Congress Begins Consideration of Comprehensive Federal Privacy Legislation


The enactment in June 2018 of California’s sweeping new privacy law, the California Consumer Privacy Act (CCPA), has both increased momentum for enactment of a general federal privacy law and spurred state legislatures to consider privacy bills of their own. A series of widely publicized incidents involving major technology companies’ data handling practices and the coming into force of the European Union’s General Data Protection Regulation (GDPR) have added urgency to both efforts. This report reviews proposals for federal privacy legislation. A companion report will review proposals at the state level.

Federal lawmakers have put forward at least eight proposals over the past year. Two of the eight have been introduced in the current session of Congress. The rest were unveiled in the prior congressional session, and new versions of many of those will likely appear again in the current Congress. We summarize the current status and key provisions of these bills below.

Congressional debate over these proposals and the principles that may animate additional bills will begin in earnest with hearings by the House Energy and Commerce Committee on February 26 and the Senate Commerce Committee on February 27.

Additional Sources of Proposals: NTIA, FTC, Trade Associations, Advocacy Groups 

Congressional consideration of possible federal privacy legislation will likely draw on the results of processes for soliciting public input undertaken by two Executive Branch agencies in 2018.

In September 2018, the Commerce Department’s National Telecommunications and Information Administration (NTIA) published a request for comments (RFC) addressing how the federal government could “advance consumer privacy while protecting prosperity and innovation.” The NTIA sought input on how seven outcomes in privacy practices could best be achieved: (1) transparency; (2) control; (3) reasonable minimization; (4) security; (5) access and correction; (6) risk management; and (7) accountability. The NTIA also identified eight high-level goals for federal action: (1) harmonize the regulatory landscape; (2) legal clarity while maintaining the flexibility to innovate; (3) comprehensive application; (4) employ a risk- and outcome-based approach; (5) interoperability; (6) incentivize privacy research; (7) FTC enforcement; (8) scalability. The NTIA’s request prompted a staggering 204 comments from companies, trade associations, consumer and privacy advocacy organizations, academics, local governments, and interested citizens. Many of these voices are likely to be heard in congressional hearings, and their recommendations are likely to be used by legislators in constructing bills.

In June 2018, the Federal Trade Commission (FTC) announced it would be undertaking a series of public hearings and requests for public comments over the next 9-12 months addressing “whether broad-based changes in the economy, evolving business practices, new technologies, or international developments might require adjustments to competition and consumer protection enforcement law, enforcement priorities, and policy.” Included among the 11 topics on which the FTC sought input were privacy, big data, and consumer protection. The FTC’s requests drew hundreds of responses

In addition to submitting responses to the NTIA and FTC, many trade associations and advocacy organizations have issued their own sets of principles for general federal privacy legislation.1 These too are likely to provide grist for Congress’s legislative mill, as may the voluntary privacy framework being developed by the Commerce Department’s National Institute of Standards and Technology (NIST) through a process similar to the one used to develop its successful cybersecurity framework.2 Finally, in response to a request from Rep. Frank Pallone (D-NJ), the chairman of the House Energy and Commerce Committee, the Government Accountability Office (GAO) recently issued a report recommending “that Congress consider developing comprehensive Internet privacy legislation to better protect consumers.”

Some Key Issues

Key issues Congress will consider as it crafts privacy legislation include: 

