The California Consumer Privacy Act (CCPA) went into effect January 1. This landmark law, likely a reaction to the Facebook-Cambridge Analytica scandal of 2018, will have a radical impact on consumer privacy in the United States and likely inspire other state or federal laws on this issue.
Do Law Firms Have to Worry About CCPA?
Probably not. Most law firms don’t have to comply with this law. The CCPA, unlike other privacy laws, was written so that only a narrow sliver of businesses are required to actually comply with it. What law firms do need to know is which businesses those are and how to advise them.
One of the upsides of not making $25 million per year is you don’t have to comply with this law’s complex requirements. Many business owners breathed a sigh of relief about not being in the $25 Million Club.
Questions Lawyers Should Ask About Privacy
As lawyers, we have ethical obligations regarding client confidentiality. While this extends to the security of client records, we should be asking additional questions about privacy and data security:
- What administrative, technical and physical measures do we take to protect confidential information?
- How often do we have to change our passwords? Are our password requirements sufficient?
- Do we have employees who are not lawyers who need access to client files and other confidential information? Is there a confidentiality agreement on file for each one?
- Do we have third-party vendors who need access to our files in order to do their job — such as IT? Is their access limited only to the areas necessary for the tasks we’ve hired them to do? Do we have nondisclosure agreements with them?
- How do we redact documents? (You know that text that has been lined over with a black marker can still be seen when the paper’s held up to the light, right?)
- What information and documents will we be sharing with our clients?
- What steps do we take to ensure that past employees and vendors no longer have access to our records?
Data Security Extends to Your Email List
If you have an e-newsletter or email marketing list, make sure you’re using a provider like MailChimp or Constant Contact that uses sufficient data security measures and complies with all applicable privacy laws.
Speaking of privacy, let’s talk about those email lists. Do not add anyone to your email marketing list without first giving notice and getting the person’s consent. This isn’t an ethical requirement of the legal profession, but it should be an unspoken rule in every profession. It is one of my nail-on-the-chalkboard pet peeves. When someone adds me without notice or consent, it indicates disrespect.
It’s All About Integrity
The core issue underlying privacy and data security is integrity. We are entrusted with people’s information, and that situation deserves respect. Our clients trust us with their lives and livelihoods. In return, we have an obligation to treat their information with the same level of care that we’d want for our closest relative or friend.
For more information on CCPA …
I created a CCPA Cheat Sheet that I use with my clients and update as more information and guidelines are provided about this new law. My cheat sheet is available for free to anyone who asks. I will not add you to my email list. (I will invite you to add yourself, but it’s completely voluntary.) If you want a copy, please send me an email.