Build a privacy program that wins trust and closes deals. We provide CIPP-certified legal expertise for CCPA and GDPR compliance through robust documentation.
Fill out the form below to schedule a 1-to-1 consultation call with me!
Privacy is now a core requirement for doing business. Enterprise buyers will not sign contracts without proof of your data security commitments. A single regulatory mistake can cost your company millions and stall your product roadmap.
Uncommon Counsel is a data privacy law firm that understands the technical side of the law. We don’t just write policies; we map your data flows legally and review your tracking disclosures. As your privacy compliance counsel in NYC, we make sure your public-facing promises match your legal obligations, protecting you from the FTC and helping your sales team pass security reviews.
The firm regularly advises clients on a wide range of data security agreements, including:
Clients often seek legal support when reviewing a contract presented by another party, negotiating key terms in a business deal, or developing standardized contract templates for their company.
With nearly 15 years of experience and a sharp focus on intellectual property, data privacy, and commercial contracts, I help businesses navigate complex legal landscapes.
I handle drafting, redlining, and negotiating agreements, including MSAs, Corporate Contracts, Vendor Agreements, DPAs, and Ad-Tech Agreements, as well as designing and implementing full-scale privacy programs. I provide strategic legal support ideal for the fast-moving tech industry.
I’m licensed in California, New York, and Florida and hold CIPP/US and CIPP/E data privacy credentials, as well as the Artificial Intelligence Governance Professional (AIGP) certification.
I work with in-house legal teams and law firms to streamline commercial legal work.
Let’s connect and get things done.
Many contract disputes arise not because a party intended to act unfairly, but because the agreement itself was unclear or incomplete. Common issues that arise in data security contracts include:
We tailor your legal documentation for CCPA, VCDPA, and every other state-specific requirement.
You are responsible for your vendors. We draft and review service provider contracts to protect your user data.
We help you establish legal protocols for handling user data requests so your team stays compliant.
We review your user interface disclosures to ensure your consent banners are legally transparent.
Careful contract drafting and review can prevent these issues before they become disputes.
Uncommon Counsel works with clients at all stages of the contracting process, including:
Many clients engage the firm on an ongoing basis to provide transactional support similar to outside general counsel.
If you need assistance reviewing, drafting, or negotiating a commercial contract, you may schedule a consultation to discuss your matter and determine the appropriate next steps.
A data privacy lawyer helps a business understand what personal data it collects, where risk exists, and what legal steps make sense for the company’s size, products, and customer base. We often help clients draft or update privacy policies, build internal privacy processes, review product flows, advise on consumer rights requests, and negotiate privacy language in vendor and customer agreements. For technology companies, privacy work often overlaps with product counseling, security coordination, marketing practices, and contract strategy. In many companies, privacy questions also intersect with AI law and intellectual property when product design, training data, ownership, and customer commitments all overlap. The right legal support is not about creating drag. It is about helping teams move forward with clearer guardrails and stronger documentation.
A business usually needs a privacy policy as soon as it starts collecting personal information through its website, app, sales process, analytics stack, customer onboarding, or hiring pipeline. The exact requirements depend on the business model, the jurisdictions involved, and the categories of data collected, but many companies wait too long and treat the policy like a website formality. In practice, the policy should match what the business actually does with personal information, who receives it, how long it is kept, and what rights individuals may have. If the document is copied from another site or falls out of date after product changes, it can create unnecessary exposure. We generally recommend treating the privacy policy as part of a broader compliance strategy, not as a one-time publishing task.
The privacy laws that apply depend on where your users are, what information you collect, how you use it, and whether your business meets specific legal thresholds. California privacy law, European data protection law, and other state privacy frameworks may all become relevant depending on how your business operates and grows. The key point is that privacy compliance is rarely just about where a company is incorporated. It is about the actual facts on the ground. A focused review can help determine which laws matter now, which ones may matter next, and where contracts, notices, internal processes, and product decisions should be prioritized first.
In many cases, yes, a startup that shares personal information with service providers, subprocessors, analytics vendors, or customer-requested tools will need a data processing agreement. These agreements often allocate responsibilities around processing instructions, security controls, confidentiality, subprocessor use, deletion or return of data, and support for legal rights requests. We often see startups sign DPAs without checking whether the language actually matches their product architecture or day-to-day operations. That can create obligations the business cannot realistically meet. Privacy terms also need to work alongside the main services agreement, security commitments, and customer-facing promises. For New York businesses negotiating privacy-heavy customer or vendor agreements, our New York commercial contract lawyer work can also be relevant when privacy terms need to align with the broader deal structure.
Data privacy governs how personal information is collected, used, shared, and retained, while data security focuses on protecting that information from unauthorized access, loss, misuse, or disclosure. The two are closely connected, but they are not the same thing. A business can have strong security tools and still have privacy problems if it collects too much data, uses it in ways it never disclosed, or cannot honor consumer rights. On the other side, a polished privacy policy will not fix weak access controls or poor vendor oversight. We usually help clients connect these issues so contracts, disclosures, product decisions, incident planning, and internal responsibilities all work together instead of solving one problem while ignoring another.
A business should review its privacy policy and privacy practices whenever it changes what it collects, how it uses data, which vendors it relies on, where it sells, or what products it offers. A set-it-and-forget-it approach rarely works for growing companies. Product launches, ad tech changes, AI features, customer expansion, new integrations, and international growth can all create a mismatch between real practices and written disclosures. Even when the business model seems stable, a regular review is still wise because laws, guidance, and enforcement priorities continue to evolve. The better question is not whether the document looks current. It is whether the company’s actual data flows, contracts, and internal processes still match what it is telling customers, users, and partners.
A business should look for clear, workable terms on data use, security commitments, subprocessors, incident notice, and end-of-relationship obligations. It should also understand what data the vendor receives, whether the vendor acts as a processor or an independent controller, and whether the contract quietly expands the vendor’s rights to use customer data for its own analytics, training, or product improvement. That issue matters even more in AI and data-heavy environments. We often see vendor review connect directly with privacy, data use rights, and ownership questions, especially when those issues show up together in the same deal.
Yes, a US business can still face GDPR-related questions even if it does not have a European office. The analysis usually turns on how the business operates, which users it targets, whether it offers goods or services in Europe, whether it tracks user behavior there, and how data moves through the product and vendor stack. Companies sometimes assume GDPR does not matter unless they physically expand into Europe, but that is often too narrow. That does not mean every US company needs a full international privacy program on day one. It does mean businesses should avoid blanket assumptions and get a grounded assessment before making public promises or signing broad customer terms.
The first step is to get organized quickly, understand what happened, and preserve facts while assessing whether notice obligations may be triggered. A company needs to understand what systems or vendors were involved, what categories of information may have been affected, and which internal decision-makers need to be looped in right away. At the same time, teams need to avoid inconsistent communications and coordinate legal, technical, and operational responses. In many situations, businesses also need to review customer agreements, vendor contracts, and internal policies for notice and cooperation obligations. We usually find that the most effective incident response starts before an incident happens, with a realistic plan, clear roles, and contract language that supports a workable response.
A growing company can build privacy compliance without slowing teams down by using a lean, repeatable process around its highest-risk workflows. Instead of treating privacy as a last-minute blocker, we usually recommend building practical review steps around product changes, new vendors, customer contracting, marketing practices, and incident response. That may include a current data inventory, a workable legal intake process, standard contract positions, and clear ownership across legal, security, product, and operations. For some businesses, this is exactly where fractional support becomes useful. When privacy is integrated early, deals tend to move more smoothly, product teams make cleaner decisions, and the business is better prepared for customer diligence.
