
Attorney’s Guide to Ethical Marketing: Alabama

This post is part of the Attorney’s Guide to Ethical Marketing, a series of posts (and eventually an eBook) that provides attorneys with a summary of key ethical rules for marketing across all fifty states, and the US territories.  If you want to be notified when your jurisdiction is covered, subscribe to The Dead Drop, my monthly newsletter covering updates from this site and beyond on marketing, law, and the psychology of persuasion.

  • Relevant Citations: Ala. RPC §§ 7.1–7.6
  • Limitations on Direct Contact with Prospective Clients (Y/N): Yes
  • Permitted Forms of Marketing
    • Traditional Media (Y/N): Yes
    • Inbound Marketing (Y/N): Yes
    • Social Media Marketing (Y/N): Yes
    • Email Marketing (Y/N): Yes
    • PPC Advertising (Y/N): Yes
  • Mandatory Language (Y/N): Yes
  • Opt-Out Requirement (Y/N): Yes
  • Retention and Record Keeping Requirement (Y/N): Yes
  • Non-Surname Branding (Y/N): Yes
  • Date of Last Revision: 2009


All printed communications must be marked as advertisements in red 14-point text and indicate the name of at least one attorney responsible for the content thereon. If a contract is included, it must be watermarked indicating that it is a sample contract. All advertisements must be sent to the Office of the General Counsel of the Alabama State Bar Association and retained on file by the advertising party for six years.


My New Series: An Attorney’s Guide to Ethical Marketing Across the United States

Beginning this week, I will be publishing a series of posts that summarize the legal rules that govern attorney marketing. This series came out of working with a client that wanted to market his law firm aggressively but was afraid the Washington Rules of Professional Conduct tied his hands. In June 2018, I prepared a guide for Washington lawyers on how they could engage in effective marketing yet still comply with the Rules of Professional Conduct. My guide was part of helping him understand that he had a lot of leeway in how he approached marketing and branding his business.

After writing the guide, I became intrigued by the question of how legislatures and courts regulated attorney marketing in the US, where there were critical differences in marketing rules across the states, and whether there were trends in attorney marketing regulations. (As you may expect, finding that sort of thing intriguing doesn’t exactly make me exciting company at a cocktail party.)  This project came out of those questions, and I hope it will help law firms asking the same questions as my client was back in the summer of 2018.

What to Expect

Each post provides a “baseball card” of sorts to lawyers looking for a quick reference on the rules governing how they can market their legal practice. It provides an easy-to-reference link to the governing law (well, laws, in the case of California), and quickly answers the following questions:

  • Can I directly reach out to potential clients in my jurisdiction?
  • Can I use traditional print, radio, and television marketing in my jurisdiction?
  • Can I use inbound marketing in my jurisdiction?
  • Can I use social media marketing in my jurisdiction?
  • Can I use pay-per-click advertising on either search engines or social media sites in my jurisdiction?
  • Do I need to include special language in attorney advertising?
  • Do I need to have an “opt-out” provision for people that don’t want to see my law firm’s ads?
  • Do I need to keep a copy of my ads for a particular length of time?
  • Do I need to use my last name as the name of my law firm, or can I make it something more memorable and appealing to clients? (As someone who grew up with a Polish surname that people found difficult to pronounce, let alone spell, I can understand this desire.)

When appropriate, each post will also provide a short commentary addressing common pitfalls and concerns related to attorney advertising.

Why Publish This Guide

As a former litigator, I understand that while any attorney worth their license could do this research themselves, they find themselves swamped with a million different responsibilities for clients to occupy their billable hours. As a result, a lot of attorneys neglect the marketing of their legal practice because it is just one more thing to do; worse, it is one more thing that happens to be rife with ethical pitfalls and compliance issues.

Marketing in highly regulated professions is a niche in which I specialize. I enjoy the challenge of combining my legal knowledge with my experience in creating psychologically compelling content that persuades people to take action. If you are interested in developing a coherent, strategic approach to marketing your business, or if you have a few questions you need answered about digital marketing, I’m happy to help. We can set up a time at your convenience to go over your questions and concerns. I promise it won’t feel like a pitch for a used car or a timeshare, and, no matter what, you will walk away with marketing intelligence you can use. Here’s a link to my schedule if you want to set something up.

Where to Find Other Posts in this Series

I plan on covering all fifty states and will include analysis and commentary as well. I will collect these posts in the Attorney’s Guide to Ethical Marketing during the process of creating this series, and then release them as a standalone eBook at its conclusion. If you want to be notified when I cover your jurisdiction, subscribe to The Dead Drop, my monthly newsletter covering updates from this site and beyond on marketing, law, and the psychology of persuasion.