  • Covered businesses and other organizations. Will the organizations subject to the law be limited to those with certain kinds of online presences or activities? Will there be thresholds in terms of economic size or of the number of individuals whose personal information is handled? Will non-commercial organizations be covered? Will there be exemptions for certain kinds of businesses or industries based on their coverage by other regulatory frameworks?
  • Definition of covered personal information. The trend in amendments to state data breach laws has been to broaden the kinds of personal information triggering obligations concerning collection, sharing, and disclosure. The CCPA builds on that trend with a definition (akin to that used in the GDPR) under which not only specific data fields are covered but also any information that can be linked to particular individuals (or even households) is included. The federal proposals vary both in the kinds of data they enumerate as covered and in the extent to which they contain a catchall provision reaching broader and perhaps less readily identified types of data. 
  • Rights of individuals. The federal bills vary both in the kinds of data handling they would address—collection, storage, use for marketing, disclosing or selling to third parties—and the kinds of control they would give individuals over their personal data, e.g., correction, restrictions on handling, or deletion. They also vary in establishing opt-in or opt-out consent requirements for different uses of personal information. 
  • FTC authority. Most of the federal proposals entrust their enforcement to the FTC, under its mandate to prevent “unfair or deceptive acts or practices.” State attorneys general are also generally permitted to sue on behalf of their citizens. But the bills are divided on what authority the FTC should be given to promulgate rules to shape the substance of the governing legal framework and on whether the FTC or state attorneys general should be empowered to seek civil penalties for violations. Currently, the FTC does not have the authority to seek civil penalties for privacy or data security violations under Section 5 of the FTC Act in the first instance.
  • Preemption. One of the central impetuses for federal privacy legislation is to avoid a patchwork of inconsistent state laws. But the federal bills released so far vary considerably in whether they address preemption directly and, if so, the scope of the preemptive effect provided.
  • Private right of action. Will affected individuals be permitted to sue over alleged violations and, if so, with what remedies? The CCPA permits private claims over data breaches but not privacy violations, and the federal proposals floated so far have refrained from authorizing private suits.

Proposed Federal Bills

1. American Data Dissemination (ADD) Act (S. 142)

Current status: Introduced by Sen. Rubio (R-FL) in January 2019, the bill has been referred to the Committee on Commerce, Science, and Transportation.

Key provisions:

  • Would not impose substantive requirements, but would create a process for establishing requirements for companies that “provide services using the Internet” akin to the requirements that apply to federal agencies under the Privacy Act.
  • The FTC would have six months from the ADD Act’s enactment to submit recommendations to Congress for privacy legislation that would be “substantially similar, to the extent practicable, to the requirements applicable to agencies under the Privacy Act of 1974.”
  • If Congress fails to enact a qualifying law within two years of the ADD Act’s enactment, the FTC would be required to promulgate final regulations in the following three months based on the ADD Act’s specifications.
  • Those specifications include:
    • a prohibition on disclosure without prior consent except under specific exemptions, including when the use is compatible with the purpose of collection;
    • an obligation to keep records of disclosures;
    • access and correction rights;
    • an exemption for certain small, newly formed businesses;
    • exemptions for personal information governed by the Health Insurance Portability and Accountability Act (HIPAA) and its regulations or by the Family Educational Rights and Privacy Act of 1974 (FERPA);
    • FTC authority to resolve possible conflicts between the ADD Act, on the one hand, and the Children’s Online Privacy Protection Act (COPPA) or Gramm-Leach Bliley Act (GLBA) and their implementing regulations, on the other; and
    • enforcement by the FTC.
  • The ADD Act or regulations issued pursuant to it would supersede state law “relating to a covered provider, to the extent that the provision relates to the maintenance of: (1) records covered by [the ADD] Act; or (2) any other personally identifiable information or personal identification information.”

2. Social Media Privacy and Consumer Rights Act (S. 189)

Current status: Originally introduced by Sen. Klobuchar (D-MN) and Sen. Kennedy (R-LA) in April 2018 (as S. 2728), the bill was reintroduced in January 2019 and referred to the Committee on Commerce, Science, and Transportation.

