October 19, 2021

Volume XI, Number 292

Advertisement
Advertisement

October 18, 2021

Subscribe to Latest Legal News and Analysis
Advertisement

Does the CCPA require a law firm to respond to an access request that seeks personal information that it obtained from its client?

The CCPA states that the “obligations imposed on businesses by Sections 1798.110 to 1798.135 [of the CCPA], inclusive, shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law . . . .”[1] The exception does not appear to apply to the obligations imposed by Section 1798.100 of the CCPA.

Section 1798.100 currently contains within it a requirement that a business must, in response to an access request, “provide” to a consumer “specific pieces of personal information the business has collected” about the individual.[2] Although the CPRA amended Section 1798.100 by removing the obligation to provide personal information pursuant to an access request, the amendment does not become operative until Jan. 1, 2023.

The net result is that the portion of the CCPA that discusses exemptions for privileged materials may not directly prevent a California resident from requesting that a law firm disclose privileged information that relates to the California resident. Until the CPRA’s amendments take effect, a law firm that receives an access request that seeks privileged information should consider one, or more, of the following alternative grounds upon which to refuse the request:

  • The CCPA states that it shall not restrict a business’s ability to “[e]xercise or defend legal claims.”[3] The forced disclosure of privilege information would interfere with the law firm’s ability to defend the legal claims of its clients, and the law firm’s clients’ ability to exercise or defend its own claims through the assistance of the law firm.

  • If a law firm’s contract with its client meets the statutory definition of a service provider under the CCPA, the regulations implementing the CCPA permit the law firm to refuse an access request by informing the requesting consume that “the request cannot be acted upon because the request has been sent to a service provider.”[4]


[1] Cal. Civ. Code § 1798.145(b).

[2] Cal. Civ. Code § 1798.100(a), (c), (d) (Oct. 2020).

[3] Cal. Civ. Code 1798.145(a)(5).

[4] CCPA Reg. 999.314(e). See also FSOR Appendix A at 174 (Response 539).

©2021 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XI, Number 2
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig
Shareholder

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...

303.685.7425
Advertisement
Advertisement
Advertisement