Privacy Policy
Barack Ferrazzano Kirschbaum & Nagelberg LLP
Last Updated: April 13, 2023
Effective Date: April 13, 2023
BFKN is committed to protecting the privacy of our clients and other individuals whose personal data we receive, consistent with applicable laws and regulations. This Privacy Policy (this "policy") describes the way in which we collect, use, and disclose personal data.
This policy applies to information collected and used by Barack Ferrazzano Kirschbaum & Nagelberg LLP as well as BF Discovery LLC, our affiliated eDiscovery company. We refer to these entities collectively in this policy as “BFKN,” “we,” “us,” and “our,” depending on the context.
For persons in the European Union (EU) and the United Kingdom (UK), this Privacy Notice is intended to comply with the EU General Data Protection Regulation and the UK General Data Protection Regulation, which we refer to collectively as the GDPR.
If you are a resident of California, please see the section below entitled “Additional Information for California Residents” that is included at the end of this policy.
Please read this policy carefully before providing us with any information, particularly personal data. BY USING OUR WEBSITE OR OTHERWISE PROVIDING US WITH ANY PERSONAL DATA, YOU CONSENT TO THE USE OF YOUR PERSONAL DATA AS SET FORTH IN THIS POLICY.
We reserve the right to update this policy from time to time by posting a new policy on this page, and in some cases where changes are material we may also contact you via email or post a notice on our website homepage to let you know of such changes. You will be able to determine when this policy was last updated by referring to the “Last Modified” legend at the top. It is your responsibility to check this policy regularly for any changes. Changes to this policy are effective when posted, and you will be bound by those changes even if you did not take the time to review them.
1. What personal data do we collect about individuals?
Personal data refers to any information relating to an identified or identifiable natural person, such as a name, an email or physical address, an identification number, as well as information specific to that natural person, such as genetic, cultural, and physical information. Personal data includes any information defined as “personal data,” “personal information,” or “personally identifiable information” under applicable laws.
In the course of conducting the business of our law firm and eDiscovery business, we may receive personal data about individuals in several ways. Examples of the categories of personal data we collect and how we collect it are:
- Contact Information: This information, which includes names, job titles, addresses, and email addresses, is generally provided to us by clients in connection with their engagement, and by parties contacting us through our website or through personal interactions at meetings and events. We use contact information to communicate with clients and others about firm business, as well as about developments in the law, news about the firm, or events in which the firm is involved.
- Financial Information: This information, which includes credit card information, bank information, and general financial data, may be provided by our clients in connection with payment for legal services, or may be provided by our clients or third parties in connection with a transaction, litigation, or other matter with which we are involved.
- Health Information: We may receive health information of our clients and others to the extent relevant or required in connection with a legal matter for which we have been engaged. In addition, we may collect medical and health information from visitors to our offices – specifically your body temperature and whether you have or display certain symptoms such as fatigue, cough, sneezing, runny or stuffy nose, sore throat, headaches, shortness of breath, or other symptoms of respiratory illness – when necessary for us to engage in screening to address viruses and other health conditions.
- Other Information: In connection with our representation of our clients, our clients may provide us with other information that is considered “personal data” under applicable laws, if that personal data is necessary for or otherwise applicable to our work.
2. Why do we collect this personal data, and how do we use it?
We are a law firm in the business of providing legal advice to clients and representing their interests in transactions, litigation, before government agencies, and in other types of legal matters. Our eDiscovery business provides clients with a platform to provide discovery solutions.
For purposes of the GDPR, we only collect and process data if we have an appropriate legal basis for doing so, and we describe the applicable legal bases below. These legal bases are also consistent with our business and commercial purposes for collecting and using information.
If you have formally engaged us to provide legal or discovery services to you, our engagement letter forms a contract between you and us, and we will collect and use personal data as necessary to communicate with you about our representation, to perform the work you have hired us to do, and to process any payments made to our firm.
We may also process personal data as necessary to comply with a legal obligation to which we are subject, such as producing information required by a court order.
In many cases, we will collect and process personal data as necessary to carry out our legitimate business interests, which are:
- to conduct our business as a law firm and represent our clients in transactional and litigation matters;
- to carry out our clients’ instructions;
- to communicate with our clients and third parties regarding ongoing matters;
- to produce certain information to opposing parties in litigation (subject to court orders governing the confidentiality of the information); and
- to keep our current and former clients and others informed about developments in the law, news about the firm, and events in which the firm is involved.
Where we rely on our legitimate interests to process your personal data, you have the right to object to such processing (meaning that you can ask us to stop).
