The private right of action in the California Consumer Privacy Act has generated substantial commentary. Now that plaintiffs have started to bring lawsuits alleging violations of the CCPA, we can see how these claims are being pleaded and the novel questions courts will be asked to consider.
Litigation on these issues seems likely, as litigants seek to define the scope of this remedy for consumers.
CCPA private right of action
Section 1798.150(a)(1) of the CCPA provides a private right of action to “[a]ny consumer whose nonencrypted and nonredacted personal information ... is subject to an unauthorized access and exfiltration, theft, or disclosure” as a result of a business violating “the duty to implement and maintain reasonable security procedures and practices....” The term “personal information” is defined more narrowly for purposes of the private right of action, using the definition in Section 1798.81.5(d)(1)(A) of California’s Customer Records Act rather than the CCPA’s broad general definition. “Personal information” under that section of the CRA means an individual’s first name or first initial and last name “in combination” with one or more listed “data elements,” such as a Social Security number, driver’s license or other identification number, account number or credit or debit card number together with any required access code or password, medical or health insurance information, or unique biometric data. Two consequences follow for security practitioners: data that was encrypted or redacted at the time of the incident falls outside the private right of action, and so does data that does not combine a name with one of the listed elements.
The remedies available under the private right of action include statutory damages of between $100 and $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and a catch-all for “any other relief the court deems proper.”
There are provisions limiting the private right of action. Pursuant to Section 1798.150(b), a consumer seeking statutory damages must give the business an opportunity to “cure” the alleged violation by sending it a written notice identifying the specific provisions violated before filing suit. If the business cures the noticed violation within 30 days and provides the consumer “an express written statement” that the violations have been cured and that no further violations shall occur, a claim for statutory damages cannot be pursued. The notice requirement applies only to claims for statutory damages; an action solely for actual pecuniary damages does not require prior notice.
In addition, Section 1798.150(c) states the private right of action only applies to violations defined in 1798.150(a) “and shall not be based on violations of any other section of this title.” It also provides “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”
Types of claims
The IAPP has collected complaints alleging violations of the CCPA in its "CCPA Genius" tool under the enforcement section. These lawsuits illustrate the different approaches plaintiffs are taking with respect to pleading CCPA claims.
- Data breaches
Some complaints are based on alleged data breaches, like Barnes v. Hanna Andersson & Salesforce.com (amended complaint), Fuentes v. Sunshine Behavioral Health Group, Rahman v. Marriott and Lopez v. Tandem Diabetes Care. They generally claim the defendants failed to take adequate data security measures and the plaintiffs’ personal information was subject to “unauthorized access and exfiltration, theft, or disclosure.” These types of cases appear to fit within the anticipated scope of the CCPA’s private right of action.
- Failure to comply with CCPA notice and opt-out provisions
Other claims, like the lawsuits against Houseparty, Ring, and Zoom, are premised on a failure to comply with the CCPA’s notice and opt-out provisions.
In the Houseparty case, Sweeney v. Life on Air, Inc. & Epic Games, Inc., the plaintiff alleges defendants failed to notify her they were “collecting, using, or selling” her personally identifiable information “to unauthorized third parties like Facebook” when she used the application. She claims this conduct violated the CCPA, citing the provisions regarding notice at collection (Section 1798.100(b)) and opt-out rights (Sections 1798.120(b) and 1798.135(a)(1)).
Sheth v. Ring also is not based on a data breach, but on a claim that the defendant does not implement adequate security measures and shares its customers’ personal information “with unauthorized third parties without the customers’ informed consent.” The complaint alleges this conduct violates the CCPA’s notice and opt-out provisions.
There also are similar cases against Zoom based on its alleged disclosure of personal information to third parties, like Facebook, including Kirpekar v. Zoom, Cullen v. Zoom, and Henry v. Zoom.
Given the restrictive language in Section 1798.150(c) limiting the private right of action, defendants can be expected to challenge these claims.
- Unfair competition law claims
As many commentators anticipated, many of the class actions assert that a violation of the CCPA constitutes a violation of California’s Unfair Competition Law.
