Partner; Chair – Global Data Privacy and Security Practice; and Global Practice Group Leader – Technology, Commercial & Data, Boulder
Data Privacy & Security
Overview
BCLP’s Global Data Privacy and Security team is composed of lawyers located across the United States, the United Kingdom and continental Europe. We routinely advise clients in a variety of sectors, including hospitality, consumer services, healthcare, software and technology, financial services, travel, manufacturing, and retail. We coordinate advice across multiple jurisdictions for clients working to achieve the most streamlined international data privacy strategy as possible, and we excel at helping companies achieve their business goals while balancing and addressing privacy and security obligations in a practical, business-focused approach. We pride ourselves on our responsiveness and building teams shaped to meet our clients’ needs.
AI legislation & regulation trackers
US state-by-state
To help companies achieve their business goals while minimizing regulatory risk, our team actively tracks proposed and enacted AI regulatory bills from across the United States to enable our clients to stay informed in this rapidly-changing regulatory landscape.
UK and EU
UK and EU take divergent approaches to AI regulation
As companies increasingly integrate AI into their products, services, processes, and decision-making, they will need to do so in ways that comply with the varying regulatory approaches in the UK and EU. Our UK and EU AI Regulation Tracker will keep you updated on legislation that, if passed, would directly impact businesses’ development or deployment of AI solutions in the UK and EU.
Privacy Advisory
Our team has extensive experience handling the full scope of complex privacy and security issues. From a data privacy perspective, we advise clients on the development of comprehensive privacy and data protection programs, data sharing and international mobilization of data, complex transactions involving monetization and licensing of data, as well as with conducting gap assessments to align with international privacy standards, responding to regulatory investigations and inquiries, and defending companies in court and before government agencies in enforcement actions.
This counseling spans the gamut of US and non-US privacy laws, including the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), the Health Insurance Portability and Accountability Act, the Children’s Online Privacy Protection Act, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, state privacy and data breach laws, FTC and state law enforcement issues, as well as emerging laws and regulations around the world.
Incident Response and Preparedness
In the context of incident response and preparedness, we have a world class incident response practice that has helped clients navigate major security incidents and data breaches, including ransomware attacks, O365 mailbox intrusions, malware, credential harvesting, insider threats, and inadvertent disclosure. We leverage that experience to help companies identify and remediate gaps in their readiness and to train companies how to respond to breaches effectively. Our experience and practical approach to data breach response uniquely equip us to assist organizations by understanding both the law and the business implications of data breaches. We help clients get ahead of incident response issues by a providing range of offerings, including bespoke “drill” exercises with c-suite executives, analysis of insurance coverage, contractual analysis to identify business partners and customers who require notification of a breach, and evaluation and engagement of third party providers under privilege (forensics, PR, call centers).
We are continually working to understand new privacy and security issues and to partner with our clients to shape practical, risk-based solutions that can be adapted over time to ever-changing technologies, business priorities and laws.
Meet The Team
Partner; Chair – Global Data Privacy and Security Practice; and Global Practice Group Leader – Technology, Commercial & Data, Boulder
Areas of Focus
-
General Data Protection Regulation
-
California Consumer Privacy Act
Experience
- Defending a major online fashion retailer in a lawsuit alleging violation of the Video Privacy Protection Act. The suit alleges that the client hosts video content on its website and that by also using Facebook pixels on its website to track usage statistics, it is unlawfully sharing personally identifiable information concerning videos viewed by users with a third party, in violation of the VPPA.
- Defending a provider of crypto currency trading software in a class action lawsuit filed in the wake of disclosures that the company was the victim of criminal hacking. The hacking resulted in the unauthorized disclosure of API keys, which were allegedly used by the hackers to consummate unauthorized trades in user accounts on various crypto currency exchanges.
Representative Clients
- Red Robin – Casual dining restaurant chain operating in the U.S.
- Delaware North – Manages and provides food and beverage concessions, dining, entertainment and lodging at high-profile locations throughout the world
- Best Western International – One of the top five largest hotel chains in the world.
- World Wide Technology, Inc. – One of the 100 largest privately held companies in the United States; provides technology needs to national and multi-national companies with revenues in excess of $7.4 billion annually
- Grindr LLC – Grindr is the premiere platform for the global LGBTQ+ community to connect, learn and champion their rights. With more than 3.8 million daily active users in more than 190 countries, Grindr empowers people to be themselves in a safe and meaningful way. Given the sensitive nature of information disclosed in-app, the company is focused on global compliance with data privacy and security laws.
- Washington University in St. Louis. – Washington University is routinely ranked as one of the top 15 universities within the United States, and one of the top 5 medical schools in the United States.
- IHS Markit Ltd. – Global diversified provider of critical information, analytics, and solutions
- Dillard’s Inc. – An upscale department store chain in the U.S. with more than 325 stores in 28 states
- eClinicalWorks – One of the main providers of electronic medical records to physicians and health groups
- Backstop Solutions – Provider of portfolio management technology to financial advisors and hedge funds
Related Insights
Insights
Oct 27, 2025
Oct 27, 2025
New Notice of Proposed Rulemaking for the TCPA – What Could Change?
Insights
Oct 24, 2025
Oct 24, 2025
Is the Price Right? New York and California Escalate Legal Pressure on Pricing Algorithms
In recent weeks, there have been significant developments in the legal landscape of pricing and pricing algorithm laws in New York and California. In light of the quickly changing law on pricing, clients should be thinking about reviewing their pricing programs with antitrust counsel and taking other practical steps to decrease the likelihood that these programs might be found to violate state antitrust laws.
Insights
Oct 09, 2025
Oct 09, 2025
A timely reminder of the importance of staff training on data protection
Over the summer, the High Court considered a case concerning employer liability for the disclosure of personal data belonging to a former employee. The judgment in Danielle Raine v JD Wetherspoon plc serves as a reminder of the risks associated with breaches of data protection and the misuse of private information.
Insights
Oct 07, 2025
Oct 07, 2025
Connecticut Quietly Adds AI Disclosure Mandate to Consumer Privacy Law
Insights
Oct 02, 2025
Oct 02, 2025
The HIPAA Trap (Part 2): Are You Actually a Business Associate?
News
Sep 26, 2025
Sep 26, 2025
BCLP advises Safran Defense and Space on Attollo Engineering acquisition
Insights
Sep 08, 2025
Sep 08, 2025
The EU-US Data Privacy Framework Survives an Annulment Challenge
On 3 September 2025, the European Court of Justice (“CJEU”) dismissed the action of a Member of the French Parliament, Mr. Philippe Latombe, who had sought annulment of the EU-U.S. Data Privacy Framework (“DPF”). Had he been successful, data transfers between the EU and US would have, yet again, faced challenges and uncertainty, as was the case following the 2020 Schrems II decision. This decision confirms that the European Commission is empowered to continue to review whether the DPF is sufficiently protective of EU data subjects’ rights, as the US legal landscape evolves. However, at this time, the safeguards offered in the US for EU personal data have been deemed sufficient to ensure the DPF has weathered this annulment challenge.
Insights
Aug 19, 2025
Aug 19, 2025
What is the European Accessibility Act and what impact will it have on your business?
The European Accessibility Act (EAA) came into force on 28 June 2025. It requires that all in-scope products and services placed on the market or provided after that date in the EU must meet specified accessibility requirements. These are requirements to help people with disabilities make use of certain products and services and will require businesses who offer these products or services to ensure they are accessible to all users.
Insights
Aug 05, 2025
Aug 05, 2025
The HIPAA Trap: Are You Actually a Covered Entity?