Client Privacy Notice Addendum for California Residents
This Client Privacy Notice Addendum for California Residents (the “California Client Privacy Addendum”) describes our collection and use of Personal Information and supplements the information contained in Foley & Lardner’s (“Foley”) Client Privacy Notice and applies solely to Clients and Related Entities (as defined in our Privacy Notice) who reside in the State of California (“consumers”) for whom we collect Personal Information related to a Matter. We adopt this notice to comply with the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CPRA”) and implementing regulations and any terms defined in the CPRA have the same meaning when used in this notice.
Scope
This California Privacy Addendum applies to information that we collect from our Clients and Related Entities that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a Client, a Related Entity, or their respective devices (“Personal Information”) that we may collect during the course of our representation of a Matter. However, publicly available information that we collect from government records and deidentified or aggregated information (when deidentified or aggregated as described in the CPRA) are not considered Personal Information and this California Privacy Addendum does not apply to such information. This California Privacy Addendum also does not apply to certain Personal Information that is excluded from the scope of the CPRA, like: (a) health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data; and (b) Personal Information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994. While this California Privacy Addendum may not apply to these types of data, Foley still treats these as confidential pursuant to our ethical obligations as legal counsel.
Information We Collect
During the course of our representation of a Matter, we may collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device related to that Matter (“Personal Information”). As a large law firm, the categories of Personal Information we may collect and may have collected over the prior twelve (12) months about our Clients and Related Entities varies greatly depending on the Matter, and may include:
| Category | Potential Pieces of Personal Information |
|---|---|
| A. Identifiers. | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers. |
| B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). | A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some Personal Information included in this category may overlap with other categories. |
| C. Protected classification characteristics under California or federal law. | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). |
| D. Commercial information. | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. |
| E. Biometric information. | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. |
| F. Internet or other similar network activity. | Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. |
| G. Geolocation data. | Physical location or movements. |
| H. Sensory data. | Audio, electronic, visual, thermal, olfactory, or similar information. |
| I. Professional or employment-related information. | Current or past job history or performance evaluations. |
| J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. |
| K. Inferences drawn from other Personal Information. | Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. |
| L. Sensitive Personal Information (“Sensitive Personal Information”) | – Government identifiers (social security; driver’s license; state identification card; or passport number) – Complete account access credentials (user names, financial account numbers, or credit/debit card numbers combined with required access/security code or password) – Precise geolocation (within an area of less than 1850 feet) – Racial or ethnic origin – Religious or philosophical beliefs – Union membership – Genetic data – Mail; email; or text messages contents not directed to us – Unique identifying biometric information – Health; sex life; or sexual orientation information |
As further described in Sales and Sharing of Personal Information, we do not “sell” any categories of Personal Information for monetary or other valuable consideration, and we do not “share” any categories of Personal Information for cross-context behavioral advertising.
Use of Personal Information
We may use or disclose the Personal Information we collect and, over the prior twelve (12) months, have used or disclosed the Personal Information we have collected, for one or more of the following business or commercial purposes:
- To fulfill the reason we have collected the information, such as to provide legal services for our Clients.
- Short-term, transient use, provided that we do not disclose the Personal Information to another third party and we do not use it to build a profile about a Client, a Related Entity, or other third party.
- To perform business services for or on behalf of Foley or our Clients, including maintaining or servicing client accounts, providing IT services, shipping and receiving, verifying client information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services to or on behalf of Foley.
- To procure, maintain, renew, and otherwise obtain the benefit of insurance, including communications with our insurers to file, process, and defend claims.
- To perform legal services for or on behalf of Foley and our Clients related to our representation in a Matter, including for communicating with tribunals, government agencies, arbitrators, mediators, insurers, accountants, opposing counsel, transcription and other court reporting services, discovery services, expert opinions, forensic services, auditing services, and other similar entities and services.
- To fulfill our ethical obligations under the applicable rules of professional document, including such rules related to Client confidentiality.
- Undertaking activities to verify or maintain the quality of our services or device that is owned or controlled by Foley, and to improve, upgrade, or enhance the service or device that is owned or controlled by the business.
- To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
- As described to our Client or Related Entity when collecting their Personal Information or as otherwise set forth in the CCPA.
- To evaluate or conduct a merger, combination, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Foley’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Information held by Foley about our Clients and Related Entities is among the assets transferred.
Foley will not collect additional categories of Personal Information or use the Personal Information we collected for materially different, unrelated, or incompatible purposes without providing our Clients and Related Parties notice.
