Key Developments in CCPA Litigation for Q1 2021

As we move deeper into the second year of CCPA litigation, the substantive issues continue to develop and we remain focused on the patterns and implications of recent filings and rulings.  In this post, we highlight notable developments in three cases that occurred in the first quarter of 2021.  These cases raise significant issues regarding judicial interpretation of the private right of action in the CCPA, the definition of a “data breach,” and CCPA plaintiffs’ ability to access pre-complaint discovery.

CCPA Claim Dismissed For Lack Of Data Breach Allegations

On August 5, 2020, Plaintiff filed a class action complaint against Defendants Alphabet, Inc. and Google, LLC in the Northern District of California.  Plaintiff alleged that Defendants monitored and collected Android Smartphone users’ sensitive personal data without those users’ consent when they interacted with non-Google applications on their smartphones.  Plaintiff’s CCPA cause of action was based on Defendants’ failure to disclose these activities in violation of Cal. Civ. Code § 1798.100(b).  Plaintiff’s proposed class definition included “All Android Smartphone users from at least as early as January 1, 2014 through the present.”

On September 30, 2020, Defendants moved to dismiss the CCPA claim, arguing that (1) Plaintiff failed to allege that his information was subject to a data breach; and (2) Plaintiff, as a New York resident, had no standing under the CCPA, which only provides relief to California residents.

On February 2, 2021, the court dismissed the CCPA claim with prejudice, finding that the complaint did not allege that any personal information was subject to unauthorized access as a result of a security breach.  The court reasoned that the CCPA only conferred “a private right of action” for violations related to “personal information security breaches,” and that Plaintiff was therefore unable to state a claim.  The court also observed that Civil Code § 1798.150(c) explicitly states that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”  McCoy v. Alphabet, Inc., No. 20-CV-05427-SVK, 2021 WL 405816 (N.D. Cal. Feb. 2, 2021).

On February 16, 2021, Plaintiff filed an Amended Complaint that alleges a violation of California’s Unfair Competition Law (“UCL”) using the alleged CCPA violation as a predicate.  It will be relevant to follow how the court addresses Plaintiff’s attempt to transform his dismissed CCPA claim into a UCL claim, in light of the court’s observation that the CCPA does not provide a basis for a private right of action under other laws.

McCoy v. Alphabet, Inc. et al., 5:20-cv-05427 (N.D. Cal.).

Plaintiffs Allege Numerous, Individualized “Data Breaches”

On April 1, 2021, Plaintiffs filed a Consolidated Class Action Complaint against Bank of America in the Northern District of California.  Plaintiffs allege that Bank of America issued Visa debit cards containing public benefit disbursements to recipients, including Plaintiffs and other members of the class, that were purportedly prone to breaches because the cards utilized outdated magnetic stripe technology, rather than the EMV chips that have allegedly become the industry standard due to improved security features.  Plaintiffs’ CCPA cause of action alleges that as a result of the inadequate security safeguards, the cardholders suffered unauthorized access and disclosure of their personal information that resulted in their funds being stolen through unauthorized transactions.

The statutory language of the CCPA indicates that a claim must be connected to a data breach.  Cal. Civ. Code § 1798.150.  Unlike most cases, Plaintiffs do not allege that a single, centralized data breach occurred.  Instead, Plaintiffs allege that Bank of America’s card design permitted individual data breaches of each cardholder.  This theory raises questions about what qualifies as a data breach under the CCPA and whether the design of a consumer product that renders the product vulnerable to breach, followed by actual breaches, qualifies.  A judicial determination of this issue could help define the scope of similar consumer actions.

Yick v. Bank of America, N.A., 3:21-cv-376 (N.D. Cal.).

Defendant Compelled To Disclose Information Related To Data Breach Investigations

On April 16, 2021, Plaintiffs filed a redacted Consolidated Class Action Complaint against Blackbaud, Inc. in the District of South Carolina.  Plaintiffs allege that Blackbaud provides data security services for sensitive information, and that Plaintiffs and the class members are Blackbaud’s clients.  Plaintiffs’ CCPA cause of action alleges that as a result of a data breach, cybercriminals stole the sensitive private information that Plaintiffs entrusted to Blackbaud.

