Heather Antoine - Stubbs Alderton & Markiles, LLP

Heather Antoine and Jeremy Beutler’s article “Small Updates from the California Attorney General Create Major CCPA Impacts” was published by the National Law Review. The timely piece discusses recent actions taken by the California Attorney General to assist consumers draft noncompliance notices to send to businesses that may have violated the California Consumer Privacy Act (CCPA). It also addresses a business's 30-day cure period, explaining that if a business does not remedy the alleged noncompliance within 30 days, the California Attorney General may bring suit and seek civil penalties or an injunction. The article also details updated guidance from the Office of the California Attorney General, requiring companies that collect personal information from consumers online to honor a consumer’s use of the Global Privacy Control (GPC) as a request to opt-out of the sale of personal information.

To read the full article on the National Law Review website, click here.

Heather Antoine and Jeremy Beutler’s article "How Colorado Fits Into Privacy Legislation Trend" was recently published by Law360. Heather and Jeremy detail how the Colorado Privacy Act (CPA) put Colorado on track to become the third state to adopt a consumer privacy law and examine the comprehensive legislation aimed at providing consumers with greater control over their personal data and compelling businesses to handle customers’ personal data more responsibly. The article also analyzes regulations under the CPA as compared to other states’ laws and the European Union's General Data Protection Regulation and provides business owners with guidance on how to navigate the new legislation.

Visit Law360 to read the full article (subscription required).

The firm is pleased to announce that Karine Akopchikyan, Heather Antoine, John De La Merced, Neil Elan, and Celina Kirchner have been named to Thomson Reuters’ prestigious list of 2021 Southern California “Super Lawyers” Rising Stars. Additionally, Heather received enough votes to place her on the “Up-and-Coming 100: 2021 Southern California Rising Stars” and “Up-and-Coming 50: 2021 Women Southern California Rising Stars” lists.

Every year, “Super Lawyers” profiles attorneys in more than 70 different practice areas who have attained a high degree of peer recognition and personal achievements. The list selects the top lawyers in Southern California based on peer nomination, independent research, and peer evaluation. After the "Super Lawyers" research team has completed the screening process, only 2.5 percent of lawyers under the age of 40 years old are granted the title of Rising Stars.

View the Up-and-Coming 100: 2021 Southern California Rising Stars here.

View the Up-and-Coming 50: 2021 Women Southern California Rising Stars here.

Each month, we will feature a Stubbs Alderton & Markiles, LLP practice area to aid our readers in getting to know our firm, and providing insights into these areas of law that may impact your business most often. This month, we put the Spotlight on the Privacy & Data Security Practice team.

Tell us about your background as Privacy & Data Security attorneys. What spurred your interest in this area of practice?

Heather Antoine, Practice Group Co-Chair

I began my journey into privacy and data security law accidentally, when it was still a burgeoning, undefined field. A client inquired as to whether I could provide guidance on privacy issues his company was facing. I hesitated, but he pressed on, commenting, “no one knows what they are doing in this field yet, I’d rather have you learn it.” The skills I used then are the same I use now. These laws are constantly evolving and the ability to learn, and interpret, a new law quickly is both invaluable and essential. This is also what keeps me engaged. The practice of privacy and data security law requires adaptability and creativity. Every business operates differently and requires advice that suits their needs; there is no cookie cutter approach to this practice.

Kevin DeBré, Practice Group Co-Chair

I became a privacy and data security attorney by accident. I was part of the legal team that took Geocities public in 1998. Geocities was a Web 1.0 precursor to today’s social media companies. Two days after its IPO, Geocities was sued by the FTC alleging that Geocities violated its privacy policy and misled consumers by sharing their personal information with advertisers. The company’s share price dropped 15%. It was the first FTC case involving Internet privacy and my first exposure to what would become a new body of law.

