The first wave of California Consumer Privacy Act litigation has begun to roll in, and the complaints are already raising interesting questions about the scope of CCPA’s private right of action. The actions assert a variety of claims under numerous theories and present a broad range of potential risks to businesses subject to CCPA. In light of the many questions that surround CCPA’s private right of action, the extent of possible liability from private litigation is still largely unknown and potentially significant.
The first wave of private lawsuits filed under the California Consumer Privacy Act (CCPA) has begun to roll in, and the complaints are already raising interesting questions about the scope of CCPA’s private right of action. The recent explosion in popularity of video conferencing and social media software in response to the COVID-19 pandemic—and the technical issues some of these products have experienced—has inspired its own wave of litigation, with several cases alleging violations of CCPA along with other laws. The flurry of litigation activity makes clear the importance of CCPA compliance, particularly in the current challenging business environment. Although it’s too early to tell how these lawsuits will play out, some themes are emerging.
Refresher on CCPA Private Right of Action
Businesses are now familiar with the long list of privacy obligations imposed by CCPA and enforceable by the California attorney general. Although CCPA contains a private right of action, that right is applicable only to CCPA’s sole data security provision. Cal. Civ. Code § 1798.150 authorizes consumers to institute a civil action against a business whose failure to implement and maintain reasonable security procedures resulted in the unauthorized access and exfiltration, theft or disclosure of the consumer’s nonencrypted and nonredacted personal information. The definition of “personal information” in the context of § 1798.150 is narrower than the expansive definition applicable to other CCPA provisions, applying only to an individual’s name together with an identifying data element, such as a Social Security number, driver’s license number or medical information. A plaintiff may seek injunctive or declaratory relief, actual damages or statutory damages in an amount not less than $100 and not greater than $750 per consumer, per incident. Before seeking statutory damages, however, the consumer must provide the business 30 days’ written notice to cure the alleged violation. The “notice and cure” provision is the subject of some controversy, because CCPA does not explain how a violation that resulted in a data breach can be “cured.” CCPA also explicitly prohibits consumers from using alleged violations of its provisions “to serve as the basis for a private right of action under any other law,” thus, in theory, prohibiting a plaintiff from alleging that a CCPA violation constitutes a violation of the California Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200, et seq. or other statutes. That hasn’t stopped plaintiffs from trying, as described below.
Theme #1: Suits Brought as Class Actions
Most, if not all, of the lawsuits brought under CCPA thus far have been brought as class actions. (Taylor v. Zoom Video Communications, Inc., No. 5:20-cv-02170 (N.D. Cal. Mar. 31, 2020) (Taylor); Hurvitz v. Zoom Video Communications, Inc. et al., No. 2:20-cv-03400 (C.D. Cal. Apr. 13, 2020) (Hurvitz); Sweeney v. Life on Air, Inc. et al., No. 3:20-cv-00742 (S.D. Cal. Apr. 17, 2020) (Sweeney)). This result was anticipated, as the damages element of the CCPA private right of action encourages class actions. Plaintiffs are able to obtain statutory damages, and they can obtain them on a per incident, per customer basis. Plaintiffs have, unsurprisingly, been enticed by the ability to obtain significant damages without proving actual harm.
Theme #2: Complaints Not Limited to CCPA Claims
Many of the actions brought so far contain claims under other statutes or common law. In Fuentes v. Sunshine Behavioral Health Group LLC, No. 8:20-cv-00487 (C.D. Cal. Mar. 10, 2020) (Fuentes), the plaintiffs brought 11 claims in addition to the CCPA claim, both statutory and common law, including claims of negligence, negligence per se, breach of contract and breach of implied contract. Likewise, in both the Taylor and Hurvitz class action complaints, the plaintiffs brought six claims in addition to asserted violations of CCPA. Though not unexpected, this pattern demonstrates that businesses must be prepared to defend a wide range of claims in addition to any alleged CCPA violations.
Theme #3: Leveraging CCPA to Make Other Claims
Rather than make claims under CCPA, several plaintiffs have used violations of CCPA as a springboard from which to make claims under other statutes. In Hurvitz, the plaintiffs allege that defendant Zoom Video Communications (Zoom) violated the provision of CCPA requiring a business to provide notice to consumers of the categories and uses of personal information it collects at or before the point of collection, and prohibiting the business from collecting additional categories of personal information or using personal information for additional purposes without providing additional notice. (See Cal. Civ. Code § 1798.100(b); Hurvitz Complaint, ¶ 213.) Because a literal reading of CCPA would prohibit private plaintiffs from enforcing these provisions, the Hurvitz plaintiffs instead allege that the violation constitutes an unlawful practice in violation of the California Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200, et seq. A complaint filed this past week uses CCPA in a similar manner. (See Saint Paulus Lutheran Church et al. v. Zoom Video Communications, Inc., No. 5:20-cv-03252 (N.D. Cal. May 13, 2020) (Saint Paulus Lutheran Church).)
