CCPA/CPRA: Privacy Policy and Disclaimers for Law Firms. Whew!
The California Privacy Protection Agency (CPPA) has formally approved its comprehensive package of revised and new regulations under the California Consumer Privacy Act (CCPA). This approval confirms an effective date of January 1, 2026.
A lot of this has to do with cybersecurity, risk assessments, and automated decision-making technology. However, the critical aspect that may affect your website is . . . cookie consent. Read on to see if this applies to your law firm.
Is this Legal Advice?
Although I am a Florida attorney, the information provided here is for educational purposes only and does not constitute legal advice. No attorney-client relationship is formed by this communication.
Given the complexities of California’s regulatory landscape, I strongly recommend consulting with a California-licensed attorney specializing in administrative law or CCPA/CPRA compliance to address your specific legal needs.
With that disclaimer out of the way, here is my take on the CCPA and its CPRA amendment.
Applicability of the CCPA
The California Consumer Privacy Act (CCPA) applies to businesses that meet specific criteria. The CCPA (and its updated version, the CPRA) doesn’t apply to every firm.
To be a “covered business” in 2026, you must be a for-profit entity doing business in California that meets at least one of the following three metrics:
- Revenue Threshold: Businesses with annual gross revenues of $25 million or more ($26,625,000 when adjusted for inflation in 2026). If you are a large firm, then the CCPA applies to you.
- Data Volume: Companies that buy, receive, sell, or share the personal information of 50,000 or more California residents, households, or devices annually. This has been adjusted to 100,000 for 2026. This could be the case if your firm has many visitors from California and uses Google Analytics or other tracking tools.
– OR –
- Business Model: Any business that derives 50% or more of its annual revenue from selling consumers’ personal information. Most likely, this does not apply to a law firm.
Note that nonprofit and government agencies are exempt.
Small Law Firms Should Still Be Concerned
Note that the “Share” factor could affect your firm. This is the most common way smaller firms get caught.
“Sharing” includes sending data to third parties (like Meta or Google) for cross-contextual behavioral advertising. If your website has ~8,500 unique California visitors per month and uses a tracking pixel, you likely hit this threshold. In short, do you have about 275 visitors per day in California?
If you use Google Analytics, check your Google Analytics “California” user count for the past 12 months. If “Users” exceed 100,000, you are in scope. The count that matters is California users only, not your total users.
What Does the CCPA Affect?
The CCPA can affect many areas. This article will focus on the last one, but note that these are also affected:
- Displaying Confirmation of an Honored Opt-Out Request: Businesses must provide a clear, immediate acknowledgement—such as a “Success” message or visual toggle—to ensure the user knows their request to stop the sale or sharing of data has been processed.
- Symmetry in the Opt-Out Process: The path to withdrawing consent should be just as intuitive and require the same number of clicks as the path to granting consent, preventing “dark patterns” that make it difficult to opt out.
- Financial Incentive Programs May Not Be Selected by Default: To ensure true voluntary participation, businesses cannot pre-check enrollment boxes for loyalty programs or discounts that require the collection of personal information.
- Privacy Policy Updates – Required Identification of PI Categories Disclosed: Updated policies must explicitly list the specific categories of personal information—such as identifiers or geolocation—shared with service providers to maintain full transparency with the consumer.
- Cookie Consent Banner Updates – ‘X’ing’ Out Does Not Mark the Opt-In: Closing a banner by clicking an “X” must be treated as a refusal of consent or a “neutral” action rather than an implied agreement to be tracked.
Let’s talk about cookies though, as this is the most important item for your firm. Most likely, you have an easy opt-in/opt-out process for your newsletters and honor that. But you may not be in compliance with cookie tracking.
Cookie Consent Banner Updates – ‘X’ing’ Out Does Not Mark the Opt-In Consent Spot
Basically, California is cracking down on “Dark Patterns”—design tricks that nudge people into giving up their data. Here are the two big takeaways:
- Closing a Pop-Up Does Not Mean Giving Consent
If a visitor just hits the “X” on your cookie banner or clicks away to get it out of their face, you cannot count that as “Yes.” Unless they specifically click a button that says “I Accept” (or something similar), you must treat them as if they said “No.”
- The “Equal Energy” Rule (Symmetry)
You can’t make the “Accept All” button a giant, bright green box while the “Decline” button is a tiny, grey link hidden in the corner. Both choices must be equally easy to see and click. If you make it harder to say “No” than it is to say “Yes,” the state considers that a violation.
Why This Matters for Your Law Firm
If your website uses tracking pixels (like Meta or Google Analytics) to find new clients, the law treats that data sharing as a “sale” or “share” of information.
In the past, some firms assumed that if a user didn’t explicitly say “No,” they could keep tracking them. The new rule stops this. If a potential client ignores your banner, you have to stop the tracking by default.
| Don’t Do This | Do This Instead |
|---|---|
| Assume “X-ing out” of a banner means they agree. | Assume “X-ing out” means Opt-Out. |
| Use a giant “Accept” button and a hidden “No” link. | Make “Accept” and “Decline” look identical in size/style. |
| Use “Double Negatives” (e.g., “Don’t click here to not opt-out”). | Use clear, simple language, like “Accept” and “Decline.” |
What are Cookies?
Nom. Nom. Cookies are good. But you can’t eat these.
Cookies are clingy little digital breadcrumbs that follow you around the internet like a stalker who just wants to remind you about those shoes you looked at once.
What Cookies are Used?
The most common cookies are Google Analytics. Other plugins may also put cookies on the site, depending on your setup.
Google Analytics and Cookies?
Google Analytics (specifically Google Analytics 4, which is the standard as of 2026) primarily uses first-party cookies. These are small text files stored on a visitor’s browser that allow the platform to distinguish unique users and track their interactions across a single website.
Because of modern privacy regulations (like GDPR and CCPA) and browser restrictions (like Safari’s ITP), GA4 is designed to be more “privacy-first,” meaning it can also function with limited data or “cookieless” pings if a user denies consent.
| Cookie Name | Default Lifespan | Purpose |
|---|---|---|
| _ga | 2 years | The main cookie used to distinguish unique users. It stores a randomly generated Client ID. |
| _ga_<container-id> | 2 years | Used to persist session state. It keeps track of the current visit and is the successor to the older session cookies. |
| _gid | 24 hours | Used to distinguish users on a shorter timeframe (often seen in legacy or hybrid setups). |
| _gat | 1 minute | Used to throttle the request rate, ensuring Google’s servers aren’t overwhelmed by data pings. |
Key Changes in 2026
The Transition to “GS2” Format: Google recently updated the internal structure of the _ga_* session cookies from a format called GS1 to GS2. This change makes the data in the cookie easier for developers to read (using key-value pairs separated by $), but doesn’t change the cookie’s core purpose.
Consent Mode V2: By now, Google Consent Mode V2 is standard. If a user rejects cookies on your banner, GA4 stops using these cookies and instead sends “cookieless pings.” It then uses AI and machine learning to “model” or estimate the behavior of those users so your reports don’t have massive gaps.
Browser Caps: Even though Google sets a “2-year” expiration, browsers like Safari and Firefox often force these cookies to expire much sooner (sometimes in as little as 7 days or even 24 hours) to protect user privacy.
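The two banner rules above (closing or ignoring the banner is an opt-out; Accept and Decline must carry equal weight) and the Consent Mode V2 behavior just described can be wired together in a few lines of browser JavaScript. The block below is an added illustration, not code from the original post or from Google; it assumes gtag.js is loaded, uses a placeholder measurement ID, and keeps its own local dataLayer so it can also run outside a browser.

```javascript
// Added example: consent-banner logic that defaults to "denied" and
// only grants on an explicit Accept click. Assumes gtag.js; the local
// dataLayer below stands in for window.dataLayer when run in Node.
const dataLayer = [];
function gtag() { dataLayer.push(Array.from(arguments)); }

// The four Consent Mode V2 signals GA4 and Google Ads read.
const CONSENT_KEYS = ['analytics_storage', 'ad_storage', 'ad_user_data', 'ad_personalization'];

function consentState(granted) {
  const value = granted ? 'granted' : 'denied';
  return Object.fromEntries(CONSENT_KEYS.map((k) => [k, value]));
}

// Must run before the GA4 config call: with everything denied, GA4
// writes no _ga cookie and sends only cookieless pings.
function setConsentDefault() {
  gtag('consent', 'default', Object.assign({ wait_for_update: 500 }, consentState(false)));
  gtag('config', 'G-PLACEHOLDER'); // placeholder measurement ID, not a real one
}

// Every banner outcome except an explicit "accept" (X, Escape, scroll
// away, "decline", timeout) is an opt-out.
function decisionFor(action) {
  return action === 'accept' ? 'granted' : 'denied';
}

// Push the update and return the on-screen acknowledgement the banner
// should show, so the visitor knows the choice was processed.
function handleBannerAction(action) {
  const decision = decisionFor(action);
  gtag('consent', 'update', consentState(decision === 'granted'));
  return {
    decision,
    message: decision === 'granted' ? 'Tracking enabled.' : 'Success: your opt-out has been applied.',
  };
}

// "Equal energy" check on the two buttons. Inputs are plain measurements
// (what getBoundingClientRect / getComputedStyle would give you).
function buttonsAreSymmetric(accept, decline) {
  const same = (a, b) => Math.abs(a - b) <= 2; // 2px tolerance for rounding
  return Boolean(decline.visible) &&
    same(accept.width, decline.width) &&
    same(accept.height, decline.height) &&
    same(accept.fontSize, decline.fontSize);
}
```

In a real page, call setConsentDefault() in the head before the gtag config snippet and hook handleBannerAction to the banner's buttons, its close control and its dismiss-on-Escape handler alike.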
Penalties for Non-Compliance
Non-compliance with the CCPA carries significant financial and legal risks, with inflation-adjusted civil penalties now reaching up to $2,663 per unintentional violation and $7,988 per intentional violation. Because these fines apply to each affected consumer, costs for large-scale data breaches can escalate into the millions. Additionally, the law grants consumers a private right of action, allowing them to sue for statutory damages between $107 and $799 per incident if a breach results from a failure to maintain reasonable security measures, often leading to costly class-action litigation.
What Do We Recommend? Websites That Can Help
We recommend that, if the CCPA applies to you, you implement a cookie policy and use technology to address issues. Again, the key is whether your firm has $26,625,000 in revenue. Do you have more than 275 visits per day from California? Or does your business model derive 50% of its income from selling personal data? If so, then you need a cookie policy.
We have clients who use the following third-party services. We are agnostic in terms of technology, and they all have technology that can help manage your cookie opt-in and opt-out.
1. CookieYes (https://www.cookieyes.com/)
- Synopsis: A user-friendly, lightweight Consent Management Platform (CMP) designed for quick implementation. It is widely used by smaller websites and blogs that need to meet GDPR and CCPA requirements without a heavy technical lift.
- Pricing: Offers a robust free plan for personal sites. Paid plans for businesses range from $10 to $55 per month, making it one of the most affordable entry-point providers.
- Key Features: Automated cookie scanning, customizable banners, and a “consent log” to prove compliance in case of an audit.
2. Captain Compliance (https://captaincompliance.com/)
- Synopsis: A premium alternative to “self-service” tools. They focus on full-spectrum compliance rather than just a banner.
- Pricing: Offers a basic free version, but professional-grade, law-firm-ready plans start at $449 per month.
- Key Features: Includes a “Compliance Shield,” deep page scanning, and a heavy focus on the US state laws (including Florida’s specific 2024 regulations). They are unique because they offer more consultative support than lower-cost rivals.
3. Cookiebot (https://www.cookiebot.com/)
- Synopsis: Owned by Usercentrics, Cookiebot is famous for its powerful, patented scanning technology that finds “hidden” trackers that many other tools miss. It is highly automated and “plug-and-play.”
- Pricing: Pricing is based on the number of subpages. It starts with a free plan (for <50 pages), with Premium tiers usually starting at $13-$56+ per month, depending on site size.
- Key Features: Automatic cookie categorization, monthly scan reports sent via email, and a highly reliable “prior consent” feature that blocks cookies until the user clicks accept.
4. Osano (https://www.osano.com/)
- Synopsis: Osano markets itself as the “most liked” privacy platform and is built for companies that want to completely offload the legal risk. They are known for their “No-Fines, No-Penalties” guarantee, which offers to pay your fines if their tool fails you.
- Pricing: Offers a free tier for low-traffic users. Business plans typically start around $199 to $549 per month, though they often require custom quotes for larger organizations.
- Key Features: Tracks the privacy practices of over 11,000 vendors; provides a single line of code for installation; and features an “attorney-vetted” database for legal changes worldwide.
5. OneTrust (https://www.onetrust.com/)
- Synopsis: The “800-pound gorilla” of the industry. OneTrust is an enterprise-grade Governance, Risk, and Compliance (GRC) platform. It is often the choice for global law firms or corporations that need to manage thousands of domains and complex internal data maps.
- Pricing: Pricing is often opaque and custom-quoted, but entry-level “Essentials” suites typically start around $800+ per month, with full enterprise implementations often costing tens of thousands annually.
- Key Features: Deep integration with AI governance, third-party risk management, and Data Subject Access Request (DSAR) automation. It is less of a “plugin” and more of a full-scale corporate compliance infrastructure.
Sample Privacy & Disclaimer Policies
We can provide templates to help you start your disclaimer and privacy policies. These are templates only. They are starter documents. You will absolutely need to review, revise, and approve them. As lawyers, you are uniquely qualified to review them, know your state’s bar rules, and what needs to be added/removed.
Sample Disclaimer
Sample Privacy Policy