Tracy Shapiro is a partner in Wilson Sonsini’s San Francisco office, where she advises on privacy, data security, artificial intelligence, and advertising issues, and defends clients in investigations and enforcement actions brought by the Federal Trade Commission (FTC), state attorneys general, and Congress.
Tracy has deep expertise in federal privacy laws, including the FTC Act, the Children’s Online Privacy Protection Act (COPPA), HIPAA, the Video Privacy Protection Act (VPPA), DOJ’s Bulk Sensitive Data Rule, and state privacy laws, including the California Consumer Privacy Act (CCPA) and other state comprehensive privacy laws, the Washington My Health My Data Act, biometric privacy laws, state wiretapping and eavesdropping laws, Age Appropriate Design Codes, and student privacy laws.
She also has extensive experience counseling clients on new AI laws and regulations, including the Colorado AI Act, the CCPA automated decision-making rule, and various state AI healthcare laws, and works with companies to establish AI governance frameworks.
Tracy works with companies that range from privately funded start-ups to large, global public companies, including providers of mobile apps, connected devices, digital health providers, ad tech, streaming platforms, ed tech, e-commerce companies and retailers, social media services, SaaS providers, and data providers.
Tracy spent six years as an attorney at the FTC in the Bureau of Consumer Protection's Division of Privacy and Identity Protection and the Division of Advertising Practices, where she brought enforcement actions related to consumer privacy, data security, and advertising. She helped create principles for industry self-regulation and led the FTC’s first enforcement action involving interest-based advertising. After her government service, Tracy worked as in-house privacy and advertising counsel for Yahoo!.
Tracy Shapiro is a partner in Wilson Sonsini’s San Francisco office, where she advises on privacy, data security, artificial intelligence, and advertising issues, and defends clients in investigations and enforcement actions brought by the Federal Trade Commission (FTC), state attorneys general, and Congress.
Tracy has deep expertise in federal privacy laws, including the FTC Act, the Children’s Online Privacy Protection Act (COPPA), HIPAA, the Video Privacy Protection Act (VPPA), DOJ’s Bulk Sensitive Data Rule, and state privacy laws, including the California Consumer Privacy Act (CCPA) and other state comprehensive privacy laws, the Washington My Health My Data Act, biometric privacy laws, state wiretapping and eavesdropping laws, Age Appropriate Design Codes, and student privacy laws.
She also has extensive experience counseling clients on new AI laws and regulations, including the Colorado AI Act, the CCPA automated decision-making rule, and various state AI healthcare laws, and works with companies to establish AI governance frameworks.
Tracy works with companies that range from privately funded start-ups to large, global public companies, including providers of mobile apps, connected devices, digital health providers, ad tech, streaming platforms, ed tech, e-commerce companies and retailers, social media services, SaaS providers, and data providers.
Tracy spent six years as an attorney at the FTC in the Bureau of Consumer Protection's Division of Privacy and Identity Protection and the Division of Advertising Practices, where she brought enforcement actions related to consumer privacy, data security, and advertising. She helped create principles for industry self-regulation and led the FTC’s first enforcement action involving interest-based advertising. After her government service, Tracy worked as in-house privacy and advertising counsel for Yahoo!.
- J.D., The George Washington University Law School, 2001
Magna Cum Laude
- B.A., Political Science, University of California, Berkeley, 1996
- Member, International Association of Privacy Professionals
- Selected for inclusion in the 2024-2026 editions of Lawdragon’s 500 Leading Global Cyber Lawyers guide
- Recipient, FTC Janet D. Steiger Award, 2006
- State Bar of California
- J.D., The George Washington University Law School, 2001
Magna Cum Laude
- B.A., Political Science, University of California, Berkeley, 1996
- Member, International Association of Privacy Professionals
- Selected for inclusion in the 2024-2026 editions of Lawdragon’s 500 Leading Global Cyber Lawyers guide
- Recipient, FTC Janet D. Steiger Award, 2006
- State Bar of California
Select Matters
- Currently representing an AI company responding to an FTC industry study related to AI companion chatbots.
- Represented a provider of mental health-related services in a Washington Attorney General investigation related to Washington’s My Health My Data law and the disclosure of information to third-party tracking technologies. Closed with no enforcement action.
