Privacy, Cybersecurity and Consumer Protection



Gibson, Dunn & Crutcher’s Privacy, Cybersecurity and Consumer Protection Practice Group has a demonstrated history of helping companies successfully navigate the complex and rapidly evolving laws, regulations, and industry best practices relating to privacy, cybersecurity and consumer protection.  Our global and interdisciplinary team advises clients across a broad range of industries in high-stakes matters on the full spectrum of issues in these areas.

In the privacy area we have decades of experience with a wide array of counseling, government investigations and litigation.  Our deep roster of lawyers with experience at the highest levels of government is prepared to handle any type of government investigation.  Our elite class action team has successfully litigated scores of issues, including numerous matters of first impression.  Our experience includes advising a broad array of companies large and small, in Silicon Valley, Silicon Alley, and around the world.

We have substantial experience assisting companies with all facets of cybersecurity, including counseling clients through the important steps that must occur immediately after breach situations and navigating the federal and state government investigations and private litigation that increasingly accompany cybersecurity incidents.

With respect to consumer protection, we advise clients on a broad array of issues, including advertising practices, consumer disclosures, and compliance with the myriad laws regulating consumer interactions.  We routinely appear before the U.S. Federal Trade Commission (FTC) and the U.S. Department of Justice (DOJ) on consumer protection matters and have litigated complex consumer protection disputes involving a diverse range of industries.

Our team includes lawyers with significant experience in litigation, government investigations, and corporate matters, many of whom have experience at senior government levels.  The practice group is led in part by a former U.S. Attorney who oversaw prominent high-technology prosecutions, a former Assistant U.S. Attorney with primary responsibility for investigating and prosecuting computer crime and intellectual property cases, and a former senior official at the FTC.  Our team includes numerous other former computer crimes prosecutors, FTC lawyers, senior government officials at the DOJ, and leaders at the European Commission.  Our lawyers are distinguished not only by their substantive capabilities and advocacy skills, but also by their ability to guide clients through major events, deal with all relevant constituencies, and develop and implement a prompt and effective crisis management strategy.

Our litigation and investigations experience includes:

  • Defending companies in regulatory investigations, including FTC and state attorney general investigations
  • Defending companies in class action and other privacy and consumer protection litigation, including that stemming from data breaches
  • Responding to Congressional inquiries related to privacy and cybersecurity

Data breach and crisis management experience includes:

  • Counseling companies, executives and boards of directors on developing and implementing crisis management strategies
  • Coordinating breach notification responses and other regulatory obligations
  • Liaising with federal government, state law enforcement and regulatory officials, and international regulators
  • Assisting companies with prompt and effective media strategies

Counseling and audits experience includes:

  • Counseling related to compliance with federal, state and local laws and regulations governing privacy, social media, data security, online advertising, e-commerce and related issues
  • Overseeing network security, privacy and cybersecurity compliance audits
  • Advising on data compliance strategies and the development of data protection and Internet enforcement compliance programs
  • Conducting assessments of privacy and data security programs

Preparedness and transactional due diligence experience includes:

  • Advising boards of directors and in-house counsel on governance matters, privacy and cybersecurity policies and procedures, risk management frameworks, incident response plans, and best practices related to preparedness
  • Performing privacy and information security due diligence in support of mergers and acquisitions and other corporate transactions
  • Advising on all aspects of technology-, data- and privacy-related corporate transactions
  • Counseling on securities law disclosures
  • Advising on legislative and regulatory developments

Our capabilities are global.  Cybersecurity and privacy are global issues, and Gibson Dunn draws on its international team to seamlessly advise clients on sophisticated multijurisdictional matters.  The practice group includes lawyers in Brussels, London, Paris, Munich, Beijing, Singapore and Hong Kong who are exceptionally knowledgeable not only on relevant data protection and privacy laws at the national level, but are experienced in advising companies on European Union developments and coordinating multinational approaches.


