Do companies have to “flow down” access requests to service providers?

Probably.

When a business receives a request from a consumer to access the personal information that the business has “collected,” it must decide whether to grant the request or to deny it based upon one of the exceptions to access contained in the CCPA.¹ If the business decides to grant the request and provide the personal information in its possession, the CCPA does not specifically state that the business must also direct its service providers to produce the personal information that may be in their possession. This contrasts with deletion requests where the CCPA expressly states that a business which intends to honor such a request must “direct any service providers to delete the consumer’s personal information from their records.”²

Although the CCPA does not expressly state that a business must direct its service providers to search for and produce information collected from a consumer, privacy advocates are likely to take the position that flowing down an access request is implicitly required for the following reasons:

Service providers are an extension of a business. The CCPA states that a service provider “processes information on behalf of a business.”³ To the extent that a service provider functions as an agent of a business, an argument could be made that a failure by the business to instruct the service provider to search for and produce information could constitute a violation by the business itself.
The CCPA refers to access to the information “collected.” The CCPA states that a consumer should be able to request access to the “specific pieces of personal information the business has collected.”⁴ To the extent that a business collects personal information and then transmits it to a service provider for storage or further processing, the personal information was still “collected” by the business and, therefore, may need to be identified and produced regardless of whether it currently resides with the business or with its service provider.
Access requests under the European GDPR are typically flowed down. Like the CCPA, the European GDPR does not expressly state that a controller must flow down an access request to a processor. In practice, however, it is well accepted in Europe that if a controller grants an access request it should flow down an instruction to its processors to provide the impacted personal information. In turn, the GDPR requires processors to “assist[] the controller . . . [in] the fulfilment of the controller’s obligation to respond to requests for exercising data subject’s rights . . . .”⁵

The act of instructing service providers to provide personal information in response to a consumer’s request is often referred to as “flowing down” an access request, or an “access request flow down.”

Can a service provider refuse a deletion instruction from a business under the CCPA?

Yes.

Unless a service provider has contractually agreed otherwise, they can refuse an instruction to delete personal information that they receive from their client (i.e., the business for whom the service provider was processing personal information).

The CCPA allows a consumer to “request that a business delete any personal information about the consumer.”¹ When a consumer requests that a business delete personal information, the CCPA requires that a business “direct [its] service providers” to delete the information as well.²

Although a business must “direct” its service providers to delete data, the CCPA states that “a service provider shall not be required to comply with a consumer’s request to delete the consumer’s information if it is necessary for the business or a service provider to maintain the consumer’s information” in order to accomplish one of nine exceptions. While some of those exceptions arguably apply only to the business’s use of personal information, other exceptions may apply equally to the service provider’s handling of data. These include:³

Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
Debug to identify and repair errors that impair existing intended functionality.
Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.
Comply with a legal obligation.
Otherwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.

If a service provider needs the personal information for one of the reasons listed above, it may refuse the deletion request from the business.

Did California Declare War on Attorney Client Privilege? How the CCPA Impacts Privilege Protections

The hastily drafted CCPA raises serious issues concerning the attorney-client privilege, work-product doctrine, and client confidentiality. Drafted in approximately one-week as a political compromise to address a proposed privacy ballot initiative,¹ the CCPA contains provisions that are all too unclear regarding an attorney’s obligations to maintain client confidentiality and privilege. Without further clarification from the legislature or the California Attorney General’s rulemaking process, this lack of clarity is likely to lead to litigation.

The crux of the problem lies in the CCPA’s broad reach and its vaguely worded exemptions. The CCPA confers an obligation upon businesses (a term which could apply to many law firms and their corporate clients depending upon the factual circumstances) to provide privacy notices to individuals about whom information is collected, to provide individuals with access to information held about them, and, in some instances, to delete information about individuals upon their request. As it is currently written, the CCPA contains an exemption which states that the “obligations imposed on businesses by Sections 1798.110 to 1798.135 [of the CCPA], inclusive, shall not apply where compliance by the business with the title would violate an evidentiary privilege under California law . . . .”² While the legislature presumably intended to ensure that the CCPA did not require a business or its outside counsel to disclose privileged information, on its face the exemption is limited only to the obligations imposed by “Sections 1798.110 to 1798.135.” It expressly does not apply to obligations imposed by other sections of the CCPA, such as Sections 1798.100 or 1798.105.

Sections 1798.100 and 1798.105 are particularly relevant when it comes to attorney-client privilege, work-product, and client confidentiality. Section 1798.100 contains within it the requirement that a business must, in response to an access request, “provide” to a consumer “specific pieces of personal information the business has collected” about the individual.³ Section 1798.105 contains within it the requirement that a business must, in response to a valid deletion request, “delete the consumer’s personal information from its records. . . .”⁴ The net result is that the statute does not on its face prevent a California resident from requesting that an attorney, or a business, disclose privileged, work-product, or confidential information that relates to the California resident, nor does it prevent the California resident from requesting that a law firm (or its client) delete privileged information that relates to the individual.

Other more general exemptions to disclosure in the CCPA could arguably apply, although it is unclear whether the legislature intended that these exemptions cover privileged, work-product, and confidential information of a client. For instance, Section 1798.145(j) states that none of the “rights afforded to consumers and the obligations imposed on the business” should “adversely affect the rights and freedoms of other consumers,” while Section 1798.145(a)(1) provides “the obligations imposed on businesses by this title shall not restrict a business’s ability to … [c]omply with federal, state, or local laws.”⁵ A business or law firm faced with the question of whether it must disclose privileged, work-product, or confidential information may turn to these sections to argue that the CCPA should not supersede other state laws concerning privilege, work-product, or an attorney’s ethical obligations to maintain client confidentiality.⁶ However, a consumer seeking disclosure of the information may conversely argue the more specific should govern over the general. Because the specific exemption concerning evidentiary privileges (such as privilege) expressly does not apply to all sections of the CCPA, so the argument goes, these other more general exemptions should not apply either.

As a result of the lack of clarity in the statute, Bryan Cave Leighton Paisner, LLP has specifically requested that the California Attorney General issue rulemaking clarifying that privileged, work-product, and confidential information of a client is exempt from disclosure under all of the provisions of the CCPA. Without rulemaking from the Attorney General or further clarification from the legislature, the CCPA otherwise leaves important issues that lie at the heart of the attorney-client relationship to the uncertainties of litigation.