
CCPA and GDPR Redaction Requirements for Law Firms in 2026

RedactLaw Team

Law firms have long focused their redaction efforts on HIPAA, FRCP 5.2, and court-specific filing rules. But the rapid expansion of data privacy regulations — particularly the California Consumer Privacy Act and the European Union's General Data Protection Regulation — has created a new category of redaction obligations that many firms are not prepared to meet.

The challenge is compounded by the fact that law firms are not exempt from these regulations. When a firm collects, processes, or stores personal data — whether from clients, opposing parties, witnesses, or employees — it takes on data controller or processor obligations that include responding to data access and deletion requests.

How CCPA Affects Law Firm Redaction

The California Consumer Privacy Act, as amended by the California Privacy Rights Act, gives California residents the right to know what personal information a business collects about them, the right to request deletion of that information, and the right to opt out of the sale of their personal information.

When CCPA applies to law firms: A law firm is subject to CCPA if it does business in California and meets any of the following thresholds:

  • annual gross revenue exceeding $25 million
  • annually buying, selling, or sharing the personal information of 100,000 or more California residents
  • deriving 50 percent or more of annual revenue from selling or sharing personal information

Data Subject Access Requests (DSARs). When a California resident submits a DSAR to a law firm, the firm must provide all personal information it holds about that individual within 45 days. However, providing this information often requires redacting personal data belonging to other individuals contained in the same documents.

For example, if a former client requests their file and that file contains discovery documents referencing dozens of other individuals, the firm must redact those third parties' personal information before producing the file. Similarly, if a former employee requests their personnel records and those records reference other employees, third-party information must be removed.

Redaction vs. deletion. CCPA requires that firms be able to both redact and delete personal information. When a deletion request is received, the firm must determine whether the information can be deleted entirely or whether document retention obligations — such as ethics rules requiring maintenance of client files — necessitate redaction rather than deletion.

Penalties for non-compliance. CCPA violations carry penalties of up to $2,500 per unintentional violation and $7,500 per intentional violation. The California Privacy Protection Agency has actively pursued enforcement actions since 2024, and law firms are not immune from scrutiny.

How GDPR Affects Law Firm Redaction

The GDPR applies to any organization that processes personal data of EU residents, regardless of where the organization is located. American law firms handling international matters, representing EU-based clients, or processing data originating from EU jurisdictions are subject to GDPR obligations.

Data minimization principle. GDPR Article 5(1)(c) requires that personal data be adequate, relevant, and limited to what is necessary for the purposes of processing. For law firms, this means that when producing or sharing documents, the firm should redact personal data that exceeds what is necessary for the purpose at hand.

Pseudonymization vs. anonymization vs. redaction. GDPR Article 4(5) defines pseudonymization as processing personal data so that it can no longer be attributed to a specific individual without the use of additional information. This is distinct from anonymization (irreversible removal of identifying characteristics) and redaction (removal of specific data from a document). Law firms must understand which approach applies in each context:

  • Redaction is appropriate when documents must retain their integrity but specific data points must be removed
  • Pseudonymization is appropriate when data must remain usable for analysis but de-linked from individuals
  • Anonymization is appropriate when data is used for statistical or research purposes and individual identification is permanently unnecessary

DSAR processing under GDPR. Like CCPA, GDPR gives individuals the right to access their personal data. When a law firm receives a Subject Access Request, it must provide the requested information within one month. Third-party personal data within the responsive documents must be redacted before production.

Right to erasure. GDPR Article 17 gives individuals the right to have their personal data erased under certain circumstances. When full erasure conflicts with legal hold obligations or document retention requirements, redaction of personal identifiers from retained documents may satisfy the obligation while preserving the document for legal purposes.

Penalties. GDPR violations can result in fines of up to 4 percent of global annual turnover or 20 million euros, whichever is greater. Even smaller enforcement actions regularly result in six- and seven-figure fines.

Building a DSAR Response Workflow with Redaction

Most law firms lack a systematic process for responding to DSARs. The following workflow addresses both CCPA and GDPR requirements:

Step 1: Identify responsive data. Search all firm systems — document management, email, case management, billing, HR — for personal data belonging to the requesting individual. This step alone can be substantial for large firms with distributed data across multiple platforms.

Step 2: Categorize documents by third-party content. Separate documents that contain only the requester's personal data from documents that contain data belonging to multiple individuals. The former can be produced without redaction; the latter require redaction of third-party information.

Step 3: Apply automated redaction for third-party data. Use AI-powered detection to identify and redact personal data belonging to individuals other than the requester. Configure the tool to detect names, identification numbers, financial information, and contact details of third parties.

Step 4: Review for privilege and exemptions. Both CCPA and GDPR contain exemptions for information protected by attorney-client privilege or attorney work product. Review responsive documents for privileged content and withhold or redact accordingly, documenting the legal basis for each withholding.

Step 5: Produce and document. Deliver the redacted documents to the requester within the applicable deadline (45 days for CCPA, one month for GDPR). Maintain a record of the request, the search conducted, the documents produced, and the basis for any withholdings or redactions.
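As an added illustration, not code from this page or from any redaction product, the following Python sketch shows Steps 2 and 3 of the workflow above and the three treatments distinguished earlier (redaction, pseudonymization under GDPR Article 4(5), and anonymization). The sample files, the requester name and the regex detectors are all constructed assumptions; the regexes stand in for the AI-powered detection the text describes.

```python
import hashlib
import hmac
import re

# Constructed sample DSAR: requester "Alice Chen". The second file references
# third parties whose personal data must be withheld from the production.
REQUESTER = "Alice Chen"
DOCUMENTS = {
    "engagement_letter.txt": "Client: Alice Chen, phone 415-555-0100.",
    "discovery_memo.txt": ("Alice Chen met Bob Ortiz (SSN 123-45-6789) "
                           "and Carol Diaz, phone 212-555-0199."),
}
# Toy pattern detectors standing in for the AI-powered detection the text
# describes: two-word capitalised names, and SSN- or phone-shaped identifiers.
NAME_RE = re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b")
ID_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b|\b\d{3}-\d{3}-\d{4}\b")

def owner_of(text, pos):
    """Attribute an identifier to the nearest preceding name (a heuristic)."""
    names = [m for m in NAME_RE.finditer(text) if m.start() < pos]
    return names[-1].group() if names else None

def categorize(documents, requester):
    """Step 2: split files into requester-only vs. mixed third-party content."""
    mixed = {f for f, t in documents.items()
             if any(n != requester for n in NAME_RE.findall(t))}
    return {"produce_as_is": sorted(set(documents) - mixed),
            "needs_redaction": sorted(mixed)}

def redact_third_parties(text, requester):
    """Step 3: remove third-party names and their identifiers; keep the
    requester's own data so the document retains its integrity."""
    keep = lambda m: owner_of(text, m.start()) == requester
    out = ID_RE.sub(lambda m: m.group() if keep(m) else "[REDACTED]", text)
    return NAME_RE.sub(lambda m: m.group() if m.group() == requester
                       else "[REDACTED]", out)

def pseudonymize(text, key):
    """GDPR Art. 4(5): names become keyed tokens. The key, stored separately,
    is the 'additional information' without which no one can re-link them."""
    token = lambda m: "P-" + hmac.new(key, m.group().encode(),
                                       hashlib.sha256).hexdigest()[:8]
    return NAME_RE.sub(token, text)

def anonymize(text):
    """Irreversible: names and identifiers are dropped with no key or mapping."""
    return NAME_RE.sub("[individual]", ID_RE.sub("[identifier]", text))
```

The same name always maps to the same pseudonym under one key, so pseudonymized data stays usable for analysis, while the anonymized output cannot be re-linked to anyone by any party.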

Cross-Border Complications

Law firms handling international matters face overlapping obligations that create redaction complexity:

  • A document produced in U.S. litigation that contains EU residents' personal data may trigger GDPR obligations even though the litigation is domestic
  • A DSAR from an EU resident directed to a U.S. firm's London office may require coordination between offices subject to different regulatory frameworks
  • Transfer of personal data from EU to U.S. jurisdictions for litigation purposes must comply with GDPR's data transfer provisions, and redaction may be required to minimize the data transferred

The practical solution is to apply the most restrictive standard — typically GDPR — as the baseline and add jurisdiction-specific requirements as needed.

The Growing Risk of Inaction

Data privacy enforcement against law firms is increasing. Regulators view law firms as high-value targets because they hold large volumes of sensitive personal data and because enforcement actions against firms generate public attention that reinforces compliance messaging.

Firms that have not yet implemented DSAR response procedures and privacy-compliant redaction workflows are operating on borrowed time. The question is not whether a firm will receive a DSAR or face a privacy inquiry — it is when.

Conclusion

CCPA and GDPR have expanded the definition of when and why law firms must redact documents. These obligations exist alongside — not instead of — existing HIPAA, FRCP, and state court redaction requirements. Firms that build a unified redaction workflow capable of handling all these regulatory frameworks simultaneously are better positioned than those managing each requirement in isolation.