Use of Sensitive Personal Information
We do not use or disclose our Clients’ and Related Entities Personal Information for any purpose other than the following:
- to perform the services reasonably expected by an average Client who requests such services;
- to detect security incidents that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted Personal Information, provided that our use of your Personal Information is reasonably necessary and proportionate for such purposes;
- to resist malicious, deceptive, fraudulent, or illegal actions directed at Foley and to prosecute those responsible for those actions, provided that our use of your Personal Information is reasonably necessary and proportionate for this purpose;
- to ensure the safety of natural persons, provided that our use of our Clients’ and Related Entities’ Personal Information is reasonably necessary and proportionate for this purpose;
- for short-term, transient use, provided that the Personal Information is not disclosed to another third-party and is not used to build a profile about a Client or a Related Entity or otherwise alter their experience outside the current interaction with us;
- for service providers or contractors to perform services on behalf of us, such as maintaining or servicing accounts, providing Client service, processing or fulfilling orders and transactions, verifying Client information, processing payments, providing financing, providing analytic services, providing storage, or providing similar services on behalf of us; and
- to verify or maintain the quality or safety of a service that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or enhance the service or device that is owned, manufactured by, manufactured for, or controlled by us.
Because our use of your Sensitive Personal Information is limited to the above purposes as permitted under the CPRA, we do not provide Clients or Related Entities the ability to limit our use of their respective Sensitive Personal Information.
Sources of Personal Information
Foley obtains the categories of Personal Information listed above from the following categories of sources:
- Directly from our Clients and Related Entities;
- Witnesses and other similarly deposed third-parties;
- From other third-party sources during discovery, including through a subpoena or other lawful means;
- and other third-parties that may provide information during the course of our investigation or engagement for a Matter, such as experts, forensic teams, auditors, court reporters, transcription services, and other similar third-parties.
Disclosures of Personal Information
Foley may disclose a Client’s or a Related Entity’s Personal Information to a third party for a business purpose. When we disclose Personal Information for a business purpose, we either enter a contract that describes the purpose and requires the recipient to both keep that Personal Information confidential and not use it for any purpose except performing the contract or the other recipient may have a professional duty to not use it for any other purpose.
Disclosures of Personal Information for a Business Purpose
In the preceding twelve (12) months, Foley may have disclosed, depending on the Matter, any or all of the above categories of Personal Information for a business purpose to the following categories of third parties: Service providers, courts and other tribunals, government entities, opposing counsel, and other counsel.
Sales and Sharing of Personal Information
We do not sell or share (each as defined in the CPRA) our Client’s or any Related Entities’ Personal Information, including any Personal Information about Client’s or Related Entities under the age of 16, and have not sold or shared their Personal Information in the prior twelve (12) months.
Clients’ and Related Entities’ Rights and Choices
The CPRA provides consumers (California residents) with specific rights regarding their Personal Information. This section describes our Clients’ and Related Entities’ CPRA rights and explains how to exercise those rights. Clients and Related Entities may exercise these rights themselves or through their authorized agents. However, as a law firm, the rights of our Clients and Related Entities may be limited as described below in.
Limitations to Our Obligations and Rights Under this California Privacy Addendum
This California Privacy Addendum may also not apply to the extent it would restrict our ability to:
- Comply with federal, state, or local laws, regulations, and other rules regarding professional conduct (including any laws or ethical rules related to attorney-client privilege, attorney duties of confidentiality, or other professional duties that apply to us as attorneys);
- Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.
- Cooperate with law enforcement agencies concerning conduct or activity that Foley, our Clients, service providers, or another third party reasonably and in good faith believes may violate federal, state, or local law.
- Exercise and defend legal claims, including those against us or our Clients.
- Collect, use, retail, sell, or disclose information that is de-identified or aggregated.
- Collect or sell information about California consumers if every aspect of our commercial conduct takes place wholly outside of California.
Access to Specific Information and Data Portability Rights
Clients and Related Entities have the right to know certain information about the Personal Information Foley has collected about them.
- Right to Know. Except as described above in Limitations to Our Obligations and Rights Under this California Privacy Addendum, Client and Related Entities have the right to request that we disclose certain information to the applicable Client or Related Entity about our collection and use of the Client’s or Related Entities’ Personal Information over the past 12 months (a “Right to Know” Client or Related Entity Request). This includes: (a) the categories of Personal Information we have collected about the Client or Related Entity; (b) the categories of sources from which that Personal Information came from; (c) our purposes for collecting this Personal Information; (d) the categories of third parties with whom we have shared your Personal Information; and (e) if we have “sold” or “shared” or disclosed the Client’s or Related Entities’ Personal Information, a list of categories of third parties to whom we “sold” or “shared” such Personal Information, and a separate list of the categories of third parties to whom we disclosed your Personal Information to. The Client or Related Entity must specifically describe if they are making a Right to Know request or a Data Portability Request. If a Client or Entity would like to make both a Right to Know Client or Related Entity Request and a Data Portability Client or Related Entity Request they must make both requests clear in your request. If it is not reasonably clear from their request, we will only process their request as a Right to Know request. Clients and Related Entities may make a Right to Know or a Data Portability Client or Related Entity Request a total of two (2) times within a 12-month period at no charge.
