Does CCPA Require a Law Firm to Respond to Client Information Req

David A. Zetoony

Email

303.685.7425

Bio and Articles

Find Your Next Job !

Commercial Real Estate Transactional Attorney / Real Estate Lawyer
On Balance Search Consultants

Trusts & Estates Partner / Senior Attorney
On Balance Search Consultants

Chief Operating Officer / Business Manager
On Balance Search Consultants

Legal Support Specialist
Greenberg Traurig, LLP

Litigation Paralegal
Greenberg Traurig, LLP

Litigation Legal Support Specialist
Greenberg Traurig, LLP

Trusts & Estates Attorney / Estate Planning Lawyer
On Balance Search Consultants

Explore More Job Openings

Does the CCPA require a law firm to respond to an access request that seeks personal information that it obtained from its client?

by: David A. Zetoony of Greenberg Traurig, LLP - Data Privacy Dish

Saturday, January 2, 2021

Print Mail Download info_icon_img

/>i

The CCPA states that the “obligations imposed on businesses by Sections 1798.110 to 1798.135 [of the CCPA], inclusive, shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law . . . .”^[1]The exception does not appear to apply to the obligations imposed by Section 1798.100 of the CCPA.

Section 1798.100 currently contains within it a requirement that a business must, in response to an access request, “provide” to a consumer “specific pieces of personal information the business has collected” about the individual.^[2] Although the CPRA amended Section 1798.100 by removing the obligation to provide personal information pursuant to an access request, the amendment does not become operative until Jan. 1, 2023.

The net result is that the portion of the CCPA that discusses exemptions for privileged materials may not directly prevent a California resident from requesting that a law firm disclose privileged information that relates to the California resident. Until the CPRA’s amendments take effect, a law firm that receives an access request that seeks privileged information should consider one, or more, of the following alternative grounds upon which to refuse the request:

The CCPA states that it shall not restrict a business’s ability to “[e]xercise or defend legal claims.”^[3]The forced disclosure of privilege information would interfere with the law firm’s ability to defend the legal claims of its clients, and the law firm’s clients’ ability to exercise or defend its own claims through the assistance of the law firm.
If a law firm’s contract with its client meets the statutory definition of a service provider under the CCPA, the regulations implementing the CCPA permit the law firm to refuse an access request by informing the requesting consume that “the request cannot be acted upon because the request has been sent to a service provider.”^[4]

_{[1] Cal. Civ. Code § 1798.145(b).}

_{[2] Cal. Civ. Code § 1798.100(a), (c), (d) (Oct. 2020).}

_{[3] Cal. Civ. Code 1798.145(a)(5).}

_{[4] CCPA Reg. 999.314(e). See also FSOR Appendix A at 174 (Response 539).}