What Does the California Consumer Privacy Act Mean for IP Attorneys and Law Firms?
| Author | Dan Goldstein - Adam Rowan |
| Position | Dan Goldstein is a licensed attorney who has practiced law in Colorado and Washington, D.C. He is the president and owner of Page 1 Solutions, LLC, a digital marketing agency serving attorneys throughout North America. He can be reached at dang@ page1solutions.com. Adam Rowan is the content specialist at Page 1 Solutions. He has contributed... |
| Pages | 24-60 |
Published in Landslide® magazine, Volume 11, Number 2, a publication of the ABA Section of Intellectual Property Law (ABA-IPL), ©2018 by the American Bar Association. Reproduced with permission. All rights reserved.
This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association.
What Does the California
Consumer Privacy Act
Mean for IP Attorneys
and Law Firms?
By Dan Goldstein and Adam Rowan
Image: Getty Images
Published in Landslide® magazine, Volume 11, Number 2, a publication of the ABA Section of Intellectual Property Law (ABA-IPL), ©2018 by the American Bar Association. Reproduced with permission. All rights reserved.
This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association.
Consumer privacy controversy has dened 2018 for
tech companies. Facebook has appeared in head-
lines repeatedly for its questionable handling of
user data and lax approach to privacy. Consumers
who download their Google history are shocked at
the breadth of information the search giant gathers. Congress
has asked Apple, Alphabet, and other device makers about the
security and privacy of their smartphones.1
Google, Facebook, Apple, and many more leading tech
companies are headquartered in California. The state is a
hotbed for innovative ideas, but the ongoing inquiries and
criticisms from privacy advocates that these companies face
made legislative action an inevitability.
On June 28, 2018, Governor Jerry Brown signed the California
Consumer Privacy Act (CCPA) into law after it passed unopposed
through both houses of the state legislature. When the law goes
into effect in 2020, it will provide unprecedented consumer pri-
vacy protection, requiring many companies that do business in
California to disclose the data they collect from consumers and
giving consumers the right to prohibit websites from gathering
data and to opt out of having their data sold to third parties.
Businesses that fail to abide by the law will be liable for
$100 to $750 in damages per infraction. The attorney general
of California is also empowered to investigate complaints and
prosecute violations.
What Is the CCPA?
The California Consumer Privacy Act is the rst law of its kind
in the United States. It is similar to the General Data Protection
Regulation (GDPR) implemented earlier in 2018 by the Euro-
pean Union. Like the GDPR, the CCPA requires businesses to be
transparent about the data they gather for consumers and enables
consumers to limit the amount and type of data gathered. The
wording of the GDPR is extremely broad, creating a panic among
businesses and brands earlier this year as they updated their web-
sites and privacy policies to be compliant with the regulation.
The entities affected by the CCPA are somewhat clearer.
The law will apply to for-prot businesses that do business in
California and “[h]ave $25 million or more in annual revenue;
or [p]ossess the personal data of more than 50,000 ‘consumers,
households, or devices[;]’ or [e]arn more than half of [their]
annual revenue selling consumers’ personal data.”2
The Act denes personal information as “information that
identies, relates to, describes, is capable of being associated
with, or could reasonably be linked, directly or indirectly,
with a particular consumer or household.”3 The law provides
a vast denition of identifying information that encompasses
personal and digital details including real name, user name,
physical address, IP address, driver’s license number, Social
Security number, and more.
Under the CCPA, consumers in California have the right
to “access the categories and specic pieces of personal
information collected by a covered business, including infor-
mation about where the business collected the personal
information from, the business’s purpose for collecting or
selling the personal information, and the categories of third
parties with whom the business has shared or sold the per-
sonal information.”4 Consumers can opt out of data collection
and request that their personal information be deleted, subject
to exceptions based on the nature of the transaction.
The CCPA was drafted as an alternative to a citizens’ bal-
lot measure with even stricter guidelines. In response, both
houses of the California state legislature passed the bill in
less than a week. As a consequence, the law will likely be
amended before its 2020 effective date.
