Compliance Checklist for Law Websites: Least to Most Important

Every law firm website is an advertisement under bar rules, whether you think of it that way or not. That means the same ethics rules that govern what you can say in a TV commercial or a direct mail piece apply to every page of your site, every social media post made on behalf of your firm, and every Google ad you run.

Most lawyers know vaguely that some rules exist. Few have done a systematic audit of whether their online presence actually meets them. This checklist covers the full landscape, from low-stakes technical requirements to violations that can end careers, ordered from least to most serious consequence.

State rules vary significantly. Everything here is grounded in ABA Model Rules, which roughly 90% of U.S. jurisdictions have adopted in some form. Always verify your specific state bar's requirements, particularly for advertising (some states, including California, Florida, New York, and Texas, have substantially stricter rules than the ABA baseline).

This article is written for educational purposes and does not constitute legal advice. Consult your state bar's ethics resources or an ethics attorney for guidance specific to your jurisdiction.

  1. Cookie Notice and Privacy Disclosure

    If your website uses Google Analytics, Facebook Pixel, or any other tracking technology (and most law firm sites do), you are collecting data about visitors. Most U.S. law firms aren't directly subject to GDPR, but if any EU visitors reach your site, GDPR's cookie consent requirements technically apply. More practically, California's CCPA applies to businesses collecting personal data from California residents, and your website almost certainly collects it.

    At minimum, your site should disclose what data is collected and how it is used. A simple privacy policy page covering analytics, contact form data, and any third-party tools you use satisfies most requirements. Full cookie consent banners are generally required only if you have significant EU traffic or are based in California with over 100,000 annual site visitors.

    Potential consequences: GDPR fines can reach €20 million or 4% of global annual turnover for egregious violations, though enforcement against small U.S. firms is rare. CCPA enforcement by the California Attorney General has focused on larger businesses. The practical risk for most solo practitioners is low but non-zero, and a privacy policy costs nothing to add.

  2. HTTPS and Basic Website Security

    Your website must be served over HTTPS, not HTTP. This is no longer optional in any meaningful sense. Browsers actively flag HTTP sites as "Not Secure," Google penalizes them in rankings, and more importantly, any data submitted through an unencrypted connection (contact forms, intake questionnaires, anything) is transmitted in plain text and can be intercepted.

    For a law firm, transmitting client communications over an unencrypted connection is not just a technical oversight. It is a potential violation of your duty of confidentiality under ABA Model Rule 1.6, which requires reasonable measures to prevent unauthorized disclosure of client information. TLS certificates (still commonly called SSL certificates) are free through services like Let's Encrypt and are standard on virtually all modern hosting plans.

    Potential consequences: Bar discipline for confidentiality violations, civil liability if client data is intercepted, and loss of search engine visibility. An unencrypted law firm site in 2026 is an ethics exposure waiting to happen.

  3. Contact Information and Attorney Identification

    Under ABA Model Rule 7.2, all advertising must include the name and contact information of at least one lawyer or law firm responsible for the content. Your website is advertising. That means every page (or at minimum, the site as a whole) must clearly identify the responsible attorney or firm, along with a physical address and phone number.

    This requirement extends to social media profiles and Google Ads. A Facebook page for your firm with no identifying attorney information, or an ad that promotes your services without disclosing who is responsible for it, violates this rule in most jurisdictions. Some states, including New York, require this identification on every individual page of advertising material, not just on a contact page.

    Potential consequences: Bar disciplinary action ranging from informal admonishment to formal reprimand. Usually addressed through a compliance notice, but repeated or willful violations escalate.

  4. Advertising Record Retention

    Many lawyers are surprised to learn that bar rules in most jurisdictions require them to retain copies of all advertising materials for a specified period, typically two to three years from the date of dissemination. This includes website pages, social media posts made on behalf of the firm, email campaigns, Google Ads, and any other marketing communication.

    New York is among the strictest, requiring a one-year retention period for digital advertising specifically, and three years for other forms. Texas requires advertisers to submit certain materials to the State Bar's Advertising Review Committee before or concurrent with their use, along with a filing fee. Florida has its own pre-review submission requirements for targeted direct communications.

