Megan A. Bowman, CIPP, AIGP

Megan provides clients smart and business-centered advice on data and technology matters.

Megan supports clients on data privacy, data use and ownership, and data security issues. As both a Certified Artificial Intelligence Governance Professional (AIGP) and a Certified Information Privacy Professional (CIPP), Megan routinely counsels businesses engaged in the building and deployment of technology services that involve the processing of regulated data, including personal information or protected health information. She then marries this expertise with her experience negotiating complex commercial intellectual property agreements to help clients maximize their assets and establish trustworthy and compliant systems. As a result, Megan is a go-to resource for clients and colleagues on artificial intelligence issues.

Megan’s practice includes creating clients’ privacy notices and disclosures in compliance with AI-specific laws and regulations (e.g., the EU AI Act), comprehensive U.S. state privacy laws (e.g., the CCPA), biometric information privacy laws (e.g., BIPA), children’s privacy laws (e.g., COPPA), and global privacy laws (e.g., the GDPR and LGPD); advising clients on their development or procurement of AI systems, including drafting and negotiating clients’ customer, vendor, and business partner contracts; documenting data protection impact assessments; conducting gap assessments to determine areas of compliance remediation; drafting and negotiating data processing agreements; acting as an outside counsel resource to internal privacy or product counsel; counseling clients on future-state technology strategies and helping clients plan for a future corporate exit.

Megan also has significant experience working with our Corporate Division as a subject-matter-expert in the areas of intellectual property, technology, software, and data privacy and security, advising on more than 450 mergers and acquisitions, investment, and financing transactions in the past four years.

Megan serves on the Firm’s Technology Committee, Business Continuity Committee, and Generative AI Working Groups. She also teaches in an adjunct capacity at the University of St. Thomas School of Law on the topic of, “AI and the Law.”

Representative Artificial Intelligence Experience

• Analyzed the terms of a proposed agreement from a multinational technology company looking to access a publishing company’s content for the purposes of training its large-language models and algorithms. Drafted a summary of legal issues and considerations for discussion at the board level.
• Advised client on the risks associated with using a phone system that contractually permitted the vendor to use audio files and video recordings for training proprietary models and algorithms.
• Drafted guide of legal considerations when using artificial intelligence tools for client’s internal use and training.
• Negotiated license agreement with data broker providing data for use in modeling and scoring the value of marketing leads and for verifying the accuracy of various third party’s customer relationship management (“CRM”) system data.
• Negotiated specialty healthcare provider practice’s ground-level participation agreement in a multi-tenant data lake and related software system that included the training of models using de-identified data derived from PHI.
• Diligenced the development of various algorithms and models used by a target company to provide its software services to customers for the purposes of identifying any ownership, infringement, or FTC Act risks.

Representative Transactions Experience

• Overhauled client’s entire contracting process (from customer to vendor to operational partner) to address risks specific to being a software company in a highly-regulated industry looking for an exit in 1-3 years.
• Acted as key outside counsel for software company launching a novel product into the restaurant industry, ensuring that exposure was appropriately limited in each potential customer engagement and ever-adapting the contracting process to meet the technical nuances of depending upon third-party systems.
• Provided software company using global service providers’ application programming interfaces (“APIs”) advice regarding limitations of applicable license agreements and potential challenges certain terms present in the context of a future exit.
• Provided cryptocurrency mining services company advice regarding how to structure terms of a service agreement to ensure the company owns the software and technology built in connection with a particular customer engagement.
• Represented globally prominent healthcare system in its procurement of several technology products and services, including on-premise software, SaaS solutions and capital equipment.
• Represented private equity investment firm in its acquisition of a digital fundraising services company that operates a data lake and leverages several proprietary applications, algorithms and models in its business.

Representative Data Privacy & Security Services

• Advised online retailer on the use of pixels, gifs, and other tracking technologies, including how to structure website and app functionality to process opt-out requests.
• Assisted education technology company with developing and publishing privacy notices in compliance with Children’s Online Privacy Protection Act of 1998 (“COPPA”) and new product license terms that address institutional customer’s Family Educational Rights and Privacy Act (“FERPA”) and state-specific (e.g., New York State Education Law Section 2-D) obligations related to student data.
• Advised media organization on a process for responding to consumer requests made under various privacy laws, including the California Consumer Privacy Act of 2018 (“CCPA”), the EU/UK General Data Protection Regulation (“GDPR”).
• Advised a multi-location healthcare provider on considerations to be made when adopting a new process for accepting credit card payments and ensuring compliance with the Payment Card Industry Data Security Standard (“PCI DSS”).
• Drafted language for use by a fintech software company in its standard customer contracts to establish its role as a service provider for the purposes of the CCPA.
• Advised victim of credential stuffing regarding reportability requirements under applicable data breach laws.

Education

• Certified Artificial Intelligence Governance Professional, International Association of Privacy Professionals, 2024
• Certified Information Privacy Professional/United States, International Association of Privacy Professionals, 2021
• LegalBizDev Certified Legal Project Manager^® Program, 2019
• University of St. Thomas School of Law, J.D., concentration in Organizational Ethics and Compliance, magna cum laude
• DePaul University, B.A.

Admissions

• Minnesota, 2015

Clerkships

• Law Clerk, Honorable William H. Koch, State of Minnesota, 2016-2017

• Living the Mission Award, University of St. Thomas School of Law, 2024

Professional Activities

• Minnesota State Bar Association, Member
• Hennepin County Bar Association, Member

Community

• University of St. Thomas School of Law, Adjust Professor, “AI and the Law”
• University of St. Thomas School of Law IP and Technology Law Advisory Committee, Member
• University of St. Thomas School of Law First Year Curriculum, ROADMAP Coach