Your Website May Be Ethically Compliant, But Does It Conform to Privacy Law?
Six years ago, the ABA released Formal Opinion 10-457, which discusses the ethical obligations that lawyers must address in considering the content and features of their websites. Though undoubtedly late to the party — by 2010, many state regulators had already issued their own ethics rulings on websites — the ABA offered authoritative and important guidance in Opinion 10-457, which, to the ABA’s credit, hasn’t been barricaded behind a paywall as I initially assumed. Since that time, however, there’s been radio silence from the ABA on whether law firms should include a privacy policy on their website given that consumers now expect, and the FTC strongly recommends, increased protection of personal information collected by websites.
Before we get into whether law firm websites need a privacy policy, let’s take a step back and talk about what a website privacy policy is. Most likely, you’ve encountered a privacy policy in your forays on the web since these days, they are ubiquitous at commercial websites (think Amazon or Google) as well as most big law firm sites (not so much at solo and small sites, but I’ll get to that point later).
Essentially, a privacy policy discloses to consumers how any personally identifiable information (PII) (which includes full names, phone numbers, e-mail addresses) collected by a website will be used. A privacy policy won’t necessarily prevent potential abuses of personal information – for example, a website that harvests sensitive information to profit from by sales to third parties, or that publicly posts the information and jeopardizes a user’s security – but at least it puts consumers on notice of what they’re getting into when they sign up for that free ebook or newsletter.
Significantly, privacy policies aren’t universally required by statute yet – except for sites that target California consumers under the California Online Privacy Protection Act. The FTC’s Fair Information Privacy Principles require disclosure of site use of personal information, but those principles are only recommendations and are not enforceable — except where a site makes representations that it won’t release personal information and does so anyway.
Nevertheless, because privacy policies are so pervasive, consumers now expect them and pay closer attention to what they say. Given the heightened concern over privacy, consumers visiting a law firm that doesn’t have a privacy policy may be reluctant to provide information (or at least, accurate information).
Ironically, even though solos and smalls heavily rely on their websites to generate leads by encouraging visitors to provide personal information in exchange for a freebie like a legal checklist or phone consult, they are far less likely to have privacy policies on their websites than biglaw. My general observation regarding the absence of privacy policies from solo/small firm sites was corroborated by a quick review of Lawyerist’s Twelve Best Law Firm Websites for 2016. Of the ten U.S. sites (I didn’t review the 2 Canadian firm sites), only three had a privacy policy. Of the seven that didn’t, at least one was designed by a company that specializes in law firm design while the other, inexplicably, belonged to an attorney who deals with data security.
It’s possible that most solo and small law firms don’t have privacy policies on their site because generally, privacy policies are not legally required — except for sites that target California consumers (or the 13-and-under crowd under the COPPA). Yet, it’s more likely that the lack of solo and small firm privacy policies arises from lawyers’ misconception that they don’t need to pay any attention to the FTC privacy principles because so long as their sites are ethically compliant, nothing else matters.
But that’s just not so. As I wrote here, ethics are only one fifth of what lawyers need to understand in a digital age; statutes, 3rd party website terms of service and netiquette – which encompasses consumer expectations – all matter as much, if not more. The ABA’s and state regulators’ myopic focus on ethics rules, without consideration of general consumer expectations or emerging regulatory guidance (such as the FTC principles and other state laws), neither helps lawyers nor protects consumers.
For the record, a privacy policy is very different from the recommended website disclaimers under legal ethics rules — for example how use of a law firm site does not create an attorney client relationship and that information provided on the site is not legal advice. If anything, law firm website disclaimers are the OPPOSITE of privacy policies – because whereas privacy policies endeavor to protect site visitors by committing to narrow use of information provided, disclaimers abrogate any responsibility by telling potential clients that they can’t expect that any data they submit will be kept confidential because the attorney client privilege doesn’t apply. Which is my point: when law firms host websites and write blogs, we act not just in our capacity as lawyers subject to ethics rules but also as businesses that need to be sensitive to the public’s concerns.
If you decide to put a privacy policy on your law firm website, you won’t find many resources through bar associations, which don’t have much information for lawyers on privacy policies (believe me, I have searched for it!). But the web abounds with other resources.
For starters, why not consult with big law? What I mean is that you can take a look at various big law firm sites, particularly those that have data security and information law practices (for example Sidley Austin, with a privacy policy here, or Proskauer, with a privacy policy here). As you read through a number of law firm policies, the key points will quickly emerge and you can use a mash-up to develop a policy that best suits your firm.
Another approach is to use one of the many free online privacy policy generators like FreePrivacyPolicy.com or PrivacyPolicyGenerator.info. Again, take the time to read the policy before pasting it up on your website.
Finally, you can pool your resources with a couple of other solos and hire an information privacy lawyer for a consult or private training on the basics of law firm privacy policies.
A few words of caution in developing a privacy policy. First, once you publish a privacy policy, it’s important for you and your staff to adhere to it. The FTC hasn’t hesitated to bring enforcement actions against companies that don’t keep their privacy policies, and making false representations about how you’ll use personal information is a deceptive practice that would run afoul of ethical requirements. Second, privacy law is always changing, so keep your policy dated and review it every so often to assess whether an upgrade is required.
We lawyers aren’t special snowflakes. If we avail ourselves of today’s digital economy, we’ve got to follow the same rules as other players rather than hiding behind our obscure ethics codes or waiting a half-life for guidance from regulators. Most importantly, we need to ask ourselves whether those regulators and ethics regulations remain relevant in an online, mobile and multi-jurisdictional world where legal ethics comprise an increasingly diminishing piece of our overall compliance obligations and, standing alone, no longer suffice to protect our clients or the public.
My question would be this: I have a contact page on both my blog and firm website. However, I don’t actively collect or encourage the entry of personal information for active lead generation. What’s the rule on this? I have the disclaimer. I am unclear as to whether I need any sort of privacy policy.
There are chances; sometimes the websites and the contents of others can be stolen, which is considered an offense.