California Votes to Establish New Privacy Law Specialization

By Jeewon Kim Serrato

On December 13, 2025, the California Board of Legal Specialization (CBLS) voted to approve a new Legal Specialization in Privacy Law. This is the culmination of a process that the State Bar of California initiated in November 2022 by establishing a Consulting Group on the Establishment of a Legal Specialization in Privacy Law (Privacy Law Group). Appointed by the State Bar of California, the 13-member Privacy Law Group was tasked with studying the practice area to assess whether there is sufficient need and interest to create a specialty, as well as whether the area is sufficiently defined as to create a useful specialization. The Privacy Law Group determined that certification in this area of law is feasible and appropriate and presented draft certification standards for review by the CBLS and the State Bar Board of Trustees.

The next step will be the Board of Trustees meeting, scheduled for May 2025, where the recommendation will be reviewed. Following this, it will be posted for a 60-day public comment period. If all proceeds as planned, the final approval and adoption of the specialization will be considered and receive final approval at the subsequent Board of Trustees meeting in September 2025.

What is the CBLS’s Role?

The CBLS administers the State Bar of California Program for Certifying Legal Specialists. This program was created by the California Supreme Court to promote attorney competence and provide consumers with an independent means to verify an attorney’s qualifications. The legal specializations administered by the CBLS are the only programs by which attorneys can receive a designation as a specialist in an area of law. While there are other certifications available, this new Privacy Law Specialization is the only method by which privacy lawyers licensed to practice in California will be able to advertise themselves as a certified specialist.

With more than 225,000 attorneys, the State Bar of California is the largest state bar in the country. Nearly 170,000 lawyers actively practice law in California. The new privacy law specialization will have a significant impact on how attorneys in the U.S. think about privacy law specialization.

Is There a Need and Demand For a Privacy Law Specialization?

The Privacy Law Group presented to the CBLS and the State Bar agreed that privacy law is an area of law that can be defined and there is need and demand for privacy law specialists in California.

There were several discussions about the certification programs that are currently available in the market. While there are many other certification programs for privacy specialists, many are not exclusive to lawyers, therefore they do not signify a specialization in privacy law, and they do not allow California-licensed attorneys to advertise themselves as a privacy law specialist due to the state bar rules.

This is the first time the CBLS has recognized a new legal specialty field in more than a decade. The Privacy Law Group discussed the rapid developments in privacy law that occurred in the last ten years. The fact that the California Lawyers Association (CLA) established a stand-alone privacy law section in 2020 and now has more than 1,200 members was discussed as one of the supporting factors for the CBLS to consider as it weighs whether there is need and demand for a specialization in privacy law.

What Is Privacy Law?

As part of the proposal and presentation to the CBLS, the Privacy Law Group discussed at length what it means to practice in privacy law. Over the course of a year, there were several discussions as to what is and is not privacy law. For example, the Group considered whether cybersecurity and artificial intelligence (AI) would be part of privacy. In the end, the Group considered the work privacy law practitioners currently engage in and sought to create a specialization that would be flexible enough to adapt over time to changes in the legal and regulatory landscape as well as emerging technologies that impact the legal practice.

Below is the list of continuing legal education topics in privacy law that were approved by the CBLS. Any attorney that receives the privacy law specialization would be expected to be a specialist in these areas:

• Frameworks and standards related to privacy and data security
• International privacy compliance and international data transfers
• Data subject rights
• Online privacy policies, notices and practices
• Children’s privacy
• Financial privacy
• Health information privacy
• Educational privacy
• Employment privacy law
• Privacy laws governing advertising and marketing
• Law enforcement and privacy
• Emerging technology and privacy
• Cybersecurity and information security standards and requirements
• Data breach response, including breach notification requirements
• Privacy right of action

How Can I Become a Privacy Law Specialist?

Once the proposal receives final approval from the Board of Trustees, California-licensed attorneys will be able to apply for the Privacy Law Specialization. While the exam is being developed, the CBLS approved an alternative process by which attorneys can receive the specialization. For the first two years after the specialization is established, licensees will be able to demonstrate that they have met the following Alternative to Exam Requirements and receive the Privacy Law Specialist designation.

Proposed Alternative to Exam Requirements in Privacy Law include:

• Submit a total of at least 150 points in Task and Experience Requirement.
• Supply evidence of at least 60 hours of continuing legal education or professional education from the topics in the Privacy Law Specialist exam specifications within the 5 years preceding the end of the two-year alternative exam period.
• Provide at least 5 peer references from attorneys, clients, or judges attesting to your privacy law qualifications.

The chart below describes how each applicant can meet the Task and Experience Requirement. For each section below in which you claim 20 or more points, you must also provide a brief narrative statement summarizing your experience in that area.

