A law firm may be considered a service provider under the CCPA to the extent that a written contract between the law firm and its client (e.g., an engagement letter) prohibits the law firm from using, retaining, and disclosing personal information except to the extent permitted by the client. As the CCPA only requires that a “business that collects a consumer’s personal information” provide a notice at collection,1 if a law firm is a service provider it would not be required to provide a notice at collection to individuals from whom it is attempting to collect personal information.
If, on the other hand, a law firm is considered a business it is possible that it is exempt from the requirement to provide a notice at collection. Specifically, businesses are exempt from any obligations under the CCPA to the extent that they “restrict a business’s ability to . . . exercise or defend legal claims.”2 A court might determine that requiring a law firm to provide a notice at collection restricts the law firm’s ability to exercise or defend legal claims on behalf of clients, or restricts clients ability to have their claims exercised or defended by the law firm.
Even if a law firm is not exempt from the obligation to provide a notice at collection, assuming that the target of the subpoena is a California consumer the subpoena itself may implicitly satisfy the obligation to provide a notice at collection. Specifically, a notice at collection should include the following information:
- A list of the categories of personal information that will be collected;
- The business or commercial purpose for which the information is being collected;
- Information on how to opt-out of the sale of personal information (if information is being sold); and
- Information on how to find the company’s complete privacy notice.3
A third party subpoena, by its nature, specifies the type of personal information that is being sought, and that the information will be used within the context of the identified litigation. While a subpoena does not specify how a recipient can opt out of the sale of their personal information, discovery and ethics rules prevent a law firm from attempting to sell personal information received in discovery. While most subpoenas do not specifically indicate how a subpoena recipient can find a copy of the law firm’s privacy notice, if a recipient is represented by counsel, it would be difficult to argue that their counsel would not know how to locate a law firm’s online privacy notice to the extent that one has been posted. The net result is that most, if not all, of the information required by a notice at collection may be contained within a subpoena.4
1 Cal. Civ. Code 1798.100(b) (Oct. 2020) (emphasis added).
2 Cal. Civ. Code 1798.145(a)(5).
3 CCPA Reg. 999.305(b)(1)-(4).
4 Note that as of January 1, 2023, a notice at collection would also need to include the “length of time” that the business intends to retain each category of personal information. Cal. Civ. Code 1798.100(a)(3). In the context of civil litigation, the length of time that information will be kept is often conveyed to the opposing party through other means such as a negotiated protective order that discusses the return or destruction of documents at the end of the litigation.