Recent representations include:

  • Serving as lead outside privacy and data security counsel for Facebook.  We advise the company on privacy and data security issues, private litigation matters including class action matters and FTC investigations.  Among many other representations, we represented Facebook in connection with the FTC investigation and enforcement action involving the company’s online privacy practices – described by the FTC as its largest and most significant privacy investigation to date.
  • Representing a leading international e-commerce site in connection with a data breach impacting potentially hundreds of millions of users, and handling related investigations by the FTC, various state attorneys general, and foreign data privacy authorities, as well as detailed forensic analysis and counseling on a range of privacy and cybersecurity issues.
  • Obtained dismissal on behalf of mobile advertising and analytics networks in nationwide U.S. class action alleging that defendants collected and disclosed data and personal information from mobile devices without users’ knowledge and consent, on grounds that plaintiffs lacked Article III standing and failed to state a viable claim.
  • Represented a leading digital media company facing a full-phase FTC investigation relating to compliance with the Children’s Online Privacy and Protection Act (COPPA).  We obtained closure without conditions notwithstanding a recommendation from the FTC staff to pursue an enforcement action.
    Achieved a complete victory for St. Joseph Health System by securing dismissal of a putative data breach class action.  Asserting claims under California’s Confidentiality of Medical Information Act and the common law, including the right to privacy and negligence, plaintiff alleged that St. Joseph had lost possession of the confidential medical information of more than 33,000 patients.  The California Superior Court agreed with Gibson Dunn that plaintiff had not alleged sufficient facts to proceed and dismissed the case.
  • Serving as U.S. coordinating counsel for data security matters for one of the world’s largest global payment technology companies.
    Represented an executive search firm in response to a sophisticated cyber-attack including advanced persistent threat intrusion and extensive exfiltration of sensitive databases.  We counseled the client on investigation of the intrusion, including supervising digital forensics investigation and data security improvements, handled referral of the incident to law enforcement and coordinated breach notification compliance, as well as public relations and SEC disclosure strategy.
  • Worked with a provider of social media services to ensure that all aspects of its user platform complied with the FTC’s revised COPPA guidance.
    Represented one of the world’s largest engineering design firms in response to network intrusion, involving significant employee data breach.  We counseled the client on investigation of the incident, including supervising digital forensics investigation and data security improvements, coordinated breach notification compliance, public relations strategy, and law enforcement interaction.
  • Represented a Fortune 50 retailer in connection with multiple data security issues and related government investigations, including FTC and Secret Service investigations of a massive data breach impacting millions of credit card holders, and succeeded in persuading the FTC to close the nonpublic investigation without taking any action, based on demonstrated proof that our client had acted reasonably at every key juncture, both before and after the breach.


The Potential Impact of the Upcoming Voter Initiative, the California Privacy Rights Act

-September 29, 2020

California Approves Final CCPA Regulations, and Bill Extending Key Exemptions Moves Forward at the Legislature

-August 20, 2020

Webcast: Schrems II: What are the implications and viable options for international data transfers?

-August 10, 2020

The Court of Justice of the European Union Strikes Down the Privacy Shield but Upholds the Standard Contractual Clauses under Conditions

-July 17, 2020

U.S. Supreme Court to Weigh FTC Restitution Authority

-July 13, 2020

Gibson Dunn Paris | Data Protection – July 2020

-July 9, 2020

Supreme Court Upholds TCPA’s Robocall Ban, But Strikes Government-Debt Exception As Unconstitutional Under First Amendment

-July 7, 2020

As California Consumer Privacy Act Enforcement Commences, a Tougher New Data Privacy Law Will Go Before California Voters in November

-July 2, 2020

GDPR Update: French Administrative Supreme Court Upholds 50 Million Euro Fine Against Google LLC

-June 23, 2020

California Consumer Privacy Act Update: Attorney General Finalizes Regulations and Provides Interpretive Guidance

-June 12, 2020

Gibson Dunn Paris | Data Protection – June 2020

-June 4, 2020

Webcast: Preparing for the California Consumer Privacy Act (CCPA)

-May 26, 2020

Gibson Dunn Paris | Data Protection – May 2020

-May 4, 2020

Webcast: Returning to Work: Health, Employment, and Privacy Considerations and Constraints as Businesses Resume Post-Quarantine Operations in the U.S.