- Represented Gravy Analytics and Venntel in an FTC investigation related to location privacy. Successfully negotiated consent agreement resolving allegations.
- Represented Nomi Technologies in an FTC investigation related to the company’s retail Wi-Fi tracking services. Successfully negotiated consent agreement resolving allegations.
- Represented a social media platform in responding to an FTC industry study relating to platform advertising.
- Represented a TV streaming provider in an FTC COPPA investigation. Closed with no enforcement action.
- Represented a child gaming app in an FTC COPPA and data security investigation. Closed with no enforcement action.
- Represented a genetic testing company in an FTC investigation related to treatment of genetic information. Closed with no enforcement action.
- Represented a smart-apartment technology provider in an FTC data security investigation. Closed with no enforcement action.
- Represented an advertising network in an FTC investigation related to location privacy. Closed with no enforcement action.
- Represented multiple online review providers in FTC investigations related to compliance with FTC Endorsement Guides and the Consumer Reviews and Testimonials Rule. Closed with no enforcement action.
- Represented a mobile app in a California Attorney General inquiry related to call recording practices. Closed with no enforcement action.
- Represented a TV streaming platform in a California Attorney General inquiry relating to CCPA compliance. Closed with no enforcement action.
- Represented an identity verification provider in an New Hampshire Attorney General inquiry related to compliance with the New Hampshire Data Privacy Act. Closed with no enforcement action.
- Represented a provider of smart home security products in a Virginia Attorney General inquiry related to data security. Closed with no enforcement action.
- Represented a fraud prevention platform in a Virginia Attorney General inquiry related to Virginia Consumer Data Protection Act. Closed with no enforcement action.
- Represented a ride-sharing app in a congressional investigation relating to privacy practices. Closed with no further action.
- Represented a music streaming platform in a congressional investigation relating to privacy practices. Closed with no further action.
- Represented an advertising network in a self-regulatory body inquiry. Closed with no enforcement action.
- Represented Gillette in an FTC investigation of Made in the USA claims. Closed with no enforcement action.
- Represented Vogue International in a National Advertising Division Dispute Resolution complaint. Successfully negotiated settlement agreement.
Select Matters
- Currently representing an AI company responding to an FTC industry study related to AI companion chatbots.
- Represented a provider of mental health-related services in a Washington Attorney General investigation related to Washington’s My Health My Data law and the disclosure of information to third-party tracking technologies. Closed with no enforcement action.
- Represented Gravy Analytics and Venntel in an FTC investigation related to location privacy. Successfully negotiated consent agreement resolving allegations.
- Represented Nomi Technologies in an FTC investigation related to the company’s retail Wi-Fi tracking services. Successfully negotiated consent agreement resolving allegations.
- Represented a social media platform in responding to an FTC industry study relating to platform advertising.
- Represented a TV streaming provider in an FTC COPPA investigation. Closed with no enforcement action.
- Represented a child gaming app in an FTC COPPA and data security investigation. Closed with no enforcement action.
- Represented a genetic testing company in an FTC investigation related to treatment of genetic information. Closed with no enforcement action.
- Represented a smart-apartment technology provider in an FTC data security investigation. Closed with no enforcement action.
- Represented an advertising network in an FTC investigation related to location privacy. Closed with no enforcement action.
- Represented multiple online review providers in FTC investigations related to compliance with FTC Endorsement Guides and the Consumer Reviews and Testimonials Rule. Closed with no enforcement action.
- Represented a mobile app in a California Attorney General inquiry related to call recording practices. Closed with no enforcement action.
- Represented a TV streaming platform in a California Attorney General inquiry relating to CCPA compliance. Closed with no enforcement action.
- Represented an identity verification provider in an New Hampshire Attorney General inquiry related to compliance with the New Hampshire Data Privacy Act. Closed with no enforcement action.
- Represented a provider of smart home security products in a Virginia Attorney General inquiry related to data security. Closed with no enforcement action.
- Represented a fraud prevention platform in a Virginia Attorney General inquiry related to Virginia Consumer Data Protection Act. Closed with no enforcement action.
- Represented a ride-sharing app in a congressional investigation relating to privacy practices. Closed with no further action.
- Represented a music streaming platform in a congressional investigation relating to privacy practices. Closed with no further action.
- Represented an advertising network in a self-regulatory body inquiry. Closed with no enforcement action.
