The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff’s friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
Q. Is a service provider permitted to disclose personal information if it receives a civil subpoena, or a discovery request?
The CCPA was put together quickly (in approximately one week) as a political compromise to address a proposed privacy ballot initiative that contained a number of problematic provisions. (For more on the history of the CCPA, you can find a timeline that illustrates its history and development on page two of BCLP’s Practical Guide to the CCPA). Given its hasty drafting there are a number of areas in which the Act is at best ambiguous, at worst leads to unintended results. The ability of a service provider to respond to a civil subpoena or to respond to a discover request is one of those issues.
Section 1798.140(v) of the CCPA states that a service provider must be contractually prohibited from “disclosing the personal information [provided to it by a business] for any purpose other than for the specific purpose of performing the services specified in the contract for the business, or as otherwise permitted by this title. . . .”1 Section 1798.145(a) of the CCPA contains six exceptions in which the disclosure prohibitions within the Act would not apply. While one of those exceptions involves compliance with “a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities,” the exception applies only to a “business.”2 As the Act defines “businesses” and “service providers” separately (the former determines the “purposes and means of the processing of consumer personal information, the latter does not) it appears that, on its face, the CCPA does not excuse a service provider from complying with its contractual obligation to not disclose information in order comply with civil investigations, subpoenas, or summonses. This conclusion is bolstered by the fact that one of the other exceptions within Section 1798.145(a) (an exception that allows for disclosure when cooperating with law enforcement agencies) specifically references service providers.
While common sense suggests that a service provider should be able to comply with a lawfully issued subpoena or discovery request, given the text of the CCPA judicial guidance will be needed to determine whether businesses can contractually permit their service providers to comply with civil discovery and, if they cannot, whether a service provider will be permitted to disclose information in response to validly issued discovery without being held in breach of contract.
1. CCPA, Section 1798.140(v).
2. CCPA, Section 1798.145(a)(3).