Of note, the early proceedings in this case have included the forced production of Blackbaud’s forensic report on the data breach.  The report was apparently compiled independent of the litigation and, upon learning of the report, the Court ordered Blackbaud to immediately produce the forensic report and allowed Plaintiffs to use that report in drafting a consolidated complaint.  This is an issue that we’ve explored previously (here and here).  Companies need to be vigilant and deliberate in how they approach the issue of internal investigations concerning data breaches where litigation could arise.

In re Blackbaud, Inc., Customer Data Breach Litigation, 3:20-mn-02972-JMC, MDL No. 2972 (D.S.C.).

As these and other CCPA-related cases progress through the litigation stages, we will continue to provide updates.  Our prior summaries of CCPA-related litigation can be found in our CCPA Litigation Round-ups for Q1 2020, Q2 2020, and Q3 & Q4 2020. We will continue to report on relevant developments in CCPA litigation and provide updates in our CCPA Litigation Tracker.

If you have any questions about defending and/or preparing for a potential privacy consumer class action, please reach out to our team, and if you have questions on your privacy compliance strategy, please reach out to our privacy compliance team.

On the latest episode of the Ad Law Access Podcast, Kelley Drye Partner Alysa Hutnik and Robert Cunningham, Head of Legal, at Ketch discuss the state of privacy, tracking, compliance technology and tools, and strategies privacy lawyers and others can use to help do their jobs. As you would expect, there are some practical tips to take away. Listen here or wherever you get your podcasts.

It has been a full year since the California Consumer Privacy Act (“CCPA”) took effect at the top of 2020. In the cases filed in the second half of the year, the complaints more frequently assert a violation of the CCPA as a standalone cause of action, though it remains common for a CCPA violation to be asserted as a predicate to support a separate cause of action, such as a violation of California’s Unfair Competition Law (“UCL”).

In this post, we include our round-up of representative cases filed in the third and fourth quarters of the year. Our prior summaries of CCPA-related litigation filed last year can be found in our Q1 2020 CCPA Litigation Round-Up and CCPA Litigation Round-Up: Q2 2020. We have separately analyzed trends emerging from the 2020 CCPA litigation landscape. Going forward into 2021, we will continue to report on relevant developments in CCPA consumer litigation, and also provide updates in our CCPA Litigation Tracker chart.

1. Cases Filed in Q3/Q4 2020 Alleging Direct Violation of CCPA

Shadi Hayden v. The Retail Equation, Inc. et al., No. 8:20-cv-01203 (C.D. Cal.)

On August 3, a class action amended complaint was filed by thirteen named plaintiffs against The Retail Equation, Inc. (“TRE”) and a variety of retailers: Sephora USA, Inc., Advance Auto Body Parts, Inc., Bed Bath & Beyond, Inc., Best Buy Co., Inc., Buy Buy Baby, Inc., Caleres, Inc., CVS Health Corporation, Dick’s Sporting Goods, Inc., L Brands, Inc., Stein Mart, Inc., The Gap, Inc., The Home Depot, Inc., and The TJX Companies, Inc. (the “Defendant Retailers”) in the District Court for the Central District of California.  Plaintiffs’ CCPA claim alleges that the Defendant Retailers, without their customers’ knowledge or consent, collect large amounts of data about their retail customers, including: (1) “Consumer Commercial Activity Data,” which includes “the unique purchase, return, and/or exchange histories of individuals consumers”; and (2) “Consumer ID Data,” which includes “the unique identification information contained on or within a consumer’s driver’s license, government-issued ID card, and/or passport” such as “the consumer’s name, date of birth, race, sex, photograph, complete street address, and zip code.” Plaintiffs allege that this data is shared with TRE as non-anonymized, individual data sets, which TRE processes to create consumer reports and a risk score for each customer. The risk score is allegedly used to advise the retailer about whether a customer’s attempted return or exchange is fraudulent or abusive.  The amended complaint alleges that “Defendants’ policies and practices failed to hold plaintiffs’ and Class members’ personal information secure by, for example, [the Retailer Defendants’ sharing of] the personal information . . . in an unsecured, unrestricted manner with TRE to create consumer reports and generate a ‘risk score’ that TRE then shared with other Defendant Retailers alongside other personal information.”

McCoy v. Alphabet, Inc. et al., 5:20-cv-05427 (N.D. Cal.)

