This Client Privacy Notice Addendum for California Residents (the “California Client Privacy Addendum”) describes our collection and use of Personal Information and supplements the information contained in Foley & Lardner’s (“Foley”) Client Privacy Notice and applies solely to Clients and Related Entities (as defined in our Privacy Notice) who reside in the State of California (“consumers”) for whom we collect Personal Information related to a Matter. We adopt this notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and implementing regulations and any terms defined in the CCPA have the same meaning when used in this notice.
Where noted, this California Privacy Addendum also does not apply to Personal Information reflecting a written or verbal business-to-business communication, such as information from our clients related to our engagement, including billing information and other information about our Client’s information who are not themselves the subject of a Matter (as defined in our Privacy Notice) (“B2B Personal Information”). Unless otherwise noted, this exemption will expire on January 1, 2021.
During the course of our representation of a Matter, we may collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device related to that Matter (“Personal Information”). As a large law firm, the categories of Personal Information we may collect and may have collected over the prior twelve (12) months about our Clients and Related Entities varies greatly depending on the Matter, and may include:
|Category||Potential Pieces of Personal Information Collected|
|A. Identifiers.||A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.|
|B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).||A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
Some Personal Information included in this category may overlap with other categories.
|C. Protected classification characteristics under California or federal law.||Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).|
|D. Commercial information.||Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.|
|E. Biometric information.||Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.|
|F. Internet or other similar network activity.||Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.|
|G. Geolocation data.||Physical location or movements.|
|H. Sensory data.||Audio, electronic, visual, thermal, olfactory, or similar information.|
|I. Professional or employment-related information.||Current or past job history or performance evaluations.|
|J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).||Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.|
|K. Inferences drawn from other Personal Information.||Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.|
Personal information does not include:
We may use or disclose the Personal Information we collect and, over the prior twelve (12) months, have used or disclosed the Personal Information we have collected, for one or more of the following business or commercial purposes:
Foley will not collect additional categories of Personal Information or use the Personal Information we collected for materially different, unrelated, or incompatible purposes without providing our Clients and Related Parties notice.
Foley obtains the categories of Personal Information listed above from the following categories of sources:
Foley may disclose a Client’s or a Related Entity’s Personal Information to a third party for a business purpose. When we disclose Personal Information for a business purpose, we either enter a contract that describes the purpose and requires the recipient to both keep that Personal Information confidential and not use it for any purpose except performing the contract or the other recipient may have a professional duty to not use it for any other purpose.
In the preceding twelve (12) months, Foley may have disclosed, depending on the Matter, any or all of the above categories of Personal Information for a business purpose to the following categories of third parties: Service providers, courts and other tribunals, government entities, opposing counsel, and other counsel.
We do not sell (as defined in the CCPA) our Client’s or any Related Entities’ Personal Information and have not sold their Personal Information in the prior twelve (12) months.
The CCPA provides consumers (California residents) with specific rights regarding their Personal Information. This section describes our Clients and Related Entities CCPA rights and explains how to exercise those rights. Clients and Related Entities may exercise these rights themselves or through their authorized agents. However, as a law firm, the rights of our Clients and Related Entities may be limited as described below in.
This California Privacy Addendum may also not apply to the extent it would restrict our ability to:
Clients and Related Entities have the right to request that Foley disclose certain information to them about our collection and use of their Personal Information over the past 12 months. Except as described above in Limitations to Our Obligations and Rights Under this California Privacy Addendum, once we receive and confirm a verifiable consumer request from a Client or a Related Entity (see Exercising Access, Data Portability, and Deletion Rights), we will disclose to them:
We do not provide these access and data portability rights for B2B Personal Information.
Clients and Related Entities have the right to request that Foley delete any of their respective Personal Information that we collected from them and retained, subject to certain exceptions. Once we receive and confirm the Client’s or Related Entity’s verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will delete (and direct our service providers to delete) that Client’s or Related Entity’s Personal Information from our records, unless this right is limited as described above in Limitations to Our Obligations and Rights Under this California Privacy Addendum or one of the following exceptions apply.
