
Website Privacy Policy Requirements for Attorneys 

By: Donata Stroink-Skillrud, Esq., CIPP

In this modern day and age, most attorneys and law firms have a website where they list the services that they offer, provide valuable insights into novel legal issues, and connect with current and prospective clients. Attorney websites usually achieve these goals through contact forms, email newsletter sign-up forms, appointment setting forms, and analytics tools. What many attorneys do not realize though is that these forms collect Personally Identifiable Information (PII) such as names, emails, phone numbers, and IP addresses. PII is regulated under a variety of privacy laws, which require certain businesses to have a comprehensive Privacy Policy that includes all of the disclosures required by those laws. In this article, we will discuss website Privacy Policy requirements for attorneys, namely what privacy laws can apply to attorneys, what disclosures they require Privacy Policies to contain, and the penalties for failure to comply so that you can take the necessary steps to protect your firm. 

What privacy laws apply to attorney websites? 

Privacy laws are unique in the sense that they protect consumers and not businesses. In addition, due to the broad reach of websites, privacy laws can apply to businesses outside of the state or country in which the privacy law was originally enacted. Furthermore, websites that collect as little as a name and an email address can be subject to privacy law compliance. In addition to the confidentiality ethical rules that are applied to client-attorney communications, the following privacy laws are those that most commonly apply to attorney websites: 

  1. California Online Privacy and Protection Act of 2003 (CalOPPA): applies to operators of commercial websites that collect the PII of residents of California; 
  2. California Consumer Privacy Act (CCPA): applies to for-profit entities that do business in California and that collect, share or sell the personal information of California residents and that meet one or more of the following criteria: 
    • Have annual gross revenues of $25,000,000 or more; 
    • Buy, receive, sell or share the PII of at least 50,000 California consumers, households or devices; or 
    • Derive at least 50% of its annual revenue from selling the PII of California consumers. 
  3. Nevada Revised Statutes Chapter 603A: applies to owners and operators of a website for commercial purposes that collect and maintain the PII of residents of Nevada and meet one or more of the following: 
    • Purposefully direct their activities towards Nevada; 
    • Consummate a transaction with the State of Nevada or a resident of Nevada; or 
    • Purposefully avail themselves of the privilege of conducting activities in Nevada or otherwise engage in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the US Constitution. 
  4. Delaware Online Privacy and Protection Act (DOPPA): applies to any person that owns a commercial website that collects PII through that website about individuals residing in Nevada. 
  5. General Data Protection Regulation (GDPR): applies to you if you: 
    • Have an establishment in the European Union; 
    • Offer goods or services to European Union residents, regardless of your location; or 
    • Monitor the behavior of European Union residents (through tools such as pixels, cookies, or analytics), regardless of your location. 
  6. United Kingdom Data Protection Act 2018 (UK DPA 2018): applies to you if you: 
    • Have an establishment in the United Kingdom; 
    • Offer goods or services to United Kingdom residents, regardless of your location; or 
    • Monitor the behavior of European Union residents (through tools such as pixels, cookies, or analytics), regardless of their location. 
  7. Personal Information Protection and Electronic Documents Act (PIPEDA): applies to organizations across Canada that collect, use, or disclose PII in the course of a commercial activity. Canadian courts and the Canada Office of the Privacy Commissioner have also concluded that PIPEDA can apply to non-Canadian companies that collect, use or disclose the PII of residents of Canada. 
  8. Australia Privacy Act 1988: applies to Australian organizations with annual turnover of more than AUD $3,000,000. It can also apply to Australian organizations with a smaller turnover if they meet certain conditions. It also applies to organizations formed outside of Australia if they have an Australian link, meaning that they carry on business in Australia and collect and hold personal information in Australia. 

While the above list is not exhaustive, as you can see, having as little as a contact form, a newsletter sign-up form, or analytics on your website can subject you to a variety of different privacy laws. Privacy laws provide a variety of privacy rights to individuals, such as the right to request the deletion of their PII, the correction of their PII, and the right to transparent information about a business’ privacy practices, usually in the form of a Privacy Policy. 

What disclosures should a Privacy Policy include? 

Due to the fact that each privacy law has a very specific list of disclosures that it requires Privacy Policies to contain, it is imperative to first determine which privacy laws apply to your firm. Once you have determined which privacy laws apply to you, review the requirements of each privacy law and include the disclosures within your Privacy Policy. The following are examples of the disclosures that may be included in Privacy Policies: 

  1. The effective date of the Privacy Policy; 
  2. Your name and contact information; 
  3. What PII is collected by your website; 
  4. Where that PII comes from (e.g. is it submitted directly by the individual or collected through analytics); 
  5. Purposes for which you will be using the PII; 
  6. Whether you share that PII with any third parties and if so, the categories of third parties with whom the PII is shared; 
  7. How your website responds to Do Not Track signals; 
  8. How you will notify users of changes to your Privacy Policy; 
  9. Whether you sell PII; 
  10. Whether you use the PII for targeted advertising; 
  11. The privacy rights that are provided to consumers and how consumers can exercise those privacy rights and appeal any of your decisions made with regard to such requests; 
  12. How individuals can complain to authorities regarding your processing of their PII; 
  13. The legal bases for processing PII; 
  14. How long you store PII; 
  15. Whether you use PII for automated decision-making or profiling; 
  16. Whether you intend to transfer PII to another country or to an international organization; 
  17. If you have a Data Protection Officer, and if so, their contact details; 
  18. Your use of analytics programs; 
  19. Your use of identification or location technologies; and 
  20. Your use of cookies or other tracking technologies. 