On August 5, 2020, plaintiff Robert McCoy filed a class action complaint against defendants Alphabet Inc. and Google LLC for monitoring and collecting the sensitive personal data of Android Smartphone users when they interact with non-Google applications on their smartphones, without obtaining consent. This personal data includes the duration of time spent on non-Google apps and how frequently those apps are opened.  Plaintiff’s CCPA cause of action alleges that defendants failed to disclose that they collect the class members’ personal data and the true purpose for collecting the data, which plaintiff alleges is to gain a competitive edge over rival companies. Plaintiff’s proposed class definition includes “All Android Smartphone users from at least as early as January 1, 2014 through the present.”

On September 30, 2020, Google filed a Motion to Dismiss, including arguments that the CCPA claim fails because (1) plaintiff fails to allege his information was subject to a data breach; and (2) relief is only available to a consumer, which is defined as a “California resident,” and plaintiff is a New York resident.

Guzman v. RLI Corp. et al., No. 2:20-cv-08318 (C.D. Cal.)

On September 10, 2020, plaintiff Jose Guzman filed a class action complaint against defendants RLI Corp. and RLI Insurance Company alleging that defendants, through the Pacer filing service, disclosed the login credentials to computer systems containing personal and confidential information of class members. Plaintiff alleges that as a surety, defendants requested access to the records of Libre by Nexus, which secures bonds for detained undocumented immigrants. Plaintiff alleges that, in a separate suit, defendants disclosed Libre’s login credentials by filing them publicly, giving anyone with a Pacer login access to class members’ personal and confidential information including dates of birth, names of minor children, home address, Social Security Numbers, and taxpayer identification numbers and financial account information.

On October 22, 2020, defendants filed a Motion to Dismiss, including arguments that the CCPA claim fails because: (1) defendants’ access was court-authorized and therefore not unauthorized; (2) plaintiff failed to establish that there was a “violation of the duty to implement and maintain reasonable security procedures and practices”; and (3) plaintiff did not comply with the mandatory 30-day notice and cure provision. On November 6, 2020, the action was voluntarily dismissed without prejudice.

Gardiner v. Walmart Inc. et al., 4:20-cv-04618 (N.D. Cal.)

On July 10, 2020, plaintiff Lavarious Gardiner filed a class action complaint against retailer Walmart alleging that vulnerabilities on Walmart’s website led to breaches of Walmart’s systems, allowing hackers to steal customers’ personally identifiable information (including full names, addresses, financial account information, and credit card information), and allowed hackers to attack Walmart’s customers’ computers directly as well. The CCPA cause of action alleges that Walmart violated its duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information. On October 29, 2020, the Parties stipulated to a briefing schedule on defendant’s Motion to Dismiss which is scheduled to be completed by February 3, 2021.

Flores-Mendez et al v. Zoosk, Inc. et al., 3:20-cv-04929 (N.D. Cal.)

On July 22, 2020, plaintiffs Juan Flores-Mendez and Amber Collins filed a class action complaint against Zoosk, Inc., an online dating site, and its parent company, Spark Networks SE, alleging that cybercriminals hacked and obtained 30 million of Zoosk’s user records, containing users’ names, email addresses, dates of birth, and passwords, due to Zoosk’s failure to maintain reasonable security controls and systems.  Plaintiffs sought only injunctive and equitable relief but alleged that if Zoosk could not cure the breach within 30 days of its July 14 notice letter, they intended to amend to seek actual and statutory damages. On October 30, 2020, plaintiffs filed an Amended Complaint.

Warshawsky et al v. cbdMD, Inc et al., No. 3:20-cv-00562 (W.D.N.C.)

On October 9, 2020, plaintiffs Michael Warshawsky and Michael Steinhauser filed a class action complaint against cbdMD Inc., and CBD Industries, LLC. Plaintiffs allege that due to two data breaches, hackers accessed consumers’ names, credit card numbers, CVV security codes, credit card expiration dates, addresses, email addresses, and bank account numbers. Plaintiffs’ CCPA cause of action alleges that defendants’ computer systems and data security practices were inadequate to safeguard its customers’ personal information.

Diczhazy et al v. Dickeys Barbecue Restaurants Inc. et al., No. 3:20-cv-2189 (C.D. Cal.)

