Expertise

Privacy & Data Protection

The privacy problems that actually keep US and cross-border tech companies up at night: CCPA and the state-law patchwork, do-not-sell and Global Privacy Control, CIPA and pixel litigation, data-broker registration, and automated-decision-making rules. Our IAPP-certified team turns them into a program that ships.

CCPA, CPRA & the US State-Law Patchwork

Twenty-plus state privacy laws are now live, and they don't line up. Instead of gold-plating a European program onto a US-first company, we map where the CCPA/CPRA, Colorado, Texas and the rest actually bite for your specific data flows—then build the smallest program that clears all of them at once.

  • A concrete map of which state laws apply to you today, and at what revenue and record thresholds
  • Sensitive-personal-information limits, purpose limitation and data minimization built into the product, not bolted on
  • Access, deletion, correction and opt-out flows that scale without turning into a support fire drill
  • Service-provider vs. third-party contract terms that keep ordinary vendor use out of “sale/share” territory
  • The risk assessments and cybersecurity audits the CPPA now expects on the record

Do-Not-Sell, Global Privacy Control & Your AdTech Stack

The biggest source of US privacy enforcement isn't a breach—it's your marketing stack. “Sale” and “share” are defined so broadly under CCPA that ordinary pixels, cookies and audience-matching can trigger opt-out obligations you're not meeting. We make your adtech and martech defensible instead of hoping nobody looks.

  • Honoring Global Privacy Control and browser opt-out signals—now mandatory as California's AB 566 takes effect
  • Auditing tags, pixels and SDKs to establish what “sale/share” you are actually doing
  • Consent Mode and server-side tagging configured so measurement survives an opt-out
  • Data-clean-room and audience-matching arrangements structured under the right controller/processor terms
  • Do-not-sell / do-not-share flows that regulators and plaintiffs' firms can't pick apart

CIPA, VPPA & Pixel Litigation—Defense Through Prevention

A wave of wiretap (CIPA), video-privacy (VPPA) and session-replay class actions is targeting companies whose sites load trackers before consent. We don't wait for the demand letter and then sell you litigation—we engineer the exposure out beforehand, at the code and consent layer.

  • Technical audits that surface the trackers, session-replay tools and chat widgets creating wiretap exposure
  • Consent architecture that loads third-party tags only after a valid, provable opt-in
  • Closing the evidence gaps plaintiffs' firms rely on—before they become a complaint
  • VPPA-safe configuration for any site combining video with advertising identifiers
  • A documented, defensible record if a demand letter still arrives

Data-Broker Registration & the California DELETE Act

If you buy, enrich or monetize data about people you don't collect from directly, you may be a “data broker”—and California's DELETE Act now routes consumer deletion requests through a single state platform (DROP). Registration deadlines and fines are real, and the definition catches more companies than expect it.

  • A straight answer on whether you actually meet the data-broker definition in California, Texas, Oregon and Vermont
  • Registration, disclosures and the expanded reporting obligations under SB 361
  • Building the pipeline to process DROP deletion requests at scale
  • Structuring data purchases and enrichment so you don't accidentally back into broker status

Automated Decision-Making, Profiling & AI Rules

Finalized ADMT and profiling rules under the CCPA regulations, Colorado's AI framework and the EU AI Act give consumers rights over algorithmic decisions and require risk assessments before you deploy. This is exactly where privacy work and AI governance meet—so we build one program, not five.

  • ADMT notices, opt-outs and access rights under the finalized CCPA regulations
  • Pre-deployment risk assessments and profiling rules across California and Colorado's revised AI framework
  • Companion-chatbot and AI-toy disclosure rules aimed squarely at consumer-facing AI
  • Alignment with your EU AI Act obligations so the controls map, not multiply

DPAs & Vendor Terms That Reflect How You Actually Operate

Your data processing agreements have to match how modern SaaS really runs—multi-tenant, streaming, AI-in-the-loop—not a decade-old template. We draft and negotiate the terms your enterprise buyers will sign and your regulators won't second-guess.

  • Sub-processor and vendor terms mapped to your real data flows, not a boilerplate annex
  • AI model-training clauses that protect—or deliberately unlock—use of customer data on purpose
  • Cross-border transfer terms, Standard Contractual Clauses and Transfer Impact Assessments
  • Multi-tenant isolation and security addenda enterprise procurement will actually accept

GDPR & International Expansion, When You Need It

When you cross into the EU or UK, our IAPP-certified team (CIPP/E, CIPP/US, CIPT, FIP) runs the classic GDPR program—RoPA, DPIAs, DPO cover, SCCs, Schrems II transfer analysis and the EU-representative decision—scaled to a company that started in the US, not retrofitted in a panic after launch.

  • Fractional or named DPO cover with the credentials regulators recognize
  • RoPA, DPIAs and the records you'll be asked to produce
  • Standard Contractual Clauses, Transfer Impact Assessments and EU/UK representative decisions

Key Questions We Help You Answer

  • ?Are we “selling” or “sharing” data just by running ads and analytics?
  • ?Do we have to honor Global Privacy Control—and are we, right now?
  • ?Are our tracking pixels a CIPA or VPPA lawsuit waiting to happen?
  • ?Could we accidentally be a “data broker” that has to register in California?
  • ?What do the new automated-decision-making rules require before we ship an AI feature?
  • ?Which US state laws actually apply to us, and what's the minimum program that clears them?
Your plan

Outside Counsel

$1,800/quarter

Your outsourced privacy function—CCPA alignment, adtech and pixel risk, RoPA and DPIAs—with DPO Central + vendor.watch included free. Tiers from startup to large-scale.

See plans & tiers

Get Started

Discovery Call

30 min • Video call

Pacific Time (PT) • San Francisco