As plaintiffs’ attorneys continue to experiment with ways to utilize the California Consumer Privacy Act (CCPA) to obtain quasi-discovery, questions exist whether they may attempt to leverage the obligations imposed by the CCPA on law firms. While the CCPA states that the “obligations imposed on businesses by Sections 1798.110 to 1798.135 [of the CCPA], inclusive,

A law firm will most likely be considered a controller when processing personal data from third parties as part of a representation of a client (e.g., when collecting information from a witness).

While it is theoretically possible that a law firm may function as a processor by collecting personal data from a third party on