Resource Center / Tools and Trackers / How Defendants Are Attacking CCPA Claims
How Defendants Are Attacking CCPA Claims
This chart identifies some of the arguments raised by defendants seeking to avoid liability for alleged violations of the CCPA.
Published: August 2021
Contributor:
The California Consumer Privacy Act provides a limited private right of action under Section 1798.150 against businesses failing to protect personal information from unauthorized disclosure. Plaintiffs have brought more than 140 CCPA-related actions to date. This resource identifies some of the arguments raised by defendants seeking to avoid liability for alleged violations of the CCPA.
CCPA Section 1798.150
(a) (1) Any consumer whose nonencrypted and nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action…
(b) Actions pursuant to this section may be brought by a consumer if, prior to initiating any action against a business for statutory damages on an individual or class-wide basis, a consumer provides a business 30 days’ written notice identifying the specific provisions of this title the consumer alleges have been or are being violated…
(c) The cause of action established by this section shall apply only to violations as defined in subdivision (a) and shall not be based on violations of any other section of this title…
-
- The CCPA does not apply retroactively.
Gardiner v. Walmart, Inc., No. 4:20-CV-04618, N.D. Cal. (March 2021, order granting motion to dismiss.)
- The CCPA does not apply retroactively.
-
- Plaintiff must satisfy the CCPA’s definition of “consumer” in Section 1798.140 to bring a claim.
McCoy v. Alphabet, No. 5:20-CV-05427, N.D. Cal. (Sept. 2020, Google motion to dismiss.)
- Plaintiff must satisfy the CCPA’s definition of “consumer” in Section 1798.140 to bring a claim.
-
- Plaintiff fails to state a CCPA claim because she fails to allege facts showing her personal information was in a “nonencrypted and nonredacted” form
Karter v. Epiq Systems, Inc., No. 8:20-CV-01385, C.D. Cal. (March 2021, Epiq motion to dismiss.)
- Plaintiff fails to state a CCPA claim because she fails to allege facts showing her personal information was in a “nonencrypted and nonredacted” form
-
- Plaintiff must plead facts showing the defendant’s deficient security procedures and practices caused the unauthorized access or disclosure.
Shay v. Apple, Inc., No. 3:20-CV-01629, S.D. Cal. (Oct. 2020, Apple motion to dismiss.)
- Plaintiff must plead facts showing the defendant’s deficient security procedures and practices caused the unauthorized access or disclosure.
-
- Plaintiff incorrectly relies on the CCPA’s definition of “personal information” in Section 1798.140, rather than the more limited definition from Section 1798.81.5(d)(1)(A).
Shay v. Apple, Inc., No. 3:20-CV-01629, S.D. Cal. (Oct. 2020, Apple motion to dismiss.)
- Plaintiff incorrectly relies on the CCPA’s definition of “personal information” in Section 1798.140, rather than the more limited definition from Section 1798.81.5(d)(1)(A).
-
- Defendant does not meet the definition of “business” in Section 1798.140. For example, it is a “service provider.”
Hayden v. The Retail Equation, No. 8:20-CV-01203, C.D. Cal. (Nov. 2020, The Retail Equation motion to dismiss.)
- Defendant does not meet the definition of “business” in Section 1798.140. For example, it is a “service provider.”
-
- Plaintiff failed to allege the defendant ever possessed or had any responsibility for protecting the plaintiff’s personal information.
Flores-Mendez v. Zoosk, Inc., No. 3:20-CV-4929, N.D. Cal. (Nov. 2020, Spark Networks SE motion to dismiss.)
- Plaintiff failed to allege the defendant ever possessed or had any responsibility for protecting the plaintiff’s personal information.
-
- Plaintiff must show both unauthorized access and deficient security procedures and practices.
Gershfeld v. Teamviewer US, Inc., No. 8:21-CV-00058, C.D. Cal. (May 2021, Teamviewer motion to dismiss.)
- Plaintiff must show both unauthorized access and deficient security procedures and practices.
-
- Plaintiff brought a claim for statutory damages yet failed to provide the required 30-day pre-suit notice to cure the alleged violation.
Rahman v. Marriott In’t, Inc., No. 8:20-CV-00654, C.D. Cal. (Sept. 2020, Marriott motion to dismiss).
- Plaintiff brought a claim for statutory damages yet failed to provide the required 30-day pre-suit notice to cure the alleged violation.
-
- The CCPA private right of action applies narrowly, only to security breaches, rather than, for example, violations of the notice and disclosure requirements in Section 1798.110.
McCoy v. Alphabet, No. 5:20-CV-05427, N.D. Cal. (Sept. 2020, Google motion to dismiss).
Hayden v. The Retail Equation, No. 8:20-CV-01203, C.D. Cal. (Nov. 2020, The Retail Equation motion to dismiss).
- The CCPA private right of action applies narrowly, only to security breaches, rather than, for example, violations of the notice and disclosure requirements in Section 1798.110.
In addition to the CCPA-specific arguments identified above, defendants are challenging whether federal courts have subject matter jurisdiction over CCPA and other privacy related claims, arguing plaintiffs do not have the required Article III standing. Standing requires a plaintiff to show, among other elements, they suffered an injury in fact. To establish an injury in fact, there must be “an invasion of a legally protected interest” that is “concrete and particularized” and “actual or imminent, not conjectural or hypothetical.” A district court in the Ninth Circuit dismissed a complaint containing a CCPA claim for lack of standing. Rahman v. Marriott In’t, Inc., No. 8:20-CV-00654, C.D. Cal. (Jan. 2021, order granting motion to dismiss).
Defendants also are contesting whether a court can exercise personal jurisdiction over a non-resident defendant. Flores-Mendez v. Zoosk, Inc., No. 3:20-CV-4929, N.D. Cal. (Nov. 2020, Spark Networks SE motion to dismiss on personal jurisdiction).