chevron-down Created with Sketch Beta.
Feature

What Does the California Consumer Privacy Act Mean for IP Attorneys and Law Firms?

By Dan Goldstein and Adam Rowan

Published in Landslide Vol. 11 No.2, ©2018 by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association.

Consumer privacy controversy has defined 2018 for tech companies. Facebook has appeared in headlines repeatedly for its questionable handling of user data and lax approach to privacy. Consumers who download their Google history are shocked at the breadth of information the search giant gathers. Congress has asked Apple, Alphabet, and other device makers about the security and privacy of their smartphones.1

Getty Images

Google, Facebook, Apple, and many more leading tech companies are headquartered in California. The state is a hotbed for innovative ideas, but the ongoing inquiries and criticisms from privacy advocates that these companies face made legislative action an inevitability.

On June 28, 2018, Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) into law after it passed unopposed through both houses of the state legislature. When the law goes into effect in 2020, it will provide unprecedented consumer privacy protection, requiring many companies that do business in California to disclose the data they collect from consumers and giving consumers the right to prohibit websites from gathering data and to opt out of having their data sold to third parties.

Businesses that fail to abide by the law will be liable for $100 to $750 in damages per infraction. The attorney general of California is also empowered to investigate complaints and prosecute violations.

What Is the CCPA?

The California Consumer Privacy Act is the first law of its kind in the United States. It is similar to the General Data Protection Regulation (GDPR) implemented earlier in 2018 by the European Union. Like the GDPR, the CCPA requires businesses to be transparent about the data they gather for consumers and enables consumers to limit the amount and type of data gathered. The wording of the GDPR is extremely broad, creating a panic among businesses and brands earlier this year as they updated their websites and privacy policies to be compliant with the regulation.

The entities affected by the CCPA are somewhat clearer. The law will apply to for-profit businesses that do business in California and “[h]ave $25 million or more in annual revenue; or [p]ossess the personal data of more than 50,000 ‘consumers, households, or devices[;]’ or [e]arn more than half of [their] annual revenue selling consumers’ personal data.”2

The Act defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”3 The law provides a vast definition of identifying information that encompasses personal and digital details including real name, user name, physical address, IP address, driver’s license number, Social Security number, and more.

Under the CCPA, consumers in California have the right to “access the categories and specific pieces of personal information collected by a covered business, including information about where the business collected the personal information from, the business’s purpose for collecting or selling the personal information, and the categories of third parties with whom the business has shared or sold the personal information.”4 Consumers can opt out of data collection and request that their personal information be deleted, subject to exceptions based on the nature of the transaction.

The CCPA was drafted as an alternative to a citizens’ ballot measure with even stricter guidelines. In response, both houses of the California state legislature passed the bill in less than a week. As a consequence, the law will likely be amended before its 2020 effective date.

At first blush, the CCPA will have businesses of any size running for their in-house counsel or an outside law firm to protect their interests. An estimated 500,000 companies in the United States will likely be subject to the law in California, according to the International Association of Privacy Professionals.5

How IP Attorneys May Be Affected by the CCPA

The challenge for both attorneys in the intellectual property field and the businesses they serve will be helping clients walk the line between profitable business operations and compliance with unprecedented regulation. First and foremost, the CCPA affects businesses (including law firms) based in or doing businesses in California. Law firms with no office and no business dealings in California will not be subject to the law’s requirements.

However, businesses operating in California will need to examine the following to determine their compliance requirements:

  • • Annual revenue: Businesses with $25 million or more in annual revenue must comply with the CCPA.
  • • Consumer data: A business that “buys, receives . . . sells, or shares . . . the personal information of 50,000 or more consumers, households, or devices” is subject to the law.
  • • Percentage of annual revenue: A business subject to the CCPA “[d]erives 50 percent or more of its annual revenues from selling consumers’ personal information.”6

Given these thresholds, a clearer picture starts to emerge: “BigLaw” firms will need to take steps toward compliance by 2020 if they do business in California. However, there are many more law firms with annual revenues below $25 million. Firms in this latter category will likely have to take little to no action before the CCPA goes into effect.

In addition, law firms that use consumer data for commercial purposes will not be subject to the CCPA if they collect information for fewer than 50,000 “consumers, households, or devices.” Compliance also does not apply should less than half of the firm’s annual revenue be derived from the sale of consumer information.

Website Changes

Some of the changes law firms have made on the privacy front are a result of best-practice pragmatism, rather than legislative pressure. Many law firms recently have converted their websites to a hypertext transfer protocol secure (HTTPS) format in order to avoid triggering a “not secure” warning for users on the Google Chrome browser.7 This change signals to visitors that the law firm hosting the website is committed to securing their privacy while also protecting the firm from a loss of website traffic and leads as a result of nonsecure browsing concerns.

However, laws like the CCPA change the conversation around privacy. Instead of optimal performance, compliance becomes a matter of legal necessity. In order to comply with the CCPA, businesses must present consumers with the ability to opt out of data collection. According to the text of the law, compliant businesses will “[p]rovide a clear and conspicuous link on the business’ Internet homepage, titled ‘Do Not Sell My Personal Information,’ to an Internet Web page that enables a consumer . . . to opt out of the sale of the consumer’s personal information.”8

The CCPA is agnostic on the exact meaning of “clear and conspicuous,” but law firms may need to revise the design of their website home page, embedded contact form, or both to provide the necessary link. They may also need to revise their privacy policy page to include language describing the rights of California consumers under the Act.