    In practice, this means screenshotting or archiving your website periodically, keeping records of ads you've run, and documenting when each was published and taken down. Few solo practitioners do this, and few state bars actively audit it, but the requirement exists and noncompliance is a technical violation.

    Potential consequences: Bar discipline, typically informal, for failure to maintain records. More practically, if a complaint is filed against you related to advertising, failure to produce records significantly weakens your defense.

  5. Google Ads Compliance

    Running Google Ads for your law firm requires navigating two overlapping sets of rules: Google's own advertising policies and your state bar's advertising rules. Failing either can result in your ads being disapproved, your account suspended, or a bar complaint.

    Google prohibits misleading claims, guaranteed outcomes, and certain sensitive targeting for legal matters. Personal injury and criminal defense ads cannot use personalized audience targeting based on users' personal hardships or traumatic experiences: you can target users actively searching for an attorney, but not users who were recently in an accident. Pharmaceutical and drug-related case advertising triggers Google's healthcare content restrictions, even though you're advertising legal services, not drugs.

    Your state bar's rules apply equally to Google Ads as to any other advertising. Claims must be truthful, results-based language must include appropriate disclaimers, and the responsible attorney must be identified. Some states require that ads targeted to specific geographic areas or practice areas include jurisdictional disclosures. Ads must be retained as records under your state's advertising retention rules.

    Potential consequences: Google account suspension cutting off your advertising entirely. Bar discipline for rule violations in ad content, treated identically to violations in any other advertising medium.

  6. Social Media Compliance

    Everything your state bar says about advertising applies to social media posts made on behalf of your firm. A Facebook post promoting your services, a LinkedIn article describing your case results, an X post about your practice areas: all of it is advertising subject to the same rules as a billboard or TV spot.

    This means social media posts cannot be false or misleading, cannot imply guaranteed outcomes, must identify the responsible attorney where required, and must comply with testimonial and results rules if you share client success stories. You are also responsible for advertising rules violations committed by anyone posting on your firm's behalf, including staff, marketing agencies, and contractors. ABA Model Rule 5.3 requires you to supervise non-lawyers working for your firm and ensure their conduct is compatible with your ethical obligations.

    Responding to reviews online also carries ethics implications. You cannot reveal confidential client information in your response, even to defend yourself against a negative review. The standard guidance is to respond professionally without disclosing anything about the representation.

    Potential consequences: Bar discipline for advertising violations, potential confidentiality breaches if client information is disclosed in review responses. Reputational damage from non-compliant or unprofessional social media conduct.

  7. Review and Testimonial Solicitation Rules

    Asking clients for reviews is generally permitted, but the rules around how you ask, what you can offer, and how you use the results are more complicated than most lawyers realize.

    Under ABA Model Rule 7.2, lawyers cannot give anything of value to a person for recommending their services. This means you cannot offer discounts, gift cards, referral fees, or any other incentive in exchange for a positive review or a client referral. A thank-you note or token gift of nominal value given purely as appreciation (not contingent on a review) occupies a gray area that varies by jurisdiction, but anything that could be construed as payment for a recommendation is prohibited.

    Testimonials are permitted under the ABA Model Rules but are regulated. They cannot create unjustified expectations, must not be false or misleading, and in many states must include a disclaimer that past results do not guarantee similar outcomes. Some states, including California, have historically been more restrictive about testimonials entirely. If you display client reviews on your website, each individual testimonial should carry an appropriate disclaimer in its immediate context, and a single footer disclaimer covering all testimonials generally does not satisfy the requirement.

    You also cannot ask a current client for a review while the representation is ongoing in a way that could be seen as coercive or that might affect the client's judgment about continuing the relationship.

    Potential consequences: Bar discipline for prohibited referral payments or misleading testimonials. Complaints from clients who feel pressured. FTC disclosure requirements if reviews involve any form of compensation, which could also implicate bar rules simultaneously.

  8. Jurisdictional and Geographic Disclosures

    Your website is accessible everywhere, but your license is not. ABA Model Rule 7.2 requires advertising to identify the jurisdictions where you are licensed to practice. If a potential client in a state where you are not licensed contacts you based on your website and relies on that contact to their detriment, you face unauthorized practice of law exposure in addition to advertising rule violations.