- Represented Gillette in an FTC investigation of Made in the USA claims. Closed with no enforcement action.
- Represented Vogue International in a National Advertising Division Dispute Resolution complaint. Successfully negotiated settlement agreement.
Select Publications
- Co-author, “State AGs Unveil Investigation Sweep Targeting Businesses Ignoring Consumer Opt-Out Signals,” Wilson Sonsini Alert, September 10, 2025
-
Co-author, “U.S. Federal Court Allows CIPA Class Action Against AI Customer Service Provider to Proceed,” Wilson Sonsini Alert, September 4, 2025
-
Co-author, “CPPA Approves New CCPA Regulations on AI, Cybersecurity, and Risk Governance, and Advances Updated Data Broker Regulations,” Wilson Sonsini Alert, July 30, 2025
-
Co-author, “Texas District Court Vacates 2024 HIPAA Rule Designed to Enhance Reproductive Healthcare Privacy, Effective Nationwide,” Wilson Sonsini Alert, July 3, 2025
-
Co-author, “Nebraska and Vermont Pass Age-Appropriate Design Codes,” Wilson Sonsini Alert, June 24, 2025
-
Co-author, “HHS Announces New Director of Office for Civil Rights: What to Watch from the New Health Privacy Leader,” Wilson Sonsini Alert, June 11, 2025
- Co-author, “CPPA Board Grapples with Public Concerns: Key Updates on Upcoming AI, Risk Assessment, and Cybersecurity Regulations,” Wilson Sonsini Alert, April 16, 2025
- Co-author, “Lessons from the CPPA's $632,500 Settlement with Connected Vehicle Manufacturer,” Wilson Sonsini Alert, March 19, 2025
- Co-author, “CPPA Votes Out Proposed Delete Request and Opt-Out Platform (DROP) Data Broker Regulations,” Wilson Sonsini Alert, March 12, 2025
-
Co-author, “New Federal Children's Privacy Requirements Are Not Child's Play: FTC Amends COPPA Rule, Imposing New Obligations on Child-Directed Services,” Wilson Sonsini Alert, January 29, 2025
- Co-author, “HHS-OCR Announces Proposed Modifications to the HIPAA Security Rule,” Wilson Sonsini Alert, January 14, 2025
- Co-author, “California’s Privacy Regulatory Odyssey Continues: Formal CCPA Rulemaking on the Horizon Amidst Expanded Data Broker Requirements,” The WSGR Data Advisor, November 18, 2024
- Co-author, “Maryland Age-Appropriate Design Code Effective October 1, 2024,” Wilson Sonsini Alert, October 7, 2024
- Co-author, “Colorado Department of Law Proposes Amendments to the Colorado Privacy Act Regulations Regarding Biometric and Minors’ Data,” Wilson Sonsini Alert, October 3, 2024
- Co-author, “Ninth Circuit Ruling Paves the Way for California Age-Appropriate Design Code to Partially Come into Effect,” Wilson Sonsini Alert, August 20, 2024
- Co-author, “Video Game App Developer Agrees to Pay $500,000 for Children’s and Minors’ CCPA, COPPA, and Ads Violations,” Wilson Sonsini Alert, June 27, 2024
- Co-author, “Texas District Court Vacates OCR’s HIPAA Bulletin on Online Tracking Technologies, But Issues Mixed Decision,” Wilson Sonsini Alert, June 25, 2024
- Co-author, “FTC Final Rule Officially Broadens Health Breach Notification Rule, Targets Health and Wellness Apps,” Wilson Sonsini Alert, May 14, 2024
- Co-author, “FTC Announces Proposed Settlement Agreements with Two Digital Health Companies for Disclosing Consumers’ Health Information to Third-Party Advertisers, Among Other Violations,” Wilson Sonsini Alert, May 1, 2024
- Co-author, “OCR at HHS Updates Guidance on Use of Online Tracking Technology by HIPAA-Regulated Entities,” Wilson Sonsini Alert, March 25, 2024
- Co-author, “California Appeals Court Moves Up Enforcement Date for Latest CCPA Regulations,” Wilson Sonsini Alert, February 13, 2024
- Co-author, “Draft California AI Regulations Become One Step Closer to Reality: An Analysis of Requirements on the Horizon,” Wilson Sonsini Alert, December 18, 2023
- Co-author, “California Enacts One-Stop Mechanism for Data Broker Deletion Requests,” Wilson Sonsini Alert, October 25, 2023
