Stephanie A. Lucas

Associate

Los Angeles
T +1.310.442.8847
F +1.310.820.8859

Overview

Stephanie Lucas focuses her practice on data privacy, data protection, intellectual property transactions, cybersecurity, advertising and consumer protection law. Stephanie works closely with clients on understanding their data collection and sharing procedures, and she conducts a holistic review of companies’ data usage and disclosure practices to ensure compliance with state and federal law. Her experience also includes advising clients on the relevant state and federal privacy laws for particular industries, such as the healthcare, educational, financial, software and e-commerce industries, and implementing tailored privacy policies in line with legal obligations and company business practices. A Certified Information Privacy Professional (CIPP/US) by the International Association of Privacy Professionals, Stephanie helps clients understand the practical privacy implications of their business and data collection practices, and offers pragmatic solutions for each client’s privacy and cybersecurity needs.

Select Experience

  • Counsels clients a variety of industries, including healthcare-covered entities and business associates, educational institutions, multinational companies and social media companies on the privacy practices relevant to each industry, including the Health Insurance Portability and Accountability Act (HIPAA), Family Educational Rights and Privacy Act (FERPA), the EU General Data Protection Regulation (GDPR) and the Children’s Online Privacy Protection Act (COPPA).
  • Regularly advises clients on the privacy, data sharing and marketing, and disclosure obligations for the California Shine the Light Act and the California Online Privacy Protection Act (CalOPPA).
  • Conducts data security training and tabletop exercises with companies in a variety of industries to help companies understand how to effectively develop their cybersecurity and incident response plans, the legal individual and regulatory notification obligations resulting from a security incident, and the potential litigation and class action implications resulting from security incidents.
More »

Experience

  • Counsels clients a variety of industries, including healthcare-covered entities and business associates, educational institutions, multinational companies and social media companies on the privacy practices relevant to each industry, including the Health Insurance Portability and Accountability Act (HIPAA), Family Educational Rights and Privacy Act (FERPA), the EU General Data Protection Regulation (GDPR) and the Children’s Online Privacy Protection Act (COPPA).
  • Regularly advises clients on the privacy, data sharing and marketing, and disclosure obligations for the California Shine the Light Act and the California Online Privacy Protection Act (CalOPPA).
  • Conducts data security training and tabletop exercises with companies in a variety of industries to help companies understand how to effectively develop their cybersecurity and incident response plans, the legal individual and regulatory notification obligations resulting from a security incident, and the potential litigation and class action implications resulting from security incidents.
  • Advises companies on data storage, retention and consumer privacy obligations under the California Consumer Protection Act (CCPA), and performs framework analysis with a variety of clients to ensure compliance with the CCPA.
  • Regularly designs and conducts data practice assessments for a variety of clients including financial institutions, retail establishments, social media companies, non-profit organizations and e-commerce websites to discern clients’ data storage and data sharing practices with respect to internal operations, affiliates, vendors and service providers.
  • Performs gap analysis on client privacy policies and terms of use, and designs comprehensive privacy, data protection and information governance programs that appropriately disclose data sharing practices, licensing of user created content and use of third-party services and social media platforms, tracking technologies, geo-location and biometric information, and interest-based advertising.
  • Advises on HIPAA compliance issues with covered entities and business associates, and defends clients in responding to Office of Civil Rights (OCR) inquiries related to client healthcare storage, protection and sharing of protected health information.
  • Counsels clients on print and online promotional marketing, including advising on the appropriate disclosures and compliance issues with contests, sweepstakes, social media promotions and influencer campaigns, as well as developing state compliant rules and guidance documents for promotional campaigns.
  • Develops security incident response programs for clients affected by malware, network intrusion, social engineering, phishing and hacking incidents. Also, regularly advises clients on notification obligations and regulatory investigations for potential security incidents, and defends clients in regulatory inquiries from federal authorities and state attorneys general.
  • Counsels clients regarding compliance with the Telephone Consumer Protection Act (TCPA), Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM) and the appropriate disclosures for transactional and promotional e-mail and text message marketing campaigns.
  • Regularly advises clients about the Federal Trade Commission’s (FTC) regulation of social media influencer programs and the appropriate disclosures for endorsements of programs, products and companies.

Recognitions and Memberships

Memberships

  • American Bar Association
  • International Association of Privacy Professionals
    • Certified Information Privacy Professional (CIPP/US)

Community

  • University of California, Los Angeles Law Alumni Association
  • Women for Office

Pro Bono

  • Provided legal assistance to volunteers through the Freedom Writers Foundation.

Admissions

  • U.S. Court of Appeals, Ninth Circuit
  • U.S. District Court, Central District of California
  • U.S. District Court, Eastern District of California
  • U.S. District Court, Northern District of California
  • U.S. District Court, Southern District of California
  • California

Education

  • J.D., University of California, Los Angeles School of Law, 2016, Order of the Barristers, Moot Court Honors Board
  • B.A., Political Science, University of California, Los Angeles, 2011, Student Body Vice President

Blog

In The Blogs

Previous Next
Data Privacy Monitor
FTC Takes Action Against Individual Social Media Influencers
By Stephanie A. Lucas
September 26, 2017
Advertisers’ and brands’ use of social media influencers has continued to grow in importance as brands seek to reach new consumers while marketing to a widespread demographic. Traditionally, influencers are known as people who leverage...
Read More ->
Data Privacy Monitor
Coming Soon: Two-Factor Authentication for Social Security Website
By Stephanie A. Lucas
May 11, 2017
The Social Security Administration recently announced that beginning June 10, two-factor authentication will be required for all account holders logging into the “My Social Security” portal. To comply with this new rule, account holders...
Read More ->
Copyright, Content, and Platforms
FTC Turns Attention to Social Media Influencers Working for Advertisers
By Stephanie A. Lucas
May 5, 2017
For years the Federal Trade Commission (FTC) has made clear to advertisers that they are responsible for messages on social media by their employers or by consumers and celebrities and other influencers with which they have a material...
Read More ->
Data Privacy Monitor
Massachusetts AG Settlement Bars Geofencing Near Medical Facilities
By Stephanie A. Lucas, Melinda L. McLellan
April 10, 2017
On April 4, 2017, the Massachusetts Attorney General’s office announced that it had settled with a digital advertiser following allegations the company was using geolocation technology to target ads to women visiting reproductive health...
Read More ->