How Tech Transaction Lawyers Help Clients Comply with Data Privacy Laws

Staying informed and responding to legal developments

By Canaan Suitt, J.D. | Last updated on August 17, 2023 | Featuring practical insights from contributing attorney Michael D. Oliver

“It seems like every time I turn around, another state is enacting a privacy law or changing the one they already have,” says Michael Oliver, a technology transactions attorney with Oliver & Grimsley in Towson, Maryland. “[Data privacy] is a very dynamic area of the law.”

Given the rapid legal advancements around data protection and cybersecurity law, Oliver says that any company engaged in “collecting personal information or processing, storing, or transmitting it should have legal counsel.”

Technology transactions attorneys like Oliver bring a unique skill set combining legal and technical knowledge to counsel clients and keep them informed on regulatory compliance issues and the legalities of business agreements involving technology.

A Shifting Legal Environment for Data Security

Failing to comply with data privacy laws can have significant legal and financial consequences for companies that collect, store, or share people’s personal information — from e-commerce platforms to financial services to retailers and beyond.

Oliver cites the example of Norway’s plan to fine Meta Platforms, Facebook’s parent company, for its data privacy breaches. According to Datatilsynet, Norway’s data protection authority, Meta may not collect user data such as physical location in order to target users with advertisements on social media apps. Failure to comply with this ruling would cost Meta approximately $100,000 per day.

Even though there is currently no U.S. federal data privacy law akin to the European Union’s General Data Protection Regulation (GDPR), state laws are constantly developing, creating new legal challenges for companies.

“I think you’re going to start seeing bigger and bigger fines,” Oliver says, “and more robust state privacy laws.”

For example, the California Privacy Rights Act (CPRA), which expands on the California Consumer Privacy Act (CCPA), was just held up by an injunction, but it will go into effect at least by 2024, he says. Among other things, the CPRA protects employee personal data in addition to consumer personal data and applies to a broader range of businesses.

“Additionally, there are the lawsuits and class actions arising from Illinois’ Biometric Information Privacy Act,” which regulates how companies can collect, use, and share people’s biometric data such as facial images, voice matching, and fingerprints.

Oliver notes the new legal hazards arising at the intersection of biometric privacy laws, data management, intellectual property rights, and new artificial intelligence applications. “Are companies going to breach biometric privacy laws by using an image of something to train artificial intelligence? Lawyers help keep clients out of trouble when they use AI.”

The Importance of Keeping Clients Informed

“In my legal practice, I try to keep clients up-to-date with developments in technology and the law,” says Oliver. “Larger firms have dedicated departments that track every news story. I primarily track data security and privacy issues across various jurisdictions.”

Keeping up with legal developments is only part of the task. Lawyers then have to relay information relevant to their client’s business operations. “Of everything you keep track of, how much do you tell a client? It’s tough,” says Oliver.

“You don’t want to scare them, and you don’t want to make it look like you’re trying to get legal work. You also don’t want to overload them with too much information. If there’s too much, you have to sift it down into something relevant to their business goals that they can digest.

“All the clients I’ve worked with are smaller companies, and they’re all super busy. So you can’t pepper them with every interesting case that was recently discussed. You have to get it down to relevant information.”

The Role of Tech Transactions Attorneys: Prevention and Response

Keeping clients informed is only one aspect of a tech transaction lawyer’s role. Attorneys in this legal area assist clients with many tasks, including:

  • Risk management and creating safeguards to protect the client’s information security;
  • Incident response in the event of a data breach;
  • Internal audits to ensure regulatory compliance;
  • Legal representation during regulatory investigations—for example, by the Federal Trade Commission (FTC) or state attorneys general;
  • Structuring service agreements, technology transfers, outsourcing, digital assets, or software as a service (SaaS);
  • Due diligence in merger and acquisition deals.

“All of the developments in privacy and data security are challenging for companies to keep up with,” says Oliver. Meanwhile, “Insurance companies have mostly figured it out—meaning that they have mostly changed their policies to more or less restrict what coverage you have in many scenarios.”

“Say you have a data breach—thankfully, that’s not something that happens for me very often, but maybe once or twice a quarter, I’ll get a call that there was a breach. A data breach triggers a number of critical questions,” he says:

  • What immediate steps do you take?
  • Who do you have to tell about the breach?
  • Where are all the individuals impacted by the breach physically located? Often, they’re all over the world. How do you notify them and address those logistical challenges?
  • Do you check in with your insurance carrier and make a claim?
  • What computer forensic experts do you call to analyze what happened and how it happened?

Answering these questions and formulating a plan requires legal guidance. “I have some clients who collect no personal information, and they have a completely different risk profile from clients who collect healthcare information, for example, which is highly sensitive personal information subject to HIPAA and other laws. These clients are in a completely different situation with regard to risk assessment and regulatory compliance.”

Finding a Qualified Tech Transactions Lawyer

What should you look for in a good technology transactions lawyer? Oliver, who has practiced in the legal area for over 25 years, suggests three things:

  • Experience. “First, you want to look for an attorney with prior experience dealing with legal issues in the tech industry.” There isn’t necessarily a specific number of years to look for. However, Oliver says becoming an expert generally takes at least a few years of experience.
  • Relevant knowledge. “Say you’re a healthcare company with data privacy needs. Do you need a healthcare lawyer to handle your data privacy concerns? No, because healthcare law and data security are distinct fields. You need someone who understands data privacy laws. Do you need someone with personal experience in technology? I’d say it’s helpful but not required.”
  • Type of clients. “If you have litigation needs, look at a lawyer’s court-related experience. If you need more transactional work—things like legal advice or consulting—you’ll be looking less at the type of lawsuit and more at the type of client they’ve worked with in the past. Have they previously worked with clients facing technology issues similar to your business?”

To start your search for an experienced technology transactions lawyer, search the Super Lawyers directory by your location. From there, you can research attorneys and law firms specializing in this area of law to see if they would be a good fit for your legal issue.

To learn more about this legal area, read our overview of technology transactions law and related legal resources.