I view information and data as a fifth form of intellectual property (the others being patents, copyrights, trademarks and trade secrets). Whether it’s preparing a privacy policy for a website or app, negotiating privacy and data security representations and warranties for the seller in M&A transaction or advising a client on notifying customers of a security breach, privacy and data security has become a critical component of my practice. And, its importance will continue to grow.

Jeremy Beutler:

I think for me, my interest in privacy and data security was spurred by my interest in technology and the impact it has had in areas like business and communications. In college I studied finance and information systems and after college, I took a job in the technology risk management group of a large global bank. I was responsible for conducting various risk assessments on new applications. It was interesting to be there at a time when the bank was moving toward developing a significantly larger mobile app portfolio. As such, there was a strong emphasis on security and privacy issues. Over the course of my time at the bank, I became more closely involved in regulatory issues that impacted the bank's technology and risk department. I enjoyed the subject matter so much I decided to go to law school and become a technology attorney.

Mallory Petroli:

I started my career in Europe working on transatlantic issues. Right around the time I moved back to the United States, the General Data Protection Regulation (GDPR) in Europe was passed, which affected numerous US companies. Because of my transatlantic experience, my practice naturally gravitated to the GDPR and global privacy and technology. I ultimately decided to stay in privacy and technology because it is exciting to be a part of an industry with so much innovation that affects our daily lives on a global scale.

What is the difference between privacy and data security?

The difference is an important one because although they intersect, privacy and data security do not overlap completely.

Privacy is generally viewed as protecting individuals' personal information and the rights individuals have over that information. Privacy laws concern how data is collected, shared, and stored. Privacy laws are typically highly regulatory in nature and include regimes such as the California Consumer Privacy Act, the Health Insurance Portability and Accountability Act, the General Data Protection Regulation (EU/EEA), and the Personal Information Protection and Electronic Documents Act (Canada), to name a small few. These laws create a patchwork of overlapping and sometimes contradictory rules for companies to follow.

Data security is generally viewed as a broader term that relates to safeguarding the confidentiality, integrity and availability of information. Data security applies to more than just personal information - it applies to any data that a company may hold, particularly sensitive information like trade secrets or material nonpublic information. Data security standards are often less formally regulated and can vary from industry to industry and state to state. However, in the event of a data breach, the severity of damages, fines, and other remediation measures may be dependent on the data security standards implemented at your business.

Why is it important that I have an attorney draft my company’s Privacy Policy?

One of the most important things about a privacy policy is that it accurately describes your company's practices with respect to the collection, handling and disclosure of personal information. The policy needs to be drafted to not only comply with laws such as the California Consumer Privacy Act, and General Data Protection Regulation, but also be tailored to your company's specific practices. A lawyer can help to ensure your privacy policy does both of these things.

Moreover, we have seen an increased focus on privacy issues over the past decade, which will only grow in the future. There is a real risk when it comes to privacy policies. The first place regulators will often look to evaluate your privacy compliance is your website. Regulators have opened investigations and fined companies for failing to accurately describe the company’s handling of personal information and consumers have filed claims, including class action suits, when companies fail to handle personal information in the manner described in a privacy policy. That said, your privacy policy is just the start. Privacy must be embedded into the company’s IT, marketing practices, and security. Otherwise, it is just window dressing.

If I think there has been a data breach or cyber incident at my company – what are the first steps that I need to take?

This is a tough question to answer as cyber incidents or breaches come in many forms. The most important steps should be taken even before an incident occurs. Company's should be thinking about developing an incident response plan and creating an incident response team – the team may include members from the IT, operations, HR and communications functions as well as a digital forensics team and outside counsel. The company should also test the incident response plan so that when an incident occurs, it is set up to respond quickly and efficiently.

If a company has experienced a breach, one of the first steps is to assemble of team to respond to the incident. For various reasons, this team should include outside counsel. The next steps after that can vary and may require a few different workstreams, including forensics, remediation, developing and updating a communications plan, and assessing legal obligations and notification requirements. In the event of a suspected breach, please do not delay in taking action.

