December 21, 2020 Practice Points

Lawyers Beware: How Data Privacy Protections Differ from Privilege and Confidentiality

Navigating current privacy laws is like wandering through a labyrinth. Where should a lawyer start?

By Joanna L. Storey

Respecting consumer data privacy is both business-wise and governed by law. But navigating current privacy laws is like wandering through a labyrinth, especially as the landscape changes while states rush to adopt consumer protections in the absence of federal guidance. Law firms are not immune and applying typical confidentiality and privilege principles is not enough.

While the most well-known data privacy law in the United States is the California Consumer Privacy Act (CCPA), many other states also have privacy laws and requirements for businesses to implement and maintain reasonable security measures.

There is so much to know. So, where should a lawyer without privacy law experience start?

Privacy and Privilege Are Different

As a threshold issue, lawyers should understand that protecting consumer privacy is not the same as maintaining client confidentiality or privilege. This point is significant because lawyers cannot assume that their standard approach is enough to lawfully protect consumer privacy.

Model Rule of Professional Conduct 1.6 addresses confidentiality of information relating to the representation of a client. Evidentiary privileges govern communications between attorney and client and attorney work product. There are also times when attorneys must maintain confidentiality of non-client information under a protective order or other confidentiality agreement.

By contrast, data privacy laws apply to the collection of “personal information” of “consumers,” which may include not only clients but also opposing parties and third parties.

Privacy Laws Govern the “Collection” of “Consumer” “Personal Information”

Under data privacy laws like the CCPA, “collection” means obtaining or receiving personal information pertaining to a consumer by any means. Cal. Civ. Code §1798.140(e). But there are nuances to this concept that lawyers should understand by reading the law itself.

Consumers and Clients Are Sometimes Different

“Consumer” means something different than client. A “client” is a person who consults a lawyer to retain the lawyer or secure legal service or advice from them in their professional capacity. See, e.g. Cal. Evid. Code §951. By contrast, a “consumer” is a natural person who is a resident of a certain state. See, e.g., Cal. Civ. Code §1798.140(g).

Distilling this concept down to a Venn diagram, an individual can be both a client and a consumer, but sometimes an individual is a consumer or client, or neither. Clear as mud? For example, if a law firm collects personal information from a Nevada resident, then the CCPA does not apply, regardless of whether that person is a client.

Personal Information and Client Confidences Are Sometimes Different

Privileged information, confidential information and personal information differ. Privilege is an evidentiary rule protecting a lawyer’s communications with their client from disclosure during litigation or another proceeding. Client information confidentiality is broader and may include any information a lawyer has relating to a client’s representation.

Personal information, on the other hand, is an entirely different concept that eclipses even client confidences. Under the CCPA, “‘personal information’ means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Cal. Civ. Code §1798.140(o)(1). Common examples include a postal address, email address, gender, age, and professional information about clients and non-clients that are typically collected by law firms.

Think of it this way—if a law firm obtains third-party witnesses’ contact information, the law firm may have collected personal information from a consumer under data privacy laws. Also, law firm websites may actively or passively collect protected personal information through forms, cookies, or services, such as Google Analytics.

A Law Firm May Be a Covered Business

While professional rules apply to the members of the legal profession, consumer privacy laws govern all businesses that meet certain definitions. The most simplistic example is that a law firm doing business in California may be a CCPA-covered firm if its annual gross revenue exceeds $25 million. But a law firm’s analysis cannot stop there. A law firm that does not meet the revenue threshold may still be a covered business if the law firm annually receives for commercial purposes the personal information of 50,000 or more California residents. If a law firm runs a website, that threshold is easier to meet than one would expect. More importantly, a law firm that is not a covered business may still be a “service provider” governed by the CCPA. See Cal. Civ. Code §1798.140(v).

Reviewing Vendor Contracts Is Critical

Vendor contracts should be reviewed and revised to comply with privacy laws. Under the CCPA, a vendor may be considered a “service provider” if the vendor processes personal information on behalf of a business pursuant to a written contract. See Cal. Civ. Code §1798.140(v). There are nuances to this provision and related regulations that law firms should review to determine whether and to what extent the rules apply.

Parting Thoughts

The above considerations outline just the tip of the iceberg. Data privacy laws are fluid and change frequently. The key takeaways are that lawyers must understand that it is no longer enough to just protect client confidences and privilege; they should also review data privacy laws applicable to their practice. One thing is for sure, the need to respect consumer privacy is here to stay.

Joanna L. Storey is an associate with Hinshaw & Culbertson LLP in San Francisco, California.


Copyright © 2020, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).