Does Your Website Need a Privacy Policy?

Is a law firm website required to have an explicit privacy policy? At the moment, in most jurisdictions, the answer is no. But are there reasons a law firm probably should have a privacy policy? Heck yes!

Here's why.

First Things First: Privacy Policy vs. Disclaimer

So, first off, a privacy policy is different from your legal disclaimer or Terms of Use. A general disclaimer on a law firm website usually covers website terms of use basics as well as some attorney-specific items, including information necessary to comply with your Rules of Professional Conduct governing attorney advertising (i.e. clauses addressing how information on your website is not intended to be legal advice and that contacting you via the website or email does not create an attorney-client relationship, etc.).

A privacy policy, on the other hand, is meant to inform site visitors about data collected about the user by your website. In a nutshell, it tells them whether and how your site collects anonymous browsing data about visitors (usually via cookies) as well as what you (and any marketing or analysis programs you use) do with personally identifying information submitted by visitors, such as their names, mailing addresses, email addresses, and phone numbers.

Why Have a Privacy Policy on Your Website?

The major benefit to having a privacy policy on your website — beyond compliance with the handful of laws and regulations that directly require it — is transparency. Even more so than many other types of websites, law firm websites attract visitors with potentially confidential concerns. You do those visitors a great service by ensuring they understand whether and how their information is collected and used. And, as in the case of The Modern Firm's standard privacy policy for law firm sites, you can help further by noting how folks can opt out of any data collection.

A privacy policy thus provides a direct service to your potential clients — and it may not be just peace of mind that you're giving them. For some practices, the benefit could even extend to protecting a site user's family relationships or personal safety. Imagine, for example, a potential client researching local divorce attorneys after an escalation of domestic violence in the home. This client may well wish to avoid any remarketing ads by your firm popping up on her phone or family computer at other times, indicating that she had been searching for divorce attorneys. The clear directions your privacy policy provides to opt out of these types of ads provide a direct, important service.

Of course the flip side is the benefit to your law firm: your respect for a potential client's privacy beginning with their first contact with your firm serves to build trust and confidence right off the bat.

Fair Information Practice Principles

Creating and following a privacy policy is also in line with fair information practice principles, which have been generated by various entities, national and international, since the 1970s. These include the FTC's Fair Information Practice Principles (archived here) and the Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. These principles form the basis of many privacy laws. Taking them into account in your business practice — even where no laws govern in your jurisdiction — illustrates your respect for clients' and potential clients' privacy.

In brief, these privacy principles are often boiled down to the five FTC Fair Information Practice Principles, which can be summarized roughly as:

  1. Notice / Awareness. Consumers should be made aware of how an entity collects and uses personal information.
  2. Choice / Consent. Consumers should have options with regard to how information collected about them is used.
  3. Access / Participation. Where personal information is necessarily kept by an entity, consumers should have the ability to access and correct this information.
  4. Integrity / Security. An entity that collects personal information should take steps to ensure its accuracy and prohibit unauthorized access to it.
  5. Enforcement / Redress. Ideally, the law should allow consumers to seek a remedy if these principles are violated.

Now, obviously these concepts contemplate collection and use of personal information well beyond the functions of most law firm websites. The most significant concepts for our immediate purposes are Notice and Choice, each of which is squarely addressed by the handful of laws that affirmatively require website privacy policies.

What Laws or Bar Rules Require Privacy Policies?

For the most part, neither generally applicable laws nor individual jurisdictions' Rules of Professional Conduct governing attorney advertising directly require a law firm to include a privacy policy on its website. Indeed, as a general matter, Internet privacy laws aimed at protecting consumers' information are fairly minimal. And, in the wake of the April 2017 rollback of Obama-era FCC privacy regulations by Congress and President Trump, the trend is arguably leaning away from additional privacy protections, at least at the federal level. Where laws do exist (or have been proposed) at the state level, they most commonly address collection and use of consumer information by Internet service providers, as opposed to by individual website owners or operators.

But there are notable exceptions that apply to law firms — and that also provide useful guidance for firms crafting voluntary privacy policies.

Below are the stand-out exceptions based on my research as of November 2017. But always remember: I'm not your lawyer and this is not intended to be actionable legal advice! Moreover, I have not addressed any of the specific laws, regulations or guidelines specific to Internet use by, or online marketing to, children.

Always a pioneer when it comes to regulations protecting consumers, California has the Online Privacy Protection Act of 2003, which applies to websites that collect personal information from California consumers. In essence, the law requires such websites to display and adhere to a privacy policy covering:

  • Any types of personally identifiable information collected by the website (or other related / connected parties)
  • Any types of third parties with whom the website's operator may share that personally identifiable information
  • If personally identifiable information is collected, how the website responds to web browser settings allowing users to opt out of data collection
  • The effective date of the privacy policy
  • How the website operator notifies site visitors of material changes to the site's privacy policy

The Delaware Online Privacy and Protection Act includes nearly identical requirements for websites visited by Delaware residents. And, just this past summer, Nevada enacted stricter privacy procedures for operators of websites visited by Nevada consumers. Nevada's law is a bit narrower than the Delaware and California statutes; in particular, it exempts a website operator located in Nevada whose revenue is not primarily derived from online sales and whose site is visited by fewer than 20,000 individuals per year.

Finally, note that some states — California and Utah, in particular — have specific laws governing disclaimers and opt-out procedures if a business that collects personally identifying consumer information sells that information or shares it with third parties for the third party's own direct marketing purposes.

What Should a Law Firm's Website Privacy Policy Cover?

All of this adds up to provide useful guidance to law firms crafting their own website privacy policies. Consistent with these laws and policies — particularly those on Notice and Consent — here are some basics that The Modern Firm ensures our privacy policies address:

Anonymous Browsing Data: Cookies — What They Are and Why Your Website Collects Them

Google Analytics (installed on most new Modern Firm websites) and other software collect data when Internet users visit your website. The collection is effected by HTTP cookies (a.k.a. "web cookies," "Internet cookies," "browser cookies" or simply "cookies"). A cookie is essentially a small bit of digital data stored in a user's web browser. There are various types of cookies, some temporary and some longer lasting. The ones we're most interested in here are cookies that remain stored by a user's browser and effectively "talk to" your website (via Google Analytics and other marketing programs you use) to give you information about user behavior on your site.

The aggregate data collected by software or services through cookies can include the number of visitors to your site in a given timeframe, the time spent on your site and pages clicked by users, the types of devices used to access your site, and the Internet Protocol (IP) addresses of visitors. This data provides very useful information you can use to improve your website, including by learning which pages are most popular, how your potential clients are reaching you (e.g. via their computers or their smartphones), and how visitors ended up on your website (e.g. Google searches, links from other websites).

Importantly, cookies can also be used to identify web browsers that visited your website even after the user has left your site. This is where remarketing ads come in: using remarketing, you can have ads for your law firm pop up on other websites that host such ads, displaying them only to folks (or, at least, their web browsers) who have visited your website in the past. (Here is a full explanation of remarketing.)

Privacy Policy Implications: Let users know that your site collects cookies, what those cookies may do, and how the user can opt out by changing their web browser settings.
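As an added example (not code from The Modern Firm or the original post), here is a small JavaScript consent gate a site can run before loading analytics or remarketing tags. It honors the two opt-out signals a policy like this describes to visitors: the browser's Do Not Track setting and a site-set opt-out cookie. The cookie name `tm_analytics_optout` is an assumed placeholder.

```javascript
// Added example: a consent gate run before any Google Analytics or
// remarketing tag is loaded. The cookie name below is a constructed
// placeholder, not a name used by any real product.
const OPTOUT_COOKIE = 'tm_analytics_optout';

// Parse a Cookie header or document.cookie string into a plain object.
// Handles empty strings, values containing '=', and percent-encoding.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of (cookieString || '').split(';')) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf('=');
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq);
    const raw = eq === -1 ? '' : trimmed.slice(eq + 1);
    try { jar[name] = decodeURIComponent(raw); } catch { jar[name] = raw; }
  }
  return jar;
}

// Decide whether tracking scripts may be loaded for this visitor.
// dnt: value of navigator.doNotTrack or the DNT request header ("1" = opt out;
// some older browsers report "yes"). Returns { allowed, reason } so the
// decision can be logged and audited against what the policy promises.
function trackingDecision(cookieString, dnt) {
  if (dnt === '1' || dnt === 'yes') {
    return { allowed: false, reason: 'browser Do Not Track enabled' };
  }
  const cookies = parseCookies(cookieString);
  if (cookies[OPTOUT_COOKIE] === '1') {
    return { allowed: false, reason: 'visitor opted out via site cookie' };
  }
  return { allowed: true, reason: 'no opt-out signal' };
}

// Build the Set-Cookie value that records a visitor's opt-out for one year.
// Secure and SameSite=Lax keep the preference on HTTPS and off cross-site
// requests; HttpOnly is omitted because the client-side gate must read it.
function optOutSetCookie(nowMs = Date.now()) {
  const expires = new Date(nowMs + 365 * 24 * 60 * 60 * 1000).toUTCString();
  return `${OPTOUT_COOKIE}=1; Expires=${expires}; Path=/; Secure; SameSite=Lax`;
}

// Constructed sample: a visitor with an analytics cookie who has opted out.
console.log(trackingDecision('_ga=GA1.2.123456; tm_analytics_optout=1', '0'));
```

Only when `trackingDecision(...).allowed` is true should the page inject the analytics or remarketing script tag; the opt-out link in the policy would respond with `optOutSetCookie()` as its Set-Cookie header.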

Personally Identifying Information: When Clients Use Your Website Contact Form or Send You an Email

Your website may also collect personally identifying information when a user fills out a contact form or inputs his or her name and/or email address to access additional information, such as if you offer resources (like these free Ohio estate planning resources) or an email newsletter (like this Michigan estate planning website does) to users who supply some personal information to you.

Indirectly, a user may supply personally identifying information (at a minimum, an email address) if he or she contacts you via an email address you display on your website. Law firms generally use such personal information to follow up with a potential client personally or add them to an email marketing list to encourage further engagement. This use of their information has privacy implications beyond standard law firm disclaimers (such as: communication via the Internet is not always secure; potential clients do not establish attorney-client relationships with you merely by contacting you; and site visitors should not share confidential information as part of a mere request for further information).

Privacy Policy Implications: Let users know that you may use the information they supply to send them additional information or initiate further contact. And tell them how to opt out of such further communication, such as by emailing you a request to opt out, or clicking an "unsubscribe" link, if any, in emails they may receive from your law firm.

Marketing Automation: When Browsing Data Meets Personally Identifying Information

Here's a fascinating use of cookies some law firms take advantage of, which effectively combines automated remarketing with targeted email contact to follow up with users who have supplied their email addresses through your website. Marketing automation programs use cookies to connect personally identifiable information submitted by users of your website via forms on your site with their web browsers, and thus their future browsing behavior.

For example, imagine a user inputs his email address on your website to receive access to your free PDF guide "How to Start a Small Business." In addition, your automated marketing program records his email address and connects it with the browser he used to visit your website. Your program might later take any number of automated actions, such as emailing him information about your law firm's business start-up services, either some number of weeks later or when the program detects him browsing your website (or even your specific website page on business start-up services) again.

Privacy Policy Implications: Let users know about this potential connection of individualized information with what they might presume is simply anonymous web browsing at a previously visited site. As with the two initial privacy concerns discussed here, tell them how to avoid tracking cookies as well as how to opt out or unsubscribe from any follow-up communications you send them.

Less Common: Selling Personal Information to Someone Else

It's particularly important to acknowledge your potential sale (or gift / barter) of email addresses, names or other personal information to third parties for their own direct marketing purposes. This is not the same as "sharing" your site's browsing data with Google Analytics or with other analysis or marketing software that you use for your direct marketing (or that gives Google aggregate browsing information). Rather, it covers situations such as if the business attorney who collects email addresses in return for the free "How to Start a Small Business" guide then turns around and sells those addresses to other businesses who want to target entrepreneurs. (Resulting, say, in the person who requested the free guide getting a barrage of emails offering such things as office equipment, business card printing, etc.)

Not only do the few laws directly governing collection and sale of personal information by private websites tend to require notice of this sort of sharing, but the potential sharing may be of particular concern to the clients of lawyers, for obvious reasons.

Privacy Policy Implications: Let users know if you sell or give third parties personal information, including email addresses submitted to your website, for their own direct marketing purposes. And tell users how they can opt out of this, if they can.

No Brainer: The Policy's Effective Date and Dates of Substantial Changes

Making clear the effective date of your privacy policy and any meaningful changes serves the goal of fair notice to users and is consistent with laws requiring privacy policies.

Privacy Policy Implications: Date your privacy policy as of the day you add it to your website, or the date of launch of the website, if you launch with a policy in place. Advise site visitors that you will post the dates of any substantial changes to the policy and, going forward, keep the last date of substantial modification updated, as needed.

Sample Law Firm Website Privacy Policy

The Modern Firm's standard law firm website privacy policy follows. We designed it to satisfy each of the above elements of a model law firm website privacy policy, with an exception: our policy does not address sale of information to third parties for their own direct marketing, since this is pretty rare among our lawyer clients. It does not, of course, contemplate the requirements of Rules of Professional Conduct or other laws or regulations governing attorney advertising of which we are unaware! And, particularly for firms with specific concerns about, or interests in, privacy law, it is not a substitute for a custom privacy policy developed for your firm by legal counsel.

Privacy Policy

Your privacy is important to FIRMNAME ("we" or "us"). This privacy policy is intended both to: 1) describe how our website may collect and use information from your Internet-enabled device (i.e. your computer, tablet, smartphone or other device — and browsers or apps used to access the Internet), and 2) describe how you may opt out of any such collection and use. Please contact us if you have questions about our privacy policy.

Data collection and cookies. Features or partners of our website may collect data including, but not limited to: the number of visitors to our site, the time spent on our site and pages clicked, the types of devices used to access our site, and the Internet Protocol (IP) addresses of visitors. We use this information to improve our website and marketing. This data is collected by sending cookies (or similar tracking technology) to your device. Personal information cannot be collected via cookies and other tracking technology; if you previously provided personally identifiable information, however, cookies may be tied to such information. Aggregate cookie and tracking information may be shared with third parties; and this privacy policy does not cover third parties’ use of cookies. You may configure your device to limit or prevent access by cookies, such as to notify you when you receive a cookie, to block all cookies, or to delete existing cookies.

Partners and features that collect information. Our website marketing partners or features that collect data as described above may include, among others, Google Analytics, other analytics programs, and Google AdWords remarketing service. Remarketing involves tracking devices that have visited our website in order to display ads for our services on other websites. Use these links to learn how Google uses data it collects, to prevent Google Analytics from using data from your device, or to opt out of Google’s interest-based ads.

Information you send us. Please see our disclaimer, which generally addresses information you intentionally send us using e-mail or any contact form on this website. If you submit your name or contact information to us, we may use it to send you information about our services. You may opt out of receiving further information from us by contacting us or, where applicable, by using an “unsubscribe” option included in our communications. We will not sell or give your personally identifying information to other parties for their own direct advertising purposes.

Changes to this policy. We reserve the right to update this policy. If we make updates, we will change the modification date below.

Last modified. DATE OF LAUNCH.

Customizing Your Own Website Privacy Policy

Need a privacy policy for your law firm's website? Clearly the safest bet is to talk to legal counsel about what is recommended in your jurisdiction. But our standard policy may be a good starting point.

As a consideration for existing clients of The Modern Firm, note that, because of the paucity of legal authority requiring privacy policies — and the fact that our law firm website disclaimers have traditionally covered some of the ground discussed above — we have not always included separate privacy policies on our law firm websites. If you're an existing client and you would like to add a privacy policy to your site, contact our support team and we'll be happy to help!

For all clients, existing or new, we're of course also happy to include on your website whatever custom privacy policy you provide to best suit your needs and jurisdictions of practice.
