specific provisions to protect your company or client's best interests in numerous situations that nearly all businesses routinely face.

Mary Hildebrand will speak on a panel entitled "EU GDPR and Privacy Shield" at The New EU Data Protection Regulation: Transnational Enforcement and its Effects on US Businesses Symposium. The annual Seton Hall Law Review Symposium brings together members of the judiciary, practicing lawyers, and legal scholars to explore important and timely aspects of the law and society. This is also the inaugural event of the newly established Seton Hall Institute for Privacy Protection.

In early 2018, the European Union will replace its entire privacy framework with the GDPR, which governs any organization that processes the personal data of an EU citizen regardless of geographic location. GDPR has immediate ramifications for U.S. organizations, including those that do not have any affiliates or locations in the EU. We are hosting the first installment of a two-part breakfast series on GDPR focused on the key practical issues associated with implementation and avoidance of penalties. Mary Hildebrand and Matt Oliver, CIPP/US, will speak on a panel in our AVL Center that includes Linda Rush, CIPP/US/C, CIPM, Privacy Officer and Associate General Counsel, Avis Budget Group Inc.

The EU is slated to replace its entire data protection structure in May 2018 with implementation of the General Data Protection Regulation (GDPR). GDPR has jurisdiction over any organization that collects or processes the personal data of EU citizens without regard to the organization's geographic location, so the impact of this complex legislation is worldwide. GDPR is not limited to tech companies – it applies to every private sector organization and many in the public sector.

In December 2016, the EU's Article 29 Working Party (WP29) released guidance on several key provisions of GDPR.

On Wednesday, February 1, we are hosting an update to our two-part GDPR series last fall focused on the new WP29 Guidance. Mary Hildebrand, CIPP/US/E, and Linda Rush, CIPP/US/C, CIPM, Privacy Officer and Associate General Counsel, Avis Budget Group, Inc., will discuss the impact of WP29's guidance, including what's covered and what's not, and recommend practical integration strategies. The February 1 session will be held in our New Jersey office, with similar sessions scheduled in our New York and Washington, D.C. offices.

Lowenstein and the New Jersey Chapter of the Association of Corporate Counsel (NJACC) will team up to host the 3rd Annual Cyber Day at One Lowenstein Drive. Cyber Day is a half-day program designed to help companies navigate current cybersecurity and data privacy issues, two themes that continue to generate press headlines, as well as client concern.

Lowenstein and NJ LEEP will team up to host a free CLE presentation on Blockchain Technology, Smart Contracts, and Cryptocurrency at One Lowenstein Drive from 5-7pm. The presentation will feature a one hour panel discussion moderated by Mary Hildebrand, with panelists Philip Decker, Vice President and Senior Counsel, Legal Affairs; Jason Mark Anderman, Vice President and Senior Counsel, Technology and Digital Law; and Emily Goodman Binick, Vice President and Senior Counsel, Cryptocurrency, all of American Express. The presentation will be followed by networking and refreshments.

Lowenstein and the New Jersey Chapter of the Association of Corporate Counsel (ACCNJ) will team up to host "The Deep, Dark Web – What is it – and how does it impact your business," a CLE presentation focused on the Dark Web, the local, national, and international repercussions, and how to protect your data from ending up on the deep, dark web. The program will feature a two-hour discussion led by Mary Hildebrand, CIPP/US/E, Founder and Chair, Privacy and Information Security Practice; Partner, The Tech Group; Christine Hoffman, Deputy Director, Division of Criminal Justice in NJ; and Mark Spencer, Regional Sales Manager, AccessIT Group, Inc.



Please join us as our panel of specialists from Lowenstein Sandler and ACA Compliance Group leads a discussion of real-time developments related to the following:

  • Data Privacy and GDPR Concerns for Investment Managers
  • The Advertising Rule - Compliance Advice and Practical Approaches
  • Recent SEC Enforcement Actions and Trends


Lowenstein's Zarema A. Jaramillo introduces opening keynote speaker Valerie Jarrett, former Senior Advisor to the Obama Administration, and Lynda A. Bennett and Mary J. Hildebrand are panel moderators at the Women, Influence & Power in Law conference. 

October 4, 2018

9:15 a.m.: Opening Keynote: Fireside Chat | Staying Nimble, Taking Risks, and Empowering Women to Lead With Authenticity and Confidence

  • Introduction of keynote speaker: Zarema A. Jaramillo, Partner, Lowenstein Sandler LLP
  • Keynote speaker: Valerie Jarrett, former Senior Advisor, Obama Administration

Empathy, intuition, and collaboration are the qualities people are looking for in their leaders today. In this session, hear from our keynote speaker on how she has taken risks to break through gender bias with confidence, authenticity, and effectiveness in her professional journey.