Jurisdictions Covered

  • Alabama
  • Alaska
  • Arizona
  • Arkansas
  • California
  • Colorado
  • Connecticut
  • Delaware
  • Florida
  • Georgia
  • Hawaii
  • Idaho
  • Illinois
  • Indiana
  • Iowa
  • Kansas
  • Kentucky
  • Louisiana
  • Maine
  • Maryland
  • Massachusetts
  • Michigan
  • Minnesota
  • Mississippi
  • Missouri
  • Montana
  • Nebraska
  • Nevada
  • New Hampshire
  • New Jersey
  • New Mexico
  • New York
  • North Carolina
  • North Dakota
  • Ohio
  • Oklahoma
  • Oregon
  • Pennsylvania
  • Rhode Island
  • South Carolina
  • South Dakota
  • Tennessee
  • Texas
  • Utah
  • Vermont
  • Virginia
  • Washington
  • West Virginia
  • Wisconsin
  • Wyoming
  • Territories
    • American Samoa
    • District of Columbia
    • Guam
    • Northern Mariana Islands
    • Puerto Rico
    • United States Virgin Islands
  • Relevant Federal Regulations
  • Comparison with the Model Rules of Professional Conduct and ABA Guidance

Presentation for Northwest University

This is a copy of a presentation I am giving for marketing students at Northwest University in Kirkland, WA, on October 23, 2018.  Thanks go to  Professor Sarah Nelson, and to the students for their time.

Anything you say can be used against you


Digital Marketing for Washington Attorneys

Television, the Internet, and other forms of electronic communication are now among the most powerful media for getting information to the public, particularly persons of low and moderate income; prohibiting television, Internet, and other forms of electronic advertising, therefore, would impede the flow of information about legal services to many sectors of the public.

RPC 7.2 (Comment 3) (2016).

Few professions are as heavily regulated as law when it comes to advertising in the United States. However, attorneys in Washington State have a great deal of flexibility when it comes to advertising in accordance with the applicable ethics rules. See RPC 7.1–7.5. This piece addresses the Rules of Professional Conduct (RPC) applicable to digital marketing of legal services.

Under the RPC, Washington attorneys are prohibited from the following sorts of advertising:

  • advertising that misrepresents either facts or the law (RPC 7.1);
  • advertising that makes a true statement that is still misleading (RPC 7.1(2));
  • advertising that states a lawyer can reproduce past outcomes in future cases (RPC 7.1(3));
  • advertising that compares a lawyer favorably to other lawyers without justification (RPC 7.1(3));
  • advertising stating a lawyer can inappropriately influence a government official (RPC 7.1(4) and RPC 8.4(e));
  • claims of special certifications without basis and attribution (RPC 7.4); and,
  • generally, direct contact with most potential clients to seek employment (RPC 7.3).

Thus, many attorneys feel that they can engage in general television and radio advertisements, a basic website, and little else. When considering the high costs of print, radio, and television advertising, many attorneys forgo it altogether. Similarly, many avoid it because it appears cheap and schlocky.

However expensive traditional media may be for advertising, there are cost-effective options available to attorneys wishing to seek new ways to bring in potential clients.  Inbound content marketing, focusing on informative content that attracts potential litigants or other potential clients, works hand-in-hand with the algorithms that guide Google’s search engine results.  As attorneys publish more information on their practice areas, they become more likely to be found via a Google search, now the primary means that consumers search for professionals.


If you haven’t acted yet, you’re late.

Recently, I’ve been writing about the changes in privacy laws that affect businesses as a result of the European Union enacting the GDPR.  The date the law came into force was May 25, 2018, so businesses that haven’t updated their privacy policies are late.  I’ve updated my privacy and content policies.  You should too.


Preparing for the GDPR (video explanation)

Need to make sense of the European Union’s new law with global implications?  This video will help.


Businesses Should Be Ready for the GDPR Coming this May (A Lawyer’s Take)


On May 25, 2018, the European Union will begin enforcement of the General Data Privacy Regulations (GDPR).  The GDPR represents an expansive approach to protecting the privacy rights of European citizens, and has the potential to impact businesses across the globe, not just in the European Union.  The business community needs to understand the GDPR, who it affects, and how to comply with the law, lest they face costly punishment by the EU.

What is the GDPR?

The GDPR is an administrative regulation enacted by the European Parliament to protect the privacy of Europeans as it applies to data collection.  The GDPR came about, according to the Commission Implementing Decision (EU) 2016/1250 (comparable to the legislative history that accompanies the US Code), because of the European Union’s belief in “the fundamental right to respect for private life with regard to the processing of personal data, [and] also a high level of protection of those fundamental rights and freedoms.”  


Non-compliance with the GDPR's privacy rules can lead to penalties of up to 4% of a company’s global turnover or €20 million ($25 million at the time of writing), whichever is greater.


