Liisa M. Thomas

Liisa Thomas, a partner based in the Chicago and London offices, is Leader of the firm's Privacy and Cybersecurity Team and Office Managing Partner of the firm's Chicago office. She is a member of the Intellectual Property Practice, and focuses on privacy, advertising, and unfair competition law.

"Her business-friendliness and expertise set her apart."
- Chambers (2023)

Areas of Practice

Liisa's clients rely on her ability to provide clarity in a sea of confusing legal requirements and describe her as "extremely responsive, while providing thoughtful legal analysis combined with real world practical advice." She is the author of two treatises: Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as "a no-nonsense roadmap for in-house and external practitioners alike;" and Thomas on Big Data, praised for being a "comprehensive and detailed analysis of the complex and rapidly changing world of privacy law."

Known as an industry leader in privacy, data security and advertising law, Liisa has been recognized by Best Lawyers in America, Leading Lawyers Network, Chambers, Super Lawyers, and The Legal 500, for her "broad depth of privacy knowledge." Among other honors, she was named Lawyer of the Year – Privacy and Data Security 2022 by Best Lawyers; one of Crain’s Chicago Business Notable Women in the Law; in the Legal 500 Hall of Fame – Cyber Law from 2020 to 2023; recognized as the 2017 "Data Protection Lawyer of the Year - USA" by Global 100; honored as the 2017 "U.S. Data Protection Lawyer of the Year" by Finance Monthly; and has been recognized as a top intellectual property, media and advertising lawyer from 2018 to 2023 by Super Lawyers.

Liisa, who was born in Finland and previously lived in France, Egypt and Spain, frequently coordinates global efforts privacy, data security and digital advertising matters for her clients. Clients value her global insights and familiarity with business systems outside of the U.S. With Liisa’s assistance, her clients – which include major consumer brands, advertising agencies and consumer research companies – are able to navigate thorny data breach disclosure issues, use emerging interactive advertising techniques and create compliant security programs, all while effectively managing their legal risks. Clients praise Liisa’s ability to add real value to their businesses, and describe her as "keeping [clients] one step ahead of where [they] need to be."

Liisa is an active advocate of women and minorities in the legal industry, received the 2020 Legacy Award from Illinois Legal Aid Online, and was honored for her leadership in the legal field by the Illinois Diversity Council. She is currently an adjunct professor in Northwestern University Law School, where she was the 2021-2022 recipient of the Edward Avery Harriman Law School Lectureship. She formerly taught privacy courses at several other Chicago-area law schools, including her alma mater, the University of Chicago. Liisa is served on the Board of Trustees of the Chicago Symphony Orchestra and plays violin in the Chicago Bar Association Symphony Orchestra, an orchestra made up of lawyers and judges.

Experience

• Selected to serve on multiple IAPP advisory boards, including the education advisory board, helping to develop training content for privacy professionals.
• Serve as a faculty trainer for IAPP, conducting privacy compliance training for global audiences.
• Supported hundreds of clients, including Fortune 100 and 500 firms, launch privacy and data security compliance programs that navigate the complex legal patchwork.
• Develop compliance approach for consumer-facing companies to address the ongoing and developing patchwork of US “comprehensive” laws, including financial incentives assessments, addressing loyalty program requirements, and provision of consumer rights of access, correction and deletion.
• Assisted financial services firm with global privacy and data security assessment, including implementation of remediation plans.
• Served as lead counsel in massive ransomware incident, guiding client through forensic investigation to notification.
• Developed cross-border data transfer programs for multiple Fortune 100 and Fortune 500 companies.
• Helped a U.S.-based multinational corporation create binding corporate rules.
• Created data breach assessment and notification programs (both post-breach and pro-active pre-breach plans) for Fortune 100 companies.
• Provide data incident response coaching for clients for a wide variety of incidents, including phishing, ransomware, malware, and insider threat.
• Assist clients in developing e-mail marketing campaigns, text message campaigns, pre-recorded call campaigns and online information collection programs in compliance with a wide variety of privacy and advertising laws.
• Develop internal policies for safeguarding personally identifiable information gathered online and from employees.
• Develop privacy compliance policies, procedures, monitoring programs and reporting plans.
• Conduct internal trainings for business teams on privacy and advertising law requirements.