Key provisions:

  • Operators of “covered online platforms,” defined as “any public-facing website, web application, or digital application (including a mobile application),” would be required:
    • to give consumers prior notice and the ability to opt out of collection and use by third parties of “personal data of the user produced during the online behavior of the user, whether on the online platform or otherwise,” both when the user first opens an account and whenever a new product results in new forms of data collection or use;
    • to disclose terms of service, including concerning collection and use of personal data, in a form that is “easily accessible,” “of reasonable length,” “clearly distinguishable from other matters,” and stated in “language that is clear, concise, and well organized”;
    • to maintain and publish a description of their privacy and data security program, including who would have access to users’ personal data and for what purposes and how privacy risks of new products will be addressed;
    • to provide consumers, upon request, with a copy of their personal data and a list of persons who received the data from the operator, free of charge and in an easily accessible form;
    • to notify affected users of transfers of personal data in violation of the operator’s privacy or data security policies within 72 hours of the company's becoming aware of the violation and provide options to prevent the company’s further collection, use, storage, and/or sharing of the consumer’s personal data; and
    • to audit their privacy and data security program every two years.
  • Many of the bill’s requirements would not apply to the development of “privacy-enhancing technology.”
  • The FTC, state attorneys general, and other state consumer protection officials could enforce the law; the FTC’s authority would extend to nonprofit organizations and common carriers.

3. Data Care Act (S. 3744)

Current status: Introduced by Sen. Schatz (D-HI) and 14 other Democratic Senators in December 2018, the bill has not been re-introduced in the current congressional session.

Key provisions:

  • “Online service providers,” defined as entities “engaged in interstate commerce over the internet or any other digital network” and that “in the course of business, collect[] individual identifying data about end users,” would be required to fulfill fiduciary duties of care, loyalty, and confidentiality.
    • The duty of care would require service providers to “reasonably secure individual identifying data from unauthorized access” and promptly notify affected end users of a breach of that duty.
    • The duty of loyalty would prohibit a service provider from using individual identifying data or data derived from individual identifying data to benefit the service provider to the detriment of an end user and that would result in reasonably foreseeable and material physical or financial harm to an end user or would be unexpected and highly offensive to a reasonable end user.
    • The duty of confidentiality would prohibit service providers from disclosing or sharing individual identifying data except as consistent with the duties of care and loyalty; require the service provider to enter into a contract with the recipient imposing on the recipient the same fiduciary duties; and require the service provider to audit the practices of the recipient to ensure its fulfillment of the duties.
  • The FTC would be given rulemaking authority to exempt categories of online service providers from the law—considering the privacy risks based on such factors as size, complexity and nature of offerings, and sensitivity of consumer information handled and the costs and benefits of coverage—and to create more detailed breach notification requirements.
  • The FTC, state attorneys general, and state consumer protection officials would have enforcement authority; the FTC’s authority would extend to nonprofit organizations and common carriers.
  • The bill explicitly states that it would not preempt state laws or regulations (or supersede other federal laws or regulations).

4. Consumer Data Protection Act

Current status: Sen. Wyden (D-Or) released a discussion draft in November 2018. The bill has not yet been introduced.

Key provisions:

  • “Covered entities” would be defined as persons, partnerships or corporations over which the FTC has jurisdiction and which (i) had at least $50 million in average annual gross receipts for the three prior years; (ii) had personal information on at least 1 million consumers and 1 million consumer devices; and (iii) was a data broker or other commercial entity that, “as a substantial part of its business, collects, assembles, or maintains personal information personal information concerning an individual who is not a customer or an employee of that entity in order to sell or trade the information or provide third-party access to the information.”
  • The FTC would be given rulemaking authority to define and enforce:
    • reasonable cybersecurity and privacy practices and procedures,
    • consumer access and correction rights for stored personal information, and
    • disclosure to consumers of third parties with whom data is shared.
  • Covered entities that have not less than $1 billion in annual revenue and that collect, store, or use personal information on more than 1 million consumers or consumer devices or ones that collect, use, or store personal information of more than 50 million consumers or consumer devices would be required to submit to the FTC annual data protection reports—certified to by their CEO and Chief Information Security Officer (CISO)—describing in detail how they were in compliance with regulations issued by FTC.
  • The FTC would be required within two years of enactment to create a “Do Not Track” website that would allow consumers to opt out of the sharing, storage, and use of their personal information.
  • Covered entities would be able to offer free services in exchange for being allowed to share consumers’ information, but they would be required to provide a paid option and clear and conspicuous notice of the terms; the price of the paid option could not be greater than the value to the company of the consumer’s data.
  • The FTC would be given civil penalty authority, up to $50,000 per violation or 4% of annual gross revenue, whichever is greater.

