Litigating the CCPA in Court
- Despite significant restrictions on private rights of action, more than 50 lawsuits have invoked the California Consumer Privacy Act (CCPA) since it took effect on Jan. 1, 2020, nearly all of them class actions.
- While the CCPA is expected to play an important role in future data breach cases given the availability of statutory damages, plaintiffs' right to litigate alleged CCPA violations in other contexts will face strong opposition, and this may be the most important CCPA issue in the coming six to 12 months.
- With the California Attorney General's enforcement activities beginning on July 1, 2020, businesses need to manage potential liability exposure on two fronts, and it is currently unclear which front will pose the bigger risk.
The California Consumer Privacy Act (CCPA or Act) went into effect on Jan. 1, 2020. A first-of-its-kind law in the United States, the CCPA grants California residents expansive rights over businesses' collection, use and sharing of their personal information. The Act provides California residents with the right to seek access to, or deletion of, their personal information, as well as the right to object to the sale or sharing of such information with third parties.
For the most part, the CCPA vests enforcement authority with the California Attorney General (CA AG),1 and certain critical compromises were struck during the CCPA's dramatic legislative process in 2018 and 2019 to limit private enforcement for other violations:
- First, the law expressly provides that a private right of action is available only for certain data breach incidents "and shall not be based on violations of any other section of" the CCPA. The Act further states that "[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law."2
- Second, although data breach suits may be brought on an individual or class-wide basis for actual damages incurred or statutory damages,3 a consumer seeking statutory damages must first provide the intended defendant with 30 days' advance written notice of the alleged violations of the CCPA, and if the business cures the alleged violation and provides an express written statement to that effect, the would-be plaintiff may not initiate an action for statutory damages.4
Many requirements of the CCPA have been the subject of legal debate since the law passed, and the precise contours of enforcement has been a popular topic.5 There was, however, generally broad consensus that consumers would swiftly embrace the availability of statutory damages, and, be equally quick to challenge the limits of the CCPA's private right of action. It is therefore no surprise that in the seven months since the CCPA went into effect, approximately 50 private lawsuits have been filed that cite the CCPA in some respect as a basis for suit.
Roughly half of these lawsuits were filed in connection with data breaches. Plaintiffs in the other cases premise claims on alleged violations of consumer rights, often asserting that noncompliance with the CCPA, by extension, constitutes a violation of California's Unfair Competition Law (UCL), Consumer Legal Remedies Act (CLRA) or other causes of action. Unsurprisingly, these suits are generally filed as class actions.
CCPA Suits Filed in Connection with Security Incidents
The CCPA adds an attractive new dimension to data breach class action cases. Plaintiffs have traditionally struggled to establish that a particular security incident was the proximate cause of monetary damages or some other actual injury recognized by law. This hindered plaintiffs' ability to establish Article III standing in federal court and present a viable damages theory. The CCPA is the first generally applicable data breach law in the United States to offer statutory damages as an alternative to establishing actual damages.
In the new wave of CCPA data breach cases, plaintiffs have generally pleaded a right to statutory damages, and also often seek restitution and an injunction against defendants' continued (allegedly) improper handling of personal information.6 Only a small percentage of cases allege actual damages as a result of the purported incident.7
The data breach lawsuits plead violations under the CCPA with various degrees of specificity. Most cases allege a data breach and then generally contend that the breach was a violation of the CCPA without offering further detail.8 In this context, the CCPA claim is typically asserted along with other common data breach claims including negligence, breach of contract, unjust enrichment and violation of the UCL.9
Other cases are pleaded with greater specificity and allege that the plaintiffs gave the defendant notice prior to filing suit.10 In at least several instances, however, it does not appear that plaintiffs waited the requisite 30 days before filing suit.11
A number of cases also assert a violation of California's UCL based on a violation of the CCPA arising from a data breach.12 The UCL defines "unfair competition" broadly to "mean and include any unlawful, unfair or fraudulent business act or practice and unfair, deceptive, untrue or misleading advertising and any act prohibited by [California's false advertising law]."13 Private parties may seek injunctive relief and restitution under the UCL.14 These claims, therefore, necessarily seek validation from the courts that the UCL is an appropriate vehicle through which an underlying CCPA violation can be asserted in a private action (this is discussed further below).
CCPA Suits Unrelated to Security Incidents
Notwithstanding the CCPA's narrow private right of action, a variety of other lawsuits have been filed alleging violations of the law.
Violations of the Notification Requirements
Claims such as these outright ignore the CCPA's restriction that a consumer may only bring a private right of action for certain data breaches.
