4 Ways Firms Can Keep Compliant With the CCPA

The more regulatory requirements are enacted, the busier lawyers are counseling clients toward compliance. However, law firms aren't immune from the massive data privacy laws themselves, especially the relatively new California Consumer Protection Act.

The CCPA applies to businesses operating California that either have annual revenue surpassing $25,000,000; sell, processes or hold the personal information of 50,000 Californians; or earn half of their revenue is from selling Californians' personal information.

Law firms that fall under the CCPA's scope have a variety of obligations, including updating their website's privacy notices, implementing "reasonable" cybersecurity and being aware of the exemptions unique to legal services.

Below, lawyers provide their top CCPA compliance tips for law firms.

Update the Firm's Website

A law firm's website should describe California residents' rights including their right to authorize personal data deletion, or allow disclosure of information and notice of collection. What's more, a firm must also provide opt-outs for the selling of consumer information.

If a law firm sells such information, it would specifically need to have a "do not sell" button on its website, noted Pillsbury Winthrop Shaw Pittman senior counsel Catherine Meyer.

Check E-Discovery and Outside Vendor Contracts

Law firms leveraging outside vendors, such as e-discovery providers, to store or process data that includes Californians' personal information should update their vendor contracts to ensure that such information is not used for anything outside of specified services, said Jackson Lewis principal Joseph Lazzarotti.

Under the CCPA, a service provider's use of personal information must be "reasonably necessary and proportionate to achieve the operational purposes for which the personal information was collected or processed."

Have Data Subject Requests Procedures 

Law firms need to prepare for data requests, which includes having a system to process such requests and protocols to find data and verify a requester's identify. 

Law firms may face more difficulties in this regard compared to other businesses because of the data large sets corporate clients send them.

"One of the tricky things for law firms is their obligations come from the clients they represent, [and] they may not be even aware of individuals' data they are getting from clients is subject to the CCPA," Lazzarotti said.

Implement 'Reasonable Security Procedures' 

Lazzarotti noted the CCPA provides statutory damages for anyone whose "nonencrypted or nonredacted public information" was breached because a company lacked "reasonable security procedures and practices." Plaintiffs could be awarded $100 to $750 per consumer per incident or actual damages, whichever is greater, and injunctive or declaratory relief.

"That can be substantial. It's really imperative for firms to have reasonable safeguards to maintain the data," he said.

While the CCPA doesn't thoroughly define how a business meets "reasonable security procedures," Lazzarotti noted a 2016 report released by then-California Attorney General Kamala Harris recommended 20 Center for Internet Security security controls as minimum security standards businesses should meet. Still, companies must review and perform ongoing audits of their cybersecurity to assess any exposure.