Privacy Policies for law firms

Law firms and lawyers are no strangers to compliance requirements – you track your CLEs, make sure that you renew your license registration, and advise your clients on legal entities, contracts, and business licenses. However, one compliance requirement that often falls through the cracks is the law firm Privacy Policy. Most law firm websites collect Personally Identifiable Information (PII) such as names, email addresses, and phone numbers through contact forms, where potential clients can reach you and inquire about your services. If you have a contact form on your website, or if your website uses an analytics tool such as Google Analytics, you may be legally required to have a law firm Privacy Policy.

There are several privacy laws that protect the PII of consumers, grant those consumers privacy rights, and require certain websites to have a Privacy Policy that makes very specific disclosures. Privacy laws are unusual in that they protect consumers rather than businesses. Because anyone from anywhere could contact you through your website, you may be required to comply with the privacy laws of multiple states or even countries, even if you do not physically reside there. The privacy laws that may require you to have a law firm Privacy Policy are as follows:

  • California Online Privacy Protection Act of 2003 (CalOPPA), which applies to any commercial website that collects the PII of residents of California;
  • California Consumer Privacy Act (CCPA), which applies to for-profit entities that do business in California, collect the PII of California residents, and meet one or more of the following criteria:
    • Has annual gross revenues of $25,000,000 or more;
    • Buys, receives, sells, or shares the PII of at least 50,000 California consumers, households, or devices; or
    • Derives at least 50% of its annual revenue from selling the PII of California consumers.
  • Nevada Revised Statutes Chapter 603A, which applies to operators of commercial websites that collect the PII of Nevada residents and enter into transactions with residents of Nevada or otherwise have sufficient connections with the state;
  • Delaware Online Privacy and Protection Act (DOPPA), which applies to any commercial website that collects the PII of residents of Delaware;
  • General Data Protection Regulation (GDPR), which applies to you if you:
    • Are located in the European Union;
    • Offer goods or services to European Union residents, regardless of your location; or
    • Monitor the behavior of European Union residents, regardless of your location. This clause may bring you within the scope of GDPR if you have an analytics tool such as Google Analytics installed on your law firm’s website, because analytics tools track the behavior of everyone who visits your website, including visitors from the European Union.
  • Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to organizations across Canada that collect, use, or disclose PII in the course of commercial activity. This law can also apply to you even if you are not located in Canada, as long as you are collecting the PII of Canadians.

If they apply to you, all of the privacy laws enumerated above will require your website to have a law firm Privacy Policy. Your Privacy Policy will need to state what PII you collect, what you do with that PII, who you share it with, and many other, more obscure disclosures required by these laws. Seasoned attorneys will remember the days when a law firm Privacy Policy was quickly drafted and forgotten, with no regular review or updates needed. Unfortunately, this practice is no longer viable, as states are proposing and passing new privacy bills on a regular basis.

In fact, over twenty privacy bills have currently been proposed. All of these bills would apply outside of the states in which they are passed, require firms and lawyers to have a law firm Privacy Policy, and impose heavy fines for non-compliance. In addition, some privacy bills, if passed, would allow consumers to sue businesses directly for not having a compliant Privacy Policy, increasing the risk of litigation. It is important to note that failure to comply with current privacy laws can lead to high penalties, ranging from $2,500 per violation to €20,000,000 or more in total. Here, per violation means per website visitor whose privacy rights you infringed upon. It is easy to see how these fines could add up to an astronomical amount, even if you only have a few hundred website visitors per month. Therefore, you don’t just need a law firm Privacy Policy that complies with current privacy laws, but also a strategy for keeping that policy up to date. Use Termageddon’s Privacy Policy generator to determine which privacy laws apply to you, include all of the required disclosures in your law firm Privacy Policy, and keep that policy up to date with changing laws, rules, and regulations.