At rst blush, the CCPA will have businesses of any size run-
ning for their in-house counsel or an outside law rm to protect
their interests. An estimated 500,000 companies in the United
States will likely be subject to the law in California, according to
the International Association of Privacy Professionals.5
How IP Attorneys May Be Affected by the CCPA
The challenge for both attorneys in the intellectual property eld
and the businesses they serve will be helping clients walk the
line between protable business operations and compliance with
unprecedented regulation. First and foremost, the CCPA affects
businesses (including law rms) based in or doing businesses in
California. Law rms with no ofce and no business dealings in
California will not be subject to the law’s requirements.
However, businesses operating in California will need to exam-
ine the following to determine their compliance requirements:
• Annual revenue: Businesses with $25 million or more
in annual revenue must comply with the CCPA.
• Consumer data: A business that “buys, receives . . . sells,
or shares . . . the personal information of 50,000 or more
consumers, households, or devices” is subject to the law.
• Percentage of annual revenue: A business subject to the
CCPA “[d]erives 50 percent or more of its annual reve-
nues from selling consumers’ personal information.”6
Given these thresholds, a clearer picture starts to emerge:
“BigLaw” rms will need to take steps toward compliance
by 2020 if they do business in California. However, there are
many more law rms with annual revenues below $25 mil-
lion. Firms in this latter category will likely have to take little
to no action before the CCPA goes into effect.
In addition, law rms that use consumer data for commercial
purposes will not be subject to the CCPA if they collect informa-
tion for fewer than 50,000 “consumers, households, or devices.”
Compliance also does not apply should less than half of the rm’s
annual revenue be derived from the sale of consumer information.
Website Changes
Some of the changes law rms have made on the privacy front
are a result of best-practice pragmatism, rather than legislative
pressure. Many law rms recently have converted their web-
sites to a hypertext transfer protocol secure (HTTPS) format in
order to avoid triggering a “not secure” warning for users on the
Dan Goldstein is a licensed attorney who has practiced law in
Colorado and Washington, D.C. He is the president and owner
of Page 1 Solutions, LLC, a digital marketing agency serving
attorneys throughout North America. He can be reached at dang@
page1solutions.com. Adam Rowan is the content specialist at
Page 1 Solutions. He has contributed content to online and print
publications in the legal industry and other elds for over 10 years.
He can be reached at adamr@page1solutions.com.
Published in Landslide® magazine, Volume 11, Number 2, a publication of the ABA Section of Intellectual Property Law (ABA-IPL), ©2018 by the American Bar Association. Reproduced with permission. All rights reserved.
This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association.
Google Chrome browser.7 This change signals to visitors that the
law rm hosting the website is committed to securing their pri-
vacy while also protecting the rm from a loss of website trafc
and leads as a result of nonsecure browsing concerns.
However, laws like the CCPA change the conversation around
privacy. Instead of optimal performance, compliance becomes
a matter of legal necessity. In order to comply with the CCPA,
businesses must present consumers with the ability to opt out
of data collection. According to the text of the law, compliant
businesses will “[p]rovide a clear and conspicuous link on the
business’ Internet homepage, titled ‘Do Not Sell My Personal
Information,’ to an Internet Web page that enables a consumer . . .
to opt out of the sale of the consumer’s personal information.”8
The CCPA is agnostic on the exact meaning of “clear and
conspicuous,” but law rms may need to revise the design of
their website home page, embedded contact form, or both to
provide the necessary link. They may also need to revise their
privacy policy page to include language describing the rights
of California consumers under the Act.
Embedded contact forms are a signature lead generation tool
used across attorney and law rm websites. With the advent of the
CCPA, rms will need to create a separate contact form dedicated
to processing visitor requests to opt out of data collection. How
law rms, and businesses in general, will handle opt-out requests
is perhaps the biggest open question of CCPA compliance.
