The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff’s friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
Yes and no.
The CCPA was put together quickly (in approximately one week) as a political compromise to address a proposed privacy ballot initiative that contained a number of problematic provisions. (For more on the history of the CCPA, you can find a timeline on page 2 of BCLP’s Practical Guide to the CCPA). Given its hasty drafting there are a number of areas in which the CCPA intentionally, or unintentionally, is at best ambiguous, or at worst leads to unintended results. One of those areas deals with attorney-client communications.
The CCPA confers an obligation upon businesses (a term which could apply to many law firms and their corporate clients depending upon the factual circumstances) to provide privacy notices to individuals about whom information is collected, to provide individuals with access to information held about them, and, in some instances, to delete information about individuals upon their request. As it is currently written, the CCPA contains an exemption which states that the “obligations imposed on businesses by Sections 1798.110 to 1798.135 [of the CCPA], inclusive, shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law . . . .”1 While the exception presumably was intended to ensure that the CCPA did not require a business or an attorney to disclose privileged information, on its face it is limited only to the obligations imposed by “Sections 1798.110 to 1798.135.” More specifically, on its face it does not apply to the obligations imposed by other sections of the CCPA including Sections 1798.100 or 1798.105.
Sections 1798.100 and 1798.105 are particularly relevant when it comes to attorney-client privilege. Section 1798.100 contains within it the requirement that a business must, in response to an access request, "provide” to a consumer “specific pieces of personal information the business has collected” about the individual.2 Section 1798.105 contains within it the requirement that a business must, in response to a valid deletion request, "delete the consumer's personal information from its records. . . ."3 The net result is that the statute does not on its face prevent a California resident from requesting that an attorney, or a business, disclose privileged information that relates to the California resident, nor does it prevent the California resident from requesting that a law firm (or its client) delete privileged information that relates to the individual.
Judicial interpretation (or intervention) may be needed to clarify whether the access and deletion rights of the CCPA are preempted by another federal, state, or local law that guarantees the confidentiality of attorney-client communications. Similarly courts may need to determine whether an access or deletion request could be refused based upon the exception within the CCPA that none of the “rights afforded to consumers and the obligations imposed on the business” should “adversely affect the rights and freedoms of other consumers.”4
1. Cal. Civil Code § 1798.145(b).
2. Cal. Civil Code § 1798.100(a), (c), (d).
3. Cal. Civil Code § 1798.105(c).
4. Cal. Civil Code § 1798.145(j). While the exception that the CCPA’s rights should not “adversely affect the rights and freedoms of other consumers” may be invoked to the extent that an access or deletion request might infringe upon a right of another Californian to provide information to, or receive information from, their attorney in confidence, because “consumer” is defined as including only California residents, this exception may provide little protection if an access or deletion request is transmitted to a non-California client and/or a non-California attorney.