March 2, 2021

Volume XI, Number 61

Advertisement

March 02, 2021

Subscribe to Latest Legal News and Analysis

March 01, 2021

Subscribe to Latest Legal News and Analysis

Do Law Firms Have to Respond to Access Requests that Seek Personal Information Obtained from Clients?

As plaintiffs’ attorneys continue to experiment with ways to utilize the California Consumer Privacy Act (CCPA) to obtain quasi-discovery, questions exist whether they may attempt to leverage the obligations imposed by the CCPA on law firms. While the CCPA states that the “obligations imposed on businesses by Sections 1798.110 to 1798.135 [of the CCPA], inclusive, shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law ,”[1] it is important to note that the exception does not appear to apply to the obligations imposed by Section 1798.100 of the CCPA. That omission is relevant because Section 1798.100 contains within it a requirement that a business must, in response to an access request, “provide” to a consumer “specific pieces of personal information the business has collected” about the individual.[2] The net result is that the portion of the CCPA that discusses exemptions for privileged materials may not directly prevent a California resident from requesting that a law firm disclose privileged information that relates to the California resident. A law firm that receives an access request that seeks privileged information should consider one, or more, of the following alternative grounds upon which to refuse the request:

  • The CCPA states that it shall not restrict a business’s ability to “[e]xercise or defend legal claims.”[3] The forced disclosure of privileged information would interfere with the law firm’s ability to defend the legal claims of its clients, and the law firm’s clients’ ability to exercise or defend its own claims through the assistance of the law firm.

  • If a law firm’s contract with its client meets the statutory definition of a service provider under the CCPA, the regulations implementing the CCPA permit the law firm to refuse an access request by informing the requesting consume that “the request cannot be acted upon because the request has been sent to a service provider.”[4]

It is important to note that the gap within the evidentiary privilege exception in the CCPA was addressed by the California Privacy Rights Act (CPRA), which removed from Section 1798.100 the obligation to provide personal information pursuant to an access request. The amendment does not, however, become operative until Jan. 1, 2023.


[1] Cal. Civ. Code § 1798.145(b).

[2] Cal. Civ. Code § 1798.100(a), (c), (d) (Oct. 2020).

[3] Cal. Civ. Code 1798.145(a)(5).

[4] CCPA Reg. 999.314(e). See also FSOR Appendix A at 174 (Response 539).

Advertisement
©2020 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XI, Number 15
Advertisement
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig
Shareholder

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...

303.685.7425
Advertisement
Advertisement