David A. Zetoony

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation.

David receives regular recognitions from clients and peers for his knowledge and experience in the fields of data privacy and security. The National Law Journal named him a “Cybersecurity and Data Privacy Trailblazer,” JD Supra recognized him four times as one of the most widely read names when it comes to data privacy, cyber security, or the collection and use of data, and Lexology identified him six times as the top “legal influencer” in the area of technology, media, and telecommunications in the United States, the European Union, and in the context of cross-border transfers of information. He is the author of the American Bar Associations primary publication on the European General Data Protection Regulation (GDPR) and is writing the American Bar Associations primary publication on the California Consumer Privacy Act (CCPA).

Follow:

Is an outsourced call center a processor or controller under the GDPR?

By David A. Zetoony on May 14, 2021

Posted in Data collection, Data Privacy & Cybersecurity, GDPR

A controller refers to the entity that determines the “purpose and means” of how personal data will be processed. Determining the “purpose” of processing refers to deciding why information will be processed. Determining the “means” of processing refers to deciding how information will be processed.1 That does not necessarily mean, however, that a controller…

Is a merchant’s bank a processor or controller under the GDPR?

By David A. Zetoony on May 12, 2021

Posted in Data collection, Data Privacy & Cybersecurity, GDPR

Is a market research company a processor or controller under the GDPR?

By David A. Zetoony on May 12, 2021

Posted in Data collection, Data Privacy & Cybersecurity, GDPR

What is considered sensitive personal information?

By David A. Zetoony on May 10, 2021

Posted in CCPA, CPRA, Data collection, European Union, GDPR, Online tracking, Privacy Legislation, Virginia

Some privacy statutes explicitly reference “sensitive” or “special” categories of personal information. While such terms, when used, often include similar data types that are generally considered as raising greater privacy risks to data subjects if disclosed, the exact categories that fall under those rubrics differ between and among statutes. Furthermore, other privacy statutes do not…

Is an accountant a processor or controller under the GDPR?

By David A. Zetoony on May 10, 2021

Posted in Data collection, European Union, GDPR, Online tracking, Privacy Legislation

A controller refers to the entity that determines the “purpose and means” of how personal data will be processed. Determining the “purpose” of processing refers to deciding why information will be processed. Determining the “means” of processing refers to deciding how information will be processed.[1] That does not necessarily mean, however, that a controller…

Is a payroll administrator a processor or controller under the GDPR?

By David A. Zetoony on May 7, 2021

Posted in Data Privacy & Cybersecurity, GDPR

What are the top 10 industries targeted by plaintiffs for CCPA violations?

By David A. Zetoony, Jena M. Valdetero & Sarah C. Schenker on May 6, 2021

Posted in CCPA, Data Privacy & Cybersecurity

The California Consumer Privacy Act provided plaintiffs with a private right of action to pursue statutory damages following data security breaches that impact certain sensitive categories of information and are caused by a business’s failure to institute reasonable and appropriate security. Although the CCPA does not permit private suits with respect to alleged violations of…

Can a processor decide which third parties should have access to personal data?

By David A. Zetoony on May 5, 2021

Posted in Data collection, Data Privacy & Cybersecurity

A controller refers to the entity that determines the “purposes and means” of how personal data will be processed. Determining the “means” of processing refers to deciding “how” information will be processed.1 That does not necessarily mean, however, that a controller must make every decision with respect to the processing of information.

The European…

Can a processor decide whose personal data will be processed?

By David A. Zetoony on May 5, 2021

Posted in Data collection, Data Privacy & Cybersecurity

A controller refers to the entity that determines the “purposes and means” of how personal data will be processed. Determining the “means” of processing refers to deciding “how” information will be processed.1 That does not mean, however, that a controller must make every decision with respect to the processing of information.

The European Data…

What industry is most at risk for CCPA litigation? Hint: It’s not what you think!

By David A. Zetoony, Jena M. Valdetero & Sarah C. Schenker on May 4, 2021

Posted in CCPA, Data Privacy & Cybersecurity, HIPAA

Data Privacy Dish

David A. Zetoony

What are the top 10 industries targeted by plaintiffs for CCPA violations?

Can a processor decide which third parties should have access to personal data?

Can a processor decide whose personal data will be processed?

What industry is most at risk for CCPA litigation? Hint: It’s not what you think!

About Greenberg Traurig