11 a.m.-12 p.m.: GDPR: Assessing Your Organizational Competence and Risk in a Data-Driven World 

  • Moderator: Mary J. Hildebrand, Partner; Founder and Chair, Privacy & Cybersecurity, Lowenstein Sandler LLP
  • Panelists:
    • Li Reilly, Vice President & Deputy General Counsel, Fareportal
    • Ilona Levine, Senior Corporate Counsel, Privacy, Data Protection, Cybersecurity and Compliance, OVH US
    • Jo Ann Lengua Davaris, Chief Privacy Officer, Mercer

The implementation of GDPR–and the potential for regulatory enforcement actions, private causes of action and legal challenges from various quarters–exemplifies the uncertainty that permeates the privacy and cybersecurity world. How can you manage your legal, compliance, and business risks to achieve the best outcome for your organization? This panel will discuss the practical implications of managing against the new organizational requirements, such as accountability measures, breach notification requirements, data subject rights, and processing system assessments.

October 5, 2018

10-11 a.m.: How to Evaluate Exposure to Personal Liability Arising from Recent Enforcement Actions Against Corporate Counsel

  • Moderator: Lynda A. Bennett, Partner; Chair, Insurance Recovery Group, Lowenstein Sandler LLP
  • Panelists:
    • Patricia Barbieri, Senior Vice President, General Counsel and Secretary, Daiichi Sankyo, Inc.
    • Lynn Feldman, EVP and General Counsel, Clear Channel Outdoor
    • Shirin Saks, Assistant General Counsel, Litigation and Employment, Dun & Bradstreet

Corporate counsels are an organization's ethics watchdogs, yet they are often asked to give strategic business advice. This can put in-house lawyers in awkward positions, jeopardize attorney-client privilege, and potentially expose the company and its leaders to liability. This session will provide an ethical framework and best practices to help navigate this dual role, and focus on how to protect corporate counsel and other executives against potential liability risks through insurance coverage and other innovative risk management techniques.

Mary J. Hildebrand speaks alongside Richard Ledgett, Former Deputy Director, National Security Agency, at World Services Group's (WSG) 2018 Annual Meeting, scheduled for September 19-21, 2018. The conference features engaging guest speakers and panel perspectives while offering several opportunities for delegates to network among professionals across the WSG Network.

Join us for our 4th Annual Cyber Day. This half-day program features sessions led by Lowenstein lawyers and other industry leaders who will discuss how companies can navigate cybersecurity, blockchain, and data privacy issues as well as the cyber insurance market in order to operate in a post-GDPR business landscape.

Topics include:

  • Cyber Risks: Where to Find Coverage and How to Maximize Recovery for Cyber Claims 
  • A Global Perspective: Status Report on the Impact of GDPR and What You Need to Know About the Evolving U.S., Federal, and State Data Privacy Laws
  • Government Investigations: How to Prepare and What to Do
  • Beyond Bitcoin: An Introduction to Blockchain

Lowenstein speakers include: 

The program runs 7:30 a.m.-2 p.m. Program location: Lowenstein Sandler LLP, One Lowenstein Drive, Roseland, New Jersey 07068; 973.597.2500. CLE credit available.

In response to GDPR and Privacy Shield changes, Mary J. Hildebrand participates in a webinar panel regarding next steps for entities in the financial services industries that have completed initial gap analyses and modified their public-facing privacy policies.

This session will focus on what these heavily regulated industries will have to do in the next 60 days to establish and maintain a legally defensible position with respect to privacy and security of personal data — not only to comply with regulation but to be poised to do business in the 21st century.


  • Mary J. Hildebrand, Partner; Founder and Chair, Privacy & Cybersecurity, Lowenstein Sandler LLP
  • Ray Ford, Founding Member, GDPR Institute
  • Mark Rasch, Chief Legal Counsel, Digital Risk Management Institute; former head, United States Department of Justice, Cyber and High Technology Crime Unit
  • David Morris, early pioneer in cybersecurity; Managing Partner, Morris Cybersecurity

GDPR recently commanded headlines – and commandeered corporate resources – throughout the world. Several new U.S. state and federal data protection laws create a “one-two punch” for organizations already implementing GDPR and impose new obligations on companies that are out-of-scope for GDPR. This session will discuss these developments and strategies for aligning GDPR with the evolving U.S. privacy landscape. 


  • Mary J. Hildebrand, CIPP/US/E, Partner; Founder and Chair, Privacy & Cybersecurity, Lowenstein Sandler LLP
  • Sundeep Kapur, CIPP/US, Associate, Lowenstein Sandler LLP
  • Mark Faber, Vice President, Corporate Counsel, Cyber and Privacy Law, Prudential Financial

This one-hour webinar takes place at 2 p.m. ET.

