Photo of Gretchen A. Ramos

Gretchen A. Ramos is Co-Chair of the Data, Privacy & Cybersecurity Practice and focuses her practice on privacy, cybersecurity, and information management. A creative problem-solver with a long track record of success in commercial disputes, she never loses sight of the simple fact that she works in a service industry. Clients appreciate not only her legal skills, but also her direct, no-nonsense approach to client service, including her bullet-pointed emails, snapshot executive summaries, and creativity in finding ways to streamline communications for in-house counsel with dozens of other projects—and little time—on their hands.

Gretchen’s clients come from diverse industries, including technology (SaaS), health care and life sciences, consumer products, manufacturing, academic institutions, and non-profits. She provides clients with practical business advice on compliance with state and federal U.S. laws, GDPR, APEC, and other global privacy laws in relation to their external and internal privacy and security procedures, product and app development, and advertising practices. Gretchen also regularly drafts and negotiates contracts concerning data-related vendors, assists clients in assessing privacy risks in corporate transactions, and provides guidance on and conducts privacy and security assessments. She has managed dozens of data breaches, and helps clients prepare for and immediately respond to security incidents and breaches.

On Aug. 30, 2020, the California legislature passed Assembly Bill 1281 (AB-1281), which would extend the exemptions for “employee” information and business-to-business (B2B) transactions from its original expiration date of Jan. 1, 2021, to Jan. 1, 2022, if approved by the governor.

Read the full GT Alert, “Extension to CCPA’s Employment and

In a major plot twist over the last few days, Brazil’s new General Data Protection Law (Lei Geral de Proteção de Dados Pessoais) – Law No. 13,709/2018 (LGPD) will take effect in two short weeks, after a last-minute decision not to delay its rollout.

The Background: A Very Brief Overview of the LGPD

The LGPD is similar to the EU’s General Data Protection Regulation (GDPR), applying data protection obligations to companies processing personal data regarding Brazilian residents. Among other requirements, the LGPD requires certain legal bases for processing data and provides Brazilian residents with many enumerated rights over their personal data. For a helpful overview of the LGPD’s provisions, including the individual rights, legal bases for processing, and sanctions as enumerated in the legislation, see GT Alert, 6 Months Until Brazil’s LGPD Takes Effect – Are You Ready?
Continue Reading Brazil’s Data Protection Law Will Be Effective After All, But Enforcement Provisions Delayed Until August 2021

On August 14, 2020, the California Attorney General (AG) announced that the Office of Administrative Law (OAL) approved the California Consumer Privacy Act (CCPA) regulations, which will take effect immediately. The OAL’s approval concludes the expedited review process requested by the AG on June 1. For more information on the review process, see GT’s June

The Court of Justice of the European Union (CJEU)’s historic decision in Schrems II, in which the EU-U.S. Privacy Shield was invalidated, requires businesses to rethink the mechanism they can rely on to transfer personal data from the EU to the United States and other countries. After several EU data protection authorities (DPAs) published their reactions, the European Data Protection Board (EDPB), an association comprising, inter alia, national DPAs of all EU Member States, presented its guidance in form of an FAQ.

At the time of its publication, the guidance comprises 12 FAQs. It will be updated with further analysis. While the EDPB notes that supplementary measures may be necessary when using standard contractual clauses (SCCs), it fails to specify what that means but promises to provide more guidance in the future. Summarized below are the key takeaways from the EDPB’s guidance.
Continue Reading EDPB Issues Data Transfer FAQs in the Post Privacy Shield Area

The Court of Justice of the European Union (CJEU)’s historic decision in Schrems II, in which the EU-U.S. Privacy Shield was invalidated, requires businesses to rethink the mechanism they can rely on to transfer personal data from the EU to the United States and other countries. However, how the decision will be enforced remains

The Court of Justice of the European Union (CJEU) declares invalid a decision of the European Commission which attested that the EU-U.S. Privacy Shield provided adequate protection to personal data transferred from the EU to the U.S., if the receiving party had self-certified its adherence to the Privacy Shield Principles. At the same time, the

On June 24, the California Secretary of State announced that the California Privacy Rights Act (CPRA) has qualified as a statewide ballot initiative to be listed on this November’s General Election ballot.

The announcement follows official confirmation that the nonprofit group behind the ballot initiative, Californians for Consumer Privacy, obtained in excess of the 623,212

Following much anticipation, the Office of the California Attorney General (OAG) moved one step closer to the California Consumer Privacy Act (CCPA)’s wide-ranging implementing regulations becoming enforceable by law by filing the final CCPA Regulations with the California Office of Administrative Law (OAL) on June 1.

The CCPA grants the OAG the authority to begin

EDPB says that cookie walls require a tracking-free alternative (not necessarily free of charge) and the German Federal Supreme Court rules against opt-out consent for tracking cookies under German law

Introduction

In 2019, various EU member states issued guidance as to whether opt-in consent is necessary for non-essential cookies, with some guidance suggesting opt-in

With the California Attorney General’s enforcement of the California Consumer Privacy Act (CCPA) beginning on July 1, 2020, businesses are eagerly awaiting the forthcoming final version of the CCPA Regulations to ensure that their compliance is in line with the law and its Regulations. Due to the upcoming CCPA enforcement deadline, and California’s shelter-in-place status,