Privacy Laws Govern the “Collection” of “Consumer” “Personal Information”
Under data privacy laws like the CCPA, “collection” means obtaining or receiving personal information pertaining to a consumer by any means. Cal. Civ. Code §1798.140(e). But there are nuances to this concept that lawyers should understand by reading the law itself.
Consumers and Clients Are Sometimes Different
“Consumer” means something different than client. A “client” is a person who consults a lawyer to retain the lawyer or secure legal service or advice from them in their professional capacity. See, e.g. Cal. Evid. Code §951. By contrast, a “consumer” is a natural person who is a resident of a certain state. See, e.g., Cal. Civ. Code §1798.140(g).
Distilling this concept down to a Venn diagram, an individual can be both a client and a consumer, but sometimes an individual is a consumer or client, or neither. Clear as mud? For example, if a law firm collects personal information from a Nevada resident, then the CCPA does not apply, regardless of whether that person is a client.
Personal Information and Client Confidences Are Sometimes Different
Privileged information, confidential information and personal information differ. Privilege is an evidentiary rule protecting a lawyer’s communications with their client from disclosure during litigation or another proceeding. Client information confidentiality is broader and may include any information a lawyer has relating to a client’s representation.
Personal information, on the other hand, is an entirely different concept that eclipses even client confidences. Under the CCPA, “‘personal information’ means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Cal. Civ. Code §1798.140(o)(1). Common examples include a postal address, email address, gender, age, and professional information about clients and non-clients that are typically collected by law firms.
Think of it this way—if a law firm obtains third-party witnesses’ contact information, the law firm may have collected personal information from a consumer under data privacy laws. Also, law firm websites may actively or passively collect protected personal information through forms, cookies, or services, such as Google Analytics.
A Law Firm May Be a Covered Business
While professional rules apply to the members of the legal profession, consumer privacy laws govern all businesses that meet certain definitions. The most simplistic example is that a law firm doing business in California may be a CCPA-covered firm if its annual gross revenue exceeds $25 million. But a law firm’s analysis cannot stop there. A law firm that does not meet the revenue threshold may still be a covered business if the law firm annually receives for commercial purposes the personal information of 50,000 or more California residents. If a law firm runs a website, that threshold is easier to meet than one would expect. More importantly, a law firm that is not a covered business may still be a “service provider” governed by the CCPA. See Cal. Civ. Code §1798.140(v).
Reviewing Vendor Contracts Is Critical
Vendor contracts should be reviewed and revised to comply with privacy laws. Under the CCPA, a vendor may be considered a “service provider” if the vendor processes personal information on behalf of a business pursuant to a written contract. See Cal. Civ. Code §1798.140(v). There are nuances to this provision and related regulations that law firms should review to determine whether and to what extent the rules apply.
The above considerations outline just the tip of the iceberg. Data privacy laws are fluid and change frequently. The key takeaways are that lawyers must understand that it is no longer enough to just protect client confidences and privilege; they should also review data privacy laws applicable to their practice. One thing is for sure, the need to respect consumer privacy is here to stay.