Honors

• Leading Global Cyber Lawyers list, Lawdragon, 2024
• Who's Who Legal: Data, 2024
• Leading Lawyer, Chambers Global, Privacy & Data Security, 2015-2023
• Thought Leading Author, Data Protection - UK, Mondaq, Spring 2024
• Top Author, JD Supra Readers' Choice Awards, 2023-2024
• Best Lawyers in America, Best Lawyers, 2020-2025
• Top Intellectual Property, Media & Advertising Lawyer, Super Lawyers, 2006, 2018-2023
• Named to Cybersecurity Docket's "Incident Response 50" (2023-2024), "Incident Response 40" (2021-2022) and "Incident Response 30" (2016, 2018), honoring the best and brightest data breach response lawyers in the business
• Recommended Lawyer - Cyber Law, Legal 500, 2022
• Sheppard Mullin's Diversity and Inclusion Award, 2022
• Lawyer of the Year - Privacy and Data Security, Best Lawyers, 2022
• Notable Women in Law, Crain’s Chicago Business, 2020, 2022, 2024
• The Legal 500 Hall of Fame – Cyber Law, Legal 500, 2020-2024
• Leading Lawyer, Chambers USA, Nationwide Privacy & Data Security, 2014-2022, 2024
• Leading Lawyer, Leading Lawyers, 2016-2022
• Leading Lawyer, Cyber Law, Legal 500 USA, 2016-2021
• Legacy Award, Illinois Legal Aid Online, 2020
• Notable Minorities in Accounting, Consulting & Law, Crain’s Chicago Business, 2020
• Thought Leader on Cybersecurity, National Law Review, 2019
• Notable Women Lawyers, Crain's Custom Media, 2018
• Leading Lawyer, Chambers Illinois, Media & Entertainment: Transactional, 2013-2018
• Leading Woman Lawyer, Chicago Lawyer Magazine’s Diversity Issue, 2018
• "Data Protection Lawyer of the Year – USA," Global 100, 2017
• "U.S. Data Protection Lawyer of the Year," Finance Monthly, 2017
• "Best in Data Security Law Services," Corporate LiveWire’sGlobal Awards, 2017
• Recipient, National Law Journal's Cybersecurity Trailblazer Award, 2016
• Recipient, Lexology/ILO's Client Choice Award for IT and the Internet, 2016

Articles

Liisa has published extensively in the area of privacy, data security, and digital media and advertising. She is the author of two treatises: Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification (Thomson Reuters, 2018), which has been described as "a no-nonsense roadmap for in-house and external practitioners alike;" and Thomas on Big Data (Thomson Reuters, 2021), praised for being a "comprehensive and detailed analysis of the complex and rapidly changing world of privacy law." Liisa is also the editor of the firm’s eyeonprivacy.com blog, a recap of recent developments in the privacy and cyber space. A few of her more recent additional publications include:

• "CNIL Recommends Using US Analytics Tools Only for Anonymous Statistical Data," February 22, 2022
• "Identifying and Preparing for Privacy and Cyber Security Risks," Risk & Compliance Magazine, July-Sept 2021 issue
• Co-Author, "Playing with Privacy? Privacy and Cybersecurity Considerations in Esports," esportsinsider, June 24, 2021
• "Changing the Conversation," Legal Management Magazine, June 16, 2021

• "How to Take a Holistic Approach to Privacy Compliance in an Ever-Changing Legal Landscape," Global Data Review, January 14, 2021

• "2020 Privacy Law Trends And How They Affect Compliance," Law360, December 22, 2020

• "3 Privacy Law Predictions For The New Year," Law360, January 1, 2020
• "4 Privacy Law Predictions for 2019," Law360, January 23, 2019
• Co-Author with A. Thomson, "From Panic to Pragmatism: De-Escalating and Managing Commercial Data Breaches," Cyber Security: A Peer Reviewed Journal, Vol. 2, No. 1, Summer 2018 issue
• "Dealing with US Biometric Laws and Litigation," Data Protection Leader, May 2018
• "USA - Behavioural Advertising," Data Guidance, May 8, 2017
• "CFPB Provides Guidance on Consumer Data Protection," Financial Regulation Journal, November 23, 2017

Consumer Finance and Fintech Blog

• "State Privacy Law Roundup: What Financial Services Entities Need to Know," August 18, 2023

Covering Your Ads Blog 

• "FTC Increases Scrutiny of Negative Option Marketing," March 23, 2023

Esports and Games: Game Counsel

• "Video Games, AI, and …the Law?," April 28, 2022

Healthcare Law Blog 

• "State Privacy Law Roundup: What Health Care Companies Need to Know," July 26, 2023