5. Consumer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act (S. 2639/H.R. 5815)

Current status: Introduced by Sen. Markey (D-MA) and Sen. Blumenthal (D-CT) in April 2018, the bill was referred to the Committee on Commerce, Science, and Transportation.

Key provisions:

  • “Edge providers” would be defined as providers of a service over the Internet, or using a software program, mobile application or connected device, that requires subscribers to share various kinds of personal information, requires users to sign up for an account, requires users to purchase the service without an account, or provides a search function
  • The FTC would be required to promulgate regulations within one year of enactment that would require edge providers:
    • to notify consumers about the types of sensitive personal information they collect, use, and share, and for what purposes;
    • to provide opt-in consent for the use, sharing, or sale of sensitive personal information;
    • to ensure that deidentified sensitive personal information cannot be re-identified;
    • to assess the reasonableness of any discounts or incentives they offer consumers in exchange for consent to use or share their sensitive personal information;
    • to serve consumers regardless of whether they consent to the use and sharing of their data;
    • to maintain reasonable data security practices; and
    • to notify customers of a breach of sensitive personal information when harm is reasonably likely.
  • Various federal agencies would have enforcement authority over companies within their jurisdiction; the FTC would have jurisdiction outside those jurisdictions, including over telecommunications companies; state attorneys general would also have enforcement authority.

6. Information Transparency & Personal Data Control Act (H.R. 6864)

Current status: Introduced by Rep. DelBene (D-WA-1) and Rep. Jeffries (D-NY-8) in September 2018, the bill was referred to the Committee on Energy and Commerce.

Key provisions:

  • The FTC would be required to promulgate regulations within one year of enactment requiring operators of websites or online services that are within the FTC’s jurisdiction or that are common carriers within the jurisdiction of the Federal Communications Commission (FCC) and that collect, buy, or use sensitive personal information:
    • to provide users with notice of a privacy and data use policy in clear, concise, intelligible form and in clear and plain language, which must identify the types of information collected, used, and shared, with which third parties, and for what uses;
    • to provide users with express opt-in consent to any functionality involving the collection, storage, use, or sharing of sensitive personal information (except where consistent with the company’s relationship with the user);
    • to provide users with opt-out consent for the collection, storage, use, or sharing of other personal information; and
    • to undertake annual privacy audits by outside evaluators.
  • Several kinds of operations would be exempted: those necessary for preventing and detecting fraud; protecting the security of people or systems; protecting the health, safety, rights or property; providing information in response to valid legal process; and monitoring and enforcing agreements between a covered operator and another party.
  • The FTC, state attorneys general, and other authorized state officers would have enforcement authority.

7. Application Privacy, Protection, and Security (APPS) Act (H.R. 6547)

Current status: Introduced by Rep. Johnson (D-GA-4) and four other Representatives from both parties in July 2018, the bill was referred to the Subcommittee on Digital Commerce and Consumer Protection of the House Energy and Commerce Committee.

