The California Consumer Privacy Act includes a door to a private right of action, and plaintiffs are eager to jiggle the latch. After all, potential awards for statutory damages lie just beyond. But ostensibly easy access to a handsome payout appears to be bolted with a “combination lock” of sorts, requiring calculated pleading and legal clarification.
The first round of CCPA class actions reveals that plaintiffs have yet to pick the lock, but that won’t stop them from testing theories and challenging assumptions.
As written, the CCPA limits consumers’ actions to security breaches attributable to a business’s “violation of the duty to implement and maintain reasonable security procedures and practices.” Cal. Civ. Code § 1798.150(a). It also expressly prohibits consumers from using its provisions “to serve as the basis for a private right of action under any other law.” Cal. Civ. Code § 1798.150(c).
Notwithstanding this seemingly straightforward language, plaintiffs are poised to challenge the scope of a number of factors essential to stating a cause of action.
For starters, the right to initiate a private cause of action applies only to a “consumer,” defined as a natural person who is a California resident. Cal. Civ. Code § 1798.140(g).
With California residency as one of the most basic elements, it’s somewhat surprising to see, for example, that the sole plaintiff named in Fuentes v. Sunshine Behavioral Health Group LLC hails from Pennsylvania! (Fuentes Complaint, ¶5).
So it appears that defendants will need to anticipate challenges even from non-Californians. But that should be an easy dismissal.
The CCPA’s private cause of action must also concern “personal information” as defined in California’s breach notification statute. Cal. Civ. Code §1798.81.5(d)(1)(A). So that means it’s limited to a consumer’s name, in combination with certain data elements, like a Social Security number or a credit card number.
In Henry v. Zoom Video Communications, Inc., the plaintiff alleges that the wildly popular video conferencing software shared certain information extracted from his device when he connected to Zoom.
Extracted data included things such as the model of the device, the time zone and city from which the device was connected, the identity of plaintiff’s phone carrier, and a unique advertiser ID (Henry Complaint, ¶15).
But do those sorts of things constitute “personal information” for purposes of a CCPA cause of action? The plaintiff doesn’t allege that Zoom shared his name—and even if it did, time zone, location data, and the other mentioned items would not appear to be data elements listed in Cal. Civ. Code §1798.81.5(d)(1)(A).
In short, defendants will need to ensure that the information at issue is information falling under §1798.81.5(d)(1)(A).
‘Unauthorized Access ... or Disclosure’
The CCPA specifies that the underlying security breach—defined as “an unauthorized access and exfiltration, theft, or disclosure”—must result from the defendant’s failure to implement and maintain reasonable security measures.
The plaintiff in Sheth v. Ring LLC alleges that the manufacturer of the popular video doorbell failed to implement adequate security measures to prevent unauthorized access, hacking, and sharing of personal information collected by its product.
Sheth does not allege that a hack occurred, mind you, but rather that Ring’s “disclosure” of personal information to third parties without first providing notice—specifically a notice at collection and a notice of the right to opt out—constitutes a violation of the CCPA (Sheth Complaint, ¶116).
Notwithstanding substantial CCPA-related commentary that the private right of action is limited to security “breaches,” defendants will need to examine whether a “disclosure” purportedly in violation of some of the CCPA’s other provisions will render the disclosure “unauthorized” for purposes of the private cause of action.
‘Duty to ... Maintain Reasonable Security’
Even though the CCPA clearly limits private actions to incidents involving deficient security practices, Burke v. Clearview AI, Inc. makes no such allegation.
Instead, Burke challenges Clearview’s practice of scraping images of consumers’ faces from public websites in order to build its facial recognition technology.
Specifically, Burke alleges that Clearview’s failure to provide CCPA-compliant notices before collecting biometric information from consumers’ photographs constituted an unlawful and unfair business practice under California’s Unfair Competition Law (UCL), Cal. Bus. & Prof. Code §17200, et seq. (Burke Amended Complaint, ¶¶67-70).
While Cal. Civ. Code § 1798.150(c) arguably precludes any reliance on the CCPA as a basis for a UCL claim, defendants should be aware that a number of plaintiffs are raising this sort of challenge. (Sheth, above, makes a similar UCL claim.)
Another key element to a CCPA claim is that the defendant must be a “business” as set forth in Cal. Civ. Code § 1798.140(c). But is every business a “business”?
In Barnes v. Hanna Andersson LLC, plaintiff alleges that children’s clothier Hanna Andersson LLC suffered a breach of consumer names, billing addresses, and payment card information. Fair enough. But the suit also names Salesforce.com, Inc.—which runs Hanna Andersson’s e-commerce platform—as a co-defendant.
Significantly, the complaint alleges that the breach was attributable to malware on Salesforce’s platform (Barnes First Amended Complaint, ¶29).
Since Salesforce was purportedly processing personal information on behalf of Hanna Andersson, Salesforce would likely fall within the definition of “service provider”—an entity distinct from a “business” under the CCPA. If that’s the case, would Salesforce fall outside the scope of § 1798.150, which permits a cause of action only against a “business”?
Defendants, therefore, will need to look beyond the CCPA’s definition of “business” to see if they can escape liability under a different label.
In addition to the questions posed above, the CCPA’s private cause of action raises other considerations, such as (1) what constitutes a “cure”; (2) what constitutes “reasonable security”; and (3) whether § 1798.150’s cause of action applies retroactively to breaches occurring prior to 2020.
While the code to unlocking a statutory damages award is far from clear, an award per se may not be the goal; the potential for settlement is too great to pass up, especially as the corporate and legal environments are experiencing economic upheaval. Still, the best defense is a good offense, so businesses should consider drafting a binding and enforceable arbitration provision that would (hopefully) preempt California law.