-May 1, 2020

European Perspective on Tracing Tools in the Context of COVID-19

-April 28, 2020

Supreme Court to Resolve Longstanding Circuit Split Over Scope of Federal Anti-Hacking Statute

-April 23, 2020

Gibson Dunn Paris | Data Protection – April 2020

-April 9, 2020

The Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security Updates Essential Critical Infrastructure Workforce Guidance

-April 2, 2020

Privacy and Cybersecurity Issues Related to COVID-19

-March 21, 2020

California Consumer Privacy Act Update: Attorney General Proposes Further Revisions to CCPA Regulations

-March 17, 2020

4 Questions That May Signal The End Of TCPA Class Actions

-February 27, 2020

California Consumer Privacy Act Update: Attorney General Proposes Regulations Version 2.0

-February 19, 2020

International Cybersecurity and Data Privacy Outlook and Review – 2020

-January 31, 2020

Ashley Rogers Named to Dallas Business Journal 40 Under 40

-January 30, 2020

Law360 Names Gibson Dunn Among Its 2019 Cybersecurity & Privacy Practice Groups of the Year

-January 28, 2020

U.S. Cybersecurity and Data Privacy Outlook and Review – 2020

-January 27, 2020

Gibson Dunn Named a 2019 Law Firm of the Year

-January 13, 2020

2019 Year-End German Law Update

-January 10, 2020

California Consumer Privacy Act: Compliance Heading into the New Year

-December 14, 2019

Law360 Names Joshua Lipshutz a Cybersecurity MVP

-November 26, 2019

Law360 Names Nine Gibson Dunn Partners as 2019 MVPs

-November 13, 2019

FTC Brings First Case Against Tracking Apps

-November 1, 2019

GDPR: Fining Guidelines Will Increase Exposure in Germany

-October 30, 2019

California Consumer Privacy Act: 2019 Final Amendments Signed

-October 16, 2019

California Consumer Privacy Act Update: Regulatory Update

-October 11, 2019

The Court of Justice of the European Union rules that there is no obligation for Google to carry out de-referencing on non-EU versions of its search engine

-October 2, 2019

Ninth Circuit Issues Decision in Closely Watched Data Scraping Case

-September 17, 2019

Google and YouTube Reach Historic Settlement with FTC and New York AG Over Alleged COPPA Violations

-September 9, 2019

Can GDPR Hinder AI Made in Europe?

-July 16, 2019

Former Special Counsel Prosecutor Zainab Ahmad to Join Gibson Dunn as Partner in New York

-July 10, 2019

Best Lawyers in France 2020 Recognizes 16 Gibson Dunn Attorneys

-July 1, 2019

The EU Introduces a New Sanctions Framework in Response to Cyber-Attack Threats

-June 19, 2019

Should Consumer Data Privacy Laws Apply To The Gov’t?

-June 7, 2019

California Consumer Privacy Act Update — California State Committees Vote on Amendments

-May 1, 2019

Illinois Supreme Court Finds BIPA Violations Actionable, Even With No “Actual Injury”

-January 29, 2019

International Cybersecurity and Data Privacy Outlook and Review – 2019

-January 29, 2019

U.S. Cybersecurity and Data Privacy Outlook and Review – 2019

-January 28, 2019

The French Data Protection Authority Imposes a 50 Million Euros Fine on Google LLC

-January 25, 2019

Law360 Names Gibson Dunn Among Its Cybersecurity & Privacy 2018 Practice Groups of the Year

-January 23, 2019

Kristin Linsley Named Top Cyber Lawyer 2019 by Daily Journal

-January 23, 2019

Gibson Dunn Named a 2018 Law Firm of the Year

-January 16, 2019

Ninth Circuit Judges Call for En Banc Review of the Federal Trade Commission’s Authority to Obtain Monetary Relief

-January 15, 2019

U.S. Department of Health and Human Services Issues New Guidance on Voluntary Cybersecurity Practices for Health Care Industry

-January 14, 2019

How Calif. Privacy Act Could Prompt Private Plaintiff Suits

-January 11, 2019

Law360 Names Eight Gibson Dunn Partners as MVPs

-November 28, 2018

Lessons from FTC’s Loss in, and Subsequent Abandonment of, DirecTV Advertising Case

