Image of the entrance to the United States Supreme Court building.

Will the Courts Treat Foreign Data Privacy Laws as Fact or Farce in U.S. Contracts? Whose Law Will Prevail in Privacy Disputes?

Image Credit: MarkThomas from Pixabay.

[Originally published as a Feature Article: Will the Courts Treat Foreign Data Privacy Laws as Fact or Farce in U.S. Contracts?, by Amira Bucklin and Lily Li, in Orange County Lawyer Magazine, May 2021, Vol. 63 No.5, page 40.]

by Amira Bucklin and Lily Li

In 2020, when lockdown and shelter-at-home orders were implemented, the world moved online. Team meetings, conference calls, even court hearings entered the cloud. More than ever, consumers used online shopping instead of strolling through malls, and online learning platforms instead of classrooms. “Zoom” became a way to meet up with friends over a glass of wine, or conduct job interviews in a blouse, suit jacket, and yoga pants.

This has had vast consequences for personal privacy and cybersecurity. While most consumers might recognize the brand of their online learning platform, ecommerce store, or video conference tool of choice, most consumers don’t notice the network of service providers that work in the background. A whole ecosystem of connected businesses and platforms that collect, store, and transfer data and software, all governed by a new set of international privacy rules and contractual commitments. Yet, many of these rules have not been tested in the courts, and they have several implications in the context of privacy.

The Privacy Conundrum

This month marks the three-year anniversary of the EU’s General Data Protection Regulation (GDPR). As expected, its consequences have been far-reaching, and fines for violations have been staggeringly high.

The GDPR requires companies in charge of personal data (“data controllers”) to enter into data processing agreements with their service providers (or “data processors”), including, at times, standard data protection clauses drafted by the EU Commission. These data processing mega-contracts (ranging from 1-100+ pages) impose a series of foreign data protection and security obligations on the parties.

A unique challenge presented by these contracts is the fact that such data processing agreements and model data protection clauses often include their own choice of law provisions, calling for the applicability of EU member state law, and requiring the parties to grant third-party beneficiary rights to individuals in a wholly different country.

This challenge is not just limited to parties contracting with EU companies, either. Due to the GDPR’s extraterritorial scope, two U.S.-based companies can enter into a contract subject to the laws of the State of California, but which includes a data processing addendum or security schedule that is subject to the laws of the United Kingdom, France, or Germany.

What happens if there is a dispute between these parties regarding their rights and responsibilities, which are subject to foreign data protection laws? How will U.S. courts treat these disputes? How much deference will—and should—a U.S. court provide to foreign interpretations of law?

Continue Reading Will the Courts Treat Foreign Data Privacy Laws as Fact or Farce in U.S. Contracts? Whose Law Will Prevail in Privacy Disputes?
Map of the United States - State Privacy Laws

State Privacy Laws in the Wake of the CCPA: A Tough Act to Follow

Image Credit: Free-Photos from Pixabay.

Hard on the heels of the California Consumer Privacy Act of 2018 (CCPA) and updated state privacy laws in Nevada and Maine which took effect in 2019, state data privacy legislation is still on the rise.

In November of 2020, California citizens approved the California Privacy Rights and Enforcement Act (CPRA), further amending the CCPA. The CPRA is intended to strengthen privacy regulations in California by creating new requirements for companies that collect and share sensitive personal information. It also creates a new agency, the California Privacy Protection Agency, that will be responsible for enforcing CPRA violations.

Most recently, the Virginia Governor signed the Consumer Data Protection Act into law, thereby making Virginia yet another U.S. state with a comprehensive state privacy law. 

As momentum builds for state privacy laws, 2021 could be the year that privacy laws gain footing across the country, helping Americans exercise control over their digital lives.

Washington’s Privacy Act 2021, SB 5062
**Update: The WPA did not pass the House by the April 11 deadline. On April 12, however, Senator Carlyle tweeted that the “bill remains alive through the end of the session.” The legislature will close on April 25.

*** Update 4/26: The WPA did not pass for the third year in a row, due to the late introduction of a limited private right of action (for injunctive relief). Jump to the bottom of the page for links to other pending state legislation.

The most notable – due to its furthest progression in state legislation – is the current draft of the Washington Privacy Act 2021 (“WPA”). This draft bill is the third version of the act introduced by Washington state Sen. Reuven Carlyle (D-Seattle) in as many years.