This panel discussion will address the impact of the recent U.S. Supreme Court decision, Carpenter v. United States, and its effect on privacy law and law enforcement's ability to track historical or real-time cell phone location. The panelists will also explore how other types of electronically gathered information, such as data stored by wearable technologies and location tracking applications, will be affected in the post-Carpenter era.

This program is co-sponsored by the Rutgers Law School Center for Corporate Law and Governance (cclg.rutgers.edu), the Rutgers Computer and Technology Law Journal (rctlj.org), and Rutgers Institute for Professional Education (rutgerscle.com).


  • Mary J. Hildebrand, CIPP/US/E, Partner; Founder and Chair, Privacy & Cybersecurity, Lowenstein Sandler LLP
  • Douglas S. Eakeley, Of Counsel, Lowenstein Sandler LLP
  • Ronald K. Chen, University Professor, Rutgers Law School
  • Sabrina G. Comizzoli, Assistant U.S. Attorney, U.S. Attorney’s Office, District of New Jersey  
  • Todd Schulman, Associate General Counsel, Verizon

Time: 4-6 p.m.; a networking reception follows the presentation.

Location: Rutgers Law School, Baker Trial Courtroom (Room 125), Center for Law and Justice, 123 Washington Street, Newark, NJ 07102

NJ CLE information: This program has been approved by the Board on Continuing Legal Education of the Supreme Court of New Jersey for 2.4 hours of total CLE credit.

In-house lawyers in industries far beyond the tech world–such as financial services, pharmaceuticals, insurance, and consumer electronics, to name only a few–need practical guidance on the many ways that cybersecurity and privacy issues can affect all stages of business, from the valuation of data as an asset to the allocation of risk.

In response to this need, Lowenstein Sandler has expanded our annual program to include an even deeper dive into cybersecurity issues of special interest to GCs, CPOs, and CIOs. Our interdisciplinary group of privacy and data security specialists has teamed with in-house counsel to develop programming aimed to help corporations and executives navigate the potential risks, regulations, and benefits at stake, as well as best practices to address these issues.

Topics include:

  • Data Protection Law Developments: A Year in Review and What to Expect in 2020
  • Artificial Intelligence: Preparing for the Future of Business
  • Cyber Insurance: What It Covers, Why You Need It, and How To Get It
  • Blockchain Promises Solutions Across Industries, But Will it Deliver?
  • Telehealth and Telemedicine: The Future of Health care?
  • Biometric Data: From Finger Scans to Facial Recognition, a Deeper Dive into Artificial Intelligence
  • State Privacy Laws: A Deeper Dive into New and Amended U.S. State Privacy and Cybersecurity Laws

Program time: 7:30 a.m.-2:15 p.m. 

Program location: Lowenstein Sandler LLP, One Lowenstein Drive, Roseland, New Jersey 07068; 973.597.2500. 

CLE credit available.

Wi-Fi access and conference space will be available to take phone calls and stay connected to your workday.

Mary J. Hildebrand CIPP/US/E will lend her unique expertise to Media Outlook 2020 during her presentation, "Privacy and Cybersecurity Laws Move at Lightning Speed: Top 5 Things You Need to Know for 2020." During her session Hildebrand will discuss new U.S. cybersecurity laws for 2020; provide an overview of recommended actions when a data breach is discovered; outline considerations for business websites; talk about the role of ad tech; and explain why data flow is an important consideration in privacy regulations.

Time: 8:30 a.m.-12:20 p.m. on Thursday, September 12th. 

Location: Lowenstein Sandler, 1251 Avenue of the Americas, New York, NY 10020

Lowenstein partner Mary J. Hildebrand CIPP/US/E, founder and Chair, Privacy & Cybersecurity, moderates IoT and the Cybersecurity Landscape, a panel taking place as part of Corporate Counsel's General Counsel Conference 2019.

Panel description:

IoT is all the rage in many industries. Property developers, investors, and brokers are increasingly deploying these technologies, as well as automation, to lure potential buyers with connected appliances like refrigerators, water heaters, heating/cooling systems, security cameras, and more -- which can increase operational efficiency in homes and commercial properties. However, there’s an important caveat to the IoT industry that can become a major risk: security. In this session, attorneys discuss the core security principles of IoT devices, the privacy risks associated with IoT infrastructure, and the biggest challenges and opportunities in the IoT landscape.

Moderator: Mary J. Hildebrand CIPP/US/E, partner; founder and Chair, Privacy & Cybersecurity; member, The Tech Group, Technology & Media Transactions, Lowenstein Sandler LLP


  • David Kessler, Public Sector Counsel, Verizon
  • Steven Monroe, Co-General Counsel, Head of US Compliance & Regulatory Affairs, Beazley
  • Fernando Pinguelo, Associate General Counsel, Data Privacy, Willis Towers Watson
  • Lynette Carhart Gladdis, Senior Vice President, Litigation and Regulatory Affairs, Realogy Holdings Corp.

