Client Privacy Notice Addendum for California Residents

This Client Privacy Notice Addendum for California Residents (the “California Client Privacy Addendum”) describes our collection and use of Personal Information and supplements the information contained in Foley & Lardner’s (“Foley”) Client Privacy Notice and applies solely to Clients and Related Entities (as defined in our Privacy Notice) who reside in the State of California (“consumers”) for whom we collect Personal Information related to a Matter. We adopt this notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and implementing regulations and any terms defined in the CCPA have the same meaning when used in this notice. 

Where noted, this California Privacy Addendum also does not apply to Personal Information reflecting a written or verbal business-to-business communication, such as information from our clients related to our engagement, including billing information and other information about our Client’s information who are not themselves the subject of a Matter (as defined in our Privacy Notice) (“B2B Personal Information”). Unless otherwise noted, this exemption will expire on January 1, 2021.  

Information We Collect

During the course of our representation of a Matter, we may collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device related to that Matter (“Personal Information”). As a large law firm, the categories of Personal Information we may collect and may have collected over the prior twelve (12) months about our Clients and Related Entities varies greatly depending on the Matter, and may include: 


Category  Potential Pieces of Personal Information Collected 
A. Identifiers.  A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers. 
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).  A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.
Some Personal Information included in this category may overlap with other categories. 
C. Protected classification characteristics under California or federal law.  Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). 
D. Commercial information.  Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. 
E. Biometric information.  Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. 
F. Internet or other similar network activity.  Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. 
G. Geolocation data.  Physical location or movements.  
H. Sensory data.  Audio, electronic, visual, thermal, olfactory, or similar information. 
I. Professional or employment-related information.  Current or past job history or performance evaluations. 
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).  Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.  
K. Inferences drawn from other Personal Information.  Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. 

Personal information does not include:

  • Publicly available information from government records.

  • Deidentified or aggregated consumer information.

  • Information excluded from the CCPA’s scope, like:

    • health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;

    • Personal Information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

Use of Personal Information

We may use or disclose the Personal Information we collect and, over the prior twelve (12) months, have used or disclosed the Personal Information we have collected, for one or more of the following business or commercial purposes: 

  • To fulfill the reason we have collected the information, such as to provide legal services for our Clients.

  • Short-term, transient use, provided that we do not disclose the Personal Information to another third party and we do not use it to build a profile about a Client, a Related Entity, or other third party.

  • To perform business services for or on behalf of Foley or our Clients, including maintaining or servicing client accounts, providing IT services, shipping and receiving, verifying client information, processing payments, providing financing, providing advertising or marketing services, providing analytic services, or providing similar services to or on behalf of Foley.

  • To procure, maintain, renew, and otherwise obtain the benefit of insurance, including communications with our insurers to file, process, and defend claims. 

  • To perform legal services for or on behalf of Foley and our Clients related to our representation in a Matter, including for communicating with tribunals, government agencies, arbitrators, mediators, insurers, accountants, opposing counsel, transcription and other court reporting services, discovery services, expert opinions, forensic services, auditing services, and other similar entities and services. 

  • To fulfill our ethical obligations under the applicable rules of professional document, including such rules related to Client confidentiality. 

  • Undertaking activities to verify or maintain the quality of our services or device that is owned or controlled by Foley, and to improve, upgrade, or enhance the service or device that is owned or controlled by the business.

  • To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations. 

  • As described to our Client or Related Entity when collecting their Personal Information or as otherwise set forth in the CCPA. 

  • To evaluate or conduct a merger, combination, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Foley’s assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Information held by Foley about our Clients and Related Entities is among the assets transferred. 

Foley will not collect additional categories of Personal Information or use the Personal Information we collected for materially different, unrelated, or incompatible purposes without providing our Clients and Related Parties notice.

Sources of Personal Information

Foley obtains the categories of Personal Information listed above from the following categories of sources:

  • Directly from our Clients and Related Entities;

  • Witnesses and other similarly deposed third-parties;

  • From other third-party sources during discovery, including through a subpoena or other lawful means;

  • and other third-parties that may provide information during the course of our investigation or engagement for a Matter, such as experts, forensic teams, auditors, court reporters, transcription services, and other similar third-parties. 

Sharing Personal Information

Foley may disclose a Client’s or a Related Entity’s Personal Information to a third party for a business purpose. When we disclose Personal Information for a business purpose, we either enter a contract that describes the purpose and requires the recipient to both keep that Personal Information confidential and not use it for any purpose except performing the contract or the other recipient may have a professional duty to not use it for any other purpose. 