- Co-author, “CPPA Posts Draft Rules on Cybersecurity Audits and Risk Assessments – Significant New CCPA Compliance Requirements Likely on the Way,” Wilson Sonsini Alert, September 1, 2023
- Co-author, “OCR and FTC Issue Joint Letter to Healthcare Companies Warning About Online Tracking Technologies,” Wilson Sonsini Alert, July 31, 2023
- Co-author, “Texas, Oregon, and Delaware Join the Comprehensive U.S. State Privacy Law Landscape,” Wilson Sonsini Alert, July 21, 2023
- Co-author, “FTC Announces Proposed Settlement with 1Health.io Genetic Testing Firm for Privacy and Security Violations,” Wilson Sonsini Alert, July 5, 2023
-
Co-author, "Colorado Attorney General's Office Releases Modified Draft Rules for Colorado Privacy Act: Key Takeaways," Intellectual Property & Technology Law Journal, March 2023
- Co-author with L. Weingarten, “FTC Settles COPPA Action Against ‘Coloring Book for Adults,’” Privacy & Cybersecurity Law Report, Vol. 7, No. 8, October 2021
- “CCPA proposed modified regs 2.0 in California,” International Association of Privacy Professionals, February 2020
- “California Senate committee updates CCPA amendments,” International Association of Privacy Professionals, July 2019
- "Hello, Dolly: What You Need to Know About Connected Smart Toys and Privacy," CyberSpace Lawyer, 2017
- Co-author with L. Parnes, T. Shapiro, M. Staples, and E. Durrette, "FTC Recommends Consumer Protections for Mobile Payment Industry," Wolters Kluwer Intellectual Property and Technology Law Journal, June 2013
Select Speaking Engagements
- Speaker, 2023 BCLT Privacy Law Forum: Life Science, November 14, 2024
- Panelist, “The Impact of Digital Health Innovation,” DigiMed Showcase: Powering the Future of Healthcare Through Digital Technology, January 8, 2024
- Moderator, Silicon Valley General Counsel Association All Hands Meeting, “California Here We Come: Getting Ready for the CCPA,” November 2019
- Speaker, "Privacy: Preparing for the California Consumer Privacy Act," Fullstack GC Conference, May 10, 2019
- Panelist, "Current Approaches to Privacy," FTC Hearing on Competition and Consumer Protection in the 21st Century, Washington, D.C., April 9, 2019
- Speaker, "California Consumer Privacy Act: Key Compliance Points for Business," World Federation of Advertisers / Digital Governance Exchange, February 7, 2019
- Speaker, “Data Security: Build A Strategy Before There’s A Problem,” Nasdaq Entrepreneurial Center April 12, 2016
- Speaker, “EU Safe Harbor: What Next?” Privacy, Security, and Freedom of Expression – Learning Day, Global Network Initiative and the Stanford Center for Internet and Society, December 2, 2015
- Speaker, Internet of Things Panel, “Programming the Law: Privacy, Security, and Innovation,” UC Hastings Privacy Symposium, February 26, 2016
- Speaker, "IoT Agreements," 27th Annual All Hands Meeting, Santa Clara, California, October 29, 2015
- Speaker, “Data Security for Startups,” NASDAQ Center, October 21, 2015
- Speaker, ABA Privacy and Information Security Committee, October Update, October 14, 2015
- Moderator, “It’s Time! What You Need to Know about the DAA’s New Mobile Guidelines,” IAPP Privacy. Security. Risk Conference, October 1, 2015
- Speaker, “Developments in Student Privacy and Security,” American Bar Association, March 25, 2015
- Speaker, “From Google Glass to Celebrity iCloud Leaks – Can Privacy Law Keep Up with Technology?” Association of Business Trial Lawyers, October 28, 2014
- Speaker, “Open Source Issues In Cybersecurity” San Francisco Bar Association, the Intellectual Property Section and Insurance Practice Section, August 14, 2014
- Speaker, "Privacy on the Invisible Internet," Berkeley Center for Law & Technology Roundtable, October 16, 2013