Key provisions:

  • Developers of mobile apps subject to the jurisdiction of the FTC would be required:
    • to provide notice to users of their personal data collection, use, storage, and sharing practices before collecting personal data about the user, including identifying the types of personal data collected, the parties with which personal data is shared, and the uses for which the data is used and shared;
    • to get users’ consent before collecting personal data about them;
    • to provide users with a method to withdraw consent; and
    • to take reasonable and appropriate steps to prevent unauthorized access to personal data and de-identified data collected by the app.
  • The FTC would be required to issue implementing regulations within one year of enactment, including with respect to the form of the required notice.
  • Both the FTC and state attorneys general would have enforcement authority.
  • The bill contains a safe harbor for companies that comply with a code of conduct developed through the NTIA's multi-stakeholder process and approved by the FTC.
  • The bill states that it and its implementing regulations would preempt only state laws that conflict with them, specifically relate to the treatment of personal data or de-identified data, and provide a level of transparency, user control, or security in the treatment of personal data or de-identified data lower than that provided by the bill.

8. Data Broker Accountability and Transparency Act (H.R. 6548/S. 1815)

Current status: The House version was introduced by Rep. Johnson (D-GA-4) and three other Democratic Representatives in July 2018. It was referred to the Subcommittee on Digital Commerce and Consumer Protection. The Senate version was introduced by Sen. Markey (D-MA), Sen. Sanders (I-VT), and three other Democratic Senators in September 2017. It was referred to the Committee on Commerce, Science, and Transportation.

Key provisions:

  • Covered data brokers, defined as commercial entities that collect, assemble, or maintain personal information about individuals who are not customers or employees in order to sell or provide third parties access to that information, would be:
    • prohibited from obtaining or disclosing or attempting to obtain or disclose personal information or any other information relating to a person by making a false, fictitious, or fraudulent representation;
    • prohibited from soliciting any other person to obtain or disclose such information in such fraudulent ways;
    • required to provide individuals with a means to review at the individual’s request at least once per year information that specifically identifies the individual and to dispute the accuracy of such information;
    • required to correct inaccurate information within a period specified by the FTC by regulation;
    • required to give individuals a reasonable opportunity to express their preference that their information not be used or shared for marketing purposes;
    • required to maintain a website providing individuals with clear notice about the access, dispute, and correction process in a form specified by the FTC by regulation; and
    • required to establish measures that facilitate auditing its compliance.
  • The FTC would have rulemaking authority to flesh out the law’s requirements, including modifying the definition of “personal information,” and to create exceptions.
  • Both the FTC and state attorneys general would have enforcement authority.
  • Companies subject to the Fair Credit Reporting Act (FCRA) would remain subject to FCRA rather than this law.


WilmerHale’s Cybersecurity and Privacy Practice will continue to track and provide periodic reports on the development of federal privacy legislation over the course of 2019. 

Footnotes -

  1. See, e.g., US Chamber of Commerce; Internet Association; Business Software Alliance; National Retail Federation; American Bar Association; American Bankers Association; Center for Democracy & Technology; Center for Democracy & Technology; Electronic Frontier Foundation; Information Technology & Innovation Foundation. The US Chamber of Commerce has also recently issued a draft model federal privacy bill.
  2. Our alert on the NIST privacy framework process is here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© WilmerHale | Attorney Advertising

Written by:


WilmerHale on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide

JD Supra Privacy Policy

Updated: May 25, 2018:

JD Supra is a legal publishing service that connects experts and their content with broader audiences of professionals, journalists and associations.

This Privacy Policy describes how JD Supra, LLC ("JD Supra" or "we," "us," or "our") collects, uses and shares personal data collected from visitors to our website (located at (our "Website") who view only publicly-available content as well as subscribers to our services (such as our email digests or author tools)(our "Services"). By using our Website and registering for one of our Services, you are agreeing to the terms of this Privacy Policy.

Please note that if you subscribe to one of our Services, you can make choices about how we collect, use and share your information through our Privacy Center under the "My Account" dashboard (available if you are logged into your JD Supra account).