On November 9, 2020, plaintiffs Ross Diczhazy and Wesley Etheridge II filed a class action complaint against Dickey’s Barbecue Restaurants Inc. and Dickey’s Capital Group, Inc. for their alleged failure to secure and safeguard the names, payment card numbers and security codes of proposed class members in a data breach in violation of the CCPA. The complaint proposes two classes: (a) All California residents who made a purchase from Dickey’s using a payment card, or otherwise disclosed payment card information to Dickey’s, since January 1, 2020, and whose personal information was compromised including as part of the Joker’s Stash BlazingSun data set; and (b) All persons who made a purchase from Dickey’s using a payment card, or otherwise disclosed payment card information to Dickey’s, since January 1, 2018, and whose personal information was compromised including as part of the Joker’s Stash BlazingSun data set.

Marquez v. Dickey’s Barbecue Restaurants, Inc. et al., No. 3:20-cv-2251 (S.D. Cal.)

On November 18, 2020, plaintiff Jose Luis Marquez also filed a class action complaint against Dickey’s Barbecue Restaurants Inc. and Dickey’s Capital Group, Inc. for their failure to secure and safeguard their customers’ personal identifying information. As in Diczhazy (above), there is a nationwide class as well as a California subclass alleged: (a) All persons residing in the United States who made a credit or debit card purchase at any affected Dickey’s Barbecue Pit restaurant during the period of the Data Breach; and (b) All persons residing in the State of California who made a credit or debit card purchase at any affected Dickey’s Barbecue Pit restaurant during the period of the Data Breach.

Gitner v. U.S. Bank National Association et al., No. 0:20-cv-02101 (D. Minn.)

On November 20, 2020, plaintiff Barry Gitner filed a first amended class action complaint in the District of Minnesota against U.S. Bank National Association and U.S. Bancorp for their alleged failure to secure and safeguard the confidential, personally identifiable information of thousands of consumers, including names, account numbers, Social Security Numbers, driver’s license numbers, and dates of birth. Specifically, plaintiffs allege that a computer server with consumer information was stolen from defendants’ corporate offices. Under the CCPA cause of action, plaintiffs seek injunctive or other equitable relief but reserve their rights to amend the complaint to seek actual and statutory damages if the breach is not cured within 30 days. On January 13, 2021, the Court stayed the action pending arbitration of Plaintiff’s individual claims, after defendants’ Motion to Compel Arbitration was unopposed.

Schaubach v. Hotels.Com, LP et al., No. 8:20-cv-2370 (C.D. Cal.)

On December 17, 2020, plaintiff Lauren Schaubach filed a class action complaint against defendants Hotels.com, L.P. (“HLP”), Expedia Group, Inc. (“Expedia”) and Amazon Web Services, Inc. (“AWS”) after a Cloud Hospitality server hosted by Defendant AWS and containing information for customers of Defendant HLP and Defendant Expedia was hacked and tens of millions of data records were exposed, including full names, email address, ID numbers, phone numbers, credit card numbers, security codes and expiration dates. Plaintiff seeks to represent a class of “all consumers in California whose personally identifiable information was compromised in the Breach.” On December 17, 2020, the action was voluntarily dismissed without prejudice.

2. Cases Filed in Q3/Q4 2020 Alleging CCPA Violations As a Predicate For UCL Causes of Action

Pygin v. Bombas, LLC et al., No. 4:20-cv-04412 (N.D. Cal.)

On July 1, 2020, plaintiff Alex Pygin filed a class action complaint against defendants Bombas, LLC, Shopify (USA) Inc. and Shopify, Inc., alleging that sock and apparel retailer Bombas uses an ecommerce platform supplied by Shopify to take customers’ personal and payment information (including name, billing, shipping and email addresses, along with credit card numbers, expiration dates, and security codes) and that the customers’ information was compromised during a data breach due to defendants’ negligent and/or careless acts and omissions and failure to protect the data.

While plaintiff brings no claim under the CCPA, he alleges that class members have suffered injury including “deprivation of rights they possess under . . . the California Consumer Privacy Act” by “failing to maintain reasonable security procedures and practices appropriate to the nature of the personally identifiable information.” As part of its causes of action for negligence and violation of the UCL, plaintiff alleges that defendants: (i) had a duty to take reasonable steps and employ reasonable methods of safeguarding the personally identifiable information of class members, as required under the CCPA; (ii) failed to maintain those reasonable security procedures and practices by storing the information in an unsecure electronic environment; and (iii) failed to disclose the data breach to class members in a timely and accurate manner as required by the CCPA.

