If a written contract between a law firm and its client (e.g., an engagement letter) prohibits the law firm from using, retaining, and disclosing personal information except to the extent permitted by the client, the law firm may be a “service provider” under the CCPA. The CPRA amended the CCPA’s definition of service provider such that, beginning on January 1, 2023, the contract between a law firm and its client may also need to include provisions prohibiting the sale or sharing of personal information, and the combination of personal information between and among clients of the law firm.
The net result is that if a law firm has a written contract that satisfies the requirements of being a service provider under the CCPA, the law firm may be considered a service provider; if the law firm does not have a written contract that satisfies the requirements of a service provider under the CCPA, the law firm may be considered a third party or a business.
As a comparison, under the European GDPR the Article 29 Working Party, the predecessor to the European Data Protection Board, took the position that if a vendor has a “traditional role and professional expertise” that requires it to determine the purpose and means of processing, that independent expertise may convert the vendor into a controller. The Working Party specifically noted that in situations in which a “barrister represents his/her client in court, and in relation to this mission, processes personal data related to the client’s case” the barrister is a controller.1 The Working Party’s rationale may be that the instruction that a client provides to their attorney is not necessarily to process data, but, rather, to represent the client’s interest before a court. Because the processing of data is an ancillary function that is wholly (or partially) determined by the attorney independent from the client, the attorneys’ processing should be conceptualized as that of a controller. The United Kingdom’s Information Commissioner’s Office reached a similar conclusion in the context of discussing whether a solicitor is a processor or a controller. The ICO suggested that an attorney that functions as a solicitor should be considered a controller in the following situations:
- Advising clients as to legal rights vis-a-vis data subjects. An attorney should be considered a controller when he or she receives personal data about a third party in order to advise the client concerning its rights vis-a-vis the third party (e.g., a client shares personal data about a former salesman that stole client information).2
- Client defers to attorney concerning use of data. An attorney should be considered a controller when a client has “little understanding of the process the solicitors will adopt or how they will process the personal data” during the course of providing a representation.3
It is unclear whether a California court interpreting the CCPA would find the European interpretation of law firms as controllers relevant when interpreting the CCPA.
1 Article 29 Data Protection Working Party, WP169: Opinion 1/2010 on the concepts of ‘controller’ and ‘processor” at 28 (Feb. 16, 2010).
2 UK ICO, “Data Controllers and Data Processors: What the Difference Is and What the Governance Implications Are” at 12-13.
3 Id. In Germany the national Council of Data Protection Commissioners (Datenschutzkonferenz) took a similar position and confirmed that attorneys act as controllers when processing personal data of their clients. Datenschutzkonferenz, Kurzpapier Nr. 13, Auftragsverarbeitung, Art. 28 DS-GVO (16 January 2018), www.lda.bayern.de/media/dsk_kpnr_13_auftragsverarbeitung.pdf, p.4.