What privacy laws apply to attorney websites?
Privacy laws are unusual in that they protect consumers rather than businesses. Because websites reach far beyond where they are hosted, a privacy law can apply to businesses located outside the state or country that enacted it. Furthermore, a website that collects as little as a name and an email address can be subject to privacy law compliance obligations. In addition to the ethical rules on confidentiality that govern attorney-client communications, the following privacy laws are those that most commonly apply to attorney websites:
- California Online Privacy Protection Act of 2003 (CalOPPA): applies to operators of commercial websites that collect the PII of residents of California;
- California Consumer Privacy Act (CCPA): applies to for-profit entities that do business in California and that collect, share or sell the personal information of California residents and that meet one or more of the following criteria:
- Have annual gross revenues of $25,000,000 or more;
- Buy, receive, sell or share the PII of at least 50,000 California consumers, households or devices; or
- Derive at least 50% of its annual revenue from selling the PII of California consumers.
- Nevada Revised Statutes Chapter 603A: applies to owners and operators of a website for commercial purposes that collect and maintain the PII of residents of Nevada and meet one or more of the following:
- Purposefully direct their activities towards Nevada;
- Consummate a transaction with the State of Nevada or a resident of Nevada; or
- Purposefully avail themselves of the privilege of conducting activities in Nevada or otherwise engage in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the US Constitution.
- Delaware Online Privacy and Protection Act (DOPPA): applies to any person that owns a commercial website that collects PII through that website about individuals residing in Delaware.
- General Data Protection Regulation (GDPR): applies to you if you:
- Have an establishment in the European Union;
- Offer goods or services to European Union residents, regardless of your location; or
- Monitor the behavior of European Union residents (through tools such as pixels, cookies, or analytics), regardless of your location.
- United Kingdom Data Protection Act 2018 (UK DPA 2018): applies to you if you:
- Have an establishment in the United Kingdom;
- Offer goods or services to United Kingdom residents, regardless of your location; or
- Monitor the behavior of United Kingdom residents (through tools such as pixels, cookies, or analytics), regardless of your location.
- Personal Information Protection and Electronic Documents Act (PIPEDA): applies to organizations across Canada that collect, use, or disclose PII in the course of a commercial activity. Canadian courts and the Canada Office of the Privacy Commissioner have also concluded that PIPEDA can apply to non-Canadian companies that collect, use or disclose the PII of residents of Canada.
- Australia Privacy Act 1988: applies to Australian organizations with annual turnover of more than AUD 3,000,000. It can also apply to Australian organizations with a smaller turnover if they meet certain conditions, and to organizations formed outside of Australia if they have an Australian link, meaning that they carry on business in Australia and collect and hold personal information in Australia.
- Your name and contact information;
- What PII is collected by your website;
- Where that PII comes from (e.g. is it submitted directly by the individual or collected through analytics);
- Purposes for which you will be using the PII;
- Whether you share that PII with any third parties and if so, the categories of third parties with whom the PII is shared;
- How your website responds to Do Not Track signals;
- Whether you sell PII;
- Whether you use the PII for targeted advertising;
- The privacy rights that are provided to consumers and how consumers can exercise those privacy rights and appeal any of your decisions made with regard to such requests;
- How individuals can complain to authorities regarding your processing of their PII;
- The legal bases for processing PII;
- How long you store PII;
- Whether you use PII for automated decision-making or profiling;
- Whether you intend to transfer PII to another country or to an international organization;
- If you have a Data Protection Officer, and if so, their contact details;
- Your use of analytics programs;
- Your use of identification or location technologies; and
Do law firm website Privacy Policies need to be updated?
- Virginia Consumer Data Protection Act (VCDPA): goes into effect on January 1, 2023 and applies to persons that conduct business in Virginia or that produce products or services that are targeted to residents of Virginia and that:
- During a calendar year, control or process the PII of at least 100,000 residents of Virginia; or
- Control or process the PII of at least 25,000 residents of Virginia and derive 50% or more of gross revenue from the sale of PII.
- Colorado Privacy Act: goes into effect on July 1, 2023 and applies to controllers of PII that conduct business in Colorado or that produce or deliver commercial products or services that are intentionally targeted towards residents of Colorado and satisfy one or more of the following thresholds:
- Control or process the PII of 100,000 or more residents of Colorado during a calendar year; or
- Derive revenue or receive a discount on the price of goods or services from the sale of PII and control or process the PII of 25,000 or more residents of Colorado.
- Utah Consumer Privacy Act: goes into effect on December 31, 2023 and applies to persons who do business in Utah or that produce a product or service that is targeted to Utah residents and that meet both of the following criteria:
- Have annual revenue of $25,000,000 or more; and
- Meet one of the following thresholds:
- During a calendar year, control or process the PII of 100,000 or more residents of Utah; or
- Derive 50% or more of their annual gross revenue from the sale of PII and control or process the PII of 25,000 or more residents of Utah.
- Connecticut SB6: goes into effect on July 1, 2023 and applies to persons that do business in Connecticut or that provide goods or services that are targeted towards residents of Connecticut and that during the previous year:
- Controlled or processed the PII of 100,000 or more residents of Connecticut; or
- Controlled or processed the PII of 25,000 or more residents of Connecticut and derived more than 25% of their gross revenue from the sale of PII.
- California Privacy Rights Act (CPRA): goes into effect on January 1, 2023 and amends and expands the CCPA. The CPRA will apply to for-profit entities that do business in California and that collect the PII of residents of California and that meet one or more of the following criteria:
- Have annual gross revenue of more than $25,000,000 in the preceding calendar year;
- Buy, sell or share the PII of 100,000 or more residents of California or households; or
- Derive 50% or more of their annual revenue from selling or sharing the PII of residents of California.
- Quebec Bill 64 (Law 25): most of its provisions go into effect on September 22, 2023, and it applies to persons who collect, hold, use or share the PII of residents of Quebec in the course of a commercial activity.
What are the penalties for failure to comply with privacy laws?
Disclaimer: Please note that any information provided in this article is provided for informational purposes only and should not be considered legal advice. Please speak to your attorney for assistance with your specific legal issues.
About the Author
Donata Stroink-Skillrud is an attorney and Certified Information Privacy Professional (CIPP). Donata is the President and legal engineer of Termageddon, LLC, a comprehensive Privacy Policies generator that helps law firms and small businesses avoid fines and lawsuits and stay up to date with privacy compliance requirements. Donata is also the Chair of the ePrivacy Committee of the American Bar Association and the Vice-Chair of the Chicago Bar Association’s Privacy and Cybersecurity Committee.