Collection of Information

Registration Information. When you register with JD Supra for our Website and Services, either as an author or as a subscriber, you will be asked to provide identifying information to create your JD Supra account ("Registration Data"), such as your:

  • Email
  • First Name
  • Last Name
  • Company Name
  • Company Industry
  • Title
  • Country

Other Information: We also collect other information you may voluntarily provide. This may include content you provide for publication. We may also receive your communications with others through our Website and Services (such as contacting an author through our Website) or communications directly with us (such as through email, feedback or other forms or social media). If you are a subscribed user, we will also collect your user preferences, such as the types of articles you would like to read.

Information from third parties (such as, from your employer or LinkedIn): We may also receive information about you from third party sources. For example, your employer may provide your information to us, such as in connection with an article submitted by your employer for publication. If you choose to use LinkedIn to subscribe to our Website and Services, we also collect information related to your LinkedIn account and profile.

Your interactions with our Website and Services: As is true of most websites, we gather certain information automatically. This information includes IP addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp and clickstream data. We use this information to analyze trends, to administer the Website and our Services, to improve the content and performance of our Website and Services, and to track users' movements around the site. We may also link this automatically-collected data to personal information, for example, to inform authors about who has read their articles. Some of this data is collected through information sent by your web browser. We also use cookies and other tracking technologies to collect this information. To learn more about cookies and other tracking technologies that JD Supra may use on our Website and Services please see our "Cookies Guide" page.

How do we use this information?

We use the information and data we collect principally in order to provide our Website and Services. More specifically, we may use your personal information to:

  • Operate our Website and Services and publish content;
  • Distribute content to you in accordance with your preferences as well as to provide other notifications to you (for example, updates about our policies and terms);
  • Measure readership and usage of the Website and Services;
  • Communicate with you regarding your questions and requests;
  • Authenticate users and to provide for the safety and security of our Website and Services;
  • Conduct research and similar activities to improve our Website and Services; and
  • Comply with our legal and regulatory responsibilities and to enforce our rights.

How is your information shared?

  • Content and other public information (such as an author profile) is shared on our Website and Services, including via email digests and social media feeds, and is accessible to the general public.
  • If you choose to use our Website and Services to communicate directly with a company or individual, such communication may be shared accordingly.
  • Readership information is provided to publishing law firms and authors of content to give them insight into their readership and to help them to improve their content.
  • Our Website may offer you the opportunity to share information through our Website, such as through Facebook's "Like" or Twitter's "Tweet" button. We offer this functionality to help generate interest in our Website and content and to permit you to recommend content to your contacts. You should be aware that sharing through such functionality may result in information being collected by the applicable social media network and possibly being made publicly available (for example, through a search engine). Any such information collection would be subject to such third party social media network's privacy policy.
  • Your information may also be shared to parties who support our business, such as professional advisors as well as web-hosting providers, analytics providers and other information technology providers.
  • Any court, governmental authority, law enforcement agency or other third party where we believe disclosure is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals' personal safety, or to detect, prevent, or otherwise address fraud, security or safety issues.
  • To our affiliated entities and in connection with the sale, assignment or other transfer of our company or our business.

How We Protect Your Information

JD Supra takes reasonable and appropriate precautions to insure that user information is protected from loss, misuse and unauthorized access, disclosure, alteration and destruction. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. You should keep in mind that no Internet transmission is ever 100% secure or error-free. Where you use log-in credentials (usernames, passwords) on our Website, please remember that it is your responsibility to safeguard them. If you believe that your log-in credentials have been compromised, please contact us at

Children's Information

Our Website and Services are not directed at children under the age of 16 and we do not knowingly collect personal information from children under the age of 16 through our Website and/or Services. If you have reason to believe that a child under the age of 16 has provided personal information to us, please contact us, and we will endeavor to delete that information from our databases.

Links to Other Websites

Our Website and Services may contain links to other websites. The operators of such other websites may collect information about you, including through cookies or other technologies. If you are using our Website or Services and click a link to another site, you will leave our Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We are not responsible for the data collection and use practices of such other sites. This Policy applies solely to the information collected in connection with your use of our Website and Services and does not apply to any practices conducted offline or in connection with any other websites.

