Steven B. Roosa

Head of NRF Digital Analytics and Technology Assessment Platform, United States
Norton Rose Fulbright US LLP

New York
United States
T:+1 212 318 3222
New York
United States
T:+1 212 318 3222
Steven B. Roosa

Steven B. Roosa


Related services and key industries


Steven B. Roosa advises companies on a wide spectrum of technology and legal issues pertaining to privacy and data security, including with respect to the CCPA/CPRA, CAN-SPAM Act, COPPA, GDPR, GLBA, HIPAA, TCPA, and VPPA. Steve also codes and develops in-house technical solutions to assist clients with their legal compliance efforts. Steve serves as partner at our New York office and oversees the development of the firm's privacy compliance tool suite, NT Analyzer.

NT Analyzer is a practical tool suite for managing privacy compliance in mobile apps, websites, and IoT. The tool detects and tracks the full range of data, including personally identifiable information, that is collected and shared, and then generates actionable reports through the lens of applicable privacy requirements. Additionally, NT Analyzer analyzes code associated with the "fingerprinting" of browsers as well as data used for "fingerprinting" mobile devices.

In addition to overseeing NT Analyzer, Steve advises clients on privacy and data protection at all stages of the development lifecycle from setting initial specifications up through wireframes, beta versions, and post-release. This work includes consumer-facing applications and sites in financial services, healthcare, rich media content (including OTT video), retail, telecommunications, and hospitality areas to name a few. He also advises clients regarding their own and third party application programming interfaces (APIs) and software development kits (SDKs).

Steve also advises clients on building privacy programs, internal data handling policies, and security planning and policies. When emergency privacy or security issues relating to consumer-facing applications and interfaces arise, he will also work with incident response teams in responding to regulatory investigations, media inquiries, and "bug bounty" security researchers.

Other representative matters include: mobile app privacy compliance; leveraging anonymity solutions to help clients safely unlock the value of large data sets; Internet tracking; web security; geo-fencing; FTC compliance; privacy considerations related to modified network protocols; California best practices for websites and mobile apps; compliance with wiretap statutes and the Electronic Communications Privacy Act (ECPA); public-key infrastructure (PKI) issues; and certification authority matters pertaining to online trust.

Typical clients span jurisdictions and industries and include: global companies, media companies, Fortune 500 corporations, financial services entities, healthcare providers, life sciences companies, privately held companies, large retailers, technology companies, small and medium size businesses, and non-profit entities.

Professional experience

Expand all Collapse all

JD, Rutgers Law School
BA, Cornell University

  • District of Columbia Bar
  • New York State Bar

Technical and specialized engagements:

  • Mobile app privacy testing on Android, iOS, and Kindle devices
  • Website privacy testing and analysis
  • Data Lake privacy controls
  • API testing
  • IoT privacy and feature testing
  • Hard-coding legal decision making in privacy control platforms
  • Privacy and security training
  • Online ad ecosystem training

Privacy-related class action litigation defense and regulatory defense:

  • Represented companies in litigation resulting from use of social network widgets
  • Represented companies in relation to state attorneys general inquiries, Civil Investigative Demands (CIDs), subpoenas and investigations.
  • Represented several companies in class action litigation related to the use of cookies and flash cookies.

General Compliance and Corporate Governance:

  • Provided advice to large retailers with respect to geo-fencing projects
  • Provided strategic advice and counsel on local, national and international privacy and data protection and data transfer laws for numerous companies
  • Assisted numerous companies in drafting, design and implementation of internal company policies, including information security, data and records management and retention, data classification and handling, device management and "Bring Your Own Device" policies, codes of conduct, white papers, marketing materials, vendor white lists and internal policies on Internet tracking.
  • Provided counseling for large communication provider, software companies and mobile app developers with respect to issues pertaining to security, encryption and authentication.
  • Provided advice to numerous companies with respect to the use of geo-location information.
  • Developed privacy training programs.
  • Legal 500, Recommended Lawyer, Cyber law (including data privacy and data protection), The Legal 500, 2022-2023
  • Legal 500, Recommended Lawyer, General Commercial Disputes, The Legal 500, 2021
  • New York Trailblazer, New York Law Journal, 2020
  • Who's Who Legal, Data: Information Technology, Legal Business Research Ltd., 2018
  • Outstanding Lawyer, Nightingale's Healthcare News, 2009
  • Top 40 Under 40, New Jersey Law Journal, 2008
  • International Association of Privacy Professionals (IAPP) Little Big Stage Online, NT Analyzer: Empowering You to Manage Digital Privacy Risk at Every Level, June 3, 2021
  • Webinar - NT Analyzer: Partnering With Your Business to Prepare for the Future of AdTech, May 25, 2021
  • Webinar - Solving Apple's New App Privacy Requirement, November 13, 2020
  • "The Insecure Digital World: Data Breaches and Other Threats to Consumers," Consumer Federation of America Consumer Assembly, May 10-11, 2018
  • "Moral Humans, Immoral Algorithms," Privacy Security Risk (IAPP), San Diego, October 2017
  • Steven Roosa and Josh Kroll, "The Algorithm Made Me Do It: Predictive Power, Ethics and the Law in the Age of Machine Learning, Artificial Intelligence, and Mathematical Perplexity," Highmark Health All-Hands Privacy Workshop, Pittsburgh, PA, January 11, 2017. (Invited).
  • "Moral Humans and Amoral Algorithms: How Machine Learning Creates Privacy and Ethics Exposure and What You Need to Know About It," Privacy + Security Forum, October 24-26, 2016
  •  "New Legal Challenges Resulting from an Escalation of Cyber Risks and Data Breaches," New York Bankers Association's Bank Counsel Seminar, April 23, 2015
  • "AdvaMed's Mobile Health, Wellness and Medical: A Privacy Workshop," Regulatory Oversight of Mobile Medical Devices and Health and Wellness Apps by the FDA and FTC, Hands on Testing of Mobile Apps for Privacy and Security, Shortcomings in De-Identification Schemes, April 22, 2015
  • "Mobile Apps and Network-Aware Devices: Legal Exposure in the Collection of Data and What to Do About It," AdvaMed Webinar, November 4, 2014
  • "Cyber Security Risks that Threaten Corporate Intellectual Property and Client Confidentiality," IP Trademark, Copyright & Licensing Counsel Forum, October 28-29, 2014
  • "Financial Services IT – Avoidance of Risks," Information Security Issues, Practising Law Institute, May 21, 2014
  • Moderator, "Mobile Apps and Privacy: The Hidden Risks," IP Trademark, Copyright & Licensing Counsel Forum, October 22, 2013
  • Moderator, "Compromise and Control at the Perimeter of the Network: Online Trust, Mobile Security and Mitigating Risk in Mergers and Acquisitions," North Virginia Technology Council General Counsel Committee Event, June 7, 2013
  • "Mobile Privacy and Security," The Current Regulatory Landscape and New Risk Threat Model, April 16, 2013
  • "Mobile Privacy and Monetization: Risks and Opportunities in the Era of Networked Data," L2 Blog Social CRM Clinic, April 4, 2013
  • "Privacy and Security in Mobile Apps, the Cloud, and the Internet of Things: The Role of In-House Counsel In Mitigating New Risks," Association of Corporate Counsel, Northeast Chapter, October 3, 2012
  • "Mobile Security & Privacy Best Practices," Online Trust Alliance's Forum, October 1-4, 2012
  • Presenter, "The Devil Is in the Indemnity Agreements: A Critique of the Certificate Authority Trust Model's Putative Legal Foundation," The Center for Information Technology Policy at Princeton University, December 9, 2010