Andrew Gray

Andrew Gray advises multinational and emerging companies alike on a variety of information security, workplace privacy, cybersecurity, background checks and credit reporting, and other data-related issues, with a particular emphasis on data security incident response and compliance with U.S. and international privacy laws. He is a core member of Littler’s market-leading Privacy and Data Security and Background Checks practice groups.

Andrew has focused his practice on these areas since joining Littler directly out of law school, and leverages his experience to offer a practical approach in helping clients with: 

  • Building and operationalizing privacy and data protection programs, in compliance with U.S. state and federal privacy laws and regulations, health privacy laws and other sector-specific requirements, and global privacy developments and legislative changes;
  • Managing all facets of data security incident response and breach notification, including initial containment and investigation, liaising with third-party experts and law enforcement, drafting individual notifications, FAQs and communication strategies, and reporting to government regulators and credit reporting agencies;
  • Handling responses to breach-related inquiries from Attorneys General, other U.S. state and federal regulators, and global data protection authorities;
  • Drafting and negotiating data processing agreements, business associate agreements, and other privacy-related contracts provisions with service providers and other third parties;
  • Establishing compliant employee background checks and screening programs, preparing applicable notices, forms, and other required documentation, and providing strategic advice to navigate the patchwork of federal, state, and local “ban-the-box,” consumer reporting, and “fair chance” laws;
  • Assessing and implementing new AI tools, biometric technologies, “bring-your-own-device” programs, wearable devices, employee monitoring and surveillance, cookies and similar online tracking tools, and other data-driven consumer or workplace technologies;
  • Developing workplace policies and procedures, website privacy policies and other consumer- or employee-facing notices, outsourcing agreements and other vendor contracts, and related privacy and compliance functions;
  • Advising on multinational compliance issues, including conducting risk assessments, cross-border data transfer requirements, and implementations related to global expansions and other corporate transactions;
  • Taking proactive steps to prevent fraud, insider threats, and other security risks throughout the hiring and employment lifecycle; and
  • Training legal, compliance, security, HR and marketing teams on key privacy, data security, and background checks issues.

As a Certified Information Privacy Professional (CIPP/US), Andrew understands clients’ businesses and the complex legal and regulatory challenges they face. This includes regularly counselling clients on: 

  • The California Consumer Privacy Act (CCPA), Colorado Privacy Act, Texas Data Privacy and Security Act, and other comprehensive state data protection laws;
  • The EU General Data Protection Regulation (GDPR), Brazilian Data Protection Law (LGPD), Mexico’s Federal Law on the Protection of Personal Data, and other global data protection laws;
  • The Health Insurance Portability and Accountability Act (HIPAA), California Confidentiality of Medical Information Act, the Washington My Health My Data Act, and related health privacy laws;
  • The Fair Credit Reporting Act (FCRA), California’s Investigative Consumer Reporting Agency Act (ICRAA), and similar consumer reporting laws;
  • Various state and local fair chance, ban-the-box, and employment screening laws and regulations;
  • The Illinois Biometric Information Privacy Act (BIPA) and other biometric privacy laws;
  • The Electronic Communications Privacy Act (ECPA), Stored Communications Act, and numerous state wiretapping, recording, surveillance, and tracking laws, such as the California Invasion of Privacy Act (CIPA);
  • U.S. state and federal information security and data breach notification laws, and similar global breach notification requirements;
  • Legal and regulatory requirements on artificial intelligence and machine learning, including the Colorado AI Act, and New York City’s Automated Employment Decision Tool regulations; and
  • Social media, electronic marketing, and other communications laws, including the Telephone Consumer Protection Act (TCPA) and CAN-SPAM Act.

Andrew also brings experience advising clients and collaborating with Littler colleagues on matters intersecting with privacy and data security, including issues involving state and federal laws and regulations on labor and employment, employee benefits, consumer protection, and national security. He is also a frequent speaker and writer on subjects relating to workplace privacy and information security.

Andrew is an Austin native, and received his J.D. from the University of Texas School of Law, where served as managing editor of the American Journal of Criminal Law. He is also a former NCAA baseball player, and an Eagle Scout.

Credentials & Recognition

Speaking Engagements

Data Security for Employers in the Era of AI, Remote Work, and Ransomware

  • May 8, 2025
  • Littler Executive Employer Conference, Phoenix, AZ

Key Issues in Employment Privacy

  • February 8-9, 2024
  • California Lawyers Association Annual Privacy Summit, Los Angeles, CA

7 Things Every Arbitrator and Advocate Needs to Know About Privacy and Data Security Law

  • January 16, 2024
  • Central Ohio Labor and Employment Relations Association

Privacy Issues Through the LoD Lens – Compliant Solutions for the Questions You Have Today

  • December 14, 2023
  • Webinar

The Robot Made Me Do It! – AI in the Workplace

  • July 18, 2019
  • 2019 Dallas Regional Employer Conference

Texas Anti-Slapp in Employment Cases: From Innovative to Expected (Except Maybe in Federal Court)

  • January 17-18, 2019
  • 27th Annual Advanced Employment Law Course, State Bar of Texas

Texas Anti-Slapp in Employment Cases: Landmines for Plaintiffs and Opportunities for Defendants

  • January 18-19, 2018
  • 26th Annual Advanced Employment Law Course, State Bar of Texas

Additional Thought Leadership

Eight Key Steps Toward Preventing a Damaging Data Breach

  • December 2019
  • Printing Industries of America Magazine

Managing Data Privacy: Collection and Protection of Employee Data

  • October 25, 2019
  • American Employment Law Council

SafeHer, But Not For Him: Title VII Discrimination In Ridesharing

  • 2017
  • 26 Stanford Law and Policy Review 13

The Unanimity Rule: “Black Swans” and Common Questions in FLSA Collective Actions

  • 2017
  • 10 Federal Courts Law Review 1
  • Allan King

Saving the Jury Trial Waiver Through Forum Selection

  • Fall 2017
  • 67 DePaul Law Review 1

“Cloud” Atlas - A Map to Amending Metadata Privacy Law in the Modern Era

  • 2016/2017
  • 52 Gonzaga Law Review 147

Let us know how we can help you navigate your particular workplace legal issues.