Disclosures of Personal Information for a Business Purpose

In the preceding twelve (12) months, Foley may have disclosed, depending on the Matter, any or all of the above categories of Personal Information for a business purpose to the following categories of third parties: Service providers, courts and other tribunals, government entities, opposing counsel, and other counsel.

Sales of Personal Information 

We do not sell (as defined in the CCPA) our Client’s or any Related Entities’ Personal Information and have not sold their Personal Information in the prior twelve (12) months.

Clients and Related Entities Rights and Choices 

The CCPA provides consumers (California residents) with specific rights regarding their Personal Information. This section describes our Clients and Related Entities CCPA rights and explains how to exercise those rights. Clients and Related Entities may exercise these rights themselves or through their authorized agents. However, as a law firm, the rights of our Clients and Related Entities may be limited as described below in. 

Limitations to Our Obligations and Rights Under this California Privacy Addendum

This California Privacy Addendum may also not apply to the extent it would restrict our ability to:

  • Comply with federal, state, or local laws, regulations, and other rules regarding professional conduct (including any laws or ethical rules related to attorney-client privilege, attorney duties of confidentiality, or other professional duties that apply to us as attorneys);

  • Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities. 

  • Cooperate with law enforcement agencies concerning conduct or activity that Foley, our Clients, service providers, or another third party reasonably and in good faith believes may violate federal, state, or local law. 

  • Exercise and defend legal claims, including those against us or our Clients.

  • Collect, use, retail, sell, or disclose information that is de-identified or aggregated.

  • Collect or sell information about California consumers if every aspect of our commercial conduct takes place wholly outside of California. 

Access to Specific Information and Data Portability Rights

Clients and Related Entities have the right to request that Foley disclose certain information to them about our collection and use of their Personal Information over the past 12 months. Except as described above in Limitations to Our Obligations and Rights Under this California Privacy Addendum, once we receive and confirm a verifiable consumer request from a Client or a Related Entity (see Exercising Access, Data Portability, and Deletion Rights), we will disclose to them:

  • The categories of Personal Information we collected about that Client or Related Entity.

  • The categories of sources for the Personal Information we collected about Client or Related Entity.

  • Our business or commercial purpose for collecting or selling that Personal Information.

  • The categories of third parties with whom we share that Personal Information.

  • The specific pieces of Personal Information we collected about the Client or the Related Entity (also called a data portability request). However, we will not disclose any Client’s or Related Entity’s social security number, driver’s license number or other government-issued identification number, financial account number, health insurance or medical identification number. We will also not provide this information if the disclosure would create a substantial, articulable, and unreasonable risk to our Client’s or a Related Entity’s Personal Information or the security of our systems or networks, or if otherwise prohibited by the rules of professional conduct that apply to us as attorneys.

  • If we disclosed the Client’s or the Related Entity’s Personal Information for a business purpose a list disclosing the Personal Information categories that each category of recipient obtained.

We do not provide these access and data portability rights for B2B Personal Information.

Deletion Request Rights 

Clients and Related Entities have the right to request that Foley delete any of their respective Personal Information that we collected from them and retained, subject to certain exceptions. Once we receive and confirm the Client’s or Related Entity’s verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will delete (and direct our service providers to delete) that Client’s or Related Entity’s Personal Information from our records, unless this right is limited as described above in Limitations to Our Obligations and Rights Under this California Privacy Addendum or one of the following exceptions apply.

We may deny a deletion request from a Client or a Related Entity if retaining the information is necessary for us or our service provider(s) to: 

  1. Complete the transaction for which we collected the Personal Information, provide a good or service that our Client has requested, take actions reasonably anticipated within the context of our ongoing business relationship with our Client, or otherwise perform our contract with our Client.

  2. Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.

  3. Debug products to identify and repair errors that impair existing intended functionality.

  4. Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.

  5. Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).

  6. Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if the Client or Related Entity previously provided informed consent.

  7. Enable solely internal uses that are reasonably aligned with our Clients’ or Related Entities’ expectations based on our Clients’ relationship with us.

  8. Comply with a legal obligation.

  9. Make other internal and lawful uses of that information that are compatible with the context in which the Client or Related Entity provided it.

We do not provide these deletion rights for B2B Personal Information.

Exercising Access, Data Portability, and Deletion Rights

To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either: 

  • Calling us at +1 (833) 701-1071.

