Emily S. Tabatabai

Partner

Washington, D.C.


Read full biography at www.orrick.com
Emily S. Tabatabai is a partner and founding member of Orrick’s global Cyber, Privacy & Data Innovation Group. She has been recognized by Chambers USA as “an invaluable resource to have when it comes to data privacy and security,” particularly in matters involving state privacy laws, education technology (EdTech) and children’s privacy.

Emily provides strategic counseling and advice on privacy, consumer protection and online safety matters to clients across industries, including retail, ecommerce, mobile apps, gaming, social media, advertising technology (adtech), financial services, education, business services and technology. She also represents clients subject to regulatory investigations, including before the FTC and States Attorneys General, Congressional committees and other regulatory agencies and groups.

Emily provides proactive compliance guidance, and regulatory investigation defense, on a variety of privacy and consumer protection laws, including:

  • U.S. state privacy laws in California, Colorado, Connecticut, Utah, Virginia and other states
  • Children’s Online Privacy Protection Act (COPPA)
  • Online safety laws for kids and teens, including California Age-Appropriate Design Code Act (AADC), Utah Social Media Regulation Act and others
  • Section 5 of the Federal Trade Commission Act (FTC Act) and state unfair and deceptive acts and practices (UDAP) laws
  • Family Educational Rights and Privacy Act (FERPA)
  • California’s Student Online Personal Information Protection Act (SOPIPA), New York’s Education Law 2-d and other state student data privacy laws
  • Illinois’ Biometric Information Privacy Act (BIPA) and other biometric privacy laws
  • Washington My Health My Data Act and other state health privacy laws
  • Fair Credit Reporting Act (FCRA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Telephone Consumer Protection Act (TCPA)
  • Telemarketing Sales Rule (TSR)
  • Restore Online Shoppers’ Confidence Act (ROSCA)

Emily is a frequent speaker on data privacy matters, with a particular focus on children’s privacy (COPPA), student data privacy and EdTech and online safety laws for kids and teens. She has been featured as an “Up and Coming” Privacy & Data Security attorney by Chambers USA and Chambers Global. Clients tell Chambers, “She’s been an excellent partner. She has a very good understanding of the practical realities of implementing privacy policies for large companies.” Citing her expertise in the field of educational privacy, student data and EdTech matters, Chambers reports that clients regard her as “very knowledgeable and truly an expert in this space,” with some saying, “On the student data side, she is unmatched,” and The Legal 500 notes that Emily “is the first port of call for child- and student-directed service providers for compliance advice with COPPA, SOPIPA and CalOPPA regulations.”

Emily also has an active consumer protection practice, focused on marketing and promotional issues. She counsels clients on advertisements and endorsements, retail sales and e-commerce, advertising substantiation, SMS and telemarketing, social media and online advertising.

Posts by: Emily Tabatabai

Privacy Policies and the Sale of Corporate Assets: It pays to plan ahead to preserve the value of your data assets

Personal data is a valuable corporate asset.  At times, the personal information collected from customers (such as email address, mailing address, phone number, etc.) can be a company’s most valuable asset.  Unfortunately, when a company attempts to sell this asset, it can find the value of the data significantly diminished due to promises made in a privacy policy the company implemented years before it ever contemplated such a sale.

A company’s privacy policy sets forth the company’s promises to its consumers as to how it will collect, store, maintain, and share the consumers’ personal data.  In an attempt to appeal to customer privacy concerns, it is common for a company to proclaim in such policies:

We share your personal data only in the ways described in this policy,”

or

We care about our customers and we will never sell or share your personal data.”

Most companies include these statements to highlight their promise not to capitalize on a consumer’s data by selling to third party marketers.  However, many companies do not realize that statements such as these could also severely restrict the company’s ability to sell data as a corporate asset in a company sale, merger, bankruptcy, or similar corporate transaction, unless there is also a clear statement within the policy which permits data to be transferred during the course of such events.

There are steps a company can take leading up to the corporate transaction to smooth the transfer of customer data, such as updating its privacy policy, providing additional notice to consumers, requesting opt-out or opt-in consent to the revised policy and/or the data sale.  Companies that fail to take these steps and attempt to transfer data in a manner that conflicts with promises made in its privacy policy may face regulatory scrutiny or litigation, both of which would ultimately diminish the value of their data assets in any eventual sale.

READ MORE