3. Who do we disclose your personal data to?
The personal data that we receive from clients and other persons will be available to various employees at our firm, including the lawyers and paralegals at our firm who provide services to our clients, as well as to certain staff members who need access to the information to do their jobs, which may include staff who: (a) process invoices to clients; (b) manage client trust accounts; (c) draft correspondence or other documents; (d) process data used in litigation; (e) evaluate potential conflicts of interest; or (f) prepare and distribute marketing materials. Our personnel are subject to confidentiality obligations with respect to the information they receive.
In addition to the employees at our firm, we may provide your personal data to vendors who we engage to hold our data in the cloud, manage our email security, or who process our data for shipping, e-billing, marketing or litigation purposes. These parties are under contractual obligations limiting their use and disclosure of your information.
We may also provide your personal data to counsel for parties who are engaged in transactions or litigation in which we are representing clients, as required for the purpose of that representation, such as providing due diligence in a transaction or discovery in litigation.
We will not sell or lease your personal data to third parties unless we have your permission or are required by law to do so.
4. How long will we keep your personal data?
We typically retain the information we receive in the course of matters in which we represent clients for 7 years after the matter is over. We sometimes retain data longer if the attorney responsible for the matter determines that it is appropriate to do so.
We retain contact information until we determine that it is no longer valid or we no longer have need to use that information.
5. What do we do to secure your personal data?
We are committed to ensuring that your information is secure. In order to prevent unauthorized access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.
6. How do we use cookies and other tracking technology?
Cookies. A cookie is a small file that asks permission to be placed on your computer's hard drive, if allowed by your browser’s cookie setting. If allowed, the file is added and the cookie helps analyze web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
We use traffic log cookies to identify which pages are being used. This helps us analyze data about webpage traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.
Overall, cookies help us provide you with a better website by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of our website.
Do Not Track. Currently, certain browsers, including Firefox, Google Chrome, Safari, and Internet Edge, offer a “do not track” (or, “DNT”) option. This option, using a technology known as a DNT header, sends a signal to websites visited by the user about the user’s DNT preference, if any, set on the browser. We do not currently commit to responding to browsers’ DNT signals. We cannot make this commitment because no common industry standard for DNT has been adopted by industry groups, technology companies, or regulators.
Third Party Services. Some features on our site may be served by third parties, including advertisers, ad networks and servers, content providers and application providers. These third parties may use cookies, alone or with web beacons or other tracking technology, to collect information about you when you use the site. They may be able to associate the information they collect with your personally identifiable information, or they may collect information, including personally identifiable information, about your online activities over time and across other websites and online services. They may use this information to provide you with behavioral advertising or other targeted content. That content may appear either on our site, or on other websites. We cannot control any third parties’ tracking technologies or how they may be used. If you have any questions about an advertisement or other targeted content, you should contact the responsible provider directly.
7. How can you control the use of your personal data?
If you are a California resident, please also see the section below entitled “Additional Information for California Residents.”
You may choose to restrict the collection or use of your personal data in the following ways:
- whenever you are asked to fill in a form on the website, look for the box that you can click to indicate that you do not want the information to be used by anybody for direct marketing purposes; and
- if you have previously agreed to let us use your personal data for direct marketing purposes, you may change your mind at any time by writing to or emailing us at bfekina@bfkn.com.
You have the right to ask us for a copy of the personal data we have about you, along with related information about our purposes for processing that data.
If you believe that any information we are holding about you is incorrect or incomplete, you have the right to ask us to correct that information. We will promptly correct any information found to be incorrect.
In addition, you have the right to ask us to erase your personal data. If you do so, we will delete your information, unless we continue to have an overriding legitimate interest in retaining the information. We will always honor a request to delete information that we use solely for direct marketing purposes.
If you would like to make any request to us about your personal data, please contact us at bfekina@bfkn.com.
8. Who can you contact with questions or complaints?
If you have a question or complaint about how we are using your personal data, you can contact us and we will promptly address your complaint.
If you are a California resident, please also see the section below entitled “Additional Information for California Residents.”
If you are in the EU, the GDPR also gives you the right to lodge a complaint with the governing Data Protection Authority within your jurisdiction. You can find your national Data Protection Authority here. We would, however, appreciate the opportunity to address your concerns directly before you approach a regulatory authority, so please contact us in the first instance at bfekina@bfkn.com.
9. Who is your “Data Controller”?
Under the GDPR, our firm – Barack Ferrazzano Kirschbaum & Nagelberg LLP – is considered the “Data Controller” with respect to the personal data we collect directly, because we are responsible for deciding how to use that data.