  • Emailing us at privacyofficer@foley.com 

  • Submitting a form in person at one of our offices. This form is available at one of these locations.

If a Client or Related Entity (or their respective authorized agent) submit a request to delete their information online and no other exception applies, we will use a two-step process in order to confirm that the Client or Related Entity wants their Personal Information deleted. This process may include verifying the request through contacting the Client or Related Entity through any of the contact information we have regarding that Client or Related Entity.

If a Client or Related Entity fails to make its submission in accordance with the ways described above, we may either treat the request as if it had been submitted with our methods described above, or provide the Client or Related Entity with information on how to submit the request or remedy any deficiencies with the request. 

Only the Client or Related Entity, or a respective agent that has authorize to act on their behalf, may make a verifiable consumer request related to that Client’s or Related Entity’s Personal Information. To designate an authorized agent, see Authorized Agents below. We may request additional information so we may confirm a request to delete a Client’s or a Related Entity’s Personal Information. 

Subject to the Limitations to Our Obligations and Rights Under this California Privacy Addendum and any other obligations we may have related to a Client’s or Related Entity’s Personal Information under applicable law, Clients and Related Entities may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

  • Provide sufficient information that allows us to reasonably verify that the Client or Related Entity is the person about whom we collected Personal Information or an authorized agent. This may include contacting the Client or the Related Entity at through the current contact information available and, where applicable, obtaining consent from the Client;

  • Describe the Client’s or Related Entity’s request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to a request from a Client or Related Entity or provide them with Personal Information if we cannot verify their identity or authority to make the request and confirm the Personal Information relates to the Client or Related Entity. 

Making a verifiable consumer request does not require you to be our Client. We will only use Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request. 

Authorized Agents

Clients and Related Entities may authorize their respective agents to exercise their rights under the CCPA on their behalf by registering their agent with the California Secretary of State. They may also provide their authorized agent with power of attorney to exercise their rights. If a Client or Related Entity authorizes an agent, we may require that the agent provide proof that the agent has been authorized exercise the Client’s or Related Entity’s rights on their behalf. We may also request that a Client’s or Related Entity’s authorized agent submit proof of the agent’s own identity. We may deny a request from a Client’s or a Related Entity’s agent to exercise their rights on their behalf if the agent fails to submit adequate proof of identity or adequate proof that they have the authority to exercise the Client’s or Related Entity’s rights. 

Response Timing and Format

We will respond to a verifiable consumer request within ten (10) days of its receipt. We will generally process these requests within forty-five (45) days of its receipt. If we require more time (up to 45 days), we will inform the Client or Related Entity of the reason and extension period in writing.

Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide the applicable Client’s or Related Entity’s Personal Information that is readily useable and should allow them to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to a Client’s or Related Entity’s verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell the Client or Related Entity why we made that decision and provide them with a cost estimate before completing their request. 

Non-Discrimination

We will not discriminate against a Client or a Related Entity for exercising any of their CCPA rights. Unless permitted by the CCPA, we will not, as a result of them exercising any of their CCPA rights:

  • Deny the Client our services.

  • Charge the Client different prices or rates for our services, including through granting discounts or other benefits, or imposing penalties.

  • Provide our Clients a different level or quality of services.

  • Suggest that our Client may receive a different price or rate for services or a different level or quality of services.

We do not offer any financial incentives for our Client’s or a Related Entity’s Personal Information that could result in different prices, rates, or quality levels. Any differences we provide in prices, rates, or quality levels is unrelated to our receipt of any Client’s or any Related Entity’s Personal Information, however we may not be able to provide our services without collecting our Client’s and Related Entities’ Personal Information. 

Changes to Our California Client Privacy Notice Addendum

Foley & Lardner LLP reserves the right to amend this California Client Privacy Addendum at our discretion and at any time and as described in our Client Privacy Notice. When we make changes to this California Client Privacy Addendum, we will post the updated notice on this webpage and update the notice’s effective date. Our Client’s continued use of our legal services following the posting of changes constitutes their acceptance of such changes.

Questions and Comments

Clients and Related Entities can contact us at the contact information listed in our Privacy Notice if they have any questions or comments about this California Client Privacy Addendum, the ways in which Foley collects and uses our Clients’ and Related Entities’ Personal Information described above and in our Privacy Notice, their choices and rights regarding such use, or if they wish to exercise any of their rights under California law.