Hinshaw Submits Comments to California Attorney General Regarding Proposed California Consumer Privacy Act Regulations
CCPA Could Frustrate Tripartite Relationship Between Insured, Insurer, and Law Firm
Hinshaw & Culbertson LLP, a U.S. law firm, has submitted comments to the California Attorney General regarding proposed regulations implementing the California Consumer Privacy Act (CCPA). The CCPA, which goes into effect on January 1, 2020, addresses the processing of personal information of California consumers. It grants California consumers several of the same type of privacy rights found in the European Union's General Data Privacy Regulation (GDPR), including the right to access, delete, and object to the sale of their personal information.
In its role as an advocate for the insurance industry and the legal profession, Hinshaw has raised four concerns with the Attorney General regarding the impact of the proposed regulations on the tripartite relationship between an insurer, its insured, and the law firm retained by an insurer to represent its insured.
- In certain scenarios, proposed regulation §999.314(c)—which covers "Service Providers" such as law firms representing an insurance carrier subject to the CCPA—could make it impossible for the law firm to use in defense of a lawsuit any personal information that the carrier obtained during the claims review process or prior to the suit being filed. Furthermore, the law firm would seemingly be prohibited from sharing information provided by the carrier with experts and consultants necessary to defend the insured. This would frustrate the nature and purpose of the tripartite relationship between the law firm, its client (the insured), and the client’s insurance carrier.
- Current CCPA exceptions—when exercising or defending legal claims and when compliance would violate an evidentiary privilege under California law—only apply to a covered "Business." Since law firms acting as a service provider on behalf of a covered insurance carrier are not exempted anywhere in the regulations, the proposed CCPA regulations could impair the ability of a business to defend legal claims through law firm service providers.
- The CCPA's definition of "Processing" needs further explanation of the meaning of "Operation," as it is currently unclear whether storing personal information in the cloud, or using electronically stored personal information for discovery purposes would constitute "Processing" under the current regulatory scheme.
- Finally, Hinshaw calls upon the Attorney General to clarify the meaning and intent of §1798.145(a), which provides that the obligations imposed on a business by the CCPA shall not "restrict" a business's ability to inter alia comply with federal, state, or local laws, comply with subpoena or regulatory inquiries or investigations, or to exercise or defend legal claims.
"We appreciate the opportunity to provide comment to the Attorney General on the CCPA’s proposed regulations," said San Francisco-based Hinshaw attorney Joanna L. Storey. "We have significant concerns that the regulations, as currently drafted, unintentionally create a cloud of uncertainty about the ability of a legal service provider to appropriately exercise or defend legal claims in the insurance coverage context. We look forward to the Attorney General's guidance on the issues we have raised."