Embedded contact forms are a signature lead generation tool used across attorney and law firm websites. With the advent of the CCPA, firms will need to create a separate contact form dedicated to processing visitor requests to opt out of data collection. How law firms, and businesses in general, will handle opt-out requests is perhaps the biggest open question of CCPA compliance.

Infrastructure Updates

Unlike tech giants and other companies that make significant profits from the sale of consumer data, law firms are expected to protect clients’ private information. Therefore, though the guidelines presented by the CCPA may be onerous for eligible businesses, the implicit security of the attorney-client relationship may ease the burden of compliance.

However, researching and implementing changes to comply with privacy laws and regulations takes time, resources, and money. Compliance with the GDPR was a massive undertaking for businesses worldwide, requiring principals to apply the ambiguous and obscure wording of the regulation to update their privacy policies accordingly. Similarly, to comply with the CCPA, law firms and other businesses will need to designate employees and establish internal processes to handle consumer inquiries. These companies should also ensure that their staff understands the specific requirements of the law.

Ultimately, continued concerns about consumer privacy and the seemingly never-ending series of high-profile data breaches will likely result in more legislation like the CCPA. Most likely, other states will soon follow California’s lead. Law firms and other businesses will be expected to pick up the costs of compliance posed by hours of work and infrastructure changes.

Marketing Returns

Targeted advertising through platforms like Facebook, Google AdWords, and more serve as powerful marketing and lead generation tools for law firms. These advertising tools present businesses with the option to deliver ads to a specific set of users based on narrowly defined characteristics related to demographics and online behavior.

Granular consumer data makes highly targeted ads possible. For ethical businesses, the relationship is a symbiotic one: Consumers are able to learn about goods and services when they are most interested in making a purchasing decision, while businesses can improve their visibility among consumers and drive leads through well-timed and personalized ads.

Many consumers who use these websites may opt out of data collection on third-party websites now that the CCPA presents a visible option to do so. This in turn could reduce the effectiveness of digital advertising channels that rely on consumer information. This could force law firms to rely more on search engine optimization and content marketing rather than direct-to-consumer advertising. If certain digital advertising channels become less effective, the cost of marketing may increase, resulting in a lower return on investment and possibly fewer leads. Fortunately, many consumers enjoy seeing the right ads at the right time for the services and products in which they are interested. Many others won’t take the time to opt out.

Regardless of the changes third parties make to ensure that their advertising services are compliant, law firms can still benefit by creating ad campaigns that strive to serve prospective clients. Smart marketing will generate leads and cases, no matter the availability of granular consumer data.

Conclusion

Knowledge is power. Now that consumers know the level and amount of data gathered by online providers, they are demanding better protection for their privacy. California is the first state in the nation to oblige, and more states will likely follow that example.

The year 2020 might seem like a long way off, but law firms with a business presence in California need to start taking action now to ensure that they are compliant with the CCPA. Attorneys should anticipate changes to their infrastructure and digital marketing, and stay abreast of inevitable amendments that will revise the CCPA before it goes into effect.

Law firms that prepare for the future presented by the push for greater online privacy will protect their business operations. Preparations will also enable firms to update their website, handle client information, and market their services successfully while maintaining compliance.

Endnotes

1. David Shepardson, House Republicans Demand Answers from Apple, Alphabet on Privacy, Data Practices, Reuters (July 9, 2018), https://www.reuters.com/article/congress-privacy-tech/house-republicans-demand-answers-from-apple-alphabet-on-privacy-data-practices-idUSL1N1U50Y1.

2. Sara H. Jodka, California’s Data Privacy Law: What It Is and How to Comply (A Step-by-Step Guide), Nat’l L. Rev. (July 17, 2018), https://www.natlawreview.com/article/california-s-data-privacy-law-what-it-and-how-to-comply-step-step-guide.

3. Lindsey Tonsager & Weiss Nusraty, California Adopts Expansive Consumer Privacy Law, Nat’l L. Rev. (July 2, 2018), https://www.natlawreview.com/article/california-adopts-expansive-consumer-privacy-law.

4. Michael G. Morgan et al., California Enacts a Groundbreaking New Privacy Law, Nat’l L. Rev. (June 29, 2018), https://www.natlawreview.com/article/california-enacts-groundbreaking-new-privacy-law.

5. Rita Heimes & Sam Pfeifle, New California Privacy Law to Affect More Than Half a Million US Companies, Int’l Ass’n Privacy Profs. (July 2, 2018), https://iapp.org/news/a/new-california-privacy-law-to-affect-more-than-half-a-million-us-companies/.

6. California Consumer Privacy Act of 2018, A.B. 375, 2017–2018 Leg., Reg. Sess. § 1798.140, https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375.

7. Bill Fukui, July Deadline: Google to Shame HTTP Websites and Warn Visitors, Page 1 Solutions (Feb. 10, 2018), https://www.page1solutions.com/blog/july-deadline-google-to-shame-http-websites-and-warn-visitors.html.

8. A.B. 375, § 1798.135(a)(1).

Dan Goldstein is a licensed attorney who has practiced law in Colorado and Washington, D.C. He is the president and owner of Page 1 Solutions, LLC, a digital marketing agency serving attorneys throughout North America.

Adam Rowan is the content specialist at Page 1 Solutions. He has contributed content to online and print publications in the legal industry and other fields for over 10 years.

Entity:
Topic:
The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here.