This is such an interesting story as it takes a look at how there is a potential to use parts of the CCPA to obtain quasi-discovery in certain circumstances.
In fact, this is not dissimilar to some of the experiences we have had here in the UK at A&M, and, indeed elsewhere in Europe, with respect to the GDPR and subject access requests.
Certainly, the regulators have been pushing back on this. It’s clearly not the intention of the data privacy legislation being implemented in Europe and California, but as the author (David. A. Zetoony) sums up: “Ultimately California courts will have to determine whether access requests can be utilized as a means of bypassing traditional discovery procedures.”
If you want more on this theme, then I would suggest speaking with my colleague Robert Grosvenor.
The Office of the California Attorney General was asked to confirm that access requests could not be used in lieu of discovery in litigation. The Attorney General chose to respond that there is no explicit “exception allowing businesses to refuse to respond to a verifiable request by a consumer for that consumer’s personal information while litigation is pending or allowing the business to deny a consumer request on the basis that the business suspects the request was made in lieu of discovery.”2 Ultimately California courts will have to determine whether access requests can be utilized as a means of bypassing traditional discovery procedures.