Currently pending before the Court is Shopify’s Motion to Dismiss for (1) lack of personal jurisdiction, (2) violation of FRCP 8 for failing to distinguish among defendants and adequately allege that Shopify caused harm, and (3) failure to state a claim, based partially on the argument that the CCPA does not “create any private right of action under any other law.”

Calixte et al. v. Dave, Inc., 2:20-cv-07704 (C.D. Cal.)

On August 24, 2020, five plaintiffs filed a class action complaint against defendant Dave Inc. alleging that its users’ names, emails, date of birth, physical address, phone numbers and social security numbers were compromised as a result of a cyberattack against a former third party service provider of Dave Inc. The complaint alleges that the hackers’ ability to pivot from a third-party vendor’s system to the defendant’s systems without detection demonstrates the lack of controls and cybersecurity measures in use at Dave Inc. to prevent such unauthorized use.

Plaintiffs only allege violations of the CCPA as a predicate to their UCL violation cause of action based on Dave Inc.’s alleged failure to implement and maintain reasonable security measures. The proposed nationwide class is defined as “All persons whose PII was compromised as a result of the Data Breach announced by Dave Inc. in July and August of 2020.” The Parties are currently briefing defendant’s Motion to Compel Arbitration. On November 9, 2020, the action was voluntarily dismissed without prejudice.

Wesch v. Yodlee, Inc. et al., No. 3:20-cv-05991 (N.D. Cal.)

On August 25, 2020, plaintiff Deborah Wesch filed a class action complaint against defendants Yodlee, Inc. and Envestnet, Inc. (who acquired Yodlee) alleging that Yodlee sells highly sensitive financial data, such as bank balances and credit card transaction histories, collected from software products that it markets and sells to financial institutions. Plaintiffs allege that when individuals connect their bank accounts to Paypal, they upload their banking credentials using Yodlee’s system. Yodlee then allegedly stores a copy of the credentials on its own system and exploits them, contrary to the disclosed use of the information.

Plaintiff’s UCL cause of action is predicated upon alleged violations of the CCPA, including its requirements that defendants: (i) disclose, before or at the point of collection, the categories of information to be collected and how it will be used; and (ii) refrain from collecting additional information for additional purposes without providing notice.

Plaintiff filed an Amended Complaint on October 21, 2020, and the parties have stipulated to a briefing schedule on plaintiff’s anticipated Motion to Dismiss.

Conditi v. Instagram, LLC et al., No. 3:20-cv-06534 (N.D. Cal.)

On September 17, 2020, plaintiff Brittany Conditi brought a class action complaint against defendants Instagram LLC and Facebook Inc. alleging that Instagram constantly accesses users’ smartphone camera feature and monitors users without permission when they are not interacting with the camera feature, which goes beyond the services it promises to provide. Plaintiff alleges that Instagram does this to collect valuable personal data to increase their advertising revenue.

Plaintiff’s UCL cause of action is based upon allegations that defendants violated the CCPA by failing to disclose that they monitor users through their smartphone cameras, while not in use, to collect personal information. Plaintiff proposes the following class definition: “All Instagram users whose smartphone cameras were accessed by Instagram without their consent from 2010 through the present (the ‘Class Period’).”


You can follow developments in CCPA-related cases by referring to our new CCPA Litigation Tracker. If you have any questions about defending and/or preparing for a potential privacy consumer class action, please reach out to our team.

California became the first U.S. state with a comprehensive consumer privacy law when the California Consumer Privacy Act (“CCPA”) became operative on January 1, 2020. The CCPA provides for broad privacy rights for residents of California and imposes data protection obligations on companies doing business in California that meet certain criteria.  For further background on the CCPA, see our prior CCPA blog posts here.

Privacy Risks Trigger Public Disclosure

While many businesses continue to work on their CCPA privacy compliance strategies and risk mitigation measures, those subject to the law also should consider whether their data practices prompt any material disclosures. Item 105 of Securities and Exchange Commission (“SEC”) Regulation S-K requires public companies to disclose the most significant factors that make investing in their securities speculative or risky.

The SEC published a proposed rule for public comment in the Federal Register on August 23, 2019, that sets forth amendments to modernize the description of business, legal proceedings, and risk factor disclosures that registrants are required to make pursuant to Regulation S-K.  In a public comment to the proposed rule, the World Privacy Forum advised the SEC that the privacy and security risks and obligations that companies face today require that there be more disclosure of those risks in public disclosures. Thus, it requested that the SEC expressly require the appropriate disclosure of material privacy and security risks faced by regulated companies.

