Maneesha Mithal
  • Partner
  • Wilson Sonsini Goodrich & Rosati
United States of America

It’s been a very exciting time to work on data privacy and security issues, and to be involved in shaping federal laws and addressing issues of first impression in this space. I helped to develop rules and provide businesses with guidance in interpreting the Children’s Online Privacy Protection Act (COPPA), Gramm-Leach-Bliley Act, the Fair Credit Reporting Act (FCRA), and the FTC Act. I led the negotiation of over 100 privacy and data security settlements. I also led the Federal Trade Commission (FTC) enforcement action against Wyndham hotels, which resulted in the first litigated FTC decision on cybersecurity issues. And I managed workshops, reports, and industry studies on such issues as broadband privacy, the data broker industry, cross-device tracking, connected cars, facial recognition, and the internet of things.

Data differs from other practice areas in that laws addressing privacy and security have not been around long, so practitioners have the opportunity to exercise creativity in ways that are unique. And because data is the engine that powers so many diverse business models and affects so many legal disciplines, a career in this space gives practitioners the opportunity to learn about a variety of different fields, including information technology, data science, economics, marketing, antitrust, and civil rights.

There are some uncertainties in the legal landscape that create challenges for clients. For example, the FTC recently issued guidance stating that its Health Breach Notification Rule, which on its face applies to vendors of personal health records, applies to a broad array of health apps, many of whom may not have previously considered themselves subject to the rule. More generally, companies are struggling with how to comply with new state and federal laws which apply to vastly different business models. Businesses that don’t get it right – even if they attempt to comply in good faith – face severe consequences. These consequences can range from class action lawsuits with significant damages, as under the Illinois Biometric Privacy Act, to requirements to delete algorithms, as the FTC has mandated in recent cases. Businesses may struggle with requirements to delete entire algorithms, even if the vast majority of information used to create the algorithm was legally collected.

We advise companies to take compliance seriously on the front end, and not just through written policies and procedures. Though documentation is important and necessary, it is not sufficient for a strong compliance program, which typically should include employee training, technical controls, and testing. We also encourage companies to stay abreast of pending legislation so that they can hit the ground running to meet the compliance effective date. If they do find themselves to be the target of an investigation, we urge them to cooperate, provide context, and engage with staff of the relevant enforcement agency.  

Let me mention a few emerging trends I’m following closely. The first is the intersection between competition and privacy. The FTC’s antitrust complaint against Facebook includes references to how Facebook’s allegedly anticompetitive conduct interfered with potential competition on privacy. The second is an increased focus on how data could be used to further racial inequities. Last year, the FTC issued business guidance to highlight that the use of racially biased algorithms could be an unfair practice under the FTC Act. The FTC’s forthcoming rulemaking on privacy will likely address this issue. Third is an emphasis on protecting workers from surveillance by their employers. Biden’s nominee for FTC commissioner, Alvaro Bedoya, has focused on the importance of this issue. And finally, people are talking about the application of privacy laws to NFTs, the metaverse, and other so-called web3 issues.

I would like to see more visibility for women in cybersecurity. There are already so many talented women practising in this space, but at cybersecurity events, I often still see overwhelmingly male-dominated panels. I urge conference organisers to be attuned to this issue and look for opportunities to create more gender-balanced panels. I also urge panel participants to ask about this issue. When I was organising a panel at the FTC, one of the invited panellists stated that he would not agree to be on panels that were not appropriately balanced in terms of racial and gender composition. I’d like to see more of this kind of attention to this issue.

With the general growth in the profession, the number of women in the field has skyrocketed. And it is such a supportive community, with women supporting other women. When I left the FTC to come to private practice, the outpouring of support from my colleagues – even those who would be considered competitors – was overwhelming. And substantively, there is a lot women in the privacy profession can do to help women. When I was at the FTC, I was proud to work on the agency’s first revenge porn cases, as well as cases involving stalkerware apps used by perpetrators of domestic violence to surveil their partners. I think we have opportunities to give back and ensure the safety and security of women through our work on privacy issues.  

A piece of advice I would give aspiring data lawyers is to be flexible, because you never know where your career will take you. You also can’t predict which business models and public policy issues will come to the forefront. When I started my career as an international litigator, I came across the FTC by fluke, when I represented a trade association client. I could never have predicted that as I was joining the FTC, I would be working on issues arising from the EU-US Safe Harbor, which introduced me to privacy, and I could never have predicted that the FTC would create a new privacy division that I would have the privilege to lead. Even today, with privacy being a much more established field, a recent law school graduate may know they want to work on privacy, but they may not know whether they’ll be called on to become an expert in children’s privacy, health privacy, or the FCRA. The advice to be open to new opportunities has served me well, and is virtually a prerequisite for success in this field.
