Trellis White paper Ad 770 Spot #6
share TWEET PIN IT share share 0

What Lawyers Need to Know About CCPA, California’s New Privacy Law

By Ruth Carter

The California Consumer Privacy Act (CCPA) went into effect January 1. This landmark law, likely a reaction to the Facebook-Cambridge Analytica scandal of 2018, will have a radical impact on consumer privacy in the United States and likely inspire other state or federal laws on this issue.


Do Law Firms Have to Worry About CCPA?

Probably not. Most law firms don’t have to comply with this law. The CCPA, unlike other privacy laws, was written so that only a narrow sliver of businesses are required to actually comply with it. What law firms do need to know is which businesses those are and how to advise them.

CCPA Flowchart

One of the upsides of not making $25 million per year is you don’t have to comply with this law’s complex requirements. Many business owners breathed a sigh of relief about not being in the $25 Million Club.

Questions Lawyers Should Ask About Privacy

As lawyers, we have ethical obligations regarding client confidentiality. While this extends to the security of client records, we should be asking additional questions about privacy and data security:

  • What administrative, technical and physical measures do we take to protect confidential information?
  • How often do we have to change our passwords? Are our password requirements sufficient?
  • Do we have employees who are not lawyers who need access to client files and other confidential information? Is there a confidentiality agreement on file for each one?
  • Do we have third-party vendors who need access to our files in order to do their job — such as IT? Is their access limited only to the areas necessary for the tasks we’ve hired them to do? Do we have nondisclosure agreements with them?
  • How do we redact documents? (You know that text that has been lined over with a black marker can still be seen when the paper’s held up to the light, right?)
  • What information and documents will we be sharing with our clients?
  • What steps do we take to ensure that past employees and vendors no longer have access to our records?

Data Security Extends to Your Email List

If you have an e-newsletter or email marketing list, make sure you’re using a provider like MailChimp or Constant Contact that uses sufficient data security measures and complies with all applicable privacy laws.

Speaking of privacy, let’s talk about those email lists. Do not add anyone to your email marketing list without first giving notice and getting the person’s consent. This isn’t an ethical requirement of the legal profession, but it should be an unspoken rule in every profession. It is one of my nail-on-the-chalkboard pet peeves. When someone adds me without notice or consent, it indicates disrespect.

It’s All About Integrity

The core issue underlying privacy and data security is integrity. We are entrusted with people’s information, and that situation deserves respect. Our clients trust us with their lives and livelihoods. In return, we have an obligation to treat their information with the same level of care that we’d want for our closest relative or friend.

For more information on CCPA …

I created a CCPA Cheat Sheet that I use with my clients and update as more information and guidelines are provided about this new law. My cheat sheet is available for free to anyone who asks. I will not add you to my email list. (I will invite you to add yourself, but it’s completely voluntary.) If you want a copy, please send me an email.

Subscribe to Attorney at Work

Get really good ideas every day for your law practice: Subscribe to the Daily Dispatch (it’s free). Follow us on Twitter @attnyatwork.

Image ©

Categories: Managing a Law Firm, Nothing But The Ruth!
Originally published April 29, 2022
Last updated July 26, 2023
share TWEET PIN IT share share
Ruth Carter Ruth Carter

Ruth Carter — lawyer, writer and professional speaker — is Of Counsel with Venjuris, focusing on intellectual property, business, internet and flash mob law. Named an ABA Journal Legal Rebel, Ruth is the author of “The Legal Side of Blogging for Lawyers,” as well as “Flash Mob Law: The Legal Side of Planning and Participating in Pillow Fights, No Pants Rides, and Other Shenanigans.” Ruth blogs at and

More Posts By This Author
MUST READ Articles for Law Firms Click to expand

Welcome to Attorney at Work!

Sign up for our free newsletter.


All fields are required. By signing up, you are opting in to Attorney at Work's free practice tips newsletter and occasional emails with news and offers. By using this service, you indicate that you agree to our Terms and Conditions and have read and understand our Privacy Policy.