The panel takes place on Thursday, September 26, 2019; 10-11 a.m.

The conference takes place Wednesday, September 25-Thursday, September 26, 2019.

Program location: New York Marriott Marquis, 1535 Broadway, New York, NY 10036

Bruce S. Nathan, Partner, Bankruptcy, Financial Reorganization & Creditors' Rights, and Mary J. Hildebrand CIPP/US/E, Partner; Founder and Chair, Privacy & Cybersecurity, are featured speakers in prerecorded webinars produced for the National Association of Credit Management's 2020 Credit Congress & Expo: Online Showcase.

Access is available June 15-August 31, 2020.

29040. Data Privacy & Cybersecurity in the Post-Pandemic Era 
Speakers: Val Venable, CCE and Mary J. Hildebrand, Esq., Lowenstein Sandler

This session examines the privacy and cyber impact of COVID-19 on the credit industry, along with applicable laws and best practices.

29064. Cutting-Edge Bankruptcy Training: The Follow-up to Bankruptcy Bootcamp - Part 1 
Speakers: Wanda Borges, Esq., Borges & Associates, LLC and Bruce S. Nathan, Esq., Lowenstein Sandler LLP

Whether you attended Bankruptcy Bootcamp at Credit Congress 2019 or have gained basic bankruptcy knowledge elsewhere or on the job, this program has been prepared to take you to the next level of knowledge. As we see more bankruptcy cases building a nest egg from preference recoveries, the best practices to defend preferences and understanding the nuances of building that preference defense, sometimes with unique “tricks” will be imperative for the next several years. The speakers will discuss the recent changes to the Bankruptcy Code concerning preference claims; recent litigated issues concerning preference claims and defenses, the section 503(b)(9) priority claim in favor of goods sellers, reclamation claims, consignment claims, and involuntary bankruptcy petitions; and the recent amendment to the Bankruptcy Code concerning small business debtors. Also, chapter 11 Plans to best protect your company from the risk of third party releases and the strategy behind opposing such plans will be discussed. The speakers will share the important role that creditors’ committees play in assisting trade creditors that do business with chapter 11 debtors and enhancing trade creditor recoveries.

29074. Cutting-Edge Bankruptcy Training: The Follow-up to Bankruptcy Bootcamp - Part 2 
Speakers: Wanda Borges, Esq., Borges & Associates, LLC and Bruce S. Nathan, Esq., Lowenstein Sandler LLP

Whether you attended Bankruptcy Bootcamp held at NACM’s 2019 Credit Congress or have gained your basic bankruptcy knowledge elsewhere or on the job, this program has been prepared to take you to the next level of knowledge. As we see more bankruptcy cases building a nest egg from preference recoveries, the best practices to defend preferences and understanding the nuances of building that preference defense, sometimes with unique “tricks” will be imperative for the next several years. The speakers will also discuss the recent changes to the Bankruptcy Code concerning preference claims; recent litigated issues concerning preference claims and defenses, the Section 503(b)(9) priority claim in favor of goods sellers, reclamation claims, consignment claims, and involuntary bankruptcy petitions; and the recent amendment to the Bankruptcy Code concerning small business debtors. The speakers will also be dissecting Chapter 11 Plans to best protect your company from the risk of third-party releases and discuss the strategy behind opposing such plans. Finally, the speakers will discuss the important role that creditors’ committees play in assisting trade creditors that do business with Chapter 11 debtors and enhancing trade creditor recoveries.

Program notes:

The 2020 Credit Congress education sessions will now be presented in an online format. Registered delegates can earn up to 1.3 CEUs and have access to all available content until August 31, 2020. Instructions and a launch date will be sent to delegates.

Registered delegates will have access to:

  • Sessions via webinar (recorded and live)
  • The ability to listen and learn from unlimited presenters
  • CEUs (continuing education units) and CCE recertification points
  • Expo Showcase, highlighting the vital products and services from our Expo partners
  • Plus free bonus content

Access is available June 15-August 31, 2020.

Lowenstein partner Mary J. Hildebrand CIPP/US/E, Founder and Chair, Privacy & Cybersecurity, presented this webinar as part of TerraLex's 2020 Virtual Global Meeting.