For more information about our Privacy & Data Security practice at Stubbs Alderton & Markiles, contact Heather Antoine at or Kevin Debré at

Stubbs Alderton & Markiles attorneys Heather Antoine and Mallory Petroli were featured in the Daily Journal for their article “The Rise and Fall of the EU-US Privacy Shield." On July 16, the Court of Justice of the European Union announced its much-awaited decision in the Schremms II case, The court declared that the EU-U.S. Privacy Shield Framework invalid. Finding that the United States cannot provide the requisite level of protection to EU residents' personal data will undoubtedly significantly affect businesses here in the U.S.

To read the full article “The Rise and Fall of the EU-US Privacy Shield" ” visit here.

Heather A. Antoine is a Partner and Chair of the Firm’s Trademark & Brand Protection practice and Co-Chair of the Privacy & Data Security practice group. Heather’s practice focuses on protecting a company’s intellectual property; a fundamental feature of every business. Heather’s practice includes trademark clearance and selection, domestic and foreign trademark prosecution, enforcement, proceedings before the Trademark Trial and Appeal Board (TTAB), licensing, trade secret protection, copyright, rights of publicity, domain names disputes, and general client counseling. Heather believes in supporting companies at each stage – from due diligence when choosing a name, to ongoing brand management, to ensuring portfolios are safeguarded and ready for sale. Heather is also focused on guiding businesses through the ever-expanding maze of privacy laws, both domestically and internationally. This includes drafting website policies, compliance with specific privacy laws (such as the General Data Protection Regulation (GDPR), the Children’s Online Privacy and Protection Act (COPPA), and the California Consumer Privacy Act (CCPA)). Heather works with companies to design and strengthen their privacy and data security policies and practices, to help them prevent data security breaches, and to minimize the risks associated therein.

Mallory Petroli is an Associate in the Firm’s Privacy & Data Security and Intellectual Property & Technology Transactions practice groups. Mallory’s practice focuses on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. She focuses on these issues in the context of: (i) advisory matters, such as new privacy and security laws and regulations around the globe (e.g. GDPR, CCPA, COPPA, PIPEDA, GLBA and others) including the enforcement of foreign judgments, as well as (ii) domestic and international technology transactions related to IoT, blockchain, mobile, cloud, data monetization, and other initiatives, including mergers & acquisitions, sourcing, distributor, business partner, and other third party arrangements. Mallory also counsels companies in crisis matters, such as data security events, regulatory and governmental inquiries related to privacy and security issues, internal investigations, litigation-related matters, and prevention measures. Mallory also regularly assists clients on transactional intellectual property matters such as structuring and negotiating technology commercialization deals and IP license agreements. These include strategic alliances, research and development collaborations, trademark licensing and brand merchandising agreements and manufacturing, distribution and marketing arrangements.

For more information on the EU-U.S. Privacy Shield or our Privacy & Data Security Practice contact Heather Antoine at .

Stubbs Alderton & Markiles attorneys Mallory Petroli and Heather Antoine were featured in the Daily Journal for their article "CCPA Enforcement and Final Regulations." Since the California Consumer Privacy Act went into effect on Jan. 1, many businesses have been eager to receive the promised accompanying regulations. Without the final version of regulations, varying interpretations of the CCPA, and the need to revise policies and procedures on a rolling basis, have been quite burdensome. But the wait is over.

To read the full article "CCPA Enforcement and Final Regulations” visit here.

For more information on our Privacy & Data Security Practice contact Heather Antoine at

Stubbs Alderton & Markiles, LLP is pleased to announce that eight lawyers have been named to the 2020 Southern California Super Lawyers. Super Lawyers is a rating service of outstanding lawyers from more than 70 practice areas who have attained a high-degree of peer recognition and professional achievement. The patented selection process includes independent research, peer nominations and peer evaluations.

