Reexamining the GDPR's Territorial Scope: Key Takeaways from the European Data Protection Board's New Guidance



In November 2019, the European Data Protection Board (EDPB) issued its final guidance on territorial scope of the General Data Protection Regulation (GDPR), following release of the draft guidelines in November 2018 and a lengthy public consultation period. Comparing the final and draft versions provides critical insight into the EDPB’s current stance on territorial scope, and how its position has changed over the past year. In most cases, the final guidelines clarify a more measured approach to territorial scope, which suggests the EDPB has accepted certain legal and practical limits to the GDPR’s extraterritorial scope. But in some cases, such as how the targeting prong pulls processors not established in the EU into the GDPR’s scope, the guidelines take a more expansive view of the GDPR’s territorial reach. This article explores key takeaways and recommendations from the final guidance.

The GDPR Applies to Processing Activities, Not Organizations

Perhaps the most important general takeaway is the EDPB’s restatement that the GDPR applies to processing activities, not organizations. As the EDPB emphasizes in new language added to the final guidance, this means “certain processing of personal data by a controller or processor might fall within the scope of the Regulation, while other processing of personal data by that same controller or processor might not, depending on the processing activity.” And in new language discussing the scope of the targeting prong, the EDPB stresses “that a controller or processor may be subject to the GDPR in relation to some of its processing activities but not subject to the GDPR in relation to other processing activities.” In determining the GDPR’s application, therefore, we should not analyze whether an organization is subject to the GDPR, but instead whether a particular processing activity in question falls within its scope under Article 3.

The guidance also establishes important limits to Article 3’s “establishment” and ”targeting” prongs that help ensure scope is considered in relation to discrete processing activities, not in relation to an organization as a whole. Take the simple example of a U.S.-based organization with no establishment in the EU that intentionally offers goods to EU data subjects through an e-commerce site (i.e., it “targets” EU data subjects). Although the data processed by the organization in relation to its targeting activity is within the GDPR’s territorial scope (pursuant to Article 3(2)), personal data processed by the organization in any other context, even if it is personal data of EU data subjects, must be separately evaluated to determine whether it is within the GDPR’s scope.

Important considerations for the establishment and targeting prongs are addressed below.

The Establishment Prong

The final guidance retains the EDPB’s generally expansive view of the GDPR’s reach with respect to processing activities by controllers or processors established in the EU. But this reach is not without limits, and the final guidelines emphasize several important limitations on application of the establishment prong under Article 3(1).

  • Where a processing activity is carried out by a controller or processor in the context of the activities of an establishment of that controller or processor in the EU, the EDPB retains an expansive view of the GDPR’s reach. In this scenario, the processing activity is in scope regardless of the actual place of the processing. This means that personal data of non-EU data subjects being processed in a non-EU country may be within the GDPR’s territorial scope under Article 3(1), if the personal data is processed in the context of the activities of an established controller or processor. Many continue to mistakenly believe that a GDPR scoping analysis is tied to a data subject’s EU residency or citizenship. It has nothing to do with either. Where personal data is being processed in the context of the activities of an established controller or processor, the GDPR’s protections apply to personal data of all data subjects whose data is processed, regardless of where those data subjects are located or where the data is processed, and regardless of whether the data subjects have ever set foot in the EU. This follows from the European treatment of data protection as a fundamental right and is a departure from most U.S. state-based data protection and breach notification laws.
  • But an establishment in the EU does not bring every processing activity by an organization within the GDPR’s scope. Processing related to activities of the controller outside the EU remains outside the GDPR’s scope. As the EDPB clarifies in new language, “when an employee is based in the EU but the processing is not being carried out in the context of the activities of the EU-based employee in the Union (i.e. the processing relates to activities of the controller outside the EU), the mere presence of an employee in the EU will not result in that processing falling within the scope of the GDPR.” Therefore, although the bar to determine establishment may be quite low, this does not end the inquiry. To determine whether processing is being carried out in the context of an organization’s establishment in the EU, the guidelines instruct organizations to consider two factors: (1) whether the processing activities of the controller or processor outside the EU are “inextricably linked to the activities of a local establishment in a Member State” and (2) whether “revenue raising” in the EU by the local establishment is “inextricably linked” to the processing of personal data taking place outside the EU and of individuals in the EU.
  • A controller that uses a processor established in the EU is not considered established in the EU solely because it uses a processor established in the EU.
  • Controllers and processors have separate obligations under the GDPR, and scope is considered separately for each entity. For example, a processor established in the EU may be subject to the GDPR’s provisions applicable to processors even though the processing activities of the controller it is working for fall outside the GDPR’s scope.