Professional Associations

The International Association of Privacy Professionals (IAPP)
Liberty Science Center, Founder and Member of Board of Directors of the Women’s Leadership Council
Licensing Executives Society, New Jersey Metro Chapter
  • Co-chair
American Bar Association
New Jersey State Bar Association
Executive Association of New Jersey
  • Past President and Chair of the Board of Trustees

Professional Activities and Experience

  • Chambers USA (2009-2020) - Mary Hildebrand
  • The Best Lawyers in America - Mary Hildebrand


The EU-U.S. Privacy Shield Invalidated: What it Means for U.S. Companies
Lowenstein Sandler LLP, July 2020

What You Need To Know and Do Now: Europe’s top court has invalidated the EU-U.S. Privacy Shield, effective immediately. For now, other EU-U.S. data transfer mechanisms, such as the Standard Contractual Clauses, remain intact BUT subject to additional, intense scrutiny by EU regulators. The U.S...

Privacy Concerns Multiply as Digital Contact Tracing Spreads: U.S. Tech Industry Takes the Lead as Congress Fails to Act
Lowenstein Sandler LLP, June 2020

What You Need To Know: Digital contact tracing (DCT) is a potential game changer in the COVID-19 pandemic. However, the sensitive personal information collected by DCT applications (“DCT apps”) largely falls through the cracks of existing U.S. data protection laws. The California Consumer Privacy Act (CCPA) may be the only current legal model that encompasses the data privacy aspects of digital contact tracing...

California Attorney General Submits Final Regulations for the California Consumer Privacy Act
Lowenstein Sandler LLP, June 2020

What You Need To Know: The final California Consumer Privacy Act regulations are now under review by the California Office of Administrative Law, and there will be no additional opportunities for public comment. The California Attorney General has requested expedited review of the CCPA regulations, bypassing an executive order issued by the Governor of California extending administrative review periods due to the COVID-19 pandemic...

Additional Articles

It’s easy for philosophical differences between the United States and Europe to seem like intellectual abstractions -- right up until the moment they entail immense financial loss. The European embrace of a right to privacy, a capital “R” Right akin to any that we have enshrined in the Bill of Rights, might not appear to be of consequence to most Americans. However, given pending EU legislation, you could violate this right and incur huge fines without ever setting foot on the continent. Depending on the final shape of a new regulation currently working its way through the European Union, simply advertising online to Europeans in a manner that utilizes their purchasing history could incur a fine equivalent to two percent of your annual global revenues. While this concept may seem far-fetched, if you’re about to conduct any commerce in Europe, you should make it your business to monitor and understand the new regulation.

A recap from Lowenstein Sandler and ACC New Jersey’s 4th Annual Cyber Day Conference.

On October 10, I was delighted to welcome an overflow crowd of in-house counsel for lively discussions on navigating this increasingly complex regulatory and business landscape. As Chair of Privacy & Cybersecurity at Lowenstein, I see first-hand how new U.S. state and federal data protection laws have created a “one-two punch” for companies implementing GDPR (which became effective on May 25 of this year), and imposed new obligations on companies that are out-of-scope for GDPR. Aryeh Friedman, VP, Associate GC and CPO of Dun & Bradstreet, and I addressed these key takeaways on our panel.

GDPR Compliance is a Work in Progress: Surveys show that about 12% of US entities and 27% of EU entities surveyed believe they are ‘fully compliant’ with GDPR. Putting aside for the moment that there’s no consensus on exactly what ‘fully compliant’ means for GDPR, many US-based entities are still in process, and others are just coming to the realization that they are in-scope.

New California Law is a Game-Changer: It’s not a “mini-GDPR,” but the California Consumer Privacy Act (“CCPA”) reflects similar principles and grants broad control to California residents over their personal information. Entities that comply with GDPR need a gap analysis to determine what’s required of them under CCPA, and non-GDPR entities must evaluate their data practices in light of CCPA. With substantial fines and a private cause of action for data breach, CCPA challenges the status quo. US states are acting to fill the void created by the absence of comprehensive federal data protection laws (25% of the states recently adopted new or amended statutes). At this pace, state data protection statutes could go the way of data breach laws – 50 different laws across the country.

Get Ready For More Disruption: A year from now the data protection landscape is likely to be vastly different. Among other things –

  • GDPR started a global trend, with Brazil and India already falling in line and there’s more to come.
  • The Privacy Shield’s second annual review is happening now, and its future is not assured. Just shy of 4,000 companies currently depend on Privacy Shield to transfer data from Europe to the US. If the Privacy Shield is invalidated there are very few other options especially for B2C businesses. At the same time, standard contractual clauses (a/k/a, Model Contracts) are the subject of a hotly contested legal challenge by Max Schrems (of Safe Harbor fame) against Facebook.
  • Brexit is targeted for March 2019, and the EU is unlikely to issue an adequacy decision (regarding the protection of personal data) for the UK until Brexit is a reality. While other treaties may mitigate the impact, without an adequacy determination the UK (and UK affiliates of US companies) will be required to rely on model contracts, consent or other approved data transfer mechanisms as we do in the US.
  • Finally, foreign entities or individuals seeking to invest in US companies now have another hurdle -- The US Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) expands the jurisdiction of the Committee on Foreign Investment in the United States (CFIUS) to include non-passive investments in any company that deals with “sensitive personal data of US citizens that may be exploited in a manner that threatens national security.” We are still awaiting regulations, but indications are that “sensitive personal data” will be broadly interpreted resulting in many more transactions being subject to these rigorous reviews.