Super Lawyers Magazine features the list and profiles of selected attorneys and is distributed to attorneys in the state or region and the ABA-accredited law school libraries. Super Lawyers is also published as a special section in leading city and regional magazines across the country. Lawyers are selected to a Super Lawyers list in all 50 states and Washington, D.C.

Stubbs Alderton & Markiles, LLP would like to congratulate the following attorneys named to the 2020 Super Lawyers list –

Greg Akselrud is a founder and Partner of the firm and a member of the firm’s executive committee. He Chairs the firm’s Internet, Digital Media and Entertainment Practice group. Greg advises clients across a wide range of industries, including companies in the entertainment, digital media, Internet, technology, software, mobile, venture capital and consumer electronics industries.

Scott Alderton is a founding partner of the Firm, Managing Partner, and a member of the Firm’s Executive Committee. Scott is co-chair of the Firm’s Venture Capital and Emerging Growth Practice Group and chair’s the Firm’s Interactive Entertainment and Video Games Group. Scott advises both public and private clients across a number of industries, including technology, manufacturing and distribution of goods in commerce, finance, the Internet, interactive video games, and new media industries.

Kevin D. DeBré is the chair of the Firm’s Intellectual Property & Technology Transactions Practice Group. Kevin advises entrepreneurs and companies that use intellectual property to build their businesses. Kevin has particular expertise in structuring and negotiating technology commercialization and patent licenses, strategic alliances, research and development collaborations, trademark licensing and brand merchandising agreements and manufacturing, distribution and marketing arrangements. He also counsels clients on compliance with data security and privacy laws and regulations.

Jeffrey Gersh is a Partner of the Firm in the Business Litigation Practice. He has litigated, arbitrated, or mediated complex business and commercial matters, for both plaintiffs and defendants, whether individuals, public or private corporations, partnerships, limited liability companies and/or its members, shareholders and partners, involving various types of disputes, including contract matters, trade secrets, intellectual property (trademarks, copyrights and trade dress) negligence and fraud, employment, real estate, license agreements, the apparel and garment industry, and general business matters.

Crystal Jonelis is Senior Counsel in the Firm’s Business Litigation Practice. Crystal is well-versed in all aspects of business and commercial litigation, having overseen numerous cases from inception to winning verdicts (and even the subsequent winning appeals). However, her primary focus is in the area of entertainment and media litigation, with particular emphasis in the anti-SLAPP arena.

Daniel Rozansky is a Partner of the Firm in the Business Litigation Practice. Dan concentrates his practice on entertainment, privacy, First Amendment and complex business and real estate disputes. Dan’s areas of focus are entertainment finance, anti-SLAPP motions, unfair competition, trade secrets, intellectual property, surreptitious tape recording, reality television, profit participation, rights of privacy and publicity, real estate, partnership disputes and First Amendment issues. He represents clients both at the trial and appellate levels in state and federal court on a wide array of issues.

Michael Sherman is an accomplished trial lawyer in high-stakes, “bet-the-company” litigation, and has represented both large and early-stage companies as well as entrepreneurs in all facets of business and complex commercial litigation. He has evenly split his litigation practice on both the plaintiff and defense side of cases, has first-chaired numerous trials in complex matters in industries as varied as energy, securities, healthcare, environmental, consumer products, technology, project development/finance, advertising, real estate and apparel, and is highly skilled in class actions and unfair competition law.

The official Super Lawyers 2020 publication can be read in its entirety here.

For more information about Stubbs Alderton & Markiles, contact Heidi Hubbeling at or (310) 746-9803.

Stubbs Alderton & Markiles' Attorneys Heather Antoine and Karine Akopchikyan have been featured in the Los Angeles Business Journal's "Perspective" column discussing the Patagonia lawsuit dismissal based on claims of fame. The article is titled "Patagonia Survives Dismissal in Trademark Suit Based on Claims of Fame" and to read the full article, click here.