Information for EU and Swiss Residents

JD Supra's principal place of business is in the United States. By subscribing to our website, you expressly consent to your information being processed in the United States.

  • Our Legal Basis for Processing: Generally, we rely on our legitimate interests in order to process your personal information. For example, we rely on this legal ground if we use your personal information to manage your Registration Data and administer our relationship with you; to deliver our Website and Services; understand and improve our Website and Services; report reader analytics to our authors; to personalize your experience on our Website and Services; and where necessary to protect or defend our or another's rights or property, or to detect, prevent, or otherwise address fraud, security, safety or privacy issues. Please see Article 6(1)(f) of the E.U. General Data Protection Regulation ("GDPR") In addition, there may be other situations where other grounds for processing may exist, such as where processing is a result of legal requirements (GDPR Article 6(1)(c)) or for reasons of public interest (GDPR Article 6(1)(e)). Please see the "Your Rights" section of this Privacy Policy immediately below for more information about how you may request that we limit or refrain from processing your personal information.
  • Your Rights
    • Right of Access/Portability: You can ask to review details about the information we hold about you and how that information has been used and disclosed. Note that we may request to verify your identification before fulfilling your request. You can also request that your personal information is provided to you in a commonly used electronic format so that you can share it with other organizations.
    • Right to Correct Information: You may ask that we make corrections to any information we hold, if you believe such correction to be necessary.
    • Right to Restrict Our Processing or Erasure of Information: You also have the right in certain circumstances to ask us to restrict processing of your personal information or to erase your personal information. Where you have consented to our use of your personal information, you can withdraw your consent at any time.

You can make a request to exercise any of these rights by emailing us at or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

You can also manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard.

We will make all practical efforts to respect your wishes. There may be times, however, where we are not able to fulfill your request, for example, if applicable law prohibits our compliance. Please note that JD Supra does not use "automatic decision making" or "profiling" as those terms are defined in the GDPR.

  • Timeframe for retaining your personal information: We will retain your personal information in a form that identifies you only for as long as it serves the purpose(s) for which it was initially collected as stated in this Privacy Policy, or subsequently authorized. We may continue processing your personal information for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of this Privacy Policy. For example, if you are an author, your personal information may continue to be published in connection with your article indefinitely. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
  • Onward Transfer to Third Parties: As noted in the "How We Share Your Data" Section above, JD Supra may share your information with third parties. When JD Supra discloses your personal information to third parties, we have ensured that such third parties have either certified under the EU-U.S. or Swiss Privacy Shield Framework and will process all personal data received from EU member states/Switzerland in reliance on the applicable Privacy Shield Framework or that they have been subjected to strict contractual provisions in their contract with us to guarantee an adequate level of data protection for your data.

California Privacy Rights

Pursuant to Section 1798.83 of the California Civil Code, our customers who are California residents have the right to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes.

You can make a request for this information by emailing us at or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

Some browsers have incorporated a Do Not Track (DNT) feature. These features, when turned on, send a signal that you prefer that the website you are visiting not collect and use data regarding your online searching and browsing activities. As there is not yet a common understanding on how to interpret the DNT signal, we currently do not respond to DNT signals on our site.

Access/Correct/Update/Delete Personal Information

For non-EU/Swiss residents, if you would like to know what personal information we have about you, you can send an e-mail to We will be in contact with you (by mail or otherwise) to verify your identity and provide you the information you request. We will respond within 30 days to your request for access to your personal information. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why. If you would like to correct or update your personal information, you can manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard. If you would like to delete your account or remove your information from our Website and Services, send an e-mail to

Changes in Our Privacy Policy

We reserve the right to change this Privacy Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our Privacy Policy will become effective upon posting of the revised policy on the Website. By continuing to use our Website and Services following such changes, you will be deemed to have agreed to such changes.