-October 24, 2018

SEC Warns Public Companies on Cyber-Fraud Controls

-October 18, 2018

New California Security of Connected Devices Law and CCPA Amendments

-October 5, 2018

Kristin Linsley, Christina Greenberg and Jennifer Rho Named Among Women Leaders in Tech Law

-September 18, 2018

Timothy Loose Named Among Global Data Review’s 40 Under 40

-September 18, 2018

California Consumer Privacy Act of 2018

-July 12, 2018

Supreme Court Holds That Individuals Have Fourth Amendment Privacy Rights In Cell Phone Location Records

-June 22, 2018

A Closer Look At Barnes & Noble Data Breach Ruling

-May 8, 2018

Supreme Court Holds That Recent Legislation Moots Dispute Over Emails Stored Overseas

-April 17, 2018

Trump Administration Imposes Unprecedented Russia Sanctions

-April 12, 2018

The Convergence of Law and Cybersecurity

-March 14, 2018

Law360 Names Gibson Dunn Among its Privacy 2017 practice Groups of the Year

-February 2, 2018

International Cybersecurity and Data Privacy Outlook and Review – 2018

-January 30, 2018

Kristin Linsley and Eric Vandevelde Named Top Cyber/Artificial Intelligence Lawyers 2018

-January 27, 2018

U.S. Cybersecurity and Data Privacy Outlook and Review – 2018

-January 25, 2018

2017 Trade Secrets Litigation Round-Up

-January 19, 2018

2017 Year-End E-Discovery Update

-January 18, 2018

2017 Year-End German Law Update

-January 7, 2018

Cybersecurity & Critical Infrastructure

-December 30, 2017

A GDPR Primer For U.S.-Based Cos. Handling EU Data: Part 2

-December 13, 2017

A GDPR Primer For U.S.-Based Cos. Handling EU Data: Part 1

-December 12, 2017

The General Data Protection Regulation: A Primer for U.S.-Based Organizations That Handle EU Personal Data

-December 4, 2017

Webcast: Hot Topics in Securities and Governance

-November 17, 2017

Cybersecurity & Data Privacy: An Overview for Health Care, Pharmaceutical, and Biotech Companies

-August 8, 2017

Will “Kokesh v. SEC” Put a Kink in the Federal Trade Commission’s Disgorgement Hose?

-July 12, 2017

Trump Administration Prioritization of Cybersecurity

-June 7, 2017

Zufallsfunde bei Videoüberwachung

-March 1, 2017

Webcast: IPO and Public Company Readiness: Cybersecurity

-February 28, 2017

French Legal Briefing – France Continues to Adopt the Highest International Standards to Attract Investors

-February 21, 2017

International Cybersecurity and Data Privacy Outlook and Review: 2017

-January 31, 2017

2016 Trade Secrets Litigation Round-Up

-January 27, 2017

U.S. Cybersecurity and Data Privacy Outlook and Review: 2017

-January 27, 2017

2016 Year-End German Law Update

-January 13, 2017

New York State Department of Financial Services Revises Proposed Cybersecurity Regulations

-January 5, 2017

President Obama Announces New Russian Sanctions in Response to Election-Related Hacking

-December 30, 2016

California Continues to Take the Lead on Consumer Privacy – Attorney General Issues New Guidance to the Ed Tech Sector About Student Data

-November 10, 2016

FCC Votes to Adopt New Regulations Governing Use of Customers’ Proprietary Information by Providers of Broadband Internet Access Service

-November 7, 2016

New Cybersecurity Requirements for Defense Contractors Take Effect

-October 31, 2016

Federal Banking Regulators Announce New Proposed Cybersecurity Standards

-October 24, 2016

New York State Department of Financial Services Announces Proposed Cybersecurity Regulations

-September 19, 2016

New EU-Wide Rules on Cybersecurity: Watch the Fine Print

-July 22, 2016

The Consumer Financial Protection Bureau and the Future of Class Action Waivers

-July 7, 2016

Teaching an Old Law New Tricks: The 1988 Video Privacy Protection Act in the Modern Era

-July 4, 2016

Drone Privacy: Voluntary Best Practices Released by Multi-Stakeholder Group

-June 13, 2016

The EU-US Privacy Shield

-June 9, 2016