Photo of Lindsey Tonsager

Lindsey Tonsager

Lindsey Tonsager is a recognized leader in representing companies before federal and state regulators, and is renowned for advising on minor protection, AI, and state comprehensive privacy laws.

Lindsey chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and State Attorneys General on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence; data processing for robotics, autonomous vehicles, and other connected devices; biometrics; online advertising; the collection of personal information from children, teens, and students online; e-mail marketing; disclosures of video viewing information; and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Contact:Read more about Lindsey TonsagerEmail

On November 2, 2016, California Attorney General Kamala Harris released a report outlining best practices for the education technology industry (“Ed Tech”).  In Ready for School: Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data, Attorney General Harris noted the need to implement robust safeguards
Continue Reading California Attorney General Issues Recommendations for Privacy in Ed Tech

The Digital Advertising Alliance (DAA), a consortium of the nation’s largest media and marketing associations that has established self-regulatory standards for online behavioral advertising, announced on October 13 that the Council of Better Business Bureaus and the Direct Marketing Association will begin enforcement of the Application of the DAA Principles
Continue Reading Digital Advertising Alliance Will Begin Enforcing its Cross-Device Guidance February 1, 2017

In a blog post published on the Federal Trade Commission (FTC) website, Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, recently stated that:

“we regard data as ‘personally identifiable,’ and thus warranting privacy protections, when it can be reasonably linked to a particular person, computer, or device. In many cases, persistent identifiers such as device identifiers, MAC addresses, static IP addresses, or cookies meet this test.”

The post (which reiterates Ms. Rich’s remarks at the Network Advertising Initiative’s April meeting) suggests a shift in the FTC’s treatment of IP addresses and other numbers that identify a browser or device.   The FTC previously has taken the position that browser and device identifiers are deserving of privacy protections, but the FTC generally has avoided classifying these identifiers as equivalent to personally identifiable information (such as name, email, and address) except in the narrow context of children’s privacy.  (The FTC’s rule implementing the Children’s Online Privacy Protection Act defines “personal information” to include a “persistent identifier that can be used to recognize a user over time and across different Web sites or online services.”)
Continue Reading FTC’s Jessica Rich Argues IP Addresses and Other Persistent Identifiers Are “Personally Identifiable”

By Lindsey Tonsager and Megan Rodgers

The FTC held its “Start with Security” conference in San Francisco, California, last week, launching an initiative to provide companies with practical resources for implementing effective data security strategies.

The event was targeted at tech start-ups and small- and medium-sized businesses, but the panelists included representatives from companies with mature and well-resourced data security programs.

The panelists agreed that achieving greater data security is cheaper and easier to accomplish when it is considered early in the secure app development lifecycle. At the same time, panelists also acknowledged that companies face a myriad of potential security risks that must be balanced and prioritized, and that it may be more difficult for larger companies with complicated systems to adapt their practices to address evolving security risks.

Below are some practical tips the panelists provided for building a culture of “security by design”:
Continue Reading Start With Security: Key Takeaways from the FTC’s Data Security Conference

On Thursday, January 29, Covington’s Global Privacy and Data Security Practice Group will host a webinar on the Internet of Things (IoT).  The webinar will cover the full federal, state, and international legal landscape governing IoT technology. While the Federal Trade Commission (FTC) is expected to release a report soon 
Continue Reading Covington Webinar on the Internet of Things

In late December 2014, the FTC staff sent China-based mobile app developer BabyBus a letter warning the company that several of its apps may violate the FTC’s Children’s Online Privacy Protection Act (COPPA) Rule. Staff alleged that the apps are marketed for young children and “use cartoon characters to teach children letters, counting, shapes, music, and matching.” The FTC claimed the company must comply with the COPPA Rule’s notice, verifiable parental consent, and other requirements because some of the apps collect precise geolocation information that is shared with third parties, such as advertising networks or analytics companies. The letter warned that staff will review the apps again and encouraged the developer to take steps to comply with COPPA.
Continue Reading FTC Warns Foreign Mobile-App Developer To Comply With COPPA

Making good on its warnings that mobile apps will be an enforcement priority under the revised Children’s Online Privacy Protection Act (“COPPA”) Rule, the FTC has announced two settlements with mobile app developers:

  1. TinyCo., the developer of several child-directed mobile apps, will pay $300,000 to settle charges that it violated


Continue Reading What the FTC’s Latest COPPA Settlements Mean for Mobile Apps

The FTC staff has posted revisions to three Frequently Asked Questions (“FAQs”) related to obtaining verifiable parental consent under its COPPA Rule. For a comparison of the old and new FAQs, click here.

Although the changes (which include a new FAQ H.16) may appear substantial, they mostly reaffirm the
Continue Reading FTC Staff Updates COPPA FAQs on Verifiable Parental Consent Methods

The FTC has denied AssertID’s request to recognize a new method for obtaining verifiable parental consent for the online collection, use, and disclosure of personal information from children under 13.  The application was the first of its kind to be filed since the FTC added a voluntary parental consent approval process

Continue Reading FTC Denies First Request For More Flexible Parental Consent Methods

The FTC has announced its agenda and panelists for its workshop on connected devices, which will be held on November 19, 2013.

The workshop will focus on three industries that increasingly rely on the Internet of Things: (1) homes equipped with “smart” home appliances and connected devices; (2) health and

Continue Reading FTC Releases Agenda for November 19th “Internet of Things” Workshop