On June 24, 2019, U.S. Sen. Mark Warner, D-Va., and Sen. Josh Hawley, R-Mo., introduced the Designing Accounting Safeguards to Help Broaden Oversight and Regulations on Data, or Dashboard, Act, which mandates transparency by major platforms such as Facebook Inc., Google LLC, Amazon.com Inc. and Twitter Inc. regarding the monetization of user data.

A bipartisan effort, the bill would require broad disclosures to consumers and the U.S. Securities and Exchange Commission of exactly what data is collected, how it’s used and shared and its worth in dollars and cents. To encourage a uniform approach, the act also authorizes the SEC to develop methods for calculating the value of data across platforms. This novel approach, among the first of its kind, has important implications for the digital economy and the status of “data” as a discrete asset governed by a new and rapidly evolving body of law.

Specifics of the Act

The act requires commercial data operators (entities that generate a material amount of revenue from user data with more than 100,000,000 unique users or visitors) to provide each user with detailed information on a quarterly basis. Specifically, each user will receive a description of the types of data collected, any use of his or her data unrelated to the online services he or she patronizes and the economic value placed on the data by the commercial data operator. With limited exceptions, commercial data operators must also provide users with the ability to delete their data through a single setting or another “clear and conspicuous mechanism.”

In contrast to the personal nature of disclosures to users, public companies that qualify as commercial data operators under the act are required to make broad disclosures to the SEC. At least annually, commercial data operators must submit a written report to the SEC setting forth the “aggregate value” of user data they hold, contracts with third parties that collect such data on their behalf, and any other items that the SEC deems “necessary or useful.”

The act empowers the SEC to develop data valuation methodologies to encourage standardization across different users, sectors and business purposes. Within a year after passage, the act requires additional disclosures to the SEC including, among others, data security, aggregate revenue derived from user data, and a description of each revenue generating activity dependent on user data.

Enforcement of the act falls squarely within the jurisdiction of the Federal Trade Commission under Section 5 of the FTC Act. Any violation of the Dashboard Act is deemed an “unfair or deceptive act,” invoking the full range of the FTC’s investigatory and enforcement powers. Perhaps more significant, the FTC would be responsible for issuing regulations under the act. Commercial data operators will be confronting enhanced scrutiny and regulation from the SEC and the FTC, two formidable federal agencies.

Why This Bill Matters

By recognizing “data” as a valuable asset in its own right, the act would disrupt the existing dynamic between consumers, the technology industry and federal regulators. If “knowledge is power,” then consumers would have an unprecedented ability to control their data. As an example, consumers may begin demanding financial compensation for data formerly provided just for the privilege of using online services.

Adoption and implementation of the act would have an immediate impact on the technology industry at an already challenging time in its evolution. Additional scrutiny by the FTC and a newly empowered SEC could have significant financial repercussions and accelerate calls to break up these “monopolies.”

Other state and federal regulators are likely to become involved, particularly with activist attorneys general and state legislatures already promoting (and passing) new data protection legislation such as the California Consumer Privacy Act. No one can predict all the consequences, but we can be certain that if the sensitive information sought by the act becomes public, there’s simply no going back.

Whether or not the act becomes law, its underlying premise that “data” is an asset in its own right has other important implications. Viewed from this perspective, data assets may be licensed, purchased, processed and shared for any number of commercial and other activities. However, data is governed by its own unique and rapidly growing body of laws and regulations that did not exist a few years — or even a few months — ago. Current models for monetizing other intangible assets, such as intellectual property, may fail to take these new developments into account.

In the midst of legal uncertainty, commercial and business activities involving data continue apace across our economy. The private sector allocates the risks associated with commercializing data every day from scope of use issues to data breach liability and everything in between. In fact, there’s a distinct possibility that the development of commercial norms surrounding data and risk allocation may outstrip the pace of legislation or significantly influence its future course. There’s no doubt that when it comes to data assets, different rules apply and they’re changing every day.

What You Should Do Now

Be Alert

The ultimate fate of the act is not clear, but the concept of data as a discrete asset with economic value is not disappearing from the public or legislative landscape. In particular, states are promulgating laws governing data privacy and security at an unprecedented pace (dozens in the last 24 months), covering far more entities than the act.

