Emily S. Tabatabai

Partner

Washington, D.C.


Read full biography at www.orrick.com
Emily S. Tabatabai is a partner and founding member of Orrick’s global Cyber, Privacy & Data Innovation Group, which was named Privacy/Data Security Law Firm of the Year by Chambers USA in 2019. She has been recognized by The Legal 500 for her "extraordinary depth of knowledge in student data privacy matters," and by Chambers USA as "an invaluable resource to have when it comes to data privacy and security." 

Emily advises clients on an array of privacy and data management matters, helping clients navigate the complex web of privacy laws, rules, regulations and best practices governing the collection, use, transfer and disclosure of data and personal information. Emily works closely with client business teams and in-house counsel to assess and manage privacy risks, design and deploy compliance programs and implement privacy-by-design approaches to address key compliance objectives while supporting each client’s data innovation strategies and the development and use of cutting-edge digital technologies. She frequently guides child- and student-directed service providers through the complexities of compliance with the Children’s Online Privacy Protection Act (COPPA), the Family Educational Rights and Privacy Act (FERPA), California’s Student Online Personal Information Protection Act (SOPIPA) and similar state student privacy laws and advises companies across the industry spectrum as they work towards compliance with the California Consumer Privacy Act (CCPA). She also represents clients subject to regulatory investigations and litigation involving a spectrum of federal and state laws, including under Section 5 of the Federal Trade Commission Act (FTC Act), COPPA, the Fair Credit Reporting Act (FCRA), Gramm-Leach-Bliley Act (GLBA), the California Online Privacy Protection Act (CalOPPA) and others.

To make the CCPA more accessible, Emily developed Orrick's CCPA Readiness Assessment Tool. The tool provides companies an opportunity to test their compliance with the CCPA and similar laws as a first step to constructing their strategic compliance roadmap.

Emily also has an active consumer protection practice, focused on marketing and promotional issues. She counsels clients on interest-based advertising, sweepstakes and marketing promotions, retail sales and e-commerce platforms, advertising substantiation, new media and social media integration, and SMS text messaging and telemarketing, including matters involving the Telemarketing Sales Rule (TSR), the Telephone Consumer Protection Act (TCPA), the Restore Online Shoppers’ Confidence Act (ROSCA) and state and federal consumer protection statutes.

Emily is a Certified Information Privacy Professional in both U.S. and European privacy law (CIPP/US and CIPP/E) and member of the International Association of Privacy Professionals (IAPP) Publications Advisory Board. She is a frequent speaker on data privacy matters, with a particular focus on children’s privacy (COPPA), student data privacy and EdTech. She was featured as an “Up and Coming” Privacy & Data Security attorney by Chambers USA 2018, 2019, and 2020 and Chambers Global – USA 2020. Clients tell Chambers,“she's been an excellent partner. She has a very good understanding of the practical realities of implementing privacy policies for large companies.” Citing her expertise in the field of educational privacy, student data and ed-tech matters, Chambers reports that clients regard her as “very knowledgeable and truly and expert in this space,” with some saying, “On the student data side, she is unmatched.”

Posts by: Emily Tabatabai

German DPAs Add Further Pressure to EU-US Data Transfers

International Privacy Law

Yesterday, German federal and state (Länder) data protection authorities (“DPAs”) issued a Position Paper following the recent Court of Justice of the European Union (“CJEU”) ruling that struck down the EU-US Safe Harbor Framework. Read an unofficial translation of the German Position Paper here.

Unfortunately, the Position Paper does little to relieve the pressure many organisations are now facing in relation to their cross-Atlantic data transfer mechanisms, particularly those used to transfer data from Germany to the United States.[1] READ MORE

PRIVACY POLICIES AND THE SALE OF CORPORATE ASSETS: It pays to plan ahead to preserve the value of your data assets

privacy policy

Personal data is a valuable corporate asset.  At times, the personal information collected from customers (such as email address, mailing address, phone number, etc.) can be a company’s most valuable asset.  Unfortunately, when a company attempts to sell this asset, it can find the value of the data significantly diminished due to promises made in a privacy policy the company implemented years before it ever contemplated such a sale.

READ MORE

EU Working Party Issues Statement on CJEU’s Invalidation of Safe Harbor Framework

Safe Harbor

The European Court of Justice’s (CJEU) recent decision striking down the EU-US Safe Harbor framework has created significant marketplace uncertainty and left companies scrambling for alternative cross-Atlantic data transfer mechanisms.

READ MORE

Privacy, Security, Risk: What You Missed At IAPP Conference

data privacy

Earlier this month, privacy and security professionals from around the globe gathered for “Privacy. Security. Risk. 2015”—the second joint conference between the International Association of Privacy Professionals and the Cloud Security Alliance Congress (CSA).  Over four days, the conference focused on the evolving interplay between data privacy and security, and featured keynote speeches by leading security blogger Brian Krebs and data privacy and technology journalist Adam Tanner, as well as a highly anticipated panel featuring two top Washington, D.C., consumer protection enforcers:  the Federal Trade Commission’s Jessica Rich and the Federal Communications Commission’s Travis LeBlanc.

