Christine Wood is a partner at Best Best & Krieger LLP, and Jennifer Ransom is a lead paralegal. They can be reached at christine.wood@bbklaw.com and jennifer.ransom@bbklaw.com

---

The California Public Records Act (CPRA) is more than just legal terminology. It is a statute that guides how public records are accessed and disclosed. The CPRA applies to all state and local agencies and covers records in any format. Those familiar with the act understand its value as a tool for accessing public records and the significant burden it places on responding agencies.

Compliance is a high-stakes obligation for any responding agency — even a small mistake can be costly. Here is how the act works, common pitfalls, evolving challenges, and strategies agencies can use to meet their obligations.

The law in plain English

The CPRA lays the foundation for government transparency and accountability in California. Originally enacted in 1968, it is one of the state’s two sunshine laws. It was most recently changed in 2021, when policymakers recodified the statute to enhance usability without altering substantive rights or obligations. Proposition 59 (2004) added the public’s right of access to the California Constitution. Together, the two form a strong legal framework that requires agencies to balance disclosure obligations with privacy protections.

The primary purpose of the CPRA is straightforward: to require disclosure of identifiable public records. It does not set retention periods or dictate what data an agency collects. Its sole function is disclosure.

What counts as a public record

A public record is broadly defined as any writing related to the conduct of the public’s business. The record may be prepared, owned, used, or retained by the agency. A “writing” includes letters, emails, texts, photographs, audio, and database entries. Neither format nor storage location matters. Agencies can hold records in actual possession or control them through a third party.

Any person may inspect records during office hours and ask for copies. A “person” includes individuals, companies, partnerships, limited liability companies, and associations. A requester does not need to identify themselves or state a purpose for the request. An agency cannot limit access based on motive when the record is otherwise disclosable.

Exemptions and the public interest balancing test

When it comes to the CPRA, disclosure is the default. However, the act outlines exemptions to protect privacy, ensure fair process, and preserve legal privileges. Common examples include personnel and medical files, criminal investigatory records, taxpayer information, voter data, and records protected by attorney-client privilege, attorney work product, trade secrets, or copyright.

The “catch-all” exemption allows an agency to withhold records when the public interest in non-disclosure clearly outweighs the public interest in disclosure. Use this exemption with caution, and thoroughly document the reasons for its use. If used and later challenged, an agency must provide justification for the withholding.

The request cycle and deadlines

Requests can be made in any manner, including orally. While agencies can offer a portal or a form, the use of these options should always remain optional. Agencies can always complete a form for a caller or visitor who makes an oral request.

An agency must respond within 10 days, but a 14-day extension is available in narrow situations. These include searches across separate offices; an extensive collection of potentially responsive records; consultation with another agency that has a substantial interest in the records; the need to compile data or write code to extract data; and the effects of a declared emergency that limits staff or facility access.

A denial must be in writing and name the official who made the determination. Agencies should use clear letters for production, denial, determination, extension, and particularly close-out letters (a letter in which the agency deems the request complete). Each letter should cite the statutory basis.

The CPRA requires prompt production. For large sets of records, rolling productions are acceptable. However, each production should include a cover letter that notes the asserted exemptions and sets the next target date.

If a request is vague or very broad, seek clarification. The act requires agencies to help individuals frame focused requests that describe identifiable records. A requester can describe subject matter or search criteria, but at no time should a requester be asked to provide the title or exact file name of a record to assist the agency in the search.

Litigation risks

A requester who believes the agency violated the CPRA can file a writ petition in court. Courts can order the production of records that were previously withheld, and a prevailing requester may also recover attorneys’ fees and costs.

Discovery in CPRA cases is narrower than in other writ matters, but any form of discovery still drives costs, adds time, and expands the scope of risk. A missed deadline or over-redaction can snowball into unpredictable costs.

Real-world strain and non-negotiable duties

Some requesters file frequently. Some aim to provoke a misstep. Some use hostile language. The law still binds the agency to act. Every request requires a response with the statutorily prescribed timeline. Production of records must follow a reasonable speed, often referred to as the promptness standard. Respectful and factual communication supports both goals.

Does a tough requester change the duty to disclose? No, it does not. The CPRA governs the public’s right of access — not the tone of a single exchange. When processing requests, best practices include ensuring clear intake procedures, careful tracking of progress, and regular updates. A professional tone can usually calm tense moments. Don’t forget to document each step and name a point of contact with set deadlines.

Common errors that drive risk

Unjustified delays or denials create exposure for agencies. Agencies that miss the 10-day window or fail to cite a valid exemption are at risk. Heavy redactions that appear to conceal routine information can trigger challenges. Silence can function as a constructive denial and can trigger legal risk.

Additionally, agencies must be mindful of charging fees, as the CPRA only permits the recovery of direct duplication costs and, in limited cases, programming or data extraction costs. It does not authorize charges for staff searches, redactions, or review time.

Technology and expanding obligations

Courts expect agencies to use all available tools when fulfilling requests. Staff must search across email servers, collaboration platforms, databases, and other systems that hold public records. When staff conduct agency business on personal devices or accounts, those locations can fall in the scope of the request. That reality raises privacy concerns. Courts show less sympathy for “too voluminous” claims in light of standard tools such as metadata filters, threading, deduplication, and automated redaction.

Policy and training reduce these problems. Direct staff to use official systems for agency work. Reinforce that rule in onboarding and refresher sessions. Strong policies narrow the search field and protect privacy. It also supports credible declarations about the scope of a search.

Managing difficult requesters without losing your cool

Some requesters file repeated or overlapping requests. Some write with legal threats or insults. Others send vague lists that hide the actual request within several pages of text. The key is to treat each request on its own terms, interpret the request broadly, and follow the law. Keep messages short, clear, and neutral. Outline the process. Identify who will follow up and when. Request clarification when the request is unclear or excessive. Track all correspondence and decisions. Early coordination prevents last-minute scrambles and mistakes.

Watch out for warning signs that a request may have legal risk. These signs can take several forms, such as urgent demand language or boilerplate language that suggests a mass filing. Legal citations paired with threats or broad or vague text that seems designed to overwhelm agency staff are also red flags. Letters from law offices or media that contain accusations or threatening language are also common. When you encounter these signs, notify leadership and engage agency counsel as necessary.  

Practical steps that work

Adopt written procedures for intake, tracking, searches, review, redaction, and production. Name a coordinator with authority to set schedules and obtain records. Train front-line staff on intake and on the duty to assist requesters.

Why this matters

The CPRA is a legal obligation and a constitutional right of the people. Noncompliance with any part of the act carries a legal risk, which may include financial and reputational harm. Clear communication and efficient processes that provide access to public records show good faith and protect the public’s right of access.