The Hurvitz and Saint Paulus Lutheran Church plaintiffs’ attempt to use CCPA to allege an unfair trade practices claim creates interesting questions for the courts to address. As noted above, CCPA prohibits private plaintiffs from using any of its provisions to serve as the basis for a private right of action under any other law. (See Cal. Civ. Code § 1798.150(c).) Therefore, it is not clear that claims such as those made by the Hurvitz and Saint Paulus Lutheran Church plaintiffs are authorized by CCPA. If such claims are upheld, they would create a functional back-door private right of action for the privacy provisions of CCPA.
Theme #4: Actions Filed in Federal Court
Most, if not all, of the CCPA actions to date have been filed in federal court. (See, e.g., Taylor, Hurvitz, Sweeney, Fuentes, Saint Paulus Lutheran Church, Barnes v. Hanna Andersson LLC, No. 3:20-cv-00812 (N.D. Cal. Mar. 9, 2020).) The jurisdictional basis for such actions is the Class Action Fairness Act, 28 U.S.C. § 1332(d), which provides for federal jurisdiction for class-action claims comprising a class of at least 100 members and alleging an amount in controversy of at least $5 million, provided that minimal diversity exists (i.e., at least one plaintiff must be domiciled in a different state than at least one defendant). The fact that these claims have been brought in federal court creates an interesting dynamic whereby the federal courts may have the opportunity to examine and adjudicate CCPA before California state courts do. This trend may incentivize the California attorney general to bring early enforcement actions to establish binding precedent in state courts before many cases are adjudicated by the federal courts.
Theme #5: Claims Brought for Violations of CCPA Privacy Provisions
Although CCPA’s private right of action is explicitly limited to allegations of injury suffered in the context of data breaches arising from the defendant’s failure to provide “reasonable security,” plaintiffs are nonetheless bringing claims for violations of the privacy provisions of CCPA. The Sweeney plaintiffs, for instance, alleged violations of (i) Cal. Civ. Code § 1798.100(b), requiring notice at or before the point at which personal information is collected and limiting additional uses of personal information; (ii) Cal. Civ. Code § 1798.120(b), requiring a business to provide notice of the right to opt-out of sales of personal information; (iii) Cal. Civ. Code § 1798.135(a)(1), requiring a “Do Not Sell My Personal Information” link on a business’s homepage; and (iv) Cal. Civ. Code § 1798.135(a)(6), requiring a business to use information collected in connection with an opt-out request solely to comply with the opt-out request. (See Sweeney Complaint, ¶¶ 102-105.) Likewise, the Taylor plaintiffs alleged violations of Cal. Civ. Code §§ 1798.100(b) and 1798.120(b). (See Taylor Complaint, ¶¶ 131-132.) Although none of these claims appears to be sustainable under the plain text of CCPA, it remains for the courts to clarify the scope of the private right of action.
Theme #6: Creative Applications of Private Right of Action
Plaintiffs are also bringing claims that will force courts to confront some of the more ambiguous provisions of CCPA’s private right of action for data breaches. In Cullen v. Zoom Video Communications, Inc., No. 5:20-cv-02155 (N.D. Cal. Mar. 30, 2020) (Cullen), for instance, the complaint alleges that the defendant violated its duty to implement and maintain reasonable security procedures and practices, resulting in the unauthorized disclosure of plaintiffs’ nonencrypted and nonredacted personal information. (See Cullen Complaint ¶ 34.) For a period of time, Zoom’s iOS app featured a digital advertising platform’s software development kit (SDK) that collected certain device identifiers, such as device carrier, device model and time zone. Several days after an article was published on the SDK, Zoom released a blog post stating that it had been unaware that the SDK was collecting the device identifiers, and had removed the SDK from the iOS client. The Cullen complaint appears to allege (i) that Zoom’s decision to remove the SDK demonstrates that the access to and disclosure of the device identifiers was unauthorized and (ii) that Zoom’s ability to quickly remedy the problem demonstrates that Zoom failed to implement and maintain reasonable security procedures and practices. (See Cullen Complaint ¶ 37.)
The Cullen complaint may bring some clarity to the meaning of the terms “unauthorized access” and “reasonable security procedures and practices” in the CCPA’s private right of action. Although the private right of action is widely understood to protect only against data breaches, the Cullen plaintiffs make at least a colorable allegation that the right of action may apply to exchanges of information between business partners. The Cullen claim may fail on other grounds—it does not appear that the device identifiers at issue constitute “personal information,” and it’s not clear the plaintiffs provided the statutorily required 30 days’ notice to cure—but the case nonetheless raises important questions about the extent of the private right of action. If the Cullen or similar claims are successful, the scope of culpability under the private right of action could be expansive.
The first round of CCPA litigation drives home the point that CCPA is being enforced. The actions assert a variety of claims under numerous theories and present a broad range of potential risks to businesses subject to CCPA. In light of the many questions that surround CCPA’s private right of action, the extent of possible liability from private litigation is still largely unknown and potentially significant.