The WPA would apply to legal entities that:

Continue Reading State Privacy Laws in the Wake of the CCPA: A Tough Act to Follow
Privacy nutrition label

Opt-Out Icons and Apple Privacy Labels: The Visual Privacy Policy

Image Credit: FDA Nutrition Label, modified by Metaverse Law

The growing frequency and severity of privacy incidents within the past decade—the Facebook-Cambridge Analytica data scandal and Equifax data breach, to name just a few—has made consumer privacy a topic of public attention and concern.

In response to consumers’ increased wariness regarding their private data, some companies are trying to use privacy labels and icons to signal a commitment to privacy protection. The ultimate goal is to make privacy more accessible, transparent, and understandable.

This article reviews the history and current trends around privacy icons and labels.

Privacy Visuals Part I: Icons

In 2010, the Digital Advertising Alliance (DAA) rolled out its “YourAdChoices” icon – a clickable blue triangular icon found on ads. This was one of the first privacy icons available. The DAA developed this icon in response to speculated federal regulation in the advertising industry.

Digital Advertising Alliance (DAA) YourAdChoices icon, appears as blue outlined triangle with inset letter 'i'
YourAdChoices icon. Image taken from

To address Congressional inquiries into consumer privacy (and any possible resulting legislative efforts), the DAA formed a self-regulatory program with a set of privacy principles for participating companies and developed the YourAdChoices icon. Participating companies can voluntarily elect to place this symbol on their advertisements. By its nature, the DAA self-regulatory program and use of the YourAdChoices icon is not enforced by law. However, the DAA enforces the program by offering a consumer complaint process, public investigation procedure, and if necessary, escalation to a government agency, which happened in the case of SunTrust Bank in 2014.

Typically, the YourAdChoices icon is placed on cross-context behavioral ads—that is, ads targeted to consumers based on a profile of that consumer’s characteristics, preferences, and internet activity. If a browsing consumer views an ad that was targeted to them, they can click the YourAdChoices icon next to the ad to control whether ads should be personalized to them while browsing and to learn why that certain ad was displayed to them.

When the California Consumer Privacy Act (CCPA) came into effect in 2020, it created new privacy requirements for over 500,000 business nationwide . One of the requirements is to prominently display a “Do Not Sell My Personal Information” link on a business’ homepage, if a business is subject to CCPA, and “sells” or discloses a consumer’s personal information for valuable consideration. If a consumer submits a request through the link, the business must allow consumers to opt-out of the sale of that consumer’s personal information.

In response to this new requirement, the DAA designed a green version of the YourAdChoices icon for CCPA use. This is called the Privacy Rights Icon.

Digital Advertising Alliance (DAA) Privacy Rights icon, appears as green outlined triangle with inset letter 'i'
Privacy Rights icon. Image taken from

When implemented correctly by participating companies, the green Privacy Rights icon brings consumers to, a website set up by the DAA to help centralize and facilitate “Do Not Sell” requests across all participating companies.

While the two DAA icons above are forms of industry self-regulation, the California Office of the Attorney General (OAG) has also designed a “Do Not Sell” button to accompany the Do Not Sell link.

Continue Reading Opt-Out Icons and Apple Privacy Labels: The Visual Privacy Policy
Group of stars around the text GDPR

Data Privacy Matters

How Will GDPR Affect Business Marketing Approaches in The Digital Age

The General Data Protection Regulation (GDPR) has approaches that impact today’s marketing strategies. With the increasing interplay between internal and external regulation and increasingly intrusive practices by law enforcement authorities, digital marketing’s future may involve significant changes. At the same time, the European Union (EU) is making efforts to strengthen its regulatory regime and pass several laws to improve its relationship with the US. It is essential to consider the potential social, political, and legal impact of GDPR on your business. Furthermore, certain restrictions dictate the way companies can conduct their business online. Given all this, it is clear that if you want to continue to enjoy the benefits of doing business online within the EU, you need to be fully aware of the implications of GDPR and how it impacts your marketing techniques.

What is GDPR? 

The GDPR is a set of rules developed by the European Commission to enable citizens to have more control over personal data. Several reforms are created to prepare regulations, laws, and obligations of data privacy and consent involving individuals, businesses, and entities. Some of these regulations cover consumer credit, advertising, information protection, payment data transfer and schemes, and more. 

This framework sets out general guidelines for ensuring the protection of personal information. In particular, GDPR protects against the unnecessary, unethical, and illegal use of personal data. However, it is essential to note that GDPR addresses different aspects of the whole regulatory framework, which means that every reform is examined separately for its relevance and applicability.

Regulation on personal information processing is vital to the reforms related to the GDPR’s subject matter. It sets out the rules and procedures that ensure personal information processing occurs within the Commission’s data protection frameworks.

This regulation aims to protect individuals from unfair and unwarranted discrimination when taking up jobs, accessing services, performing online transactions, and other related digital activities. It covers the unwarranted use of collected data for criminal prosecution and employee protection from unfair dismissal and other workers’ compensation claims.The security requirements defend corporate clients and enterprises from data protection risks and ensure that their companies comply with the principles laid down in the GDPR. All these aims are governed through the various bodies that constitute the Commission’s regulatory bodies and state data protection agencies.

What is GDPR compliance? 

GDPR compliance involves ensuring the legal process of data collection, processing, and maintenance.

All entities under the GDPR scope, digital-based or not, will have to comply with this particular regulation. It requires companies to take necessary measures and create protocols to protect the personal data of the organization, employees, and clients involved for their legitimate purposes, or other lawful bases, in line with the EU data protection regulation and directives. 

Several regulations are addressed in the GDPR. You need to keep in mind that all organizations and their processors and controllers are obliged to ensure they do not breach any of the provisions within the regulation and prepare measures that they can take to protect their users.


Under Article 4, section 7 of the General Data Protection Regulation,” ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.”


Under Article 4, section 8 of the General Data Protection Regulation,” ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

How Will GDPR Affect Business Marketing

The main aim of GDPR is to ensure that unauthorized third parties cannot misuse all personal information kept by company processors and controllers. For instance, organizations must ensure that they inform their clients about the procedures they follow to process their data, the additional risks they face if they fail to comply with the regulations, and how they can benefit from it. The regulation also addresses how companies and controllers can implement suitable systems to handle their clients’ data according to the different regulations. With all these in mind, it’s clear that understanding the GDPR compliance requirements is vital for those within the scope to stay in business.

Who does GDPR apply to?

The EU General Data Protection Regulation (GDPR) has implications for many organizations, particularly those controlling or processing personal information in the European Union or EU data subjects.

The compliance scope includes regulations in data processing for direct marketing purposes by the companies’ advertising agencies through telemarketing and other means and using data to generate ad campaigns. 

Application of the GDPR to Organizations

The GDPR will apply to the personal data processing by organizations established in the EU, regardless of where the data processing transpires. It will also apply to the personal data processing by organizations that control or process data in connection with (1) offering goods or services (with or without charge) to, or (2) monitoring individuals in the EU.

Data Consent According to the GDPR

Under the GDPR, controllers or processors can process personal data in specific limited, designated circumstances with consent. There are particular requirements of valid consent provided by the GDPR:

  • Children under 16 will require parental guidance and permission in giving consent.
  • Consent must be a voluntarily given, specific, informed, and unambiguous indication through a statement or clear confirmation. 
  • Consent must be just as easy to withdraw and to provide. 

How GDPR Affects Marketing

GDPR Affect Business Marketing Approaches in The Digital Age

Many businesses are scrambling to prepare and implement effective marketing strategies to comply with the GDPR. In our internet-connected age, most of them require digital marketing efforts while also needing to maintain identity, privacy, and reputation protection. Therefore many companies have already begun to prepare their plan to ensure they comply.

Marketing significantly involves data collection. Without data gathering and collection practices, marketers can’t do much work achieving advertising goals. 

For marketing strategies to work under the compliance of the GDPR, organizations need to follow six elements for data processing, such as the following:

  1. Rights of Individuals
  2. Right to be Informed
  3. Right to Erasure (“Right to be Forgotten”)
  4. Data Protection Officer (DPO)
  5. Obligations on data processor / processors
  6. Data Protection Impact Assessment

To all ends, you need to seek consent for all data you need to collect from audiences or individuals, or find another legal basis for processing, and provide necessary information on how you intend to use such data for your marketing purposes. Unsolicited data and communications are strictly against the GDPR when applied to the marketing landscape, unless you can show that you fall within an exception.

Learn more about the General Data Protection Regulation (GDPR) applications for your business marketing approaches. Metaverse Law focuses exclusively on privacy, data protection, and cybersecurity law with practical solutions for today’s online businesses, including GDPR compliance. Visit us here to inquire about our services!

Individuals behind a password screen.

The Importance of Data Privacy For Protecting Business and Client Information

If you own a business that demands you to understand what data privacy is and how it affects you, then now is the time for you to get informed. It has much to do with maintaining an acceptable level of trust between organizations and clients. Data privacy compliance has a framework involving a set of guidelines that require business institutions to integrate into their security system as per several state and federal laws on varying levels.