About Patagonia
Patagonia, Inc. is an American clothing company that markets and sells outdoor clothing. The company was founded by Yvon Chouinard in 1973, and is based in Ventura, California. Its logo is the outline of Mount Fitz Roy, the border between Chile and Argentina, in the region of Patagonia visit https://www.patagonia.com/

Heather Antoine is a Partner and Chair of the Firm’s Trademark & Brand Protection practice and Co-Chair of the Privacy & Data Security practice group. Heather’s practice focuses on protecting a company’s intellectual property; a fundamental feature of every business. Heather is also focused on guiding businesses through the ever-expanding maze of privacy laws, both domestically and internationally.

Karine Akopchikyan is a Litigator in the Firm’s Business Litigation Practice group. Karine has extensive experience representing and advising plaintiffs and defendants in a wide range of business and commercial disputes in state and federal courts. She focuses her practice on resolving complex contractual disputes, intellectual property disputes (including copyright, trademark, patent, right of publicity, and trade secret claims), cyber insurance coverage disputes, and disputes involving unfair competition, fraud, and other business torts. In large part, Karine’s success lies in her integrity, diligence, and ability to bring people together.

For more information about our Trademark Practice, contact Heather Antoine at .

Nevada recently voted to amend its existing privacy law, Nevada Revised Statutes: Chapter 603A (“NRS 603A”). This comes on the heels of California’s landmark new law, the California Consumer Privacy Act, more commonly referred to as the “CCPA”, which you can read about here. Starting on October 1, 2019, SB 220 creates new obligations for owners and operators of websites or online businesses. Essentially, it grants consumers the right to restrict operators from engaging in a sale of the consumers information.

Does SB 220 apply to my business?
SB220 may apply if you own or operate a website or online service, collect “covered information” (such as name, address, phone number, etc.) from residents of Nevada, and sell that information to another party. Keep in mind, while some exceptions exist, a “sale” is broadly defined as the exchange of information for monetary gain.

If your business has a website that collects personal information from visitors, and you sell such information to third parties, you will likely be affected by SB 220.

How does SB 220 affect my business?
SB 220 provides consumers the right to opt-out of the sale of their covered information by submitting a request to the operator.

Currently, Nevada law requires operators to post a privacy notice that informs visitors of things like what types of information about them is collected through the website or online service, and with whom the operator might share that information, among others. Now it also requires operators to provide a way for visitors whose information is collected to submit such opt-out requests, such as a dedicated email, website or toll-free number.

The operator must respond to a request within a designated time frame, and then must not “make any sale of any covered information the operator has collected or will collect about that consumer.” The penalties for non-compliance can be severe, as the Attorney General may issue an injunction, or civil penalties of up to $5,000 per violation.

If you believe SB 220 impacts your business or if you would like more information, please contact Heather Antoine at (818) 444-4500.

Effective January 1, 2020, the California Consumer Privacy Act (the “CCPA”) will grant new rights to California residents and impose restrictions on certain businesses that collect “personal information” from residents.

Many will assume they don’t collect personal information, however, under the CCPA, “personal information” is defined broadly as anything that directly or indirectly identifies, describes, or can reasonably be linked to a particular person or household. While some of what is classified as “personal information” may seem apparent (name, street address, email address, credit card numbers, etc.), “personal information” under the CCPA also includes wide-ranging identifiers that are not so apparent, such as account name, physical description, inferences drawn from other available information, as well as technical information such as internet browsing history, IP address, geolocation data, website preferences, etc. Under this standard, most business that operates anything but the simplest of websites will likely be collecting personal information within the meaning of the CCPA.

Does the CCPA apply to your business?

The CCPA applies to any business that transacts business in California (which includes online sales to a California resident) and meets any one of the following criteria:

Has annual gross revenues in excess of $25 million;
Alone or in combination, annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices; or
Derives 50% or more of its annual revenues from selling personal information.