It is imperative that your Privacy Policy contains all of the disclosures required by the privacy laws that apply to you. Otherwise, you may subject yourself and your firm to privacy-related fines and lawsuits. 

Do law firm website Privacy Policies need to be updated? 

Once you create your Privacy Policy, you may be wondering whether you are all set or whether you will need to update your Privacy Policy in the future. As technologies and the use of PII change over time, new privacy laws are proposed and passed, and existing privacy laws are amended. In fact, there are over a dozen proposed privacy bills in the United States alone, and countries such as Canada, Australia, and the United Kingdom are proposing to amend their privacy laws to include new requirements, including new requirements for the disclosures contained within Privacy Policies. 

The following new privacy laws will be going into effect in 2023 and will affect Privacy Policy disclosures: 

  1. Virginia Consumer Data Protection Act (VCDPA): goes into effect on January 1, 2023 and applies to persons that conduct business in Virginia or that produce products or services that are targeted to residents of Virginia and that: 
    • During a calendar year, control or process the PII of at least 100,000 residents of Virginia; or 
    • Control or process the PII of at least 25,000 residents of Virginia and derive 50% or more of gross revenue from the sale of PII. 
  2. Colorado Privacy Act: goes into effect on July 1, 2023 and applies to controllers of PII that conduct business in Colorado or that produce or deliver commercial products or services that are intentionally targeted towards residents of Colorado and satisfy one or more of the following thresholds: 
    • Control or process the PII of 100,000 or more residents of Colorado during a calendar year; or 
    • Derive revenue or receive a discount from the sale of PII and control or process the PII of 25,000 or more Colorado residents. 
  3. Utah Consumer Privacy Act: goes into effect on December 31, 2023 and applies to persons who do business in Utah or that produce a product or service that is targeted to Utah residents and that meet one or more of the following criteria: 
    • Have annual revenue of $25,000 or more; and 
    • Meet one of the following thresholds: 
      1. During a calendar year, control or process the PII of 100,000 or more residents of Utah; or 
      2. Derive 50% or more of their annual gross revenue from the sale of PII and control or process the PII of 25,000 or more residents of Utah. 
  4. Connecticut SB6: goes into effect on July 1, 2023 and applies to persons that do business in Connecticut or that provide goods or services that are targeted towards residents of Connecticut and that during the previous year: 
    • Controlled or processed the PII of 100,000 or more residents of Connecticut; or 
    • Controlled or processed the personal data of 25,000 or more residents of Connecticut and derived more than 25% of their gross revenue from the sale of PII; 
  5. California Privacy Rights Act (CPRA): goes into effect on January 1, 2023 and will replace the CCPA. CPRA will apply to businesses that do business in California and that collect the PII of residents of California and that meet one or more of the following criteria: 
    • Have annual gross revenue of at least $25,000,000 in the preceding calendar year; 
    • Buy, receive or sell the PII of 100,000 or more California residents, households, or devices; or 
    • Derive 50% or more of their annual revenue from selling or sharing the PII of residents of California. 
  6. Quebec Bill 64: goes into effect on September 1, 2023 and applies to persons who collect, hold, use or share the PII of residents of Quebec in the course of a commercial activity. 

As more privacy laws go into effect and are proposed and passed, the requirements for Privacy Policies are changing at an increasing pace. Thus, it is important to not just have a Privacy Policy that complies with today’s privacy laws, but to also have a strategy to keep that policy up to date with changing legislation. 

What are the penalties for failure to comply with privacy laws? 

While using a template or copying and pasting someone else’s Privacy Policy may seem like a decent idea at first, the penalties for failure to have a Privacy Policy that contains all of the required disclosures and that fits your business and privacy practices are steep. Privacy law fines start at $2,500 per website visitor whose privacy rights were infringed upon and can mean fines of €20,000,000 or more in total. 

Thus, it is imperative that your law firm considers having a comprehensive Privacy Policy that complies with all of the privacy laws that apply to you as that is the best way to avoid non-compliance. 

Disclaimer: Please note that any information provided in this article is provided for informational purposes only and should not be considered legal advice. Please speak to your attorney for assistance with your specific legal issues.

About the Author

Donata Stroink-Skillrud is an attorney and Certified Information Privacy Professional (CIPP). Donata is the President and legal engineer of Termageddon, LLC, a comprehensive Privacy Policies generator that helps law firms and small businesses avoid fines and lawsuits and stay up to date with privacy compliance requirements. Donata is also the Chair of the ePrivacy Committee of the American Bar Association and the Vice-Chair of the Chicago Bar Association’s Privacy and Cybersecurity Committee.