What Is Data Privacy? 

Data privacy is a general concept that governs the handling, storage, access, and preservation of sensitive information or data. It is also referred to as information security or information control. 

In technical terms, it is a system designed to govern the handling, processing, distribution, safety management, and ownership of valuable digital information. This information may include personal details, such as credit card numbers, financial transaction details, and other facts accessible through digital systems that privately belong to individuals or organizations.

Data safety protocols and processes are imposed by the privacy protection laws in different countries. These laws ensure the legality of the use of sensitive personal information and provide guidelines for proper handling, storage, and transmission of such information. This ensures that the benefits derived from the various programs implemented by the organizations are legit and are not being abused to serve selfish ends. The process of implementation varies from each country or region and thus, different laws are governing data privacy issues in different parts of the world. 

Data Security

Protecting Business and Client Information

Data security is the practice of protecting data and maintaining the privacy of information, which obligates an organization to secure data at its source or to ensure the privacy of data in transit and throughout its lifecycle. This practice protects confidential information whether it is transmitted over the internet or through private networks. It also governs how organizations can safeguard corporate assets against corruption and unauthorized access. These have become more important with the growth of sophisticated data encryption technologies, which have made the transmission of sensitive corporate information more secure.

There are certain conditions recognized by countries across the world and are enforced by each government. They include the responsibilities of service providers to take reasonable measures to ensure the confidentiality of communications and related data, protection against data leaks and interference, and protection against the abuse of personal information. Aside from these, several laws address the rights of businesses to protect their clients’ private information. These include the right to secure network systems, secure the confidentiality of information, and providing clients with the right to access and see the documents that have been sent to them.

Data Compliance

Data compliance ensures the correct practice of data privacy along with legal and governmental regulations. If organizations are not complying with the regulations stated by the federal or state government, then they are going to find themselves out of compliance, and the clients, customers, and employees might also be bound to some legal stipulations. 

Companies that fail to comply with the legal conditions of data privacy may be sanctioned, which may include fines or other penalties. There are many legal defenses available to business owners who are accused of not being able to guarantee the confidentiality of their data. For example, a business owner may use a server that is situated abroad to facilitate trade for his company. Similarly, a person who has concerns about how a product or service obtained by purchasing online could use data protection tools and safeguard his privacy.

Businesses need to stay abreast of any changes to data protection laws and the only way for a business to satisfy data compliance is to adhere to the latest privacy law of a particular state. 

Why Is Data Privacy Important?

For starters, data privacy equips an organization to responsibly handle and protect the information of an entity or individual. Therefore, it implies the accountability of the responsible party, whether the organization, government, or a private entity, to protect any information that may be related to all transactions from unauthorized use, mishandling, and/or disclosure. 

How Does One Understand and Appreciate The Need For Privacy? 

A company’s data privacy can be interpreted as the confidence towards the organization in communicating sensitive data or information to its customers and partners. As such, companies that want to be considered most trustworthy will have to be reliable enough and have the integrity to follow data privacy protocols. This way, consumers can be reassured that their data is taken care of while they are using the company’s services. Secondly, data privacy also has to do with keeping suppliers and other business operations well within the law by ensuring compliance with regulatory requirements.

Data Privacy For Businesses and Organizations

Importance of Data Privacy

A business or organization must establish certain rules governing the use of private data for marketing, product research, customer contact, and evaluation, etc. For instance, when these valuable data are stored in company computer systems, the company and its employees are bound to respect the privacy set by data protection laws and make it impossible for anyone to commit unethical and illegal breaches. 

Whether you are a business or a consumer, how do you ensure your data is protected? 

You can guarantee security for your data through a security program installed into the organization’s computer and network system. There are many companies providing data security services to keep private information private and safe and ensure that the protocols follow state or federal laws. An organization’s IT department should be able to maintain the data privacy protocols regularly. This will keep the system running as smoothly as possible without the constant imminent threat of a data breach. 


Data privacy compliance is highly necessary for organizations to avoid breaking the law or risking their businesses and their clients’ personal information. Users are advised to follow basic personal data protection like using passwords whenever they transfer personal information online and use safety protocols when using public networks. It is up to the user to implement data privacy into the system and follow professional data security advice.

Find out which privacy laws impact your business. Metaverse Law specializes in privacy, data protection, and cybersecurity law to assist startups and multinationals across the country in the high-tech, digital marketing, healthcare, and e-commerce industries with their privacy and data security obligations. Visit us here today to learn more!

1 2 3 4 5 12