- Access to Specific Pieces of Information (Data Portability). Subject to any right a Client may have under applicable law to have information about their Matter returned to them or transferred to another law firm, and except as described above in Limitations to Our Obligations and Rights Under this California Privacy Addendum, Client’s and Related Entities also have the right to request that we provide them with a copy of the specific pieces of Personal Information that we have collected about them, including any Personal Information that we have created or otherwise received from a third-party about them (a “Data Portability” Client or Related Entity Request). If a Client or Related Entity make a Data Portability Client or Related Entity Request electronically, we will provide them with a copy of your Personal Information in a portable and, to the extent technically feasible, readily reusable format that allows them to transmit the Personal Information to another third-party. Clients and Related Entities must specifically describe if they are making a Right to Know request or a Data Portability request. If they would like to make both a Right to Know Client or Related Entity Request and a Data Portability Client or Related Entity Request they must make both requests clear in their request. If it is not reasonably clear from their request, we will only process their request as a Right to Know request. In response to a Data Portability Client or Related Entity Request, we will not disclose a Client’s or a Related Entities’ social security number, driver’s license number or other government-issued identification number, financial account number, health insurance or medical identification number, or your account password or security question or answers. We will also not provide this information if the disclosure would create a substantial, articulable, and unreasonable risk to the Client’s or Related Entities Personal Information, their account with Foley, or the security of our systems or networks. We will also not disclose any Personal Information that may be subject to another exception under the CPRA. If we are unable to disclose certain pieces of a Client’s or a Related Entity’s Personal Information, we will describe generally the types of personal information that we were unable to disclose and provide them a description of the reason we are unable to disclose it. Clients and Related Entities may make a Right to Know or a Data Portability Client or Related Entity Request a total of two (2) times within a 12-month period at no charge.
Except as described above in Limitations to Our Obligations and Rights Under this California Privacy Addendum, Clients and Related Entities have the right to request that we correct any incorrect Personal Information about them to ensure that it is complete, accurate, and as current as possible. Clients and Related Entities may request that Foley correct the Personal Information we have about them as described below under Exercising Your CPRA Privacy Rights. In some cases, Foley may require Clients and Related Entities to provide reasonable documentation to show that the Personal Information we have about them is incorrect and what the correct Personal Information may be. Foley may also not be able to accommodate your request if we believe it would violate any law or legal requirement (including our ethical obligations) or cause the information to be incorrect or if the Personal Information is subject to another exception under the CPRA.
Deletion Rights
Clients and Related Entities have the right to request that Foley delete any of their respective Personal Information that we collected from them and retained, subject to certain exceptions. Once we receive and confirm a Client’s or Related Entity Request (see Exercising Access, Data Portability, and Deletion Rights), we will delete (and direct our service providers to delete) that Client’s or Related Entity’s Personal Information from our records, unless this right is limited as described above in Limitations to Our Obligations and Rights Under this California Privacy Addendum or an exception under the CPRA applies. Some exceptions to Clients’ and Related Entities’ right to delete include, but are not limited to, if we are required to retain their respective Personal Information to complete the transaction or provide you the goods and services for which we collected the Personal Information or otherwise perform under our engagement with the Client for the Matter, to detect security incidents or protect against other malicious activities, and to comply with legal obligations. We may also retain our Clients’ or Related Entities’ Personal Information for other internal and lawful uses that are compatible with the context in which we collected it.
Non-Discrimination Right
We will not discriminate against Clients or Related Entities for exercising any of their CPRA rights. Unless permitted by the CPRA, we will not do any of the following as a result of their exercising their CPRA rights: (a) deny them our services; (b) charge them different prices or rates for our services, including through granting discounts or other benefits, or imposing penalties; (c) provide them a different level or quality of goods or services; or (d) suggest that they may receive a different price or rate for services or a different level or quality of services.
We do not offer any financial incentives for any Client’s or a Related Entity’s Personal Information that could result in different prices, rates, or quality levels. Any differences we provide in prices, rates, or quality levels is unrelated to our receipt of any Client’s or any Related Entity’s Personal Information or their exercise of any rights under the CPRA, however we may not be able to provide our services without collecting our Client’s and Related Entities’ Personal Information.
Exercising Access, Data Portability, and Deletion Rights
To exercise any of the rights described above, please submit a request (a “Client or Related Entity Request”) to us by either:
- Calling us at +1 (833) 701-1071.
- Emailing us at privacyofficer@foley.com
- Submitting a form in person at one of our offices. This form is available at one of these locations.