Retail Law Blog

• "State Privacy Law Roundup: What Retailers Need to Know," July 26, 2023

Privacy & Cybersecurity: Eye on Privacy Blog

• "California Joins Colorado in the Brain Wave Action," October 1, 2024
• "Promising Decision in Wiretapping Case, Win for Businesses," September 26, 2024

• "California: Age-Appropriate Design Code Act Partially Blocked, New Social Media Law Signed," September 25, 2024

• "Malaysia In Process of Updating Its Privacy Law," September 24, 2024
• "October 1st Reminder – Big Sky Privacy Law Goes into Effect," September 23, 2024

• "New Data Breach Notification Obligations for PA – and a New Reporting Portal," September 17, 2024
• "Brazil’s Data Protection Authority Issues Rules Clarifying Data Transfers," September 20, 2024

• "Camera Company Will Pay $2.95 Million to Settle Security Claims," September 11, 2024
• "Regulators On Both Sides of the Pond Seek Input on Children’s Privacy," September 6, 2024
• "Biotech Company Settles with Three State AGs Over Security Practices," August 27, 2024

• "Illinois Updates Employment Law to Address Artificial Intelligence," August 26, 2024
• "NY AG Releases Website Privacy Guides for Businesses and Consumers," August 22, 2024
• "CARU Settles With KidGeni AI Platform Over Alleged Privacy Violations," August 16, 2024
• "AI Summer Roundup: EU and Colorado Celebrate Summer with AI Legislation," August 13, 2024
• "Colorado’s Privacy Law Gets in on the Brain Wave Action," August 6, 2024
• "Ring, Ring, it’s the FCC Calling- TracFone to Pay $16M to Settle FCC Investigation," August 1, 2024
• "Websites Beware!: FTC Joins Other Regulators in Scrutinizing Alleged Dark Patterns," July 24, 2024

• "Indiana Amends Breach Notification Law Along with New Adult Website Verification Requirement," July 23, 2024
• "Keystone State Tweaks its Data Breach Notification Law Again," July 22, 2024
• "Rhode Island, the Ocean State, Sails the Privacy Waves," July 8, 2024
• "It’s (Almost) July 1!: Did You Remember Oregon and Texas (and Florida)’s New Privacy Laws?" June 25, 2024
• "Impact of Tennessee’s Cybersecurity Class Action Safe Harbor," June 25, 2024
• "Vermont Governor Vetoes Comprehensive Privacy Bill," June 17, 2024
• "What Does an Adaptable Privacy Program Look Like?" June 13, 2024
• "The Land of 10,000 Lakes Adds New Consumer Privacy Law: Minnesota Joins Privacy Fray," June 10, 2024
• "The Privacy Patchwork: Beyond US State 'Comprehensive' Laws," June 3, 2024
• "Mid-Year Recap: Think Beyond US State Laws!" May 29, 2024
• "Tennessee’s ELVIS Act Incorporates AI Considerations into Right of Publicity Protections," May 24, 2024
• "Maryland, the Old Line State, Creates New Lines with Consumer Privacy Law," May 20, 2024

