California State Bar Approves Privacy Law Specialization; Certifications Begin January 1, 2027 with a Two-Year Grandfather Window

California Legal News — State Bar regulatory update; not a summary of a published court opinion.

Action: Approval of Proposed Standards for Certification and Recertification in Privacy Law, creating a new attorney specialty area under the Legal Specialization Program
Approving Body: The State Bar of California, Board of Trustees (on the recommendation of the California Board of Legal Specialization and following a 90-day public-comment period)
Vote Date: 2026-05-14
Standards Effective: 2027-01-01 (Legal Specialization Program begins accepting applications)
Grandfather Window Closes: 2028-12-31 (after which all candidates must pass the written specialization exam; first exam administration anticipated October 2029)
Sources: California Lawyers Association — Privacy Law Section announcement; State Bar of California — Proposed Standards for Certification and Recertification in Privacy Law
Source: Mirrored from lexcalifornia.com

What Happened

At its May 14, 2026 meeting, the State Bar of California Board of Trustees approved the standards that establish Privacy Law as a recognized specialty under the State Bar’s Legal Specialization Program. It is the first new specialty the Bar has added in more than twenty years. The standards take effect on January 1, 2027, when the Legal Specialization Program will begin accepting applications for certification as a Privacy Law Specialist. Certified specialists will be permitted to hold themselves out as such in marketing and communications, joining the existing certified-specialist categories (appellate, criminal, family, immigration and nationality, taxation, estate planning/trust and probate, workers’ compensation, franchise and distribution, and legal malpractice law).

How an Attorney Becomes Certified

From January 1, 2027 forward, the standard pathway requires four pieces, all measured against the five years preceding the application:

Task-based experience. A minimum of 100 points across fifteen qualifying task categories, with point caps designed to require diverse exposure across the field. The categories include regulatory-compliance counseling (cap of 35 points), contract drafting and negotiation (35), privacy due diligence in transactions (35), incident-response work (35), and privacy litigation representation (cap of 65, reflecting the time involvement litigation matters typically require). Most individual matters earn five points.
Education. Forty-five hours of approved privacy-law-specific continuing legal education within the three years before application.
Peer/client references. The standard pathway requires references attesting to the applicant’s substantial involvement in privacy law.
Written exam. A specialization-specific written examination is required. The first administration is anticipated for October 2029.

The Two-Year Grandfather Window (Jan. 1, 2027 – Dec. 31, 2028)

For the first two calendar years that the program is open, an alternative pathway lets qualifying attorneys certify without sitting for the written exam. The trade-off is heavier experience and education requirements:

150 task-experience points in the five years preceding the application (50% more than the standard pathway).
60 hours of approved privacy-law-specific CLE (45 hours from the regular CLE allotment plus 15 additional hours drawn from the subject categories that will eventually appear on the exam specifications).
Five peer references from attorneys, clients, or judges.

After December 31, 2028, the alternative pathway closes and the written exam becomes mandatory.

What “Privacy Law” Covers

The standards define the specialty broadly to track how privacy practice has actually developed. The subject-matter scope encompasses professional responsibility and ethical obligations around data and AI; the principal privacy and AI principles (notice, consent, access, accuracy, security, accountability, data minimization, and nondiscrimination); data collection, including third-party sources and data brokers; permissible use, deidentification, and targeted advertising; data security including the CIA triad, access controls, and breach management; data sharing, service-provider relationships, and cross-border transfers; and technology-specific privacy concerns across adtech, AI, autonomous vehicles, biometrics, cloud, fintech, genomics, healthtech, IoT, neural and brain-computer interfaces, blockchain/NFTs, robotics, social media, immersive and metaverse technologies, and wearables. The breadth of the scope is deliberate — the State Bar’s consulting group built the framework to be durable as new technologies emerge rather than tied to today’s headline statutes alone.

Recertification

Certification runs in five-year cycles. To recertify, a specialist must demonstrate either 100 points of qualifying privacy law work during the preceding cycle or file a sworn statement of continued substantial involvement, plus 60 hours of approved privacy-law-specific education.

How This Came Together

The standards were the product of a multi-year process. The California Board of Legal Specialization first recommended creating a Privacy Law specialty in 2021. A Consulting Group on Privacy Law Specialization was established in September 2021 and chaired by Jeewon Kim Serrato, founding chair of the California Lawyers Association’s Privacy Law Section. The group consulted with the International Association of Privacy Professionals and the CLA Privacy Law Section’s Executive Committee, among others, in drafting the standards. The State Bar’s Board of Trustees authorized circulation for public comment at its May 22–23, 2025 meeting, and the 90-day public comment period closed September 11, 2025. The May 14, 2026 vote of the Board of Trustees was the final approval step.

What’s Next

Practitioner planning, now – end of 2028. Privacy practitioners who would qualify for the grandfather pathway should begin assembling task-point records, CLE documentation, and peer/client reference lists in advance of the January 1, 2027 application opening. Documentation that pre-dates the program is allowed within the five-year look-back.
Exam-track timing, 2029 forward. Candidates who apply in 2027–2028 but cannot complete certification under the alternative pathway, and all candidates from January 1, 2029 onward, will be on the written-exam track. The first exam administration is anticipated for October 2029.
Marketing and law-firm practice implications. Once the first wave of specialists is certified in 2027, expect rapid adoption in law-firm bios, RFP responses, and panel-counsel applications, particularly in heavily regulated sectors (financial services, healthcare, adtech, life sciences) that have used IAPP credentials as the closest available proxy. The new specialization is the first state-bar-issued credential in this area in California.
Recertification cycle. The first cohort certified in 2027 will face their first recertification deadline in 2032.

Notes

This post summarizes a regulatory action by a California state agency (the State Bar). No court decision is involved. Material is drawn from the California Lawyers Association Privacy Law Section’s published announcement and from the State Bar’s own publication of the Proposed Standards. Specific point caps and CLE figures reflect the Standards as reported by the CLA; the Standards document itself (incorporated into the Legal Specialization rules upon effective date) will be the authoritative reference once published. Some secondary coverage has described California as the second U.S. state to certify privacy-law specialists; that comparison has not been independently verified for this post and is omitted.