Privacy Law
The policy is a promise. Keep it.
Privacy law in the United States is a patchwork, with no single federal statute covering most consumer data and a growing roster of state laws that reach any business collecting personal information from state residents. Hank advises online and offline businesses on what they can collect, what they have to disclose, and what they owe a customer who asks to see, correct, or delete their data.
Your privacy policy is an enforceable promise, and the fastest way into trouble is to publish one that doesn't match what you do with data. Hank writes the policy to your data practices, what you collect, why, who you share it with, and the rights you have to offer. Texas businesses now answer to the Texas Data Privacy and Security Act, effective July 1, 2024, which gives consumers the right to access, correct, delete, and opt out of the sale of their personal data and of targeted advertising. California, Virginia, Colorado, and a dozen more states impose their own versions, so a company selling nationwide has to satisfy the strictest rule that reaches its customers.
A policy on the website is only the visible part of privacy compliance. Hank drafts the data-processing terms that bind the vendors and platforms that touch your customers' information, builds the process for handling consumer requests within the deadlines the statutes set, and prepares for the breach notification obligations that follow a security incident under Texas law and the laws of every other state. When you collect data from children, sell to European customers, or run promotions that gather entries, he folds COPPA, the GDPR, and the disclosure rules into the same compliance picture instead of treating each as a separate fire.
Hank has counseled eCommerce companies, software and SaaS businesses, marketers, and service providers on building privacy practices that withstand a regulator and a contract audit alike. Every engagement works toward the same result, data practices you can describe accurately, defend if challenged, and rely on as the law keeps changing.
Services Include
- Privacy policies
- Website disclosures
- Data collection practices
- Vendor and platform issues
- Online promotions
- eCommerce compliance support
- Contract privacy provisions
Privacy Law Insights
Privacy Policies for Online Businesses: What the Law Requires and What Platforms Demand
No single federal statute requires every U.S. website to have a privacy policy. But the combined effect of state privacy laws, FTC enforcement authority, and platform requirements means that every online business collecting personal information from users needs one, and the policy must accurately describe the business's data practices.
Read articleCOPPA Compliance for Websites and Apps: What You Must Do Before Collecting Data from Children Under 13
COPPA (the Children's Online Privacy Protection Act, 15 U.S.C. §§ 6501-6506) places parents in control of what personal information is collected from their children online. If your website, app, or online service is directed to children under 13 or has actual knowledge that it's collecting personal information from a child under 13, you must comply with COPPA's notice, consent, and data protection requirements before any collection occurs.
Read articleTexas Data Privacy and Security Act: What It Requires, Who It Covers, and How Texas Businesses Comply
Most Texas businesses that collect personal data from consumers are subject to the Texas Data Privacy and Security Act (TDPSA), codified at Texas Business and Commerce Code Chapter 541. Effective July 1, 2024, the TDPSA regulates how businesses collect, use, store, sell, share, and process the personal data of Texas residents.
Read articleData Breach Notification Under Texas Law: What You Must Do When Personal Information Is Compromised
When a business discovers that sensitive personal information in its possession has been accessed by an unauthorized person, two clocks start running simultaneously. Under Texas Business and Commerce Code § 521.053, the business must notify affected individuals within 60 days of determining that the breach occurred.
Read articleData Processing Agreements: What Your Vendor Contracts Must Include When Third Parties Handle Customer Data
When a business shares customer data with a vendor (a payment processor, a cloud hosting provider, an analytics platform, a CRM system, an email marketing service, or any other third party that receives, stores, or processes personal information on the business's behalf), the relationship must be governed by a written contract that specifies how the vendor handles the data, what it can and can't do with it, and what happens when the relationship ends.
Read articleState Privacy Laws Beyond Texas: What Businesses That Sell Nationwide Must Comply With
As of mid-2026, 20 states have enacted comprehensive consumer data privacy laws, with more legislation pending. There's no federal comprehensive privacy statute, which means every business that collects personal data from customers in multiple states must navigate a patchwork of state laws with different applicability thresholds, different consumer rights, different enforcement mechanisms, and different cure periods.
Read articleRelated Work
Ready to make the right legal move?
Share the issue. Get direct attorney review. Receive a concrete recommendation.
Submit an Inquiry