The Targeting Prong

The EDPB’s final guidance with respect to the targeting prong under Article 3(2) is mixed. It first limits the GDPR’s reach by emphasizing the intentionality required to trigger Article 3(2). But once that prong is triggered, the guidance expands the GDPR’s reach to any non-EU processor whose processing activity is “related to” targeting activity by a controller.

  • Although the GDPR protects all natural persons in the EU, not just EU citizens, there are limits. With respect to offers of services, the targeting prong captures processing activities only for offers that “intentionally, rather than inadvertently or incidentally, target individuals in the EU.” Likewise, with respect to the offering of both goods and services, the EDPB added new language to emphasize that “when goods or services are inadvertently or incidentally provided to a person on the territory of the Union, the related processing of personal data would not fall within the territorial scope of the GDPR.” Importantly, the guidelines now clarify that “if the processing relates to a service that is only offered to individuals outside the EU but the service is not withdrawn when such individuals enter the EU, the related processing will not be subject to the GDPR.”
  • But once an activity triggers the targeting prong, it can sweep both non-EU controllers and their non-EU processors into the GDPR’s scope. In an entirely new section to the final guidance, the EDPB has taken an expansive view of the GDPR’s scope with respect to processors not established in the EU. The EDPB clarifies that processing by a data processor not established in the EU may be subject to the GDPR under Article 3(2) if the processing activities “are related” to the targeting activities of the controller. That is, “where processing activities by a controller relates [sic] to the offering of goods or services or to the monitoring of individuals’ behavior in the Union (‘targeting’), any processor instructed to carry out that processing activity on behalf of the controller will fall within the scope of the GDPR by virtue of Art 3(2) in respect of that processing” (emphasis added). This is a critical clarification that may bring a non-EU processor within the GDPR’s territorial scope even though the processor is not established in the EU and is not the controller targeting individuals in the EU. The guidelines contain a new example (Example 20) in which a U.S. company (the controller) has developed an app that targets EU data subjects and uses a U.S.-based cloud company (the processor) for data storage related to the app. The controller is obviously within the GDPR’s scope because its app targets EU data subjects. Critically, the EDPB’s example states that the U.S.-based processor is also within the GDPR’s extraterritorial scope under Article 3(2) because it is carrying out a “processing activity ‘relating to’ the targeting of individuals in the EU by its controller.” The boundaries around what constitutes “processing activity ‘relating to’ targeting” is poorly defined by the EDPB’s discussion and examples, but non-EU processors should consider a fresh review of their processing activities in light of this guidance.

A single organization may engage in numerous processing activities, each with a different scope

Considering the guidance in total clarifies that an organization – especially one not established in the EU – must examine each processing activity it undertakes in a separate analysis to determine whether the activity falls within the GDPR’s territorial scope. Consider a U.S.-based organization with a small satellite office in Ireland. Although the Irish office almost certainly satisfies the establishment prong under Article 3(1), only the personal data processed in the context of the Irish office’s activities falls within the GDPR’s territorial scope. The Irish establishment does not bring every processing activity carried out by the organization within the GDPR’s territorial scope, and other processing activities must be evaluated separately under Article 3’s two prongs. It is entirely possible, in this scenario, for the single organization to engage in at least three types of processing activities, each with a different scope:

  1. A processing activity related to the context of the Irish office’s activities (e.g., a service offered in Ireland only and administered out of the Irish office), which is within the GDPR’s scope under Article 3(1), regardless of where the processing takes place.
  2. A processing activity related to the targeting of EU data subjects (e.g., an app created by the U.S. office that has nothing to do with the Irish activity and targets EU data subjects generally), which is within the GDPR’s scope under Article 3(2).
  3. A processing activity in the context of the organization’s activities outside the EU (e.g., an app created by the U.S. office that targets U.S. or other non-EU data subjects), which is not within the GDPR’s scope.
Interaction With GDPR Chapter V (Data Transfers)

Disappointingly, the EDPB failed to clarify the interaction between Article 3’s provisions on territorial scope and Chapter V’s provisions on international data transfers, despite public commentary requesting such clarification. This is unfortunate but perhaps expected given the uncertainties on international transfers raised by Brexit and the Schrems II litigation working its way through the Court of Justice of the European Union. In new language added to the final guidelines, the EDPB ducked the question, stating that “the EDPB will further assess the interplay between the application of the territorial scope of the GDPR as per Article 3 and the provisions on international data transfers as per Chapter V. Additional guidance may be issued in this regard, should this be necessary.” Indeed, as noted by public commentary, it is necessary.