You may communicate with us by writing to us at:
Barack Ferrazzano Kirschbaum & Nagelberg LLP
200 W. Madison Street
Chicago, IL 60606
bfekina@bfkn.com
Attention: Edward F. Malone
10. A note to visitors from outside the United States (U.S.)
If you reside outside the U.S., any information you provide to our website will be transferred out of your country and into the U.S. If you do not want any personal information to be transferred to the U.S., please do not provide that information to us or our website. By providing personal information to us or our website, you expressly consent to the transfer of that information to the U.S.
11. Additional information for California residents.
This Additional Information for California Residents section is a part of, and supplements, our privacy policy. We refer to this section of our privacy policy as the “California Notice.”
This California Notice applies only to residents of California (who are referred to as “you” or “your” in this section). This California Notice is being provided as required by the California Privacy Rights Act of 2020 (which amended and replaced the California Consumer Privacy Act of 2018, and is referred to as the “CPRA”). Any terms defined in the CPRA (such as “personal information,” “consumer,” “service provider,” “contractor,” “third party,” “sale/sell,” and “share”) will have the same meaning when used in this California Notice.
This California Notice is made available through our websites in the United States, including the sites and applications that link to this California Notice such as www.bfkn.com (which we refer to collectively in this California Notice as the “site,” which also includes all associated content, functionality, and services offered on or through the site).
A. The categories of personal information we collect.
The section of our policy above entitled “What personal data do we collect about individuals?” describes the types of personal information we collect, and the section above entitled “Why do we collect this personal data, and how do we use it?” provides information about our business and commercial purposes for collecting that personal information.
For purposes of the CPRA, the personal information we collect falls into the categories listed below. For each category listed below, we also provide more information about the sources of that personal information, and our business and/or commercial purpose for collecting this information.
| Category of Personal Information We Collect | Examples | Where Obtained (i.e., the Categories of Sources of the Information) | Business and/or Commercial Purpose of Collection | Retention Period |
| --- | --- | --- | --- | --- |
| Identifiers | Real name, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers | Directly from the consumer and/or from the consumer’s counsel, employer, family member, or other party who may provide information in connection with our legal and eDiscovery services (including by providing such personal information within documents provided to us). Indirectly through online platforms such as LinkedIn, Twitter, Facebook, and Google. | Communication with consumers; providing services as counsel to the consumer or another party; communicating with consultants and vendors for purposes relating to our business. | For the duration of our business or prospective business relationship, plus 7 years. |
| Personal information categories listed in the California Consumer Records statute (Cal. Civ. Code §1798.80(e)) | Name, signature, Social Security number, physical characteristics or descriptions, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories. | Directly from the consumer and/or from the consumer’s counsel, employer, family member, or other party who may provide information in connection with our legal and eDiscovery services (including by providing such personal information within documents provided to us). | Communication with consumers; providing services as counsel to the consumer or another party; communicating with consultants and vendors for purposes relating to our business; engaging in health screening of visitors when required to address health conditions. | For the duration of our business or prospective business relationship, plus 7 years. |
| Protected classification characteristics under California or federal law | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). Some personal information included in this category may overlap with other categories. | Directly from the consumer and/or from the consumer’s counsel, employer, family member, or other party who may provide information in connection with our legal and eDiscovery services (including by providing such personal information within documents provided to us). | Providing services as counsel to the consumer or another party. | For the duration of our business or prospective business relationship, plus 7 years. |
| Commercial information | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | Directly from the consumer and/or from the consumer’s counsel, employer, family member, or other party who may provide information in connection with our legal and eDiscovery services (including by providing such personal information within documents provided to us). | Providing services as counsel to the consumer or another party. | For the duration of our business or prospective business relationship, plus 7 years. |
| Internet or other similar network activity | Browsing history, search history, information on interaction with a website, application, or advertisement. | Indirectly through website activity, such as a consumer’s employer’s IP address. | Assessing our marketing and firm outreach efforts and evaluating the relevance of, interest in, and engagement with content we publicize. | Cookies/Browsing data may be retained for up to 2 years. |
