I figured it might be useful for me to do a quick thread on what a privacy lawyer is and what a privacy lawyer does (plus, I need to redline a contract later and procrastination and all that). So, we're off!
Privacy law is an interesting area. Not only is it tough to describe to non-lawyers and non-tech people, I frequently get this type of response from other lawyers as well:
First: privacy lawyers work A LOT with technology, but not exclusively. Tech pulls in a lot of information and is so pervasive, we deal with it a ton, but privacy extends to visual surveillance, non-digital documents, physical privacy, etc.
In addition, while there are some privacy lawyers that also can code, program, fix your device, hack, etc., many (HELLO) do not have those skills. If you're calling me to fix an IT problem, I have terrible news for you.
Privacy lawyers absolutely should be talking with technologists and engineers ALL. THE. TIME. A ton of them are great people, PLUS they will save your ass over and over by being able to explain to you how the stuff you are trying to safeguard physically and practically works.
When people ask what I do, I often start with the example that is in the news most frequently: I help deal with data breaches.
I'm at a law firm and have clients, so if they get hacked/lose data/have a tech gap/however else they might get breached, I help them address it.
I'm at a law firm and have clients, so if they get hacked/lose data/have a tech gap/however else they might get breached, I help them address it.
We walk them through how to make sure the gap is sealed, look at what data was affected, tell them what notifications they legally have to make and other legal requirements, help draft those/make sure they get to the right authority and people, deal with fallout and PR, etc.
However, data breaches are fairly infrequent and though they're all-hands-on-deck when they happen, the vast majority of my job is other stuff.
Stuff like keeping track of privacy laws for our clients so we know what standards they have to meet/what they can and can't do.
Stuff like keeping track of privacy laws for our clients so we know what standards they have to meet/what they can and can't do.
Some countries and regions have wide-spread rules that are easier to track. The EU has established a baseline privacy law (the GDPR, praise and curse it) and each member-state must meet that standard, but implements it however it chooses (and can make their requirements tougher).
The U.S. is sectoral: there are federal laws in certain areas (HIPAA for medical information, COPPA for kids' information, etc.) and there are several requirements that differ by state (Illinois has fascinating biometric privacy laws, California has strong consumer protection).
Keeping up with all of these and making sure we can clearly and correctly explain to clients what they have to do for certain types of information or for certain consumers is a huge part of the job.
Another part of my job is drafting the Privacy Policies and Terms of Use that nobody reads (HOW DARE YOU, I WORKED SO HARD). These have to be structured in a very specific way - too simple and you're not being honest about use, too complex and it's unreadable and useless.
This balance is obviously very clear and easy to hit each time and I definitely don't do multiple drafts constantly while weeping into coffee.
We also help our clients track how they use data: what they collect and why, how they use it, how they store it, who they share it with, how they protect it, when they delete it, etc.
You should see the flowcharts. Glorious flowcharts.
You should see the flowcharts. Glorious flowcharts.
In ensuring information is protected properly, I deal with a lot of contracts: making sure that vendors our clients use are protecting data, making sure we are allowed to share data and clients are aware, dealing with liability, indemnity, confidentiality, consent, etc.
Finally (and a lot of this is personal to me because of my privacy feelings and background at IAPP and the FTC), I try to do a lot of privacy advocacy and education. Privacy and tech can feel very intimidating and I want it to be accessible and interesting. I want people to care.
So I seek out and discuss new tech, data collection, new laws and terms, etc. and try to distill it where I can so people know how to control their data and demand better from companies and agencies misusing it. As part of that, please ask questions! I love talking about this.
If I'm not responding, either I missed it because my notifications are still messed up (SWEET GOD, WHY) or I am dealing with a work deadline. But ask again! Truly there aren't dumb questions - this is a massive and complex area of law and tech and it is constantly evolving.
Thanks for joining. Cover your webcams.