• "May 1 Brings Another Privacy Law to the Beehive State: The Utah Motor Vehicle Data Protection Act," April 29, 2024
• "Utah’s New AI Disclosure Requirements Effective May 1," April 26, 2024
• "Nebraska Fourth State to Enact Privacy Law in 2024," April 25, 2024
• "Utah Breach Notice Law Amended, Effective May 1," April 22, 2024
• "Kentucky’s New Consumer Privacy Law: Is the Privacy Grass Greener in the Bluegrass State?" April 12, 2024
• "New Hampshire, the Granite State, Joins Privacy Law Deluge: Sets Its Law in Stone," March 27, 2024
• "ICO Has Concerns Over Facial Recognition Use," March 25, 2024
• "FTC Seeks Comments on AI Impersonation Rules," March 20, 2024
• "Sheppard Mullin Creates Privacy Law Resource Center," March 19, 2024
• "DPA 101: Do You Know Where Your Data Is?" February 28, 2024
• "AI-Generated Voice Calls: New Tech, Old Rules," February 27, 2024
• "EDPB Provides Guidance on Determining Primary Supervisory Authority," February 27, 2024
• "UK ICO Uses AI In Cookie Banner Review," February 7, 2024
• "The Garden State Cultivates a Consumer Privacy Law – The First for 2024," January 29, 2024
• "Privacy Day 2024: A Look Back at Developments from 2024," January 26, 2024
• "FTC Continues Focus on Data Brokers and Sensitive Information," January 9, 2024
• "Current Status of US State Privacy Law Deluge: It’s 2024, Do You Know Where Your Privacy Program’s At?" January 9, 2024
• "Bookmark This!: Colorado Launches Universal Opt Out Mechanism List," January 8, 2024
• "FTC Reaches $7 Million Settlement Over Response Tree’s “Consent Farm” Sites," January 4, 2024
• "Data Broker Rulemaking in Texas and Oregon," December 22, 2023
• "California Releases Automated Decision Rules in Draft," December 20, 2023
• "Connected Devices: Eyes on EU Data Act," December 19, 2023
• "FTC Decision with Global Tel*Link Signals Expectations for Use of Testing Environments," November 29, 2023
• "What Is the Privacy Impact of the White House AI Order for Businesses?," November 28, 2023
• "CNIL Fines Canal+ Over Marketing and Data Security Concerns," November 27, 2023
• "Amended Kochava Complaint Gives Insight into FTC’s View of Harm from Data Profiles," November 21, 2023
• "FTC Vocalizes AI Voice Cloning Challenge," November 17, 2023
• "Massachusetts Wagers Big on Privacy in Sports Betting," November 15, 2023
• "No Need to Mind the Gap – UK Extension is a Data Bridge for US-UK Data Transfers," October 10, 2023
• "The Comprehensive Privacy Law Deluge: Impact on Loyalty Programs," October 2, 2023
• "SEC Gives Finality on Cybersecurity Disclosures for Public Companies," September 28, 2023
• "What Do the CPPA’s Draft Regulations on Risk Assessments and Cybersecurity Audits Mean for Companies?," September 14, 2023
• "The 'First State' Officially Becomes the Thirteenth State with a Comprehensive Data Privacy Law," September 13, 2023
• "The Comprehensive Privacy Law Deluge: Record-Keeping and Related Requirements," September 11, 2023
• "Considerations for Participation in the EU-US Data Privacy Framework," September 7, 2023
• "Texas’ SCOPE Act Puts Focus on Social Media and Minors," September 5, 2023
• "Scraping the Bottom of the Barrel: X Corp. Sues Bright Data Over Site Scraping," August 29, 2023
• "OpenAI – FTC OpensAnInvestigation," August 28, 2023
• "In 2024 Oregon Will Join Short List of States Requiring Data Broker Registration," August 16, 2023
• "California Regulator Drives Inquiry into Vehicle Data," August 15, 2023
• "Iowa Joins Growing List to Offer Potential Safe Harbor for Companies With Security Programs," August 10, 2023
• "State Comprehensive Privacy Laws – Beaver State Makes a Dozen," July 21, 2023
• "Impact of the Last Minute CCPA-Enforcement Delay," July 10, 2023
• "EU Adopts Adequacy Decision for EU-US Data Privacy Framework," July 10, 2023
• "The Comprehensive Privacy Law Deluge: Approaching Notice Obligations," July 6, 2023
• "EDPB Adopts Binding Corporate Rules Recommendations," July 5, 2023
• "The Comprehensive Privacy Law Deluge: Updating Vendor Contracts," June 27, 2023
• "The Comprehensive Privacy Law Deluge: What to Do About “Profiling”," June 26, 2023
• "The Lone Star State Joins the Privacy Law Deluge: Another Governor Signs," June 19, 2023
• "The Comprehensive Privacy Law Deluge: Approaching Choice and Rights," June 14, 2023
• "Connecticut Enters AI Fray," June 13, 2023
• "Don’t Forget Deception: FTC and Biometrics," June 13, 2023
• "Another Governor Signs: Florida Privacy Law Will be Effective July 2024," June 12, 2023
• "Where Do We Stand?: EU to US Data Transfers," June 9, 2023
• "The Comprehensive US Privacy Law Deluge: Which US Privacy Laws Apply to Your Company?" May 30, 2023
• "Montana Governor Signs Big Sky’s Privacy Law," May 23, 2023
• "EyeMed Data Breach Multistate Settlement," May 18, 2023
• "Another Governor Signs: Tennessee Volunteers to Join the Privacy Patchwork," May 15, 2023
• "Governor Signs: Hoosier State Adds to the US Privacy Patchwork," May 3, 2023

