Avoiding the California Privacy and Security Litigation Tsunami: CCPA FAQ: Is a service provider permitted to disclose personal information if it receives a civil subpoena or a discovery request?

BCLP

Companies that do business in California know that it is a magnet for class action litigation. The California Consumer Privacy Act ("CCPA"), a new privacy law that applies to data collected about California residents, will provide even more incentive for plaintiffs' attorneys to bring suit in California.

The CCPA was enacted in early 2018 as a political compromise to stave off a poorly drafted ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).  To help address that confusion, BCLP is publishing a multi-part series to address the most frequently asked litigation-related questions concerning the CCPA.  BCLP is also working with clients to assess – and mitigate – litigation risks for when the CCPA goes into effect by putting in place the policies, procedures, and protocols needed to comply with the Act.

Q. Is a service provider permitted to disclose personal information if it receives a civil subpoena or a discovery request?

Section 1798.140(v) of the CCPA states that a service provider must be contractually prohibited from “disclosing the personal information [provided to it by a business] for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title. . . .”1

Section 1798.145(a) of the CCPA contains six exceptions to the disclosure prohibitions. While one of those exceptions involves compliance with “a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities,” the exception applies only to a “business.”2 Because the Act defines “businesses” and “service providers” separately (the former determines the “purposes and means of the processing of consumers’ personal information,” the latter does not), it appears that, on its face, the CCPA does not excuse a service provider from its contractual obligation not to disclose information when the disclosure would be made to comply with civil investigations, subpoenas, or summonses. This conclusion is bolstered by the fact that one of the other exceptions within Section 1798.145(a) (an exception that allows for disclosure when cooperating with law enforcement agencies) specifically references service providers.

While common sense suggests that a service provider should be able to comply with a lawfully issued subpoena or discovery request, given the text of the CCPA, it is unclear whether businesses can contractually permit their service providers to comply with civil discovery and, if they cannot, whether a service provider will be permitted to disclose information in response to discovery without being held in breach of contract.

Until the legislature or courts provide further guidance on this issue, service providers receiving civil subpoenas or discovery requests should timely assert objections and/or seek a protective order based on the CCPA, and withhold personal information from any production response until the parties can agree on excluding or redacting the personal information or a court orders production. 

To avoid potential breach of contract issues, the parties may wish to provide within their contracts an instruction from the business to the service provider stating that (1) service provider will forward any such requests to the business, and (2) business will instruct service provider on how to handle the request. Absent contrary judicial or legislative direction, the CCPA may even allow an instruction in the contract stating that the service provider is permitted to disclose the data in response to a validly submitted discovery request after providing the business with notice and an opportunity to object. Note that such an instruction under the CCPA may not be consistent with the GDPR, so a service provider that is required to comply with both laws may face a slight contracting tension.

1. CCPA, Section 1798.140(v).

2. CCPA, Section 1798.145(a)(3).