The CCPA, for example, sets the bar for coverage at $25 million in revenue or meeting threshold amounts of data under management, and the pending New York Privacy Act covers any legal entity that conducts business in New York state or produces products or services that “intentionally target” New York State residents with no financial or data standard.

Coverage under Europe’s General Data Protection Regulation, which strongly influenced the CCPA, the NYPA and other legislation in the U.S., is independent of the size of the company or the amount of data it holds. In other words, the act’s focus on tech behemoths does not preclude others from replicating the key concepts and applying them to a broad range of companies.

Stay Ahead of the Curve With Your Users

It’s a truism in some circles that data is the centerpiece of the digital economy, but the users that deliver that commodity may benefit from some attention now. Stay ahead of the trend by offering your users enhanced transparency regarding their data, and ensure that your public facing terms and policies are user friendly and easy to access. Taking reasonable steps now to encourage loyalty may mitigate the impact of future laws on user retention and your business.

Acknowledge Data as a Valuable Asset in Your Business Portfolio

  • Know, understand and implement the new laws and regulations that impact your licensing, purchasing, sharing and monetizing of data in all areas of your business.
  • Ensure that key personnel are appropriately trained with the legal, technical and business resources necessary to obtain, protect and capitalize data assets.
  • Respect and preserve data assets with the same care and attention as any other material asset of your business.

The COVID-19 pandemic has had a disparate effect on privacy regulators, with varying levels of enforcement advocated by different government entities. The California Attorney General, the U.S. Department of Health and Human Services (HHS), European data protection authorities, and other regulators have taken different, often contradictory, approaches to dealing with the competing interests of a struggling economy and the threat of increased privacy and cybersecurity violations. These contradictions are likely to persist, as competing privacy legislation was recently introduced in Congress to regulate the collection and use of personal information during the COVID-19 pandemic.

Businesses struggling with the virus’s economic impact are striving to allocate resources for maximum financial benefit; simultaneously, risks to personal information and privacy rights have increased in a remote global workforce where phishing, malware, and other cyberattacks proliferate and the political pressure to collect and track medical information regarding COVID-19 infections mounts. With the seemingly competing interests of protecting the bottom line and addressing a heightened threat to privacy, some privacy regulators are responding to these new realities by relaxing enforcement efforts, while others decline to do so in recognition of the current risk to privacy and information security.

Below is an update on how different regulators have responded regarding enforcement since the COVID-19 national emergency was declared.


The California Attorney General has declared that despite the pandemic, it will not delay enforcement of the California Consumer Privacy Act (CCPA), which is set to begin on July 1.

In late March, as the extent of the COVID-19 pandemic was becoming clear, a joint industry letter by advertising and adtech trade associations asked the Attorney General’s office to delay enforcement of the CCPA until 2021. The letter highlighted that “[t]he public health crisis brought on by COVID-19 juxtaposed with the quickly approaching enforcement date for the CCPA places business leaders in a difficult position. They are forced to consider trade-offs between decisions that are best for their employees and the world at-large and decisions that may help the organizations they lead avoid costly and resource intensive enforcement actions.”

In an email to Forbes magazine, an advisor to the Attorney General responded, “Right now, we’re committed to enforcing the law upon finalizing the rules or July 1, whichever comes first … We’re all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers’ privacy online that comes with it. We encourage businesses to be particularly mindful of data security in this time of emergency.”

On June 2, 2020, the Office of the Attorney General announced that it had submitted the Final Text of the Proposed Regulations to the California Office of Administrative Law (OAL) for approval. The Office of the Attorney General requested an expedited review period of thirty (30) business days which, if approved, means the Final Text of the Proposed Regulations could become effective in mid-July. With less than 30 days until the planned enforcement date, businesses subject to the CCPA should ensure that their CCPA compliance efforts remain on track. As a further incentive to ensure your compliance framework is in place, the California Privacy Rights Act (CPRA), commonly referred to as CCPA 2.0, has garnered enough signatures to appear on the November 2020 ballot in the state of California. Among other measures, the CPRA would create a new enforcement agency (the California Privacy Protection Agency), expand data breach liability, and impose additional obligations on service providers, third parties, and contractors. In a nod to the business community, the CPRA would extend the current moratoriums on certain employee and business-to-business data from 2021 to 2023.


The European Data Protection Board (EDPB), an agency created under the General Data Protection Regulation, issued a statement on the processing of personal data in the context of COVID-19. The EDPB stated that even during this pandemic, data controllers and processors must ensure the lawful processing of personal data, but it also noted that an “emergency” might legitimize “the restriction of freedoms provided these restrictions are proportionate and limited to the emergency period.”