In the meantime, controllers and processors should continue to use standard contractual clauses; Privacy Shield, where appropriate; and binding corporate rules, where available to corporate groups. Controllers and processors may also rely on guidance issued by the U.K. Information Commissioner’s Office (ICO) regarding “restricted transfers,” which advises that an international transfer to an organization whose processing of the transferred data is also subject to the GDPR is not a restricted transfer and requires no additional safeguards. But note that this is the ICO’s guidance only; other supervisory authorities may disagree, and the U.K. will likely soon not be a member of the EU.

Article 27 Representatives and Enforcement Against Non-EU Organizations

One of the more interesting clarifications in the final guidelines comes buried in the last section, dealing with representatives of controllers or processors not established in the EU.

This section begins with the expected statement that data controllers or processors subject to the GDPR under Article 3(2) (the targeting prong) must designate a representative in the EU under Article 27, unless one of the limited exceptions in Article 27(2) applies.

The guidance then adds new language that significantly limits the role and potential liability of the representative, in two ways. First, where the draft guidance described maintenance of the Article 30 record of processing activities as a “joint obligation” of the controller or processor and the representative, the final guidance strikes the word “joint” and clarifies that “the controller or processor not established in the Union is responsible for the primary content and update of the record.”

Second, and most important, the final guidance reverses the draft guidance’s suggestion that supervisory authorities may take enforcement action against a representative for a controller’s or processor’s GDPR violations. Edits to the draft language clarify that (1) “[t]he GDPR does not establish a substitutive liability of the representative in place of the controller or processor it represents in the Union” and (2) the representative concept was introduced to “facilitate the liaison with” controllers and processors.

Additional edits replaced aggressive language allowing direct enforcement against representatives with more benign language clarifying that the representative is merely a liaison in the enforcement process: “[I]t was the intention to enable enforcers supervisory authorities to initiate enforcement action against a proceedings through the representative in designated by the same way as against controllers or processors not established in the Union. This includes the possibility to impose for supervisory authorities to address corrective measures or administrative fines and penalties , and to hold representatives liable imposed on the controller or processor not established in the Union to the representative, in accordance its articles 58(2) and 83 of the GDPR. The possibility to hold a representative directly liable is however limited to its direct obligations referred to in article 30 and article 58(1) of the GDPR.” (Stricken language deleted in the final guidelines; italicized language added).

This about-face on direct enforcement against an Article 27 representative has two important consequences. First, eliminating the option for direct enforcement against an Article 27 representative begs the question of how, exactly, supervisory authorities intend to enforce the GDPR against controllers and processors not established in the EU. It seems the EDPB has not yet resolved this question, as the guidance notes in new language that it is currently “considering” the development of “further international cooperation mechanisms” to enforce the GDPR in relation to third countries and international organizations.

Second, because the Article 27 representative is no longer an enforcement hook against a nonestablished controller or processor, organizations that once hesitated to appoint a representative for fear of exposing the organization to enforcement liability may wish to reconsider this decision and check this box in order to avoid noncompliance with Article 27’s requirements.


The EDPB’s final guidance on territorial scope contains important new clarifications and examples that constrain the GDPR’s reach in some cases and expand it in others. Controllers and processors should consider these key takeaways and actions in light of the final guidance:

Applying Article 3’s provisions to a controller’s or processor’s activities requires a nuanced analysis focused on (1) specific processing activities and (2) activities of controllers and processors in separate analyses. The correct analysis is important because it determines the controller’s and processor’s respective obligations as well as the processing agreements and data transfer mechanisms that must be in place.

A similar nuanced analysis is required in the case of a personal data breach to determine (1) whether the data in question is within the GDPR’s scope and (2) the respective notice obligations of a controller and processor, and whether those obligations arise from contractual terms only or direct application of Article 33 (notice to supervisory authorities) and Article 34 (notice to individuals) to the controller or processor.

Controllers and processors that have not revisited how the GDPR applies to their processing activities since 2018 should do so, taking this new guidance into account. This is especially important for controllers and processors based outside the EU.