    Geographic disclosures belong in your footer, on your contact page, and in your attorney biography. For national ad campaigns, language clarifying that you are licensed only in specific states and that you may associate with local counsel for matters in other jurisdictions is both a compliance requirement and a practical tool for managing client expectations. Some states require this language even in geographically targeted local ads, particularly if your practice area attracts out-of-state clients.

    Potential consequences: Unauthorized practice of law complaints in states where you are not licensed. Bar discipline in your home jurisdiction for advertising that does not comply with jurisdictional disclosure requirements. Civil liability if an out-of-jurisdiction client relies on your representation to their detriment.

  9. Specialization and Certification Claims

    Under ABA Model Rule 7.2, a lawyer may not state or imply that they are a specialist or expert in a field unless they have been certified by an organization accredited by the ABA or approved by their state bar's authority. The words "specialist," "expert," and "board certified" are protected terms that require formal certification behind them.

    This trips up lawyers constantly, particularly on websites and social media profiles. Describing yourself as a "criminal defense specialist" when you have practiced criminal defense for twenty years but hold no formal certification violates the rule. You may say you "focus on," "concentrate in," or "limit your practice to" a specific area. You may not claim specialization you haven't earned through an accredited certification program.

    If you do hold valid certifications, you must identify the certifying organization by name. "Board Certified" alone is insufficient: it must read "Board Certified in Criminal Trial Law by the [Name of Organization]." Vague or unattributed certification claims are treated the same as false specialization claims in most jurisdictions.

    Potential consequences: Bar discipline, typically a formal reprimand for first violations. In egregious cases or repeat violations, suspension. The FTC has also signaled interest in false credentialing claims by professionals generally, adding a potential federal layer.

  10. Truthful Advertising Under ABA Model Rule 7.1

    ABA Model Rule 7.1 is the foundational advertising rule: all communications about your services must be truthful and not misleading. This sounds obvious, but violations are far more common than most lawyers recognize, and intent is irrelevant: an inadvertently misleading statement violates the rule just as much as a deliberate one.

    Common violations include describing yourself as "the best" or "highly qualified" without factual substantiation, implying you have a connection to a government agency or court, using phrases like "we win" that imply guaranteed outcomes, and displaying awards or ratings from pay-to-play services without disclosing their commercial nature. The rule prohibits not just false statements but also technically true statements that create a misleading overall impression, and a carefully worded half-truth is still a violation.

    This rule applies uniformly across your website, social media, Google Ads, directory listings, email signatures, and any other communication made on behalf of your firm. It extends to everything your marketing agency or staff produces on your behalf.

    Potential consequences: Bar discipline ranging from informal admonishment to suspension depending on severity and intent. Repeated violations or deliberate deception can result in disbarment proceedings. Civil liability for deceptive advertising under state consumer protection laws is also possible independent of bar discipline.

  11. Results and Case Outcome Disclaimers

    Advertising past results (verdicts, settlements, case outcomes) is one of the most effective marketing tools available to law firms and one of the most frequently misused. The core rule is that past results cannot imply that similar results are available to prospective clients. Every jurisdiction that permits results-based advertising requires some form of disclaimer making clear that prior outcomes do not guarantee future results.

    The disclaimer must appear in context, adjacent to the result being advertised, not buried in a footer or on a separate disclaimer page. A "$2 million verdict" headline requires its disclaimer immediately below it, not on a separate terms page three clicks away. The specific language required varies by state: some mandate exact phrasing, others permit reasonable variations as long as the disclaimer is clear and conspicuous.

    Some states go further. Florida requires that results-based advertising include additional context about the facts of the case. Missouri historically required disclosure that advertising should not be the sole basis for selecting an attorney. Check your state's specific rules before running any results-based campaign.

    Potential consequences: Bar discipline for advertising violations, including formal reprimand and suspension for repeated or willful noncompliance. Client complaints from prospective clients who feel misled by advertised results that don't reflect their outcome.

  12. ADA and WCAG Accessibility Compliance

    The Department of Justice has made clear that the ADA applies to business websites as places of public accommodation. Courts have consistently ruled against businesses with inaccessible websites, and the volume of accessibility lawsuits has increased significantly year over year, with over 5,000 digital accessibility cases filed in 2025 alone. The irony of a law firm (particularly one representing plaintiffs or doing civil rights work) operating an inaccessible website is not lost on plaintiffs' attorneys.

