The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020, and many law firm marketers (and their firms’ privacy attorneys) are scrambling to ensure they are compliant when the law goes into effect next week. If you’re still struggling to understand the law or how it impacts your firm, you’re not alone. While the law goes into effect in January, it’s unlikely that enforcement will begin until July, so you still have some time to figure it out.
Do I Need to Comply?
The number one question we’ve received at ContactEase is, “Do I have to comply with the CCPA?” The CCPA applies to businesses with more than $25 million in revenue or access to the personal information of more than 50,000 people. In a recent webinar from the Legal Marketing Association and ILTA, the panelists recommended asking the following:
- Do you have California residents on any of your mailing lists? (Do you know?)
- Do you ever swap contact lists with event co-sponsors or other third-party entities? Do you buy/acquire contact lists (and import them into your CRM system)?
- Are you collecting user details related to website traffic and/or click tracking on your mailings (analytics, email campaign systems and marketing automation tools, cookies, etc.)?
- Can anyone in your firm download contact information? What about your vendors?
- Does your disclaimer language address how to opt-out from having information sold?
If any of the above apply to your firm and it has annual revenues of over $25 million, you must comply with CCPA. Under the CCPA, California consumers have the right to know if companies sell their information, what information companies have already collected on them, and the option to opt out from either or both the sale and collection of their personal information.
Selling Personal Information
Most law firms are not in the business of selling personal information; however, according to the LMA/ILTA webinar, “sold” in this instance may also mean “providing, disclosing or making information available in exchange for consideration or a thing of value.” Many firms receive mailing lists as a sponsorship benefit. Marketers and their attorneys often review these lists to identify persons of interest to connect with or meet at conferences and other events. And while we can’t be certain that this will fall under CCPA, it is better to err on the side of caution.
One of the requirements of the CCPA is a page on a company’s website that provides information on how to opt out of the sale or exchange of personal information. This page must provide California residents with the ability to say, “Do Not Sell my Personal Information.” This page should include the information you track and how it is used. Here are a few examples:
The CCPA also requires that firms be able to provide information tracked over the past twelve months and that this information be provided within 45 days of the request. This includes cookies as well as personal information and information that you may log in your CRM system (such as Activities and Tracked items in ContactEase). In preparation for CCPA as well as other data privacy regulations such as GDPR and CASL, we have recommended that clients not track anything they would not want to share upon request. In ContactEase, providing this information can be accomplished with a simple search and export.
The number of available CCPA resources seems to grow by the day as the effective date draws near. Firms are being contacted by companies that specialize in compliance to create “do not sell my personal information” buttons on their sites (and ensure they actually work) and companies are setting up email accounts to deal with customer requests. Here are just a few we’ve collected:
If you have questions about the CCPA or the impact it may have on your firm's data, contact us!