- Speaker, “Best Practices Regarding Employment Issues”, The Stanford Program in Law, Science & Technology hosted its 10th Annual E-Commerce Best Practices Conference at Stanford Law School, June 28, 2013
Select Publications
- Co-author, “State AGs Unveil Investigation Sweep Targeting Businesses Ignoring Consumer Opt-Out Signals,” Wilson Sonsini Alert, September 10, 2025
-
Co-author, “U.S. Federal Court Allows CIPA Class Action Against AI Customer Service Provider to Proceed,” Wilson Sonsini Alert, September 4, 2025
-
Co-author, “CPPA Approves New CCPA Regulations on AI, Cybersecurity, and Risk Governance, and Advances Updated Data Broker Regulations,” Wilson Sonsini Alert, July 30, 2025
-
Co-author, “Texas District Court Vacates 2024 HIPAA Rule Designed to Enhance Reproductive Healthcare Privacy, Effective Nationwide,” Wilson Sonsini Alert, July 3, 2025
-
Co-author, “Nebraska and Vermont Pass Age-Appropriate Design Codes,” Wilson Sonsini Alert, June 24, 2025
-
Co-author, “HHS Announces New Director of Office for Civil Rights: What to Watch from the New Health Privacy Leader,” Wilson Sonsini Alert, June 11, 2025
- Co-author, “CPPA Board Grapples with Public Concerns: Key Updates on Upcoming AI, Risk Assessment, and Cybersecurity Regulations,” Wilson Sonsini Alert, April 16, 2025
- Co-author, “Lessons from the CPPA's $632,500 Settlement with Connected Vehicle Manufacturer,” Wilson Sonsini Alert, March 19, 2025
- Co-author, “CPPA Votes Out Proposed Delete Request and Opt-Out Platform (DROP) Data Broker Regulations,” Wilson Sonsini Alert, March 12, 2025
-
Co-author, “New Federal Children's Privacy Requirements Are Not Child's Play: FTC Amends COPPA Rule, Imposing New Obligations on Child-Directed Services,” Wilson Sonsini Alert, January 29, 2025
- Co-author, “HHS-OCR Announces Proposed Modifications to the HIPAA Security Rule,” Wilson Sonsini Alert, January 14, 2025
- Co-author, “California’s Privacy Regulatory Odyssey Continues: Formal CCPA Rulemaking on the Horizon Amidst Expanded Data Broker Requirements,” The WSGR Data Advisor, November 18, 2024
- Co-author, “Maryland Age-Appropriate Design Code Effective October 1, 2024,” Wilson Sonsini Alert, October 7, 2024
- Co-author, “Colorado Department of Law Proposes Amendments to the Colorado Privacy Act Regulations Regarding Biometric and Minors’ Data,” Wilson Sonsini Alert, October 3, 2024
- Co-author, “Ninth Circuit Ruling Paves the Way for California Age-Appropriate Design Code to Partially Come into Effect,” Wilson Sonsini Alert, August 20, 2024
- Co-author, “Video Game App Developer Agrees to Pay $500,000 for Children’s and Minors’ CCPA, COPPA, and Ads Violations,” Wilson Sonsini Alert, June 27, 2024
- Co-author, “Texas District Court Vacates OCR’s HIPAA Bulletin on Online Tracking Technologies, But Issues Mixed Decision,” Wilson Sonsini Alert, June 25, 2024
- Co-author, “FTC Final Rule Officially Broadens Health Breach Notification Rule, Targets Health and Wellness Apps,” Wilson Sonsini Alert, May 14, 2024
- Co-author, “FTC Announces Proposed Settlement Agreements with Two Digital Health Companies for Disclosing Consumers’ Health Information to Third-Party Advertisers, Among Other Violations,” Wilson Sonsini Alert, May 1, 2024
- Co-author, “OCR at HHS Updates Guidance on Use of Online Tracking Technology by HIPAA-Regulated Entities,” Wilson Sonsini Alert, March 25, 2024
- Co-author, “California Appeals Court Moves Up Enforcement Date for Latest CCPA Regulations,” Wilson Sonsini Alert, February 13, 2024
- Co-author, “Draft California AI Regulations Become One Step Closer to Reality: An Analysis of Requirements on the Horizon,” Wilson Sonsini Alert, December 18, 2023
- Co-author, “California Enacts One-Stop Mechanism for Data Broker Deletion Requests,” Wilson Sonsini Alert, October 25, 2023
- Co-author, “CPPA Posts Draft Rules on Cybersecurity Audits and Risk Assessments – Significant New CCPA Compliance Requirements Likely on the Way,” Wilson Sonsini Alert, September 1, 2023