In support of its request to the SEC, the World Privacy Forum pointed not only to the risk of data breaches, but also to the material impact that privacy regulations, including the CCPA, can have on a company’s operations. Specifically, it pointed to a $5 billion fine that the Federal Trade Commission imposed on Facebook for its failure to comply with a privacy-related FTC consent decree and the potential for a fine of up to four percent of a company’s worldwide revenues for violations of the European Union’s General Data Protection Regulation (“GDPR”).

The comment continues, however, by noting that fines are not the only risk that companies face from privacy regulations. Compliance with privacy and security regulations can also have a material risk on a company’s operations, with the comment specifically citing:

  • Loss of markets, customers, and opportunities;
  • Failure of business models to be consistent with privacy requirements;
  • Charges for responding to data breaches; and
  • Loss of key personnel.

Because privacy and security risks are unique to each company, boilerplate disclosures will not suffice to warn investors of these risks. As noted in the comment, a company that collects and uses consumer data as part of its business model faces a significantly larger threat to the continuity of its operations by privacy regulations than a company that maintains only its employees’ data.

These and other privacy law developments are a good reminder for public companies that their CCPA-related exposure extends beyond the CCPA’s monetary provisions, which are limited to a narrow private right of action for data breaches, as well as enforcement by the California Attorney General. Class action plaintiffs have used similar data privacy statutes to support securities fraud claims, and companies should expect to see similar claims predicated on compliance with the CCPA. Rather than basing the claim on a direct violation of the privacy statute at issue, such as the CCPA, the complaints are rooted in violations of federal securities laws and claim that the company did not accurately disclose its compliance with regulatory obligations under the privacy law or disclose the impact that the privacy law would have on its business.

Privacy Shareholder Litigation Examples

For example, shareholders of Nielsen Holdings PLC (“Nielsen”) brought a securities class action against the company and some of its officers and directors alleging securities fraud under the federal securities laws based on false or misleading statements made by the company regarding how the GDPR would impact its business and financial performance. The consolidated complaint alleges that the defendants misled investors by stating that the GDPR would not have any major impact on the company, assuring investors that the company was ready for the GDPR’s effective date, and assuring investors that the company would continue to have access to data from Facebook and others, which it relied upon for many of its products and services. The defendants went as far as to call the GDPR a “non-event” for the company.

In reality, however, the GDPR had a material effect as soon as it became effective by preventing Nielsen from getting the data it needed from large data providers. The truth was revealed to the market on July 26, 2018, the complaint alleges, when Nielsen reported its 2Q18 earnings and disclosed a significant decline in its performance. Nielsen attributed its poor performance to the GDPR, and admitted that Nielsen no longer had access to the data from Facebook and other data providers for its analytical products, including data that helped advertisers target individual consumers. Following this disclosure, Nielsen’s stock price declined 25% in one day.

In another securities class action predicated in part on the GDPR, investors alleged that Facebook made false and misleading statements regarding its compliance with the GDPR and the impact that the legislation would have on its business and operations. Specifically, the operative complaint alleges that Facebook made materially false and misleading statements when: “(i) it falsely and without a reasonable basis assured investors that GDPR had not caused, and would not cause, a decline in active use of Facebook’s solid [sic] media platforms; and (ii) it portrayed Facebook as adhering to and prepared to meet the requirements of the GDPR, when in reality Facebook was not.”

The investors claim that the truth was revealed to the market on July 25, 2018, when Facebook released its 2Q18 earnings report and revealed “a significant decline in users in Europe, zero user growth in the United States, decelerating worldwide growth of active users (i.e., those most responsible for generating data used in targeted advertising), lower than expected revenues and earnings, ballooning expenses affecting profitability, and reduced guidance going forward.” The company’s stock dropped by nearly 19% the following day.

The complaint alleges that the GDPR contributed to Facebook’s declining revenue growth by limiting the data that users share with the company, which led to a reduction in spending by advertisers, and by requiring the company to “incur billions in expenses to become privacy compliant.” The complaint alleged this was in contrast to the company’s prior reassurances that the GDPR would not have a material impact on Facebook’s business because the vast majority of users were opting into data sharing and because the company’s privacy practices were already compliant with the regulation.

