4 Ways Firms Can Keep Compliant With the CCPA
From updating their websites to understanding exemptions, lawyers offer their suggestions on how law firms can meet their new CCPA requirements.
February 18, 2020 at 10:00 AM
3 minute read
The more regulatory requirements are enacted, the busier lawyers are counseling clients toward compliance. However, law firms aren't immune from the massive data privacy laws themselves, especially the relatively new California Consumer Protection Act.
The CCPA applies to businesses operating California that either have annual revenue surpassing $25,000,000; sell, processes or hold the personal information of 50,000 Californians; or earn half of their revenue is from selling Californians' personal information.
Law firms that fall under the CCPA's scope have a variety of obligations, including updating their website's privacy notices, implementing "reasonable" cybersecurity and being aware of the exemptions unique to legal services.
Below, lawyers provide their top CCPA compliance tips for law firms.
|Update the Firm's Website
A law firm's website should describe California residents' rights including their right to authorize personal data deletion, or allow disclosure of information and notice of collection. What's more, a firm must also provide opt-outs for the selling of consumer information.
If a law firm sells such information, it would specifically need to have a "do not sell" button on its website, noted Pillsbury Winthrop Shaw Pittman senior counsel Catherine Meyer.
|Check E-Discovery and Outside Vendor Contracts
Law firms leveraging outside vendors, such as e-discovery providers, to store or process data that includes Californians' personal information should update their vendor contracts to ensure that such information is not used for anything outside of specified services, said Jackson Lewis principal Joseph Lazzarotti.
Under the CCPA, a service provider's use of personal information must be "reasonably necessary and proportionate to achieve the operational purposes for which the personal information was collected or processed."
Have Data Subject Requests Procedures
Law firms need to prepare for data requests, which includes having a system to process such requests and protocols to find data and verify a requester's identify.
Law firms may face more difficulties in this regard compared to other businesses because of the data large sets corporate clients send them.
"One of the tricky things for law firms is their obligations come from the clients they represent, [and] they may not be even aware of individuals' data they are getting from clients is subject to the CCPA," Lazzarotti said.
|Implement 'Reasonable Security Procedures'
Lazzarotti noted the CCPA provides statutory damages for anyone whose "nonencrypted or nonredacted public information" was breached because a company lacked "reasonable security procedures and practices." Plaintiffs could be awarded $100 to $750 per consumer per incident or actual damages, whichever is greater, and injunctive or declaratory relief.
"That can be substantial. It's really imperative for firms to have reasonable safeguards to maintain the data," he said.
While the CCPA doesn't thoroughly define how a business meets "reasonable security procedures," Lazzarotti noted a 2016 report released by then-California Attorney General Kamala Harris recommended 20 Center for Internet Security security controls as minimum security standards businesses should meet. Still, companies must review and perform ongoing audits of their cybersecurity to assess any exposure.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllLaw Firms Mentioned
Trending Stories
- 1Clark Hill Acquires L&E Boutique in Mexico City, Adding 5 Lawyers
- 26th Circuit Judges Spar Over Constitutionality of Ohio’s Ballot Initiative Procedures
- 3On The Move: Polsinelli Adds Health Care Litigator in Nashville, Ex-SEC Enforcer Joins BCLP in Atlanta
- 4After Mysterious Parting With Last GC, Photronics Fills Vacancy
- 5Latham Lures Restructuring Partners From Weil, Paul Weiss
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