UCL Claim Premised on Violation of the Notification Requirements
In other cases, plaintiffs have pleaded their claims under the UCL, premised on alleged violations of the CCPA's notice requirements.19 Plaintiffs in these cases essentially argue that a CCPA violation is a de facto violation of the UCL.20 For example, one complaint alleges that the defendant "scraped" hundreds of websites for consumers' personal information (which the defendant later sold) without consent and in violation of the CCPA's notification requirements.21 The plaintiffs proceed to argue that a violation of the CCPA's notification requirements, is by extension, a violation of the UCL.22 As with the UCL data breach claims, UCL claims premised on alleged notification violations thus implicitly seek judicial approval to expand CCPA enforcement — notwithstanding the Act's clear instruction that "[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law."23
Claims Alleging General Violation of Privacy Rights
Other cases avoid making a claim under any specific provision of the CCPA; plaintiffs instead plead facts regarding a defendant's use of personal information and allege a violation of state privacy rights, for instance under the California Constitution.24 In one such case, the plaintiffs seek an injunction, and to the extent that the defendant fails to respond to the plaintiffs' letter giving notice to CCPA violations, the plaintiffs also seek actual, punitive and statutory damages, restitution, and attorneys' fees and costs.25 Similar to the UCL-based claims, these claims appear to invite the courts to rely upon the CCPA as a vehicle to establish privacy standards for which liability can be justified under other applicable laws.
All of these claim theories venture into unchartered territory. These cases continue to be filed and as they work their way through California's federal and state courts, it remains to be seen how judges will rule on motions to dismiss such claims.
Asserting Violations of the CCPA in Business-to-Business Litigation
Class action plaintiffs do not have a monopoly on creativity. One recently filed case is between competing businesses engaged in market research that involves the collection and sale of personal information.26 The plaintiff alleges that the defendant (the plaintiff's former business partner and now competitor) violated the CCPA by failing to provide sufficient notice of its privacy practices to consumers, and as a result, has gained an unfair and unlawful advantage in violation of the UCL. The plaintiff is seeking restitution, disgorgement and an injunction against its competitor.
Using the CCPA as a weapon in the business context could give rise to a whole new field of CCPA litigation. One can imagine litigious businesses leveraging the CCPA in a manner similar to false advertising claims, or plaintiffs raising the CCPA in whistleblower suits, or shareholder derivative and securities class actions, alleging noncompliance with the Act to the detriment of employees, shareholders or to the value of the defendant business itself. The viability of such claims — purportedly on behalf of the consumers that the law is intended to protect — would seemingly require an extension of legal doctrine equal to, or greater than, in the consumer cases described above.
The CCPA "Safe Harbor" Defense
In January 2019, the City of Los Angeles filed suit against The Weather Channel (TWC).27 In the complaint, the City alleged that TWC was engaged in unfair and fraudulent business practices in violation of the UCL by sharing its mobile app users' geolocation data with third parties for advertising and other commercial purposes, without providing sufficient notice or obtaining any necessary consent.
On June 11, 2020, TWC filed a motion for summary judgment,28 arguing that the City's "lawsuit is an improper attempt to legislate through litigation."29 The disclosure requirements advocated for by the City, TWC contends, "significantly exceed and conflict with the highly detailed and rigorous disclosure requirements imposed under CCPA . . . which [moreover] did not go into effect until a year after Plaintiff filed suit."30 Rather than permitting UCL-type claims over what constitutes appropriate notice to consumers of a business' privacy practices, TWC urges the court to defer to the state legislature "which has already decided these questions—so that California businesses (and others doing business in California) are able to know, to a reasonable certainty, what conduct California law prohibits and what it permits."31
Privacy practitioners heavily engaged on CCPA compliance matters may well see a paradox in any argument that the CCPA provides "reasonable certainty" regarding California's required privacy disclosures. But perhaps over the next one to two years the courts (or the regulator . . . whoever that may be) will provide that clarity — there is no doubt they will have many opportunities to do so.
1 See Cal. Civ. Code § 1798.155(b).
2 See Cal. Civ. Code § 1798.150(c) ("The cause of action established by this section shall apply only to violations as defined in subdivision (a) [regarding data breaches] and shall not be based on violations of any other section of this title. Nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law. This shall not be construed to relieve any party from any duties or obligations imposed under other law or the United States or California Constitution.").
3 Statutory damages range from $100-$750 per individual, per incident. Cal. Civ. Code § 1798.150(a)(1)(A).
4 See Cal. Civ. Code § 1798.150(b).
5 There is some debate, for instance, over whether county or local prosecutors in California can bring public enforcement actions for violations of the CCPA under Section 17204 of California's Business and Professions Code, or if enforcement is solely vested with the CA AG.