1. Provided substantive written legal advice or analysis regarding regulatory compliance with privacy laws. 5 points per matter. Maximum number of points in this category: 35 points.
2. Reviewed, drafted, or negotiated data privacy terms in contracts, including outsourcing/service provider agreements or other third-party contracts. 5 points per matter or transaction. Maximum number of points in this category: 35 points.
3. Provided substantive written legal advice or analysis regarding data sharing requests or counseling on cross-border data transfers and advised on privacy-related risks. 5 points per matter or transaction. Maximum number of points in this category: 35 points.
4. Conducted data privacy due diligence involved in corporate transactions, including mergers and acquisitions, reorganization, bankruptcy, receivership, sale of assets, or transition of service to another provider. 5 points per matter or transaction. Maximum number of points in this category: 35 points.
5. Advised on policies, procedures, or processes relating to physical, technical, and administrative privacy and information security controls. 5 points per policy, procedure, or process. Maximum number of points in this category: 35 points.
6. Represented a party in litigation as its principal attorney on privacy issues where matters of privacy law are among the main contested issues. 5 points per separate litigation matter; 10 points per litigation matter if at least 500 hours are billed by the attorney on the case on privacy issues; or 15 points per litigation matter if at lest 750 hours are bills by the attorney on the case on privacy issues. Maximum number of points in this category: 65 points.
7. Represented a party in a government investigation as its principal attorney where matters of privacy law are among the main contested issues. 5 points per investigations matter; 10 points per investigations matter if at least 500 hours are billed by the attorney on the case on privacy issues; or 15 points per investigations matter if at least 750 hours are billed by the attorney on the case on privacy issues. Maximum number of points in this category: 65 points.
8. Acted as the principal attorney in devising and implementing the litigation strategy in connection with pending or threatened litigation where matters of privacy law are expected to be among the main contested issues. 5 points per litigation matter. Maximum number of points in this category: 35 points.
9. Acted as the principal attorney in devising and implementing a formal compliance program for a client following the entry of a court order, consent order, settlement, or other binding order or award against the client in any litigation or investigation matter where matters of privacy laws are among the main issues. 5 points per litigation or investigations matter. Maximum number of points in this category: 35 points.
10. Provided substantive written legal advice or analysis to conduct a data inventory or records of processing activities. 5 points per matter. Maximum number of points in this category: 35 points.
11. Provided substantive written legal advice or analysis to develop or implement external-facing privacy notices, statements or reports as required by privacy laws. 5 points per matter. Maximum number of points in this category: 35 points.
12. Provided substantive written legal advice or analysis on privacy issues for marketing, product, feature, or service delivery, such as implementing privacy by design or conducting privacy impact assessment. 5 points per matter. Maximum number of points in this category: 35 points.
13. Provided substantive written legal advice or analysis regarding data subject or consumer rights matters (e.g., access, deletion, opt-ins/opt-outs). 5 points per matter. Maximum number of points in this category: 35 points.
14. Led or participated in incident response or data breach investigation, including forensic analysis, root cause analysis, and remediation efforts, drafting, and reviewing incident reports and communications to stakeholders. 5 points per matter. Maximum number of points in this category: 35 points.
15. Assisted with breach notifications to regulators or affected individuals. 5 points per matter. Maximum number of points in this category: 35 points.

While the expectation is that attorneys in the private sector will most likely participate to earn the specialist designation, the Privacy Law Group recognized that the specialization should be available to recognize specialists who practice in government, in-house or other capacity. To the extent attorneys have experience that may not fit exactly into the listed requirements, the Task and Experience Requirements allow applicants to demonstrate substantial compliance with the requirements by submitting evidence of other experience. While the applicants need to show 150 points from the Task and Experience during the Alternative to Exam period, applicants for the specialization after the exam has been established will only need show 100 points.

How Can Attorneys Prepare To Become A Privacy Law Specialist?

The Privacy Law Specialist designation is not intended to show competence, but rather a high-level of expertise. For attorneys interested in becoming a privacy law specialist, the CLA and other organizations provide excellent education resources. In addition to the legal education requirements, specialists will need to show that they are actively practicing in this area in order to meet the recertification requirements every five years.

You can subscribe to the email list to receive meeting notifications and updates from the Privacy Law Group here: https://www.calbar.ca.gov/About-Us/Who-We-Are/Committees/California-Board-of-Legal-Specialization/Privacy-Law-Group.

How Will The Public Benefit From The California Legal Specialization In Privacy Law?

California remains the 5th largest economy in the world since 2017, with a nominal GDP of nearly $3.9 trillion in 2023, according to the U.S. Bureau of Economic Analysis. On a per capital basis, California is the second largest economy in the world. California’s tech workforce is over 1.5 million strong–more than the next two ranked states combined, according to the Computing Technology Industry Association. As emerging technologies like AI bring new legal issues to the forefront, the legal industry will be in need for specialists that can work with the tech industry in this exciting area of law.

Considering California’s outsized economic power and its position as global leader in technological innovation, California attorneys will continue to play a significant role in establishing the rules and implementing compliance programs, as well as testing and challenging the industry’s compliance with privacy expectations. This new Legal Specialization in Privacy Law will help the public search for and identify certified specialists in the area of privacy law. The Certified Specialist Search is available here: https://apps.calbar.ca.gov/members/ls_search.aspx