As noted by CIO, the GDPR requires that personally identifiable information is collected and processed in a manner that is lawful, fair, and transparent.  Relevant to the recent scandal involving Facebook and Cambridge Analytica, the EU permits the collection of EU citizen data only for explicit, legitimate purposes.  The GDPR requires that data collection be narrowly tailored to the collecting party’s specific needs.  It also codifies a requirement that businesses (the law carves out exceptions for data collection for non-commercial, law enforcement, and intelligence purposes) ensure that personally identifiable information only be kept as long as needed by the businesses that collect it.  Related to this point, the EU expands on the notion of the “right to be forgotten” by requiring data processors and collectors to take steps allowing for the deletion of an EU national’s data upon request.  The GDPR codifies a requirement that data be processed and stored in a fashion that is secure, and requires processors and collectors to notify EU nationals within 72 hours if there is a data breach.  The GDPR requires the appointment of Data Protection Officers responsible for the maintenance of records concerning how personally identifiable information related to EU nationals is collected, processed, secured and used, much like how Sarbanes-Oxley and other US regulations required public companies to develop ethics and compliance programs.


Why Does the GDPR matter to non-European Businesses?

While this seems innocuous, if not an admirable position to take by the EU, the underlying regulations have caused some consternation in the international community.  Partly, this is due to the extreme applicability of the GDPR.  The EU has expanded previous regulations (namely EU Directive 95/46/EC) with the GDPR to apply to all companies worldwide that process or collect data relating to EU nationals.  Thus, if a resident of Kewanee, Illinois (or Lima, Peru) has a craft business that collects personally identifiable information related to the mailing addresses of EU residents in order to ship goods to them, it is equally subject to the GDPR as British Airways or Novo Nordisk.

Being subject to the GDPR is no small matter.  The second reason the GDPR is causing unrest in the business community is the aggressive penalties included in the regulation by the EU.  Non-compliance with the GDPR can lead to penalties of up to 4% of a company’s global turnover or €20 million ($25 million at the time of writing), whichever is greater.  

The business community responded to the Commission enacting the GDPR with concerns that the GDPR reached beyond the scope of the US-EU Privacy Shield regulations and imposed the will of the EU on other sovereign nationals.  If the US Government permits enforcement of the EU regulations on US companies (a jurisdictional issue more for legal scholars), compliance with the GDPR will be costly, most of all to small to mid-sized companies that do not already have compliance programs commonly seen in Fortune 500 companies.  According to international law firm Paul Hastings LLP, compliance costs for a business are estimated to be $1 million, just for technology improvements.  Additional expenses would be incurred, such as those associated with retaining counsel to understand how to comply with the GDPR and hiring employees to maintain regulation compliance.  Writing in the Harvard Business Review, Larry Downes noted that the GDPR appeared protectionist, as it was cheaper for businesses to comply if they used European data centers rather than ones outside the EU.  Similar concerns have been raised in the Asian-Pacific market.

What should US businesses be doing in anticipation of the May enforcement deadline?

First, businesses should be aware that, regardless of the GDPR, there are already US regulations concerning the preservation of the privacy of customer personally identifiable information.  The Federal Trade Commission already enforces numerous laws and regulations pertaining to data privacy and online marketing, including (but not limited to):

If US businesses do not already have data privacy compliance plans in place, they need to do so, not just to comply with the GDPR, but also with the US privacy regulations.  

With respect to the GDPR, to summarize the hundreds of pages of regulation here would be overwhelming, both to the writer and to readers.  There are some core changes businesses can make to ensure compliance when the law is enacted in May 2018.

  • Businesses should conduct an audit under the command and control of a CISSP-certified professional (or other properly trained and certified network security professional) to identify what personally identifiable information they are collecting; 
  • Businesses should consider how they process that personally identifiable information, for what purpose, and how long they keep it; 
  • Businesses should consider whether the way they process and store data would be considered reasonably secure by a professional (or by a jury), and, if not, what steps they should take to make their data secure; 
  • Businesses should consider the processes they have in place to address requests under the GDPR’s “right to be forgotten” requirements; 
  • Businesses should consider the processes they have in place to address data breaches, including whether they can notify EU consumers of breaches within 72 hours; and,
  • Businesses should be considering whether their outsourced cloud storage providers (if they have any) are in compliance with the GDPR and FTC regulations.  


Beginning May 25, 2018, the EU’s implementation of the GDPR will have the potential to affect businesses worldwide.  Compliance with the GDPR represents a significant commitment of capital and labor for businesses, triggered if these businesses engage in practices that affect the data privacy of EU nationals.  Businesses should anticipate the implementation of the GDPR by conducting security audits and developing plans to ensure compliance and avoid liability.

Note: This article is not intended to constitute legal advice.  Always consult an attorney if you have questions or concerns regarding your obligations under the law.