HB Ad Slot
HB Mobile Ad Slot
Does the CCPA require a law firm to respond to an access request that seeks personal information that it obtained from its client?
Saturday, January 2, 2021

The CCPA states that the “obligations imposed on businesses by Sections 1798.110 to 1798.135 [of the CCPA], inclusive, shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law . . . .”[1] The exception does not appear to apply to the obligations imposed by Section 1798.100 of the CCPA.

Section 1798.100 currently contains within it a requirement that a business must, in response to an access request, “provide” to a consumer “specific pieces of personal information the business has collected” about the individual.[2] Although the CPRA amended Section 1798.100 by removing the obligation to provide personal information pursuant to an access request, the amendment does not become operative until Jan. 1, 2023.

The net result is that the portion of the CCPA that discusses exemptions for privileged materials may not directly prevent a California resident from requesting that a law firm disclose privileged information that relates to the California resident. Until the CPRA’s amendments take effect, a law firm that receives an access request that seeks privileged information should consider one, or more, of the following alternative grounds upon which to refuse the request:

  • The CCPA states that it shall not restrict a business’s ability to “[e]xercise or defend legal claims.”[3] The forced disclosure of privilege information would interfere with the law firm’s ability to defend the legal claims of its clients, and the law firm’s clients’ ability to exercise or defend its own claims through the assistance of the law firm.

  • If a law firm’s contract with its client meets the statutory definition of a service provider under the CCPA, the regulations implementing the CCPA permit the law firm to refuse an access request by informing the requesting consume that “the request cannot be acted upon because the request has been sent to a service provider.”[4]


[1] Cal. Civ. Code § 1798.145(b).

[2] Cal. Civ. Code § 1798.100(a), (c), (d) (Oct. 2020).

[3] Cal. Civ. Code 1798.145(a)(5).

[4] CCPA Reg. 999.314(e). See also FSOR Appendix A at 174 (Response 539).

HTML Embed Code
HB Ad Slot
HB Ad Slot
HB Mobile Ad Slot
HB Ad Slot
HB Mobile Ad Slot
 
NLR Logo
We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins