Are law firms considered businesses or service providers of the personal information that they receive from clients as part of a representation?

It depends.

If a written contract between a law firm and its client (e.g., an engagement letter) prohibits the law firm from using, retaining, and disclosing personal information except to the extent permitted by the client, the law firm may be a “service provider” under the CCPA.  The CPRA amended the CCPA’s definition of service provider such that, beginning on January 1, 2023, the contract between a law firm and its client may also need to include provisions prohibiting the sale or sharing of personal information, and the combination of personal information between and among clients of the law firm.

The net result is that if a law firm has a written contract that satisfies the requirements of being a service provider under the CCPA, the law firm may be considered a service provider; if the law firm does not have a written contract that satisfies the requirements of a service provider under the CCPA, the law firm may be considered a third party or a business.

As a comparison, under the European GDPR the Article 29 Working Party, the predecessor to the European Data Protection Board, took the position that if a vendor has a “traditional role and professional expertise” that requires it to determine the purpose and means of processing, that independent expertise may convert the vendor into a controller.  The Working Party specifically noted that in situations in which a “barrister represents his/her client in court, and in relation to this mission, processes personal data related to the client’s case” the barrister is a controller.¹  The Working Party’s rationale may be that the instruction that a client provides to their attorney is not necessarily to process data, but, rather, to represent the client’s interest before a court.  Because the processing of data is an ancillary function that is wholly (or partially) determined by the attorney independent from the client, the attorneys’ processing should be conceptualized as that of a controller.  The United Kingdom’s Information Commissioner’s Office reached a similar conclusion in the context of discussing whether a solicitor is a processor or a controller.  The ICO suggested that an attorney that functions as a solicitor should be considered a controller in the following situations:

• Advising clients as to legal rights vis-a-vis data subjects. An attorney should be considered a controller when he or she receives personal data about a third party in order to advise the client concerning its rights vis-a-vis the third party (e.g., a client shares personal data about a former salesman that stole client information).²

• Client defers to attorney concerning use of data. An attorney should be considered a controller when a client has “little understanding of the process the solicitors will adopt or how they will process the personal data” during the course of providing a representation.³

It is unclear whether a California court interpreting the CCPA would find the European interpretation of law firms as controllers relevant when interpreting the CCPA.

Are all businesses required to train their employees, or just those that collect large quantities of personal information?

The regulations implementing the CCPA discuss the education of employees regarding CCPA related responsibilities in two sections:

Some businesses expressed confusion to the California Attorney General as to whether, when read together, the above requirements only require a business to train employees if the business processes personal information about more than 10 million consumers.  The Attorney General clarified that ‘[a]ll businesses have the responsibility of ensuring that all individuals responsible for handling consumer inquiries about the CCPA” are “informed” of the requirements in the CCPA, but that only businesses that process high volumes of personal information are required to document a formal training policy.⁴

Are businesses required to train their employees about the CCPA?

The CCPA does not explicitly reference the requirement to train employees, but it does require that:

All individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with this title are informed [concerning the CCPA’s requirements] . . . and how to direct consumers to exercise their rights under those sections.”⁵

The California Attorney General repeated the above requirement to “inform” certain employees in the regulations that were promulgated pursuant to the CCPA,⁶ and further specified that if a business processes information about more than 10 million Californians in a calendar year it should “[e]stablish, document, and comply with a training policy to ensure that all individuals responsible for handling consumer requests made under the CCPA or the business’s compliance with the CCPA are informed of all the requirements in these regulations and the CCPA.⁷ The CPRA does not modify, or expand, the requirement to “inform” or “train” employees.

The language utilized by the CCPA and the regulations implementing the CCPA introduces some ambiguity as to whether training should be directed at only those individuals that are responsible for handling consumer inquires about (1) the business’s privacy practices or (2) the business’s compliance with this title, or whether training should be directed at those individuals that (1) handle consumer inquiries about the business’s privacy practice or (2) handle any of the business’s compliance activities in connection with the title.  The former interpretation would lead companies to focus training on those employees that interact with consumers (e.g., customer service); the latter interpretation might require companies to train a broader group of employees (e.g., IT, human resources, operations, marketing, etc.).

The California Attorney General was asked to clarify the scope of employees that must be trained under the statute and the regulation.  The Attorney General responded by confirming that the first interpretation above is correct and that “[t]he regulation does not state that the business has to train all employees but all individuals responsible for handling consumer inquiries about the business’s privacy practices or the business’s compliance with the CCPA.”⁸  He further explained that the purpose of the regulation is to “ensure that the individuals responsible for handling consumer inquiries . . . can appropriately respond to inquiries.”⁹

Even if not strictly required, training employees who are not directly responsible for responding to consumer inquiries can be a useful tool.  Because the CCPA introduces new rights for consumers, applies to an broad definition of personal information, and imposes various restrictions and obligations on businesses, educating and training employees can provide the necessary foundation to help businesses avoid inadvertently violating the CCPA and the regulations.

Does the CCPA adopt a specific standard for deidentifying information?

No.

The CCPA defines “deidentified” data as information that “cannot reasonable identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer.”¹⁰  A number of individuals and entities requested that the Office of the California Attorney General provide guidance as to what steps should be taken to properly deidentify information sufficient to remove it from the scope of the CCPA.¹¹  The Attorney General declined to provide guidance stating only that “[p]rescribing steps that should be taken to properly deidentify information may not best address the CCPA definitions and all the different methods for complying with the CCPA definitions.”¹² It further advised that business should “consult with an attorney who is aware of all pertinent facts and relevant compliance concerns” when attempting to determine whether information would likely be considered “deidentified.”¹³

Did the CPRA expand the scope of the private right of action?

Marginally.

Section 1798.150 of the CCPA permits consumers to “institute a civil action” if consumer “personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure,” and where that unauthorized access was “a result of the business’s violation” of a duty to “implement and maintain reasonable security procedures and practices . . . .” ¹⁴

The CPRA did not expand the private right of action beyond the context of data security breaches, but, as of January 1, 2023, the categories of personal information about which a data breach lawsuit can be brought will expand to include email address in combination with a password or security question that would permit access to an email account.¹⁵

The following provides a complete list of the types of data for which data breach litigation is permitted under the CCPA as of January 1, 2020, and for which data breach litigation will be permitted under the CPRA as of January 1, 2023:¹⁶

Does the $25 million threshold to be considered a business refer to revenue generated in the state of California or worldwide?

In order for an entity to be considered a business, and hence regulated by the CCPA, it must satisfy at least one of three thresholds. One such threshold is whether the business has “annual gross revenue in excess of twenty-five million dollars.”¹⁷

The CCPA does not specify whether the gross revenue threshold refers to revenue generated by a business in the state of California, or revenue generated by a business from any location. The Office of the Attorney General was asked to clarify how businesses should compute their gross revenue and, in response, indicated that the CCPA “does not limit the revenue threshold to revenue generated in California or from California residents.” The Attorney General further refused to consider regulations which would limit the revenue calculation to California stating that “[a]ny proposed change to limit the threshold to revenue generated only in California or from California residents would be inconsistent with the CCPA.”¹⁸

Footnotes

1 Article 29 Data Protection Working Party, WP169: Opinion 1/2010 on the concepts of ‘controller’ and ‘processor” at 28 (Feb. 16, 2010).

2 UK ICO, “Data Controllers and Data Processors: What the Difference Is and What the Governance Implications Are” at 12-13.

3 Id.  In Germany the national Council of Data Protection Commissioners (Datenschutzkonferenz) took a similar position and confirmed that attorneys act as controllers when processing personal data of their clients.  Datenschutzkonferenz, Kurzpapier Nr. 13, Auftragsverarbeitung, Art. 28 DS-GVO (16 January 2018), www.lda.bayern.de/media/dsk_kpnr_13_auftragsverarbeitung.pdf, p.4.

4 FSOR Appendix A at 234 (Response 682).

5 Cal. Civ. Code 1798.130(a)(6); 135(a)(3) (emphasis added).

6 CCPA Reg. 999.317(a).

7 CCPA Reg. 999.317(g)(3).

8 FSOR Appendix A at 215 (Response 634)

9 FSOR Appendix A at 215 (Response 636).  See also FSOR Appendix A at 233 (Response 681).

10 Cal. Civ. Code 1798.140(h).

11 FSOR, Appendix A at 152 (Responses 477, 478).

12 FSOR, Appendix A at 152 (Response 477).

13 FSOR, Appendix A at 152 (Response 477).

14 Cal. Civ. Code 1798.150(a)(1).

15 CPRA 1798.150(A)(1)(.

16 CPRA Section 31(a).

17 Cal. Civil Code 1798.140(c)(1)(A) (Oct. 2020).

18 FSOR Appendix A at 1 (Response 5).