Contacting JD Supra

If you have any questions about this Privacy Policy, the practices of this site, your dealings with our Website or Services, or if you would like to change any of the information you have provided to us, please contact us at:

JD Supra Cookie Guide

As with many websites, JD Supra's website (located at (our "Website") and our services (such as our email article digests)(our "Services") use a standard technology called a "cookie" and other similar technologies (such as, pixels and web beacons), which are small data files that are transferred to your computer when you use our Website and Services. These technologies automatically identify your browser whenever you interact with our Website and Services.

How We Use Cookies and Other Tracking Technologies

We use cookies and other tracking technologies to:

  1. Improve the user experience on our Website and Services;
  2. Store the authorization token that users receive when they login to the private areas of our Website. This token is specific to a user's login session and requires a valid username and password to obtain. It is required to access the user's profile information, subscriptions, and analytics;
  3. Track anonymous site usage; and
  4. Permit connectivity with social media networks to permit content sharing.

There are different types of cookies and other technologies used our Website, notably:

  • "Session cookies" - These cookies only last as long as your online session, and disappear from your computer or device when you close your browser (like Internet Explorer, Google Chrome or Safari).
  • "Persistent cookies" - These cookies stay on your computer or device after your browser has been closed and last for a time specified in the cookie. We use persistent cookies when we need to know who you are for more than one browsing session. For example, we use them to remember your preferences for the next time you visit.
  • "Web Beacons/Pixels" - Some of our web pages and emails may also contain small electronic images known as web beacons, clear GIFs or single-pixel GIFs. These images are placed on a web page or email and typically work in conjunction with cookies to collect data. We use these images to identify our users and user behavior, such as counting the number of users who have visited a web page or acted upon one of our email digests.

JD Supra Cookies. We place our own cookies on your computer to track certain information about you while you are using our Website and Services. For example, we place a session cookie on your computer each time you visit our Website. We use these cookies to allow you to log-in to your subscriber account. In addition, through these cookies we are able to collect information about how you use the Website, including what browser you may be using, your IP address, and the URL address you came from upon visiting our Website and the URL you next visit (even if those URLs are not on our Website). We also utilize email web beacons to monitor whether our emails are being delivered and read. We also use these tools to help deliver reader analytics to our authors to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

Analytics/Performance Cookies. JD Supra also uses the following analytic tools to help us analyze the performance of our Website and Services as well as how visitors use our Website and Services:

  • HubSpot - For more information about HubSpot cookies, please visit
  • New Relic - For more information on New Relic cookies, please visit
  • Google Analytics - For more information on Google Analytics cookies, visit To opt-out of being tracked by Google Analytics across all websites visit This will allow you to download and install a Google Analytics cookie-free web browser.

Facebook, Twitter and other Social Network Cookies. Our content pages allow you to share content appearing on our Website and Services to your social media accounts through the "Like," "Tweet," or similar buttons displayed on such pages. To accomplish this Service, we embed code that such third party social networks provide and that we do not control. These buttons know that you are logged in to your social network account and therefore such social networks could also know that you are viewing the JD Supra Website.

Controlling and Deleting Cookies

If you would like to change how a browser uses cookies, including blocking or deleting cookies from the JD Supra Website and Services you can do so by changing the settings in your web browser. To control cookies, most browsers allow you to either accept or reject all cookies, only accept certain types of cookies, or prompt you every time a site wishes to save a cookie. It's also easy to delete cookies that are already saved on your device by a browser.

The processes for controlling and deleting cookies vary depending on which browser you use. To find out how to do so with a particular browser, you can use your browser's "Help" function or alternatively, you can visit which explains, step-by-step, how to control and delete cookies in most browsers.

Updates to This Policy

We may update this cookie policy and our Privacy Policy from time-to-time, particularly as technology changes. You can always check this page for the latest version. We may also notify you of changes to our privacy policy by email.

Contacting JD Supra

If you have any questions about how we use cookies and other tracking technologies, please contact us at:

- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.