| Sensory data | Audio and visual information; temperature and other physical health symptoms. | We collect audio information directly from the consumers via voicemail, and visual information through the use of security cameras that are used in connection with building security; we collect audio and visual information in connection with the use of online meeting platforms, such as Zoom and Microsoft Teams; we may collect temperature and other health symptom information directly from consumers visiting our offices. | Audio information is used solely to review and respond to messages. Video information is used solely to investigate a physical security breach. Temperature and other physical health symptom information is used solely to screen visitors to our offices when necessary to address health conditions. | Audio information kept through phone logs is retained until the applicable voice message is deleted. Audio and visual information obtained via online meeting platforms is retained by us (a) for a period of 6 months with respect to chat messages; and (b) for the duration of the legal matter plus 7 years for video recordings. Video surveillance information is retained for up to 6 months. Audio and video information collected in connection with providing legal services will be retained for the duration of the legal matter plus 7 years. Temperature and other physical health symptom information is not retained following collection from the consumer. |
| Professional or employment-related information | Current or past job history or performance evaluations. | Directly from the consumer and/or from the consumer’s counsel, employer, family member, or other party who may provide information in connection with our legal and eDiscovery services (including by providing such personal information within documents provided to us). | Providing services as counsel to the consumer or another party; evaluating and responding to applications for employment; tracking relationships and evaluating networking opportunities. | Client-related employment information will be retained for the duration of our business or prospective business relationship, plus 7 years. With respect to our employees, personnel records are maintained in accordance with our document retention policy. |
| Inferences drawn from other personal information | Profile reflecting a consumer’s personal preferences. | Directly from the consumer, including through attendance by the consumer at events we may attend or host. | To accommodate the consumer’s preferences (such as dietary requests). | For the duration of our business or prospective business relationship, plus 7 years. |
For purposes of the CPRA, we do not collect any categories of information defined as “Sensitive Personal Information,” because we do not use any information for the purposes of inferring characteristics about the person with respect to whom it was collected.
The retention periods set forth above indicate our general practices with respect to document destruction. We maintain a document retention policy that provides for specific retention periods and document destruction practices in accordance with legal requirements and industry best practices.
B. The parties to whom we disclose information.
The section in our policy above entitled “Who do we disclose your personal data to?” describes how we disclose personal information. Some of our disclosure of information is to service providers and contractors (as defined in the CPRA), and other businesses with whom we have contractual relationships, and we provide the personal information in the course of our business relationship with those service providers and businesses.
We also disclose information to the following categories of third parties:
- Co-counsel, opposing counsel, and other representatives, with whom we may share information in the context of our representation of our clients;
- Third parties such as analytics providers, who may use tracking technologies to measure the effectiveness of our website. In connection with their analytics services, they may receive information about your internet or other similar network activity.
C. Information about selling and sharing personal information under the CPRA.
For purposes of the CPRA:
- “Selling” personal information is defined as selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating a consumer’s personal information to a third party for monetary or other valuable consideration; and
- “Sharing” is defined as sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating information with third parties for cross-context behavioral advertising, whether or not for monetary or other consideration. “Cross-context behavioral advertising” in turn is defined as targeting or advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than our distinctly-branded websites with which you have intentionally interacted.
We do not sell or share personal information as these terms are defined in the CPRA.
D. Rights of California consumers under the CPRA.
The CPRA provides California residents with specific rights regarding their personal information. If you are a California resident, you have the rights described below. Please note that your rights are subject to limitations and exceptions described in the CPRA, which we will provide more detail about if and when you make a CPRA-related request.
- Right to Know – You have the right to ask us to provide you with information about our collection and use of your personal information over the past 12 months.
- Right to Access/Data Portability – You have the right to ask us to provide you with copies of personal information that we have collected about you, in a portable and readily-usable format.
- Right to Request Deletion of Certain Information – You have the right to ask us to delete personal information about you that we collected from you and have retained.
- Right to Correct – If you believe that any personal information we have about you is incorrect, you have the right to ask us to correct any inaccuracies.
- Right to Non-Discrimination and Non-Retaliation – You have the right not to be discriminated or retaliated against for exercising any of your CPRA rights.
How to submit a verifiable consumer request and exercise your rights
To exercise your rights described above, you must submit a verifiable consumer request to us by either:
- Calling us (toll-free) at 888-874-1987; or
- Emailing us at DataPrivacy@bfkn.com.
Only you, or a person registered with the California Secretary of State that you expressly authorize to act on your behalf, can make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.
You may only make a verifiable consumer request for access or data portability twice within any 12-month period.
We cannot respond to your request or provide you with information if we cannot identify you or confirm your authority to make the request, so any request will require you to provide sufficient information to allow us to reasonably verify your identity. We will only use any personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
We will respond to any verifiable consumer requests in the manner and within the timeframes required by the CPRA.