David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation.

David receives regular recognitions from clients and peers for his knowledge and experience in the fields of data privacy and security. The National Law Journal named him a “Cybersecurity and Data Privacy Trailblazer,” JD Supra recognized him four times as one of the most widely read names when it comes to data privacy, cyber security, or the collection and use of data, and Lexology identified him six times as the top “legal influencer” in the area of technology, media, and telecommunications in the United States, the European Union, and in the context of cross-border transfers of information. He is the author of the American Bar Association's primary publication on the European General Data Protection Regulation (GDPR) and is writing the American Bar Association's primary publication on the California Consumer Privacy Act (CCPA).

Virginia is poised to be the second state, after California, to pass comprehensive data privacy legislation. The Virginia Consumer Data Protection Act passed the Senate and the House of Delegates on Feb. 24, 2021, and now awaits the approval of Governor Northam.

Although the Virginia statute will not take effect until Jan. 1, 2023, companies

The California Attorney General was asked to clarify whether the use of “website cookies shared with third parties” constituted the sale of personal information. The Attorney General declined to answer, stating only that whether a particular situation constitutes the sale of information “raises specific legal questions that would require a fact-specific determination, including whether or

While there is relatively little publicly available empirical data concerning website visitors’ interactions with cookie banners, the data that does exist indicates that user acceptance rates are significantly greater depending upon how many options are presented to a website visitor. For example, in one study researchers placed a cookie banner on a website that provided

Businesses often struggle with how to display cookie banners given the complexities of conveying information to individuals that may lack technical expertise, and “banner fatigue” – a term which describes the reality that consumers presented with pop-ups and cookie banners across different websites may not spend time to read each banner before attempting to close

Generally, most cookie banners fall within four broad categories:

  1. Notice-Only Cookie Banners. A notice-only cookie banner discloses to website visitors that the website deploys cookies (and potentially other tracking technologies), but the banner does not give the visitor any direct control concerning the use of cookies. In other words, the website visitor is not

No.

The regulations implementing the CCPA only require that a business utilize reasonable security in the context of personal information collected or processed for specific purposes – i.e., consumer requests and information provided in response to access requests. The Office of the Attorney General (OAG) has stated that what constitutes “reasonable security measures” in these

No.

The CCPA permits consumers to “institute a civil action” only where consumer “nonencrypted or nonredacted personal information” is “subject to an unauthorized access and exfiltration, theft, or disclosure.” [1] The CCPA does not provide a private right of action, nor does it provide statutory damages, if a company violates its obligation to disclose to

The CCPA contains several references to the obligation of a business to, in response to an access request, provide the “specific pieces of personal information” that it has collected about a California resident. [1] Each of those sections is modified by California Civil Code Section 1798.130(a)(2), which states that “the disclosure” required by a business

During the rulemaking process, the Office of the Attorney General was requested to clarify that a business is not required to search for, and produce, “unstructured data” such as paper records in response to an access request. [1] The Attorney General declined the request, stating that the exclusion of “all unstructured data is not as