Multidisciplinary Teams for Complex Privacy Matters

Led by top practitioners in privacy, cybersecurity, financial services, fintech, intellectual property and related regulatory engagements, criminal investigations and civil litigation, S&C's Privacy Group has the depth and experience to advise companies on the full range of privacy issues that can arise in complex matters.
S&C has worked with clients subject to wide-ranging and diverse privacy laws and regulations, which include the California Consumer Privacy Act (CCPA) and other state privacy laws, the European Union General Data Protection Regulation (GDPR), the Gramm-Leach-Bliley Act (GLB), and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
From startups to well-established companies, clients turn to our multidisciplinary team to collaborate on the development of new products, compliance with local, state, federal and international privacy laws and regulations, and privacy-focused litigation. We help clients incorporate privacy-by-design into their products and product lifecycles and conduct privacy impact assessments that evaluate how they collect, use, disclose and dispose of personal information.
In transactions, we strategize closely with our clients to evaluate personal information at the outset of our engagement and develop creative solutions to avoid potential barriers that might limit the use of that information. We conduct privacy due diligence tailored to a company's data collection practices, industry and geographic scope, revise and negotiate agreements, and assist clients with post-closing data integration or separation.
Areas of focus include:
  • Advising clients on privacy and cybersecurity issues in mergers, acquisitions and joint ventures;
  • Assisting clients in responding to federal, state and international privacy investigations;
  • Developing website, mobile app and offline privacy notices and policies;
  • Providing strategic counseling on privacy issues associated with new business opportunities or consumer marketing programs;
  • Developing cross-border data transfer compliance strategies;
  • Advising on employee privacy issues, including employee monitoring, geolocation tracking and return-to-work programs;
  • Drafting and revising privacy-related disclosures in regulatory filings; and
  • Evaluating the potential impact of privacy-related litigation or investigations on our clients' operations.

Subscribe to receive our insights.
Recent Insights 



Sullivan & Cromwell’s privacy experience has included advising or assisting the following clients:
  • Financial institutions, insurers and manufacturers in describing the impact of new privacy laws, regulations and cross-border data transfer restrictions in their SEC filings.
  • A technology platform in obtaining a preliminary injunction preventing the City of New York from implementing a new ordinance intended to collect personal data about the users of short-term rental platforms.
  • A leading telecommunications provider on data sharing and separation issues following various divestitures, spinoffs and joint ventures.
  • One of Canada’s largest asset managers on financial and employee privacy issues in connection with the opening of a New York office.
  • An online travel website on privacy and cybersecurity issues in connection with an acquisition of a B2B-focused distributor of hotel rooms.
  • A currency settlement services provider on privacy issues in connection with contemplated sales, marketing and promotional activities.
  • A leading global investment bank on cross-border data transfer issues and integration planning in connection with its purchase of a European insurer.
  • A prominent financial institution on data privacy issues in connection with various investments in a number of companies in mobile advertising, real estate, insurance and the business services sectors.
  • One of the largest self-storage facility providers on privacy issues in connection with a sale of assets.
  • Several manufacturers on compliance and disclosure issues associated with the Chinese Personal Information Protection Law and the California Consumer Privacy Act.
  • A large financial institution on conducting a global background check program in accordance with applicable data protection laws and regulations
  • A robotics manufacturer in developing CCPA-compliant privacy notices, terms of use and other website disclosures.
  • A prominent family office on the scope of data subject rights in various data protection laws and regulations across the globe.
  • A technology and mobile app developer in developing CCPA and GDPR compliance procedures and revising privacy policies.
  • A large financial institution on the disclosure of employee personal information in connection with the sale of a subsidiary.
  • Various automobile manufacturers on privacy issues in connection with transactions.
  • A prominent financial institution on international data transfers in connection with U.S. regulatory investigations.
  • An online healthcare platform on privacy compliance obligations associated with a new payment processing initiative.
  • A global investment bank and financial services company on privacy issues in connection with its purchase of an industry-leading, automated wealth management provider.