Processors based outside the EU whose activities are related to a controller’s targeting activity should reexamine how the GDPR may apply to their activities and ensure they are complying with all direct obligations imposed on a processor.

Controllers and processors outside the EU that have not appointed an Article 27 representative should consider appointing one now to satisfy Article 27’s requirement.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising

Written by:


BakerHostetler on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide

JD Supra Privacy Policy

Updated: May 25, 2018:

JD Supra is a legal publishing service that connects experts and their content with broader audiences of professionals, journalists and associations.

This Privacy Policy describes how JD Supra, LLC ("JD Supra" or "we," "us," or "our") collects, uses and shares personal data collected from visitors to our website (located at (our "Website") who view only publicly-available content as well as subscribers to our services (such as our email digests or author tools)(our "Services"). By using our Website and registering for one of our Services, you are agreeing to the terms of this Privacy Policy.

Please note that if you subscribe to one of our Services, you can make choices about how we collect, use and share your information through our Privacy Center under the "My Account" dashboard (available if you are logged into your JD Supra account).

Collection of Information

Registration Information. When you register with JD Supra for our Website and Services, either as an author or as a subscriber, you will be asked to provide identifying information to create your JD Supra account ("Registration Data"), such as your:

  • Email
  • First Name
  • Last Name
  • Company Name
  • Company Industry
  • Title
  • Country

Other Information: We also collect other information you may voluntarily provide. This may include content you provide for publication. We may also receive your communications with others through our Website and Services (such as contacting an author through our Website) or communications directly with us (such as through email, feedback or other forms or social media). If you are a subscribed user, we will also collect your user preferences, such as the types of articles you would like to read.

Information from third parties (such as, from your employer or LinkedIn): We may also receive information about you from third party sources. For example, your employer may provide your information to us, such as in connection with an article submitted by your employer for publication. If you choose to use LinkedIn to subscribe to our Website and Services, we also collect information related to your LinkedIn account and profile.

Your interactions with our Website and Services: As is true of most websites, we gather certain information automatically. This information includes IP addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp and clickstream data. We use this information to analyze trends, to administer the Website and our Services, to improve the content and performance of our Website and Services, and to track users' movements around the site. We may also link this automatically-collected data to personal information, for example, to inform authors about who has read their articles. Some of this data is collected through information sent by your web browser. We also use cookies and other tracking technologies to collect this information. To learn more about cookies and other tracking technologies that JD Supra may use on our Website and Services please see our "Cookies Guide" page.

How do we use this information?

We use the information and data we collect principally in order to provide our Website and Services. More specifically, we may use your personal information to:

  • Operate our Website and Services and publish content;
  • Distribute content to you in accordance with your preferences as well as to provide other notifications to you (for example, updates about our policies and terms);
  • Measure readership and usage of the Website and Services;
  • Communicate with you regarding your questions and requests;
  • Authenticate users and to provide for the safety and security of our Website and Services;
  • Conduct research and similar activities to improve our Website and Services; and
  • Comply with our legal and regulatory responsibilities and to enforce our rights.

How is your information shared?

  • Content and other public information (such as an author profile) is shared on our Website and Services, including via email digests and social media feeds, and is accessible to the general public.
  • If you choose to use our Website and Services to communicate directly with a company or individual, such communication may be shared accordingly.
  • Readership information is provided to publishing law firms and authors of content to give them insight into their readership and to help them to improve their content.
  • Our Website may offer you the opportunity to share information through our Website, such as through Facebook's "Like" or Twitter's "Tweet" button. We offer this functionality to help generate interest in our Website and content and to permit you to recommend content to your contacts. You should be aware that sharing through such functionality may result in information being collected by the applicable social media network and possibly being made publicly available (for example, through a search engine). Any such information collection would be subject to such third party social media network's privacy policy.
  • Your information may also be shared to parties who support our business, such as professional advisors as well as web-hosting providers, analytics providers and other information technology providers.
  • Any court, governmental authority, law enforcement agency or other third party where we believe disclosure is necessary to comply with a legal or regulatory obligation, or otherwise to protect our rights, the rights of any third party or individuals' personal safety, or to detect, prevent, or otherwise address fraud, security or safety issues.
  • To our affiliated entities and in connection with the sale, assignment or other transfer of our company or our business.