The Kirpekar v. Zoom complaint has a count for violation of the CCPA but also alleges that a violation of the CCPA constitutes “unlawful activity” in the UCL count. In Almeida, et al. v. Slickwraps, an alleged data breach case, the plaintiff does not assert a separate CCPA claim but includes the CCPA in listing the alleged statutory violations that constitute unlawful business practices under the UCL.
Burke v. Clearview AI, a case based on Clearview’s “scraping” of websites for images of consumers’ faces, brings a UCL claim “predicated on” violations of the CCPA. Burke alleges the defendants failed to comply with the CCPA by collecting biometric information without providing the required notice, citing Section 1798.100(b).
Again, the courts will need to decide if the language in 1798.150(c) stating the CCPA should not be “interpreted to serve as the basis for a private right of action under any other law” precludes these claims.
Retroactive application
Another issue plaintiffs are testing is whether courts will apply the CCPA retroactively to conduct that occurred prior to the law’s Jan. 1, 2020, effective date.
The CCPA claim in Barnes is based upon Hanna Andersson’s third-party e-commerce platform being infected with malware between September and November 2019. Fuentes alleges the defendant learned of the data breach involving patient records in September 2019 and took action “to remove the records from general internet access” in November 2019. According to the respective complaints, the plaintiffs did not receive notice of these data breaches until January 2020.
The CCPA does not address whether it applies retroactively, and California’s general presumption against retroactive application of statutes suggests it will be a difficult argument to make. Perhaps in an effort to avoid this issue, the Barnes amended complaint includes an allegation that the personally identifiable information was subject to further unauthorized access and disclosure on the dark web “where hackers further disclosed ... Hanna’s customers’ PII in 2019 and after (Jan. 1).” Whether an allegation of continuing post-effective-date disclosure will be enough to avoid a retroactivity defense remains to be seen.
Definition of personal information
Another issue likely to be litigated is whether the “personal information” allegedly subject to unauthorized access and disclosure meets the applicable statutory definition.
In Rahman v. Marriott, a Marriott Bonvoy member alleges his data was stolen in the data breach Marriott announced on March 31, 2020. According to the complaint, Marriott’s privacy team told Rahman the personal information involved contact details, additional personal details (like company, gender and birthdate), loyalty account information (but not passwords), partnerships and affiliations like linked airline loyalty programs, and room preferences. In a news release regarding the incident, Marriott specifically stated it “has no reason to believe that the information involved included ... account passwords or PINs, payment card information, passport information, national IDs, or driver’s license numbers.”
Will these allegations be enough to establish “personal information” was disclosed as that term is defined in Section 1798.150(a)(1)?
The lawsuits against Zoom may be subject to a similar challenge. In the Kirpekar case, the unauthorized disclosure described in the complaint involved the Zoom app sending Facebook certain device information, including “users’ mobile operating system type and version, the device time zone, the device model and the device’s unique advertising identifier,” none of which is among the data elements listed in the Customer Records Act definition.
Plaintiffs who are not California residents
The CCPA defines “consumer” as “a natural person who is a California resident.” Nevertheless, several of the class actions alleging CCPA claims have named plaintiffs who do not reside in California, including Fuentes (Pennsylvania), Sheth v. Ring (Washington), Lopez v. Tandem Diabetes Care, Inc. (Texas), and Henry v. Zoom (New York).
It is unclear how courts will deal with this issue in the class-action context. While class members who are California residents may be able to assert a CCPA claim, is that enough where it is undisputed the lead plaintiff is not?
The 'cure' provision
Plaintiffs are filing suit without first giving the defendant business the 30 days the statute allows to “cure” the alleged violation.
For example, the data breach in Rahman v. Marriott was announced March 31 and the lawsuit was filed April 3. The CCPA count alleges the plaintiff served Marriott with written notice of the alleged violations prior to filing suit and states the complaint will be amended to seek statutory damages if Marriott does not cure within the 30-day period. Several of the other lawsuits take the same approach. It will be interesting to see how courts handle this statutory prerequisite given the ability of plaintiffs to amend.
Looking forward
As courts address these issues and others, the scope of the CCPA’s private right of action should begin to take shape. The IAPP will continue to monitor CCPA litigation for decisions on these issues and additional lawsuits that may further define this remedy.