Privacy Policies for law firms

Donata Stroink-Skillrud

Co-founder and President of Termageddon

Law firm Privacy Policy

Law firms and lawyers are no strangers to compliance requirements: you watch your CLEs, make sure that you renew your license registration, and advise your clients on legal entities, contracts, and business licenses. However, an important compliance requirement that often falls through the cracks is the law firm Privacy Policy. Most law firm websites collect Personally Identifiable Information (PII) such as names, emails, and phone numbers through contact forms, where potential clients can contact you and inquire about your services. If you have a contact form on your website, or if your website uses an analytics tool such as Google Analytics, you may be legally required to have a law firm Privacy Policy.

There are several privacy laws that protect the PII of consumers, provide those consumers with privacy rights, and require certain websites to have a Privacy Policy that makes very specific disclosures. Privacy laws are relatively unique in that they protect consumers and not businesses. Due to the fact that anyone from anywhere could contact you through your website, you may be required to comply with the privacy laws of multiple states or even countries, even if you do not physically reside there. The privacy laws that may require you to have a law firm Privacy Policy are as follows:

  • California Online Privacy and Protection Act of 2003 (CalOPPA), which applies to any commercial website that collects the PII of residents of California;
  • California Privacy Rights Act (CPRA), which applies to for-profit entities that do business in California, collect the PII of California residents, and meet one or more of the following criteria:
    • Has annual gross revenues of $25,000,000 or more;
    • Buys, receives, sells, or shares the PII of at least 50,000 California consumers, households, or devices; or
    • Derives at least 50% of its annual revenue from selling the PII of California consumers.
  • Nevada Revised Statutes Chapter 603A, which applies to operators of commercial websites that collect the PII of Nevada residents and enter into transactions with residents of Nevada or otherwise have sufficient connections with the state;
  • Delaware Online Privacy and Protection Act (DOPPA), which applies to any commercial website that collects the PII of residents of Delaware;
  • General Data Protection Regulation (GDPR), which applies to you if you:
    • Are located in the European Union;
    • Offer goods or services to European Union residents, regardless of your location; or
    • Monitor the behavior of European Union residents, regardless of your location. This clause will make GDPR applicable to you if you have an analytics tool such as Google Analytics installed on your law firm’s website because analytics tools track the behavior of everyone who visits your website.
  • Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to organizations across Canada that collect, use, or disclose PII in the course of commercial activity. This law can also apply to you even if you are not located in Canada, as long as you are collecting the PII of Canadians;
  • Quebec Law 25, which applies to persons who collect, hold, use or share the personal information of Quebec residents in the course of carrying on an enterprise within the meaning of Article 1525 of the Quebec Civil Code. Article 1525 defines “enterprise” as “the carrying on by one or more persons of an organized economic activity, whether or not it is commercial in nature, consisting of producing, administering or alienating property or providing a service.” This means that Quebec Law 25 will apply to both for-profit and nonprofit organizations that collect, hold, use or share the personal information of residents of Quebec.
  • The Australia Privacy Act 1988, which applies to organizations outside of Australia that have an Australian link and to Australian organizations with annual turnover of more than AUD $3,000,000. It also applies to the following Australian organizations even if their turnover is less than AUD $3,000,000 per year:
    • Private sector healthcare providers;
    • Businesses that sell or purchase personal information;
    • Credit reporting bodies;
    • Contracted service providers for Australian government contracts;
    • Employee associations registered or recognized under the Fair Work (Registered Organisations) Act 2009;
    • Businesses that have opted in to comply with the law;
    • Businesses that are related to a business covered by the law; and
    • Businesses prescribed by the Privacy Regulation 2013.
    In addition, organizations formed outside of Australia may need to comply with this law, regardless of revenue, if they have an Australian link. Your organization has an Australian link if it carries on business in Australia and collects and holds personal information in Australia.
  • Colorado Privacy Act, which applies to controllers of personal data that:
    • Conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted towards residents of Colorado and satisfy one of the following thresholds:
      • Control or process the personal data of 100,000 or more Colorado consumers during the calendar year; or
      • Derive revenue or receive a discount from the sale of personal data and collect or process the personal data of 25,000 or more Colorado consumers.
  • Virginia Consumer Data Protection Act (VCDPA) (goes into effect on January 1, 2023), which applies to persons that conduct business in Virginia or that produce products or services that are targeted to residents of Virginia and that:
    • During a calendar year, control or process the personal data of at least 100,000 residents of Virginia; or
    • Control or process the personal data of at least 25,000 consumers, and derive 50% of gross revenue from the sale of personal data.
  • Utah Consumer Privacy Act, which applies to persons that conduct business in Utah or that produce products or services that are targeted to residents of Utah and that:
    • Have annual revenue of $25,000,000 or more; and
    • Meet one of the following thresholds:
      • During a calendar year, control or process the personal data of 100,000 or more Utah residents; or
      • Derive 50% or more of its annual revenue from the sale of personal data and control or process the personal data of 25,000 or more Utah consumers.
  • Connecticut SB6, which applies to persons that do business in Connecticut or that provide goods or services that are targeted towards residents of Connecticut and that during the previous year:
    • Controlled or processed the personal data of 100,000 or more Connecticut residents; or
    • Controlled or processed the personal data of 25,000 or more residents of Connecticut and derived more than 25% of their gross revenue from the sale of personal data.
  • Iowa SF262

If they apply to you, all of the privacy laws enumerated above will require your website to have a law firm Privacy Policy. Your Privacy Policy will need to state what PII you collect, what you do with that PII, who you share it with, and many more obscure disclosures required by these laws. Seasoned attorneys will remember the days when a law firm Privacy Policy was quickly drafted and forgotten, with no regular review or updates needed. Unfortunately, this practice is no longer a viable option, as states are proposing and passing new privacy bills on a regular basis.

In fact, there are currently over twenty privacy bills that have been proposed. All of these bills would apply outside of the states in which they are passed, require firms and lawyers to have a law firm Privacy Policy, and impose heavy fines for non-compliance. In addition, some privacy bills, if passed, would allow consumers to sue businesses directly for not having a compliant Privacy Policy, increasing the risk of litigation. It is important to note that failure to comply with current privacy laws can lead to high penalties, ranging from $2,500 per violation to €20,000,000 or more in total. In this case, per violation means per website visitor whose privacy rights you infringed upon. It is easy to see how these fines could add up to an astronomical amount, even if you only have a few hundred website visitors per month. Therefore, you don’t just need a law firm Privacy Policy that complies with current privacy laws, but a strategy for keeping that policy up to date. Use Termageddon’s Privacy Policy generator to help you determine what privacy laws apply to you, include all of the required disclosures in your law firm Privacy Policy, and keep that policy up to date with changing laws, rules, and regulations.

About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.