How We Protect Your Information

JD Supra takes reasonable and appropriate precautions to insure that user information is protected from loss, misuse and unauthorized access, disclosure, alteration and destruction. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. You should keep in mind that no Internet transmission is ever 100% secure or error-free. Where you use log-in credentials (usernames, passwords) on our Website, please remember that it is your responsibility to safeguard them. If you believe that your log-in credentials have been compromised, please contact us at

Children's Information

Our Website and Services are not directed at children under the age of 16 and we do not knowingly collect personal information from children under the age of 16 through our Website and/or Services. If you have reason to believe that a child under the age of 16 has provided personal information to us, please contact us, and we will endeavor to delete that information from our databases.

Links to Other Websites

Our Website and Services may contain links to other websites. The operators of such other websites may collect information about you, including through cookies or other technologies. If you are using our Website or Services and click a link to another site, you will leave our Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We are not responsible for the data collection and use practices of such other sites. This Policy applies solely to the information collected in connection with your use of our Website and Services and does not apply to any practices conducted offline or in connection with any other websites.

Information for EU and Swiss Residents

JD Supra's principal place of business is in the United States. By subscribing to our website, you expressly consent to your information being processed in the United States.

  • Our Legal Basis for Processing: Generally, we rely on our legitimate interests in order to process your personal information. For example, we rely on this legal ground if we use your personal information to manage your Registration Data and administer our relationship with you; to deliver our Website and Services; understand and improve our Website and Services; report reader analytics to our authors; to personalize your experience on our Website and Services; and where necessary to protect or defend our or another's rights or property, or to detect, prevent, or otherwise address fraud, security, safety or privacy issues. Please see Article 6(1)(f) of the E.U. General Data Protection Regulation ("GDPR") In addition, there may be other situations where other grounds for processing may exist, such as where processing is a result of legal requirements (GDPR Article 6(1)(c)) or for reasons of public interest (GDPR Article 6(1)(e)). Please see the "Your Rights" section of this Privacy Policy immediately below for more information about how you may request that we limit or refrain from processing your personal information.
  • Your Rights
    • Right of Access/Portability: You can ask to review details about the information we hold about you and how that information has been used and disclosed. Note that we may request to verify your identification before fulfilling your request. You can also request that your personal information is provided to you in a commonly used electronic format so that you can share it with other organizations.
    • Right to Correct Information: You may ask that we make corrections to any information we hold, if you believe such correction to be necessary.
    • Right to Restrict Our Processing or Erasure of Information: You also have the right in certain circumstances to ask us to restrict processing of your personal information or to erase your personal information. Where you have consented to our use of your personal information, you can withdraw your consent at any time.

You can make a request to exercise any of these rights by emailing us at or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

You can also manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard.

We will make all practical efforts to respect your wishes. There may be times, however, where we are not able to fulfill your request, for example, if applicable law prohibits our compliance. Please note that JD Supra does not use "automatic decision making" or "profiling" as those terms are defined in the GDPR.

  • Timeframe for retaining your personal information: We will retain your personal information in a form that identifies you only for as long as it serves the purpose(s) for which it was initially collected as stated in this Privacy Policy, or subsequently authorized. We may continue processing your personal information for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of this Privacy Policy. For example, if you are an author, your personal information may continue to be published in connection with your article indefinitely. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
  • Onward Transfer to Third Parties: As noted in the "How We Share Your Data" Section above, JD Supra may share your information with third parties. When JD Supra discloses your personal information to third parties, we have ensured that such third parties have either certified under the EU-U.S. or Swiss Privacy Shield Framework and will process all personal data received from EU member states/Switzerland in reliance on the applicable Privacy Shield Framework or that they have been subjected to strict contractual provisions in their contract with us to guarantee an adequate level of data protection for your data.

California Privacy Rights

Pursuant to Section 1798.83 of the California Civil Code, our customers who are California residents have the right to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes.

You can make a request for this information by emailing us at or by writing to us at:

Privacy Officer
JD Supra, LLC
10 Liberty Ship Way, Suite 300
Sausalito, California 94965

Some browsers have incorporated a Do Not Track (DNT) feature. These features, when turned on, send a signal that you prefer that the website you are visiting not collect and use data regarding your online searching and browsing activities. As there is not yet a common understanding on how to interpret the DNT signal, we currently do not respond to DNT signals on our site.