The EDPB provided clarification on how public health authorities and employers can process personal data in the context of a pandemic, pointing to legal bases such as processing pursuant to a legal mandate of a public authority and compliance with health and safety obligations that are in the public interest.

The EDPB also issued two new guidelines: (1) "Guidelines 03/2020" on the processing of data concerning health for the purpose of scientific research in the context of the COVID-19 outbreak and (2) "Guidelines 04/2020" on the use of location data and contact tracing tools in the context of the COVID-19 outbreak. "Guidelines 03/2020" allows health data to be processed for the purpose of scientific research with the consent of the data subject, as long as there is not a significant power imbalance, or without consent for the purpose of complying with national legislation. "Guidelines 04/2020" discusses the use and collection of location data to map the spread of the virus and contact tracing for notification purposes. The guidelines provide that contact tracing applications should be voluntary, rely on proximity information regarding users rather than tracing individual movements, and grant preference to processing anonymized data where possible. The EDPB emphasized in its guidance that response to the crisis and protection of the right to privacy are not mutually exclusive.

Data protection authorities in nearly all EU member states and the United Kingdom have issued similar guidance on the processing and sharing of personal data related to COVID-19. Organizations should continue to monitor guidance issued by the EDPB, the United Kingdom, and national data protection authorities in the countries in which organizations have a presence.


Perhaps the most critical response to the COVID-19 pandemic has been from the Office of Civil Rights in HHS, which is charged with the enforcement of the Health Insurance Portability and Accountability Act (HIPAA). Compounding the conflict between the conservation of resources to protect the bottom line and heightened privacy concerns in the crisis is a third element in play under HIPAA: the critical role of protecting the privacy and security of personal medical and health information as the crisis escalated.

While covered health care entities must continue to comply with the privacy and security rules under HIPAA, HHS has issued guidance and relied on its discretion to relax enforcement and waive penalties for community-based testing sites, public health and health oversight activities conducted by business associates, disclosures made to law enforcement and first responders, and telehealth service providers. With the proliferation of telehealth services during the pandemic, it remains to be seen whether HHS will extend its policy of relaxed enforcement after the emergency has subsided.


On May 19, the Federal Trade Commission (FTC) issued a public warning regarding scammers posing as contact tracers hired by state governments to obtain personal information such as Social Security Numbers from unsuspecting individuals. A few days later, in coordination with the Federal Communications Commission, the FTC instructed service providers that enable robocalling to terminate services to any customers exploiting the pandemic to obtain sensitive information from individuals, threatening such providers with “serious consequences” for failure to comply. These recent statements by the FTC follow warnings of surging complaints since the beginning of the year (upward of 18,000 as of mid-April) related to the coronavirus and signals of increased enforcement activity by the agency.


Reflecting the larger clash of interests, conflicting privacy legislation is currently pending in both houses of Congress. The COVID-19 Consumer Data Protection Act, introduced by Republican senators in May, seeks to regulate the collection and processing of personal health information, geolocation data, identifiers, and other data during the health emergency. Shortly thereafter, Democratic members of the House proposed the Public Health Emergency Privacy Act, which would broadly regulate “data linked or reasonably linkable to an individual or device, including data inferred or derived about an individual or device.” Most notably, the House bill includes a private right of action (a right not included in the Senate bill). Then, on June 1, 2020, Senators from both sides of the aisle introduced another Senate bill called the Exposure Notification Privacy Act (ENPA), which would regulate contact tracing and exposure-notification apps. Among other obligations, the ENPA would require affirmative express consent to collect data from an individual including COVID-19 status and geolocation, and includes restrictions on how such data may be used. Despite their differences, the speed at which these three bills were introduced underscores the urgency in Congress to address contact tracing technologies and holding government and businesses accountable for how collected personal information is used. Congress has not yet succeeded in passing national privacy legislation. Nonetheless, given the current exigent circumstances, if any one of the proposed bills is passed, it could form the basis for a future, more expansive general privacy legislation at the federal level.


  • The CCPA is set to become enforceable on July 1. If your business is regulated by the CCPA, you have a limited window to comply.
  • Government authorities have pursued different, frequently contradictory, approaches to enforcing data privacy and cybersecurity regulations during the COVID-19 pandemic.
  • It is imperative that you understand the data privacy and cybersecurity regulations applicable to your business and develop creative compliance programs that respect the integrity and security of personal information and maximize its value to your business.
  • If the potential for new federal privacy legislation is realized, additional regulations will be forthcoming, including regulation of contact tracing programs to combat the COVID-19 pandemic.


Reprinted with permission from the June 8, 2020, issue of Business Law Today. © 2020 American Bar Association. All Rights Reserved. Further duplication without permission is prohibited.