Infrastructure Updates
Unlike tech giants and other companies that make signicant
prots from the sale of consumer data, law rms are expected
to protect clients’ private information. Therefore, though the
guidelines presented by the CCPA may be onerous for eli-
gible businesses, the implicit security of the attorney-client
relationship may ease the burden of compliance.
However, researching and implementing changes to com-
ply with privacy laws and regulations takes time, resources,
and money. Compliance with the GDPR was a massive under-
taking for businesses worldwide, requiring principals to apply
the ambiguous and obscure wording of the regulation to update
their privacy policies accordingly. Similarly, to comply with
the CCPA, law rms and other businesses will need to des-
ignate employees and establish internal processes to handle
consumer inquiries. These companies should also ensure that
their staff understands the specic requirements of the law.
Ultimately, continued concerns about consumer privacy and
the seemingly never-ending series of high-prole data breaches
will likely result in more legislation like the CCPA. Most likely,
other states will soon follow California’s lead. Law rms and
other businesses will be expected to pick up the costs of compli-
ance posed by hours of work and infrastructure changes.
Marketing Returns
Targeted advertising through platforms like Facebook,
Google AdWords, and more serve as powerful marketing and
lead generation tools for law rms. These advertising tools
present businesses with the option to deliver ads to a specic
set of users based on narrowly dened characteristics related
to demographics and online behavior.
Granular consumer data makes highly targeted ads possible.
For ethical businesses, the relationship is a symbiotic one:
Consumers are able to learn about goods and services when
they are most interested in making a purchasing decision, while
businesses can improve their visibility among consumers and
drive leads through well-timed and personalized ads.
Many consumers who use these websites may opt out of data
collection on third-party websites now that the CCPA presents
a visible option to do so. This in turn could reduce the effec-
tiveness of digital advertising channels that rely on consumer
information. This could force law rms to rely more on search
engine optimization and content marketing rather than direct-
to-consumer advertising. If certain digital advertising channels
become less effective, the cost of marketing may increase, result-
ing in a lower return on investment and possibly fewer leads.
Fortunately, many consumers enjoy seeing the right ads at the
right time for the services and products in which they are inter-
ested. Many others won’t take the time to opt out.
Regardless of the changes third parties make to ensure that
their advertising services are compliant, law rms can still
benet by creating ad campaigns that strive to serve prospec-
tive clients. Smart marketing will generate leads and cases,
no matter the availability of granular consumer data.
Conclusion
Knowledge is power. Now that consumers know the level
and amount of data gathered by online providers, they are
demanding better protection for their privacy. California is
the rst state in the nation to oblige, and more states will
likely follow that example.
The year 2020 might seem like a long way off, but law
rms with a business presence in California need to start taking
action now to ensure that they are compliant with the CCPA.
Attorneys should anticipate changes to their infrastructure and
digital marketing, and stay abreast of inevitable amendments
that will revise the CCPA before it goes into effect.
Law rms that prepare for the future presented by the push
for greater online privacy will protect their business opera-
tions. Preparations will also enable rms to update their
website, handle client information, and market their services
successfully while maintaining compliance. n
Endnotes
1. David Shepardson, House Republicans Demand Answers
from Apple, Alphabet on Privacy, Data Practices, R (July
9, 2018), https://www.reuters.com/article/congress-privacy-tech/
house-republicans-demand-answers-from-apple-alphabet-on-
privacy-data-practices-idUSL1N1U50Y1.
2. Sara H. Jodka, California’s Data Privacy Law: What It Is
and How to Comply (A Step-by-Step Guide), N’ L. R. (July
17, 2018), https://www.natlawreview.com/article/california-s-data-
privacy-law-what-it-and-how-to-comply-step-step-guide.
3. Lindsey Tonsager & Weiss Nusraty, California
Adopts Expansive Consumer Privacy Law, N’ L. R.
(July 2, 2018), https://www.natlawreview.com/article/
california-adopts-expansive-consumer-privacy-law.
4. Michael G. Morgan et al., California Enacts a
Groundbreaking New Privacy Law, N’ L. R.
Continued on page 58
To continue reading
Request your trial