We may deny a deletion request from a Client or a Related Entity if retaining the information is necessary for us or our service provider(s) to:
We do not provide these deletion rights for B2B Personal Information.
To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either:
If a Client or Related Entity (or their respective authorized agent) submit a request to delete their information online and no other exception applies, we will use a two-step process in order to confirm that the Client or Related Entity wants their Personal Information deleted. This process may include verifying the request through contacting the Client or Related Entity through any of the contact information we have regarding that Client or Related Entity.
If a Client or Related Entity fails to make its submission in accordance with the ways described above, we may either treat the request as if it had been submitted with our methods described above, or provide the Client or Related Entity with information on how to submit the request or remedy any deficiencies with the request.
Only the Client or Related Entity, or a respective agent that has authorize to act on their behalf, may make a verifiable consumer request related to that Client’s or Related Entity’s Personal Information. To designate an authorized agent, see Authorized Agents below. We may request additional information so we may confirm a request to delete a Client’s or a Related Entity’s Personal Information.
Subject to the Limitations to Our Obligations and Rights Under this California Privacy Addendum and any other obligations we may have related to a Client’s or Related Entity’s Personal Information under applicable law, Clients and Related Entities may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:
We cannot respond to a request from a Client or Related Entity or provide them with Personal Information if we cannot verify their identity or authority to make the request and confirm the Personal Information relates to the Client or Related Entity.
Making a verifiable consumer request does not require you to be our Client. We will only use Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
Clients and Related Entities may authorize their respective agents to exercise their rights under the CCPA on their behalf by registering their agent with the California Secretary of State. They may also provide their authorized agent with power of attorney to exercise their rights. If a Client or Related Entity authorizes an agent, we may require that the agent provide proof that the agent has been authorized exercise the Client’s or Related Entity’s rights on their behalf. We may also request that a Client’s or Related Entity’s authorized agent submit proof of the agent’s own identity. We may deny a request from a Client’s or a Related Entity’s agent to exercise their rights on their behalf if the agent fails to submit adequate proof of identity or adequate proof that they have the authority to exercise the Client’s or Related Entity’s rights.
We will respond to a verifiable consumer request within ten (10) days of its receipt. We will generally process these requests within forty-five (45) days of its receipt. If we require more time (up to 45 days), we will inform the Client or Related Entity of the reason and extension period in writing.
Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide the applicable Client’s or Related Entity’s Personal Information that is readily useable and should allow them to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to a Client’s or Related Entity’s verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell the Client or Related Entity why we made that decision and provide them with a cost estimate before completing their request.
We will not discriminate against a Client or a Related Entity for exercising any of their CCPA rights. Unless permitted by the CCPA, we will not, as a result of them exercising any of their CCPA rights:
We do not offer any financial incentives for our Client’s or a Related Entity’s Personal Information that could result in different prices, rates, or quality levels. Any differences we provide in prices, rates, or quality levels is unrelated to our receipt of any Client’s or any Related Entity’s Personal Information, however we may not be able to provide our services without collecting our Client’s and Related Entities’ Personal Information.
Foley & Lardner LLP reserves the right to amend this California Client Privacy Addendum at our discretion and at any time and as described in our Client Privacy Notice. When we make changes to this California Client Privacy Addendum, we will post the updated notice on this webpage and update the notice’s effective date. Our Client’s continued use of our legal services following the posting of changes constitutes their acceptance of such changes.
Clients and Related Entities can contact us at the contact information listed in our Privacy Notice if they have any questions or comments about this California Client Privacy Addendum, the ways in which Foley collects and uses our Clients’ and Related Entities’ Personal Information described above and in our Privacy Notice, their choices and rights regarding such use, or if they wish to exercise any of their rights under California law.