While receiving information from 50,000 consumers may sound like a high number, it comes out to just under 140 consumers, households, or devices per day. Keep in mind, each “device” may count separately.

The CCPA applies to my business, what are my obligations?

Under the CCPA, California consumers have several overarching rights. These include the right to know what personal information is being collected, whether their personal information is sold or disclosed and to whom, and the right to say “no” to the sale of that information. Californians also have the right to access their personal information, and the right to equal service and price, even if they exercise their privacy rights.

More specifically, consumers can:

Request that a business that collects a consumer’s personal information disclose the categories and specific pieces of personal information the business has collected.
Request that a business deletes any personal information about the consumer which the business has collected from the consumer. (This is a limited right as businesses may utilize exceptions when it is necessary to maintain information.)
Request that a business that collects personal information about the consumer disclose to the consumer the following:
- (1) The categories of personal information it has collected.
- (2) The categories of sources from which the personal information is collected.
- (3) The business or commercial purpose for collecting or selling personal information.
- (4) The categories of third parties with whom the business shares personal information.
- (5) The specific pieces of personal information it has collected.
Request that a business that sells the consumer’s personal information, or that discloses it for a business purpose, disclose to that consumer:
- (1) The categories of personal information that the business collected about the consumer.
- (2) The categories of personal information that the business sold about the consumer and the categories of third parties to whom the personal information was sold, by category or categories of personal information for each third party to whom the personal information was sold.
- (3) The categories of personal information that the business disclosed about the consumer for a business purpose.
Direct a business to not to sell the consumer’s personal information. This right may be referred to as the right to opt out. (Keep in mind, the definition of “sell” is broad and includes items of non-monetary value, such as coupons or discount codes.

Of note, there are a number of proposed amendments pending before the California legislature. The amendments are as diverse as they are contentious. However, there are many that appear likely to pass that are largely intended to provide clarification to the CCPA, which was hastily passed. If you believe the CCPA impacts you, you should follow these developments.

With six months to go before the CCPA takes effect, the time to start preparations for compliance is now. The requirements of the new CCPA are cumbersome and will take time to implement. In most cases, online businesses will need substantial modification to their existing privacy policies and terms of use. Preparation is important as penalties for non-compliance can be severe. A business that is found in violation of the CCPA may be liable for up to $2,500 per violation, and $7,500 per intentional violation.

For more information, including an assessment of your existing policies, please contact Heather Antoine at or (818) 444-4500.

Stubbs Alderton & Markiles’ Partner Heather Antoine and Associate Alia Delpassand were published in the Daily Journal for their article entitled "Millennials Changed Marketing; Will they Change our Approach to Trademarks, too?" Heather and Alia discuss marketing to millennials, trademarking hashtags and emojis, the rise of subscription boxes, and how all these topics might affect trademark laws.

To view a digital copy of the article published in the Daily Journal visit here: Millenials Changed Marketing... - Heather Antoine and Alia Delpassand

Heather serves as Vice Chair of the California Lawyers Association Intellectual Property Section. Heather frequently speaks and writes about IP, Internet, tech, and privacy issues. She has been quoted in publications such as the Los Angeles Times and CNBC. Heather has been recognized by her peers for excellence in her practice, having been selected as Southern California Super Lawyers Rising Star® multiple times.

Alia Delpassand is an Associate of the Firm. Alia’s practice focuses on corporate transactions, including mergers and acquisitions, securities law compliance, private equity transactions and general corporate matters for both public and private clients, focusing on middle-market and emerging growth companies.

Prior to joining the firm, Alia interned at the U.S. Securities and Exchange Commission in Washington, D.C. where she worked on insider trading liability and misappropriation cases. She also previously served as an extern for two federal judges, the Honorable Catherine E. Bauer in the U.S. Bankruptcy Court, Central District of California, and the Honorable Frances H. Stacy in the U.S. District Court of the Southern District of Texas.

For more information about our Trademark and Brand Protection Practice, contact Heather at