Whether clients seek to capitalize on the innovative business opportunities that digital technologies present or to manage the accompanying risks, we provide practical legal guidance relating to the challenges of using both established and emerging technologies.

Our lawyers strive to provide a legal framework that supports our clients in meeting their strategic, business, and technology objectives.

Our attorneys routinely advise clients on day-to-day operational issues involving privacy and security matters.

Compliance Counseling and Regulatory Guidance
Privacy and data security are regulated at the international, federal, state, and local levels. Our lawyers provide advice to clients across a spectrum of compliance considerations, ranging from international to local:

  • Section 5 of the Federal Trade Commission Act (FTC Act)
  • California Consumer Privacy Act (CCPA)
  • Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
  • Children's Online Privacy Protection Act (COPPA)
  • European Union Privacy Issues (including GDPR and Privacy Shield framework)
  • Telephone Consumer Protection Act (TCPA)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Health Information Technology for Economic and Clinical Health Act (HITECH)
  • Gramm-Leach-Bliley Act (GLBA)
  • Electronic Communications Privacy Act (ECPA)
  • Computer Fraud and Abuse Act (CFAA)
  • Payment Card Industry Data Security Standard (PCI-DSS) and Payment Application Data Security Standard (PA-DSS)
show more

Privacy and Information Security Client Results

Representative Matters
  • Holland & Hart acts as privacy counsel and advises a number of US-based clients in relation to their regulatory and compliance obligations, including GDPR and CCPA. Recent examples of advice have included: mechanisms for legal transfer of personal data from the EU to the US utilizing the EU/US Privacy Shield program, standard contractual clauses, binding corporate rules and consent, review of online privacy policies to ensure compliance with the laws of multiple jurisdictions, data mapping, and advice regarding the legality of employee monitoring in the EU.

    The following are examples of the types of privacy and information security work we have done and continue to do for certain of our clients:

    • Provide analysis of GDPR and CCPA applicability to organizations across a wide range of industries, including fraud monitoring, airlines, automotive, online retail, consumer goods, and telecommunications.
    • Advise on the territorial reach of GDPR and, in particular, how it applies to US-based organizations without an EU presence.
    • Draft policies and procedures, data breach response obligations, and data subject rights.
    • Counsel and advise on data breach response obligations for both US and international data breaches.
    • Provide guidance and regulatory review of promotional and marketing campaigns involving social media, digital, and Internet programs directed to consumers; advise on consumer protection issues and evolving national privacy regulations and best practices; and draft agreements with service providers including interactive advertising agencies, app developers, and promotions companies.
    • Advise on data protection issues arising in connection with international multimedia promotions for film properties, including providing strategic counseling on international compliance with online data collection requirements, with a particular focus on social media campaigns and websites targeted at children.
    • Develop international privacy programs and strategies that address the collection, use, and processing of personal information of patients, customers, vendors, and business partners; draft policies, operating procedures, and processes that address the use of personal information; prepare training materials for seminars on social media, communications, and privacy issues; draft templates and schedules that address data security and personal information for use with vendors and service providers; and provide ongoing counseling on domestic and international privacy matters.
    • Provide guidance and regulatory review of clients' data collection and processing functions and advise on privacy strategy both within the US and Europe. Advise on the potential impact of proposed US "Do Not Track" legislation and changes to EU laws arising out of the EU Cookie Directive.
    • Provide comprehensive support for multichannel retailers operating in multiple states in connection with retail stores, catalog sales, and online merchandising. Counseling includes consumer protection and privacy issues, implementation of consumer loyalty programs, customer acquisition and business intelligence components, promotional and marketing programs including sweepstakes, product reviews, coupons, and gift cards.
    • Provide counseling and advice in relation to employee monitoring in the UK and the transfer of employee data to the US.
    • Provide counseling and advice in relation to international (including EU) regulations and laws applicable to data protection and information security.
    • Provide counseling and advice in relation to the use of Privacy Shield, model contract clauses, and other consent models as a means of transferring PII from the EU to the US.
Experienced and Certified: International Association of Privacy Professionals

Craig Stewart - CIPP/US Certification from IAPP

250+ Data Breach Incidents: Resolved

Holland & Hart has helped organizations from emerging start-ups to established Fortune 100 companies resolve more than 250 data breach incidents

BTI's Best at Cybersecurity 2017

Recognized as a “strong cybersecurity performer” by Corporate Counsel


Unless you are a current client of Holland & Hart LLP, please do not send any confidential information by email. If you are not a current client and send an email to an individual at Holland & Hart LLP, you acknowledge that we have no obligation to maintain the confidentiality of any information you submit to us, unless we have already agreed to represent you or we later agree to do so. Thus, we may represent a party adverse to you, even if the information you submit to us could be used against you in a matter, and even if you submitted it in a good faith effort to retain us.