    The technical standard courts and the DOJ apply is WCAG 2.1 Level AA, which covers requirements including keyboard navigation, sufficient color contrast, alt text for images, accessible form labels, captioned video, and screen reader compatibility. Automated scanning tools like WAVE or Lighthouse catch roughly 30-40% of issues, and the remainder require manual testing. Accessibility overlay widgets do not provide compliance and may actually increase lawsuit risk by signaling that you know the site has issues.

    Potential consequences: ADA lawsuits with average settlements around $52,000, plus attorney fees. DOJ civil penalties of up to $75,000 for a first violation and $150,000 for repeat violations. Reputational harm that is particularly costly for a law firm.

  13. Prospective Client Confidentiality and the No Attorney-Client Relationship Disclaimer

    Under ABA Model Rule 1.18, you owe duties to prospective clients (people who discuss the possibility of representation with you) even when you never agree to take their case. Those duties include confidentiality and conflict-of-interest obligations. Information someone shares through your contact form or intake questionnaire may trigger these duties even before any engagement letter is signed.

    The practical consequence is that information submitted through your website could be confidential, potentially preventing you from representing adverse parties in related matters. Without clear disclaimers, a visitor who fills out your contact form describing their legal situation may reasonably believe they have established a confidential relationship with you.

    Your disclaimer needs to appear before any contact form, chat feature, or case evaluation tool, and must clearly state that no attorney-client relationship is created by submitting information, that the information is not confidential, and that submission does not prevent you from representing adverse parties. This disclaimer must be visible before the visitor begins entering information: a post-submission notice is legally insufficient.

    Potential consequences: Disqualification from representing clients in matters where a prospective client previously shared confidential information through your website. Bar discipline for confidentiality violations. Malpractice liability if a prospective client relied on the existence of an attorney-client relationship and acted to their detriment. This is the category that most directly affects your ability to practice.

  14. Direct Solicitation Prohibitions

    ABA Model Rule 7.3 prohibits live, person-to-person solicitation of prospective clients when a significant motive is financial gain and the prospective client has not initiated contact. This prohibition extends beyond cold calls to any live contact (in-person, telephone, or real-time electronic communication) with someone you know or reasonably should know needs legal services in a specific matter.

    In the digital context, this means your firm's chatbot or live chat feature cannot be used to proactively initiate legal services solicitations with visitors who haven't reached out first. It means your marketing company cannot cold-call accident victims on your behalf. It means your staff cannot contact someone who submitted a general inquiry and use that contact as an opportunity to pitch your services on a specific matter they haven't raised.

    Written solicitations (email, direct mail) are generally permitted under the model rules but must be labeled "Advertising Material" when targeted to someone known to need legal services in a particular matter. Many states require these solicitations to be filed with the state bar. Some states prohibit any solicitation of personal injury or wrongful death plaintiffs within a certain number of days of the incident.

    You remain responsible for solicitation conducted on your behalf by anyone you supervise or direct. If your marketing agency is cold-calling potential clients, the violation is yours.

    Potential consequences: Bar discipline up to and including suspension for willful or repeated solicitation violations. Some jurisdictions treat solicitation violations as among the most serious advertising ethics offenses because of the potential for overreaching and undue influence. The rule exists specifically to protect vulnerable people (accident victims, recently arrested individuals, those in the middle of personal crises) from being pressured into retaining counsel before they can think clearly.

Keeping Your Compliance Current

This checklist covers the landscape as of 2026, but ethics rules evolve. State bars issue new opinions, courts expand interpretations, and digital practices create compliance questions that existing rules never anticipated. What was fully compliant when your website was built two years ago may not be today.

The lawyers most at risk are not the ones deliberately cutting corners: they're the ones who set up their websites, ran their ads, and never looked back. Periodic review of your online presence against current rules is part of practicing responsibly in a digital age.

Most solo practitioners and small firms don't have time to stay current on advertising ethics on top of everything else. That's one of the practical arguments for having a professional webmaster who understands the legal industry: someone who flags when your site's disclaimers need updating, when new accessibility standards apply, or when a practice you've been using has become a compliance problem. Not a substitute for ethics counsel, but a first line of awareness that most lawyers currently don't have.