If a Client or Related Entity (or their respective authorized agent) submit a request to delete their information online and no other exception applies, we will use a two-step process in order to confirm that the Client or Related Entity wants their Personal Information deleted. This process may include verifying the request through contacting the Client or Related Entity through any of the contact information we have regarding that Client or Related Entity.
If a Client or Related Entity fails to make its submission in accordance with the ways described above, we may either treat the request as if it had been submitted with our methods described above, or provide the Client or Related Entity with information on how to submit the request or remedy any deficiencies with the request.
Only the Client or Related Entity, or a respective agent that has authority to act on their behalf, may make a verifiable consumer request related to that Client’s or Related Entity’s Personal Information. To designate an authorized agent, see Authorized Agents below. We may request additional information so we may confirm a request to delete a Client’s or a Related Entity’s Personal Information.
Subject to the Limitations to Our Obligations and Rights Under this California Privacy Addendum and any other obligations we may have related to a Client’s or Related Entity’s Personal Information under applicable law, all Client and Related Entity Requests must:
- Provide sufficient information that allows us to reasonably verify that the Client or Related Entity is the person about whom we collected Personal Information or an authorized agent. This may include contacting the Client or the Related Entity at through the current contact information available and, where applicable, obtaining consent from the Client;
- Describe the Client’s or Related Entity’s request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We will only use Personal Information provided in a Client or Related Entity Request to verify the requestor’s identity or authority to make the request.
We cannot respond to a request from a Client or Related Entity or provide them with Personal Information if we cannot verify their identity or authority to make the request and confirm the Personal Information relates to the Client or Related Entity.
Making a verifiable consumer request does not require you to be our Client. We will only use Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
Authorized Agents
Clients and Related Entities may authorize their respective agents to exercise their rights under the CPRA on their behalf by providing their authorized agent with written authorization or power of attorney to exercise their rights. If a Client or Related Entity authorizes an agent, we may require that the agent provide proof that the agent has been authorized exercise the Client’s or Related Entity’s rights on their behalf. We may also request that a Client’s or Related Entity’s authorized agent submit proof of the agent’s own identity. We may deny a request from a Client’s or a Related Entity’s agent to exercise their rights on their behalf if the agent fails to submit adequate proof of identity or adequate proof that they have the authority to exercise the Client’s or Related Entity’s rights.
Response Timing and Format
We will respond to a verifiable consumer request within ten (10) days of its receipt. We will generally process these requests within forty-five (45) days of its receipt. If we require more time (up to 45 days), we will inform the Client or Related Entity of the reason and extension period in writing.
In response to a Right to Know or Data Portability Client or Related Entity Request, we will provide you with all relevant information we have collected or maintained about them on or after January 1, 2022, unless they request a shorter time period or an exception applies. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For Data Portability Client or Related Entity Requests, we will select a format to provide the applicable Client’s or Related Entity’s Personal Information that is readily useable and should allow them to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to a Client’s or Related Entity’s verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. We reserve the right to consider more than two (2) total Right to Know or Data Portability Client or Related Entity Requests (or combination of the two) in a twelve (12) month period to be repetitive and/or excessive and require a fee. If we determine that the request warrants a fee, we will tell the Client or Related Entity why we made that decision and provide them with a cost estimate before completing their request.
Retention Periods for Personal Information
Foley retains our Clients’ and Related Entities’ Personal Data in accordance with our internal document retention policies, including for the period we represent our Client in the Matter. We may also retain Personal Data for a minimum of ten (10) years following the conclusion of the Matter. After this time, we may retain our Clients’ and Related Entities’ Personal Data and other information:
- for as long as necessary to comply with any legal requirement;
- on our backup and disaster recovery systems in accordance with our backup and disaster recovery policies and procedures;
- for as long as necessary to protect our or our Clients’ legal interests or otherwise pursue our legal rights and remedies;
- to comply with our obligations under the Rules of Professional Conduct; and
- for data that has been aggregated or otherwise rendered anonymous in such a manner that Clients and Related Entities are no longer identifiable, indefinitely.
Changes to Our California Client Privacy Notice Addendum
Foley & Lardner LLP reserves the right to amend this California Client Privacy Addendum at our discretion and at any time and as described in our Client Privacy Notice. When we make changes to this California Client Privacy Addendum, we will post the updated notice on this webpage and update the notice’s effective date. Our Client’s continued use of our legal services following the posting of changes constitutes their acceptance of such changes.
Questions and Comments
Clients and Related Entities can contact us at the contact information listed in our Privacy Notice if they have any questions or comments about this California Client Privacy Addendum, the ways in which Foley collects and uses our Clients’ and Related Entities’ Personal Information described above and in our Privacy Notice, their choices and rights regarding such use, or if they wish to exercise any of their rights under California law.