6 See, e.g., Complaint, Jose Lopez v. Tandem Diabetes Care, Inc., No. 3:20-cv-00723-LAB-LL, at 25 (S.D. Cal. April 16, 2020).
7 See, e.g., Complaint, Lopez, at 25; Complaint, Fuentes v. Sunshine Behavioral Health, No. 8:20-cv-00487, at 20-21 (C.D. Cal. March 10, 2020) (alleging that the data breach caused the plaintiffs harm as they must now "freeze" credit cards, contact financial and health institutions, monitor credit reports, etc. for "years to come").
8 See, e.g., Complaint, Albert Almeida, Mark Munoz, and Angelo Victoriano v. Slickwraps Inc., No. 2:20-at-00256, at 28, 48 (E.D. Cal. March 12, 2020); Complaint, Daniela Hernandez v. PIH Health, No. 2:20-cv-01662, at 6, 19, 38 (C.D. Cal. Feb. 20, 2020); Complaint, Bernadette Barnes v. Hanna Andersson, LLC, and Salesforce.Com, Inc., No. 4:20-cv-00812-DMR, at 3, 15 (N.D. Cal. Feb. 3, 2020); Complaint, Juan Maldonado v. Solara Medical Supplies, LLC, No. 3:19-cv-02284-H-KSC, at 3, 21 (S.D. Cal. Nov. 29, 2019).
9 See, e.g., Complaint, Slickwraps at 39, 44, 46 and 48; Complaint, Hernandez at 22, 27, 30 and 37; Complaint, Barnes at 16 and 22; Complaint, Maldonado at 23, 30, 33 and 34.
10 See, e.g., Complaint, Michele Pascoe v. Ambry Genetics, No. 8:20-cv-00838, at 50 (C.D. Cal. May 1, 2020) at 50; Complaint, Lopez at 44.
11 Complaint, Lopez at 44 ("If Defendant fails to respond to Plaintiffs' notice letter or agree to rectify the violations detailed above, Plaintiffs also will seek actual, punitive, and statutory damages, restitution, attorneys' fees and costs, and any other relief the Court deems proper as a result of Defendant's CCPA violations.") (emph. added)
12 See, e.g., Complaint, Slickwraps at 48; Complaint, Hernandez at 37-38.
13 See Cal. Bus. & Prof. Code § 17200.
14 See Am. Bankers Mgmt. Co., Inc. v. Heryford, 885 F.3d 629, 632 (9th Cir. 2018).
15 See, e.g., Complaint, G.R. v. TikTok, No. 2:20-cv-04537, at 9 (C.D. Cal. May 20, 2020); Complaint, Sweeney v. Life on Air, No. 3:20-cv-00742,at 21 (S.D. Cal. April 17, 2020).
16 See e.g., Complaint, TikTok at 10; Complaint, Sweeney at 22.
17 See Complaint, Sweeney at 3-4.
18 See Id.
19 See, e.g., Complaint, Sean Burke and James Pomerene v. Clearview AI, et al., No. 3:20-cv-00370-BAS-MSB, at 22 (S.D. Cal. June 14, 2020); Complaint, Cullen v. Zoom, No. 5:20-cv-02155-LHK, at 12 (N.D. Cal. March 30, 2020).
20 See, e.g., Complaint, Burke at 24; Complaint, Cullen at 14.
21 Complaint, Burke at 2-4, 11-13, 14-17, and 22-24.
22 See Id. at 22-24.
23 Cal. Civ. Code § 1798.150(c).
24 Complaint, Sheth v. Ring, No. 2:20-cv-01538-ODW-PJW, at 11 (C.D. Cal. Feb. 18, 2020).
25 Id. at 20-21.
26 See Complaint, Bombora v. ZoomInfo, No. 20-cv-365858 (Cal. Super. Ct. June 10, 2020).
27 See Complaint, California v. TWC Prod. and Tech., LLC, No. 19-STCV-00605 (Cal. Super. Ct. Jan. 3, 2019).
28 Due to the COVID-19-created backlog in the court, TWC's motion is not set to be heard until February 2021.
29 Defendants' Notice of Motion and Motion for Summary Judgment on Defendants' Affirmative Defense of Equitable Abstention, California v. TWC Prod. and Tech., LLC, No. 19-STCV-00605, at 1 (Cal. Super. Ct. June 11, 2020).
30 Id. at 2 (emphasis in original).
31 Id. at 20 (quotation omitted).
Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem. Moreover, the laws of each jurisdiction are different and are constantly changing. If you have specific questions regarding a particular fact situation, we urge you to consult competent legal counsel.