
Gregory Szewczyk


Greg Szewczyk is a partner in Ballard Spahr’s Denver and Boulder offices and Practice Leader of the Privacy and Data Security Group. Greg leverages a career that includes both high-stakes transactions and litigation to help companies take a practical approach to assessing risk and complying with the ever-expanding patchwork of state, federal, and international privacy and data security statutes and regulations.

Greg helps companies of all sizes, from Fortune 500s to startups, build and maintain their privacy and data security programs. He has advised hundreds of companies on various compliance issues—from the use of artificial intelligence to vendor management to routine data processing matters that arise in day-to-day business—relating to the Colorado Privacy Act (CPA), the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), the General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standards (PCI DSS), the Illinois Biometric Information Privacy Act (BIPA), the Gramm-Leach-Bliley Act (GLBA), state financial privacy laws, the Telephone Consumer Privacy Act (TCPA), and various other laws and regulations. Greg also advises clients in connection with corporate transactions, such as mergers, acquisitions, and partnerships. In doing so, he helps his clients assess the potential risks involved and develop creative solutions to data issues.


Representative Privacy and Data Security Matters

  • Advised on various types of transactions—including mergers and acquisitions, business partnerships, co-branded and private label credit cards, and rounds of funding—by conducting due diligence, assessing risks, and negotiating representations and warranties relating to privacy and data security issues
  • Counseled on building and modifying privacy and data security programs, including privacy policies, vendor management policies, information security plans, incident response programs, terms of use, biometric consent and retention policies, and various other policies
  • Advised on the potential legal implications and risks from incorporating artificial intelligence into business operations, including by developing AI governance policies
  • Assisted in performing internal trainings for employees across substantive fields, including executive decision-makers and information technology teams
  • Defended data breach and privacy class action lawsuits, including lawsuits involving international media publications, casinos, industrial manufacturers, and retailers

Representative Litigation Matters

  • Represented the brother-in-law of the King of Jordan in a three-week jury trial involving defense contracts for the transportation of oil to U.S. troops in Iraq, ultimately securing a $28.8 million jury verdict
  • Defended an international media organization in a lawsuit alleging that the website’s use of analytic tools violated state wiretap laws
  • Represented a major U.S. satellite-television distributor in a breach of contract action against a programming provider, ultimately securing a multimillion-dollar jury verdict in federal court
  • Represented an oil company in an action for fraudulent misappropriation of a majority interest in a Russian oil field

Representative Artificial Intelligence Matters

  • Advised clients ranging from Fortune 500 companies to tech startups on identifying whether certain technologies or processing constitute “automated profiling” or “automated decisionmaking” under international and state privacy laws, such as the GDPR, the CCPA, the Colorado Privacy Act, and other state privacy laws.
  • Determined whether certain automated technologies, which are often driven by generative learning, trigger the application of biometric identifiers regulated by various privacy laws.
  • Assessed vendor contracts and licensing agreements involving automated processing to determine how those provisions impact rights, obligations, and compliance regimes.

Professional Highlights

Professional Activities

American Bar Association

Colorado Bar Association

Denver Bar Association

New York City Bar Association, Military Affairs and Justice Committee

Recognition & Accomplishments

Denver Business Journal, "40 Under 40," 2023

JD Supra Readers' Choice Award, Top Author in Cybersecurity and Data Privacy, 2023

Benchmark Litigation, "40 & Under List," - Entertainment, Intellectual Property, Media (Midwest), 2022, 2023

Certified Information Privacy Professional/United States 

Speaking Engagements

Speaker, "Baked-In Bias: Practical steps to avoiding the hidden risks of AI," MyLawCLE, December 7, 2023

Speaker, "The End of the 'See No Evil' Approach to Vendor Management," Colorado Cybersecurity Summit, Denver, September 2018

Speaker, "Inside the Laboratory: State Legislation Impacting Privacy and Data Security," Consumer Data Industry Association Teleseminar, August 8, 2018

Board Memberships & Community Service

Protect Our Winters, Advisory Board


Author, "Navigating the Biggest Privacy Risks Facing Media Companies Today," Headlines and Deadlines, Pennsylvania Newsmedia Association, November 2023

Co-author, "What Is the Potential Liability for Zoombombing, and How Safe Are Zoom Alternatives?," Cybersecurity Law Report, April 29, 2020

Co-author, "Utah Privacy Law Would Be First to Require Search Warrant for Government to Access Stored Data," The National Law Review, March 28, 2019 

Co-author, "What Companies Need to Know About Changes to Colorado's Cybersecurity Law," ColoradoBiz Magazine, September 16, 2018




Harvard Law School (J.D. 2009)

University of Notre Dame (B.A., cum laude, 2006)



New York

U.S. District Court for the District of Colorado

U.S. District Court for the Eastern District of New York

U.S. District Court for the Southern District of New York

U.S. Court of Appeals for the Ninth Circuit

U.S. Court of Appeals for the Tenth Circuit