We were there to take it all in, and offer these seven key takeaways.

READ MORE

California Updates its Data Breach Notice Statute (Again)—What You Need to Know

California

On October 6, California Governor Jerry Brown signed legislation updating California’s data breach notice statute for the third time in three years.  The news was quickly overshadowed by the CJEU’s decision invalidating the US-EU Safe Harbor Framework on the same day, but the California law amendments should not be overlooked.  The amendments, which update Cal. Civ. Code § 1789.29 (for state agencies) and § 1789.82 (for businesses), were part of a legislative “package deal” of three separate bills mandating a new breach notice format (S.B. 570), defining “encryption” (A.B. 964), and expanding the definition of “personal information” and clarifying substitute notice requirements (S.B. 34).  The amendments will take effect on January 1, 2016.

READ MORE

Notifying Parties In Username/Password Breaches . . . It’s Not Just the Law

username password breach

As we head into the end of 2015, state legislators across the country continue to strengthen, update and, in some instances, broaden the scope of their respective state data breach notification laws.  Specifically, many legislators are expanding the definition of “personal information” that triggers a company’s breach notification obligations beyond traditional data fields such as Social Security Numbers, financial account numbers, and payment card data.

READ MORE

Third Circuit to Wyndham (Part II): “Deceptive” is also “Unfair” in the Cybersecurity Context

In Part I, we discussed the Third Circuit’s finding that the “unfair” prong of the FTC Act does not require the agency to provide specific cybersecurity standards with “ascertainable certainty” to which companies must conform.  In Part II, we discuss the interplay between the FTC’s prohibition on “deceptive” acts and unfair cybersecurity practices.

The FTC has long applied its “deceptive acts” enforcement power to police representations, omissions or practices that are likely to mislead consumers acting reasonably under the circumstances, [1] and its “unfair acts” enforcement power to police acts that likely injure consumers, but which are not reasonably avoidable by the consumers themselves. [2] In the cybersecurity context, the Third Circuit’s landmark decision in FTC v. Wyndham Worldwide Corporation illustrates the “frequent overlap” between deception and unfairness by explicitly linking alleged overstatements in privacy policies to the question of whether security practices are unfair.  Accordingly, companies should exercise serious care in crafting representations in their privacy policies, terms of use, and other consumer-facing statements to validate that those statements closely conform to actual, internal business practices.

READ MORE

Third Circuit to Wyndham (Part I): FTC Not Required to Delineate “Unfair” Cybersecurity Practices

On Monday, the Third Circuit issued a highly anticipated opinion affirming the Federal Trade Commission’s authority to regulate “unfair” cybersecurity practices under Section 5 of the FTC Act.  In allowing the data breach action against Wyndham Worldwide Corporation to proceed, the Court held that Wyndham was “not entitled to know with ascertainable certainty the cybersecurity standards by which the FTC expected it to conform.”  This ruling confirms what many practitioners already know: companies must be particularly attentive to designing and updating policies and programs that not only consider the status quo patchwork of cybersecurity rules and regulations, but that also adapt to the myriad regulatory consent decrees, frameworks, and guidelines that outline the contours of reasonableness in the context of cybersecurity.

READ MORE

Posted in FTC

Roadmap Offers Important Insights on How to Prepare for FTC Data Breach Investigations

On May 20, 2015, Federal Trade Commission Assistant Director Mark Eichorn of the Bureau of Consumer Protection’s Division of Privacy and Identity Protection (DPIP)[1]offered an inside look into the FTC’s investigative process for significant data breaches.

These statements suggest several important opportunities that companies can take advantage of today to lay the ground work to effectively respond to a regulatory investigation following a data breach.  Specifically, companies should be proactive on a number of fronts:  (1) consider whether pre-breach and post-breach cybersecurity assessments and analyses should be managed under the attorney-client privilege and work product protections; (2) ensure that all public, security-relatedrepresentations reflect actual, internal practices; and (3) prepare to reach out to and cooperate with law enforcement early in a data breach investigation.

READ MORE

Posted in FTC

New California Law for Minors Went Into Effect Jan. 1: What You Need to Know to Comply

California S.B. 568, “Privacy Rights for California Minors in the Digital World” (Cal. Bus. & Prof. Code § 22580-22581) took effect on Jan. 1, 2015. Enacted as an amendment to CalOPPA, the law contains two main provisions: 1) the right for a California minor to request the removal of content or information posted online (nicknamed the “Internet Eraser Law”), and 2) restrictions on the advertising of certain products and services to minors.

READ MORE