Facebook and Nielsen are examples of a growing trend of cases in securities class action litigation that allege class-wide harm to shareholders based on violations of the federal securities laws, in these cases sections 10(b) and 20(a) of the Securities Exchange Act of 1934 and Rule 10b-5, rather than harm to consumers based on direct violations of privacy statutes like the GDPR or CCPA. Also notable is that neither of these class actions was preceded by regulatory action prosecuting a breach of the privacy regulation by the company.  The Facebook plaintiffs recently filed their Third Amended Complaint and Nielsen has a pending motion to dismiss, so it remains to be seen whether this theory of securities fraud will prove successful for plaintiffs’ attorneys.

Public Company Privacy Disclosure Considerations

These developments raise several considerations for public companies.  At a minimum, public companies should ensure that they have accurately assessed and disclosed their compliance with and exposure under privacy statutes, including the CCPA. Companies should not attempt to rely on generic risk disclosure provisions but instead should provide thoughtful, tailored disclosures of the impact that newly-enacted data protection legislation—including the CCPA—will have on their businesses.

Companies also would do well to consider the extent to which:

  • The company’s data practices trigger compliance with U.S. and international privacy laws (often this means becoming familiar with the broadening definition of personal information under such laws);
  • Increased consumer rights concerning the sharing of personal information may limit or preclude the company’s ability to use the personal information in a manner that is material to its business practices, which could impact the company’s growth strategies or financial condition;
  • Data protection laws and industry changes will require the company to delete or remove consumer information from its records or otherwise materially increase the costs of doing business to ensure compliance;
  • The company’s failure to comply with privacy or data protection obligations could result in governmental investigations, enforcement actions or litigation, resulting in monetary penalties to the company, restrictive injunction terms, or a general loss of trust in the company, which in turn could have an adverse effect on a company’s reputation and business;
  • Data protection laws and industry changes will result in changes to the company’s data sources that, in turn, could affect the company’s ability to procure the data necessary for the company’s operations and thereby limit sources of revenue for the company;
  • Data protection laws and industry changes will result in business clients or consumer users choosing to limit or not adopt and use the company’s products, affecting the company’s ability to acquire customers and thereby limiting sources of revenue for the company.

While privacy laws in the U.S. are clearly at an inflection point, the trend line demonstrates that data strategies must be evaluated both for their possibilities and potential risks to the company.  Public companies that routinely perform rigorous internal privacy analyses and continue to closely monitor these quick moving legal and industry changes will be better positioned to address their transparency obligations, and in so doing, mitigate the risk of facing privacy shareholder suits.

For more information on the CCPA and other topics, see:


Advertising and Privacy Law Resource Center

January 1, 2020 was the effective date for the California Consumer Privacy Act (CCPA).  As we reported and summarized in our Q1 2020 CCPA Litigation Round-Up, private litigants wasted no time in filing consumer-related causes of action under the new law.

Here, we provide an update on material developments in that first wave of claims and report on additional private lawsuits commenced in the first half of the year.  We have further categorized the recently-filed cases based on those stemming from a data breach versus not.  In the latter category, the cases are further split based on the underlying alleged violations – last quarter, non-breach based claims related to the disclosures and opt-out mechanisms required by the CCPA as well as the scope of “personal information” covered by the CCPA.

1. Update on Cases Reported in Q1 2020

The California Consumer Privacy Act (CCPA) took effect January 1, 2020.  While the California Attorney General’s enforcement authority is delayed until July 1, private litigants have already started to file direct claims under the CCPA as well as other consumer-related causes of actions predicated on alleged CCPA violations.  Notably, the California Attorney General takes the position that enforcement actions can cover violations that predate July 1, 2020.

As detailed in our prior posts (see, e.g., here and here), the CCPA expressly provides for only a limited private right of action related to data security breaches.  Cal. Civ. Code 1798.150.  Private plaintiffs can recover actual damages or statutory damages of $100 to $750 per statutory violation.  While a broader potential private right of action was considered, which would have permitted individuals to sue for additional CCPA violations, that amendment (SB 561) failed.

Nevertheless, private litigants have thus far filed CCPA-related claims in cases where breaches have occurred, but also in cases where no breach is alleged.  A quarter of the year in, we consider here how the CCPA has