• "May 2nd Marks Effective Date of Pennsylvania Breach Law Amendments," May 1, 2023
• "Utah Amends Data Breach Law, Creates Cyber Center," April 21, 2023
• "The Beehive State Joins the Buzz Around Minors and Social Media," April 12, 2023
• "Colorado Privacy Law Regulations Finalized: Time to Review Information Practices," March 28, 2023
• "UK App Code Provides Privacy and Security Compliance Direction," February 9, 2023
• "CNIL Weighs in On GDPR Applicability to US Company," February 7, 2023
• "Graduation Goods Settlement: A Good Reminder of AGs’ Data Security Priorities," February 1, 2023
• "EU’s Initial Response to US Proposed Data Transfers Framework," December 22, 2022

• "Lessons From New York AG Scrutiny of Breach Investigation and Response," November 14, 2022

• "FTC Action Against Drizly and CEO Provides Insight Into Its Security Expectations," November 3, 2022

• "IAB Steps In State Signal Morass," October 25, 2022
• "Comparing and Contrasting the Opt Out Preference Signal Across States," October 24, 2022
• "State Comprehensive Privacy Laws: Status of the Regulations," October 20, 2022
• "EU To Review New EU-US Data Transfers Framework," October 10, 2022
• "Impact on Companies of California’s Children’s Privacy Law – Effective 2024," September 28, 2022
• "FTC Renews Focus on Dark Patterns," September 27, 2022
• "Children’s App Settles with CARU Over COPPA and Guideline Violation Allegations," August 25, 2022
• "NAD Examines Privacy Statements Made By DuckDuckGo in Online Ads," July 28, 2022
• "Preparing for US State Privacy Law Compliance: The Six Month Mark," July 25, 2022
• "Wegmans Settles With NYAG for $400,000 Over Data Incident," July 14, 2022
• "Privacy and Cybersecurity Training: Addressing Regulatory Concerns," July 12, 2022
• "UK ICO and NCSC Issue Caution About Making Ransomware Payments," July 11, 2022
• "What Should We Do About the Draft CPRA Regulations?: Choice," June 27, 2022
• "Maryland Amends Data Security and Breach Notice Obligations," June 22, 2022
• "FTC Weighs In On Data Breach Notification," June 16, 2022
• "FTC Continues Focus on Children’s Privacy," May 27, 2022
• "What’s the Big Deal About Dark Patterns?," May 25, 2022
• "Connecticut Fifth State to Pass a Comprehensive Privacy Law," May 12, 2022
• "Formation of CBPR Forum Signals Continued Movement," May 2, 2022
• "Arizona Expands Regulator Data Breach Notification Obligations," April 11, 2022
• "Indiana Breach Notification Law Amended, Changes Effective July 1, 2022," April 5, 2022
• "DAA Issues Warning On Device Fingerprinting," March 23, 2022
• "Keeping Both Eyes on Cybersecurity," March 22, 2022
• "FTC Continues to Signal Interest in Digital Health Industry, Publishing Updated Resources," March 15, 2022

Books

Media Mentions

Speaking Engagements

• Speaker, "Which Rights for Which Data? A Legal Take on the Big Data Landscape," INTA The Business of Data Conference, March 22, 2023
• Coffee Chat with Liisa Thomas
  Northwestern Law and Technology Initiative, July 12, 2022
• Panelist, “Legal trends to watch: from influencer missteps to privacy pitfalls,” Ad Age Next: CMO Conference, December 1, 2021
• Speaker and faculty, “Technotainment” 2021: Distributing Content Across Multiple Platforms, Practising Law Institute, September 17, 2021

Events

Memberships

• Training Advisory Board, International Association of Privacy Professionals (IAPP)

• Member of the Board of Trustees, Chicago Symphony Orchestra (CSO)
• Board member, FGLI (First-Generation, Lower-Income) Consortium
• Subcommittee Chair, INTA Building Bridges Committee, International Trademark Association
• Member, International Association of Privacy Professionals
• Member, Women’s Foodservice Forum
• Adjunct Professor, Northwestern University School of Law
• Member, Leading Lawyers Network
• Violinist, Chicago Bar Association Symphony Orchestra

Digital Media