Access/Correct/Update/Delete Personal Information

For non-EU/Swiss residents, if you would like to know what personal information we have about you, you can send an e-mail to We will be in contact with you (by mail or otherwise) to verify your identity and provide you the information you request. We will respond within 30 days to your request for access to your personal information. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why. If you would like to correct or update your personal information, you can manage your profile and subscriptions through our Privacy Center under the "My Account" dashboard. If you would like to delete your account or remove your information from our Website and Services, send an e-mail to

Changes in Our Privacy Policy

We reserve the right to change this Privacy Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our Privacy Policy will become effective upon posting of the revised policy on the Website. By continuing to use our Website and Services following such changes, you will be deemed to have agreed to such changes.

Contacting JD Supra

If you have any questions about this Privacy Policy, the practices of this site, your dealings with our Website or Services, or if you would like to change any of the information you have provided to us, please contact us at:

JD Supra Cookie Guide

As with many websites, JD Supra's website (located at (our "Website") and our services (such as our email article digests)(our "Services") use a standard technology called a "cookie" and other similar technologies (such as, pixels and web beacons), which are small data files that are transferred to your computer when you use our Website and Services. These technologies automatically identify your browser whenever you interact with our Website and Services.

How We Use Cookies and Other Tracking Technologies

We use cookies and other tracking technologies to:

  1. Improve the user experience on our Website and Services;
  2. Store the authorization token that users receive when they login to the private areas of our Website. This token is specific to a user's login session and requires a valid username and password to obtain. It is required to access the user's profile information, subscriptions, and analytics;
  3. Track anonymous site usage; and
  4. Permit connectivity with social media networks to permit content sharing.

There are different types of cookies and other technologies used our Website, notably:

  • "Session cookies" - These cookies only last as long as your online session, and disappear from your computer or device when you close your browser (like Internet Explorer, Google Chrome or Safari).
  • "Persistent cookies" - These cookies stay on your computer or device after your browser has been closed and last for a time specified in the cookie. We use persistent cookies when we need to know who you are for more than one browsing session. For example, we use them to remember your preferences for the next time you visit.
  • "Web Beacons/Pixels" - Some of our web pages and emails may also contain small electronic images known as web beacons, clear GIFs or single-pixel GIFs. These images are placed on a web page or email and typically work in conjunction with cookies to collect data. We use these images to identify our users and user behavior, such as counting the number of users who have visited a web page or acted upon one of our email digests.

JD Supra Cookies. We place our own cookies on your computer to track certain information about you while you are using our Website and Services. For example, we place a session cookie on your computer each time you visit our Website. We use these cookies to allow you to log-in to your subscriber account. In addition, through these cookies we are able to collect information about how you use the Website, including what browser you may be using, your IP address, and the URL address you came from upon visiting our Website and the URL you next visit (even if those URLs are not on our Website). We also utilize email web beacons to monitor whether our emails are being delivered and read. We also use these tools to help deliver reader analytics to our authors to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

Analytics/Performance Cookies. JD Supra also uses the following analytic tools to help us analyze the performance of our Website and Services as well as how visitors use our Website and Services:

  • HubSpot - For more information about HubSpot cookies, please visit
  • New Relic - For more information on New Relic cookies, please visit
  • Google Analytics - For more information on Google Analytics cookies, visit To opt-out of being tracked by Google Analytics across all websites visit This will allow you to download and install a Google Analytics cookie-free web browser.

Facebook, Twitter and other Social Network Cookies. Our content pages allow you to share content appearing on our Website and Services to your social media accounts through the "Like," "Tweet," or similar buttons displayed on such pages. To accomplish this Service, we embed code that such third party social networks provide and that we do not control. These buttons know that you are logged in to your social network account and therefore such social networks could also know that you are viewing the JD Supra Website.

Controlling and Deleting Cookies

If you would like to change how a browser uses cookies, including blocking or deleting cookies from the JD Supra Website and Services you can do so by changing the settings in your web browser. To control cookies, most browsers allow you to either accept or reject all cookies, only accept certain types of cookies, or prompt you every time a site wishes to save a cookie. It's also easy to delete cookies that are already saved on your device by a browser.

The processes for controlling and deleting cookies vary depending on which browser you use. To find out how to do so with a particular browser, you can use your browser's "Help" function or alternatively, you can visit which explains, step-by-step, how to control and delete cookies in most browsers.

Updates to This Policy

We may update this cookie policy and our Privacy Policy from time-to-time, particularly as technology changes. You can always check this page for the latest version. We may also notify you of changes to our privacy policy by email.

Contacting JD Supra

If you have any questions about how we use cookies and other tracking technologies, please contact us at:

- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.