- Co-author, “OCR and FTC Issue Joint Letter to Healthcare Companies Warning About Online Tracking Technologies,” Wilson Sonsini Alert, July 31, 2023
- Co-author, “Texas, Oregon, and Delaware Join the Comprehensive U.S. State Privacy Law Landscape,” Wilson Sonsini Alert, July 21, 2023
- Co-author, “FTC Announces Proposed Settlement with 1Health.io Genetic Testing Firm for Privacy and Security Violations,” Wilson Sonsini Alert, July 5, 2023
-
Co-author, "Colorado Attorney General's Office Releases Modified Draft Rules for Colorado Privacy Act: Key Takeaways," Intellectual Property & Technology Law Journal, March 2023
- Co-author with L. Weingarten, “FTC Settles COPPA Action Against ‘Coloring Book for Adults,’” Privacy & Cybersecurity Law Report, Vol. 7, No. 8, October 2021
- “CCPA proposed modified regs 2.0 in California,” International Association of Privacy Professionals, February 2020
- “California Senate committee updates CCPA amendments,” International Association of Privacy Professionals, July 2019
- "Hello, Dolly: What You Need to Know About Connected Smart Toys and Privacy," CyberSpace Lawyer, 2017
- Co-author with L. Parnes, T. Shapiro, M. Staples, and E. Durrette, "FTC Recommends Consumer Protections for Mobile Payment Industry," Wolters Kluwer Intellectual Property and Technology Law Journal, June 2013
Select Speaking Engagements
- Speaker, 2023 BCLT Privacy Law Forum: Life Science, November 14, 2024
- Panelist, “The Impact of Digital Health Innovation,” DigiMed Showcase: Powering the Future of Healthcare Through Digital Technology, January 8, 2024
- Moderator, Silicon Valley General Counsel Association All Hands Meeting, “California Here We Come: Getting Ready for the CCPA,” November 2019
- Speaker, "Privacy: Preparing for the California Consumer Privacy Act," Fullstack GC Conference, May 10, 2019
- Panelist, "Current Approaches to Privacy," FTC Hearing on Competition and Consumer Protection in the 21st Century, Washington, D.C., April 9, 2019
- Speaker, "California Consumer Privacy Act: Key Compliance Points for Business," World Federation of Advertisers / Digital Governance Exchange, February 7, 2019
- Speaker, “Data Security: Build A Strategy Before There’s A Problem,” Nasdaq Entrepreneurial Center April 12, 2016
- Speaker, “EU Safe Harbor: What Next?” Privacy, Security, and Freedom of Expression – Learning Day, Global Network Initiative and the Stanford Center for Internet and Society, December 2, 2015
- Speaker, Internet of Things Panel, “Programming the Law: Privacy, Security, and Innovation,” UC Hastings Privacy Symposium, February 26, 2016
- Speaker, "IoT Agreements," 27th Annual All Hands Meeting, Santa Clara, California, October 29, 2015
- Speaker, “Data Security for Startups,” NASDAQ Center, October 21, 2015
- Speaker, ABA Privacy and Information Security Committee, October Update, October 14, 2015
- Moderator, “It’s Time! What You Need to Know about the DAA’s New Mobile Guidelines,” IAPP Privacy. Security. Risk Conference, October 1, 2015
- Speaker, “Developments in Student Privacy and Security,” American Bar Association, March 25, 2015
- Speaker, “From Google Glass to Celebrity iCloud Leaks – Can Privacy Law Keep Up with Technology?” Association of Business Trial Lawyers, October 28, 2014
- Speaker, “Open Source Issues In Cybersecurity” San Francisco Bar Association, the Intellectual Property Section and Insurance Practice Section, August 14, 2014
- Speaker, "Privacy on the Invisible Internet," Berkeley Center for Law & Technology Roundtable, October 16, 2013
- Speaker, “Best Practices Regarding Employment Issues”, The Stanford Program in Law, Science & Technology hosted its 10th Annual E-Commerce Best Practices Conference at Stanford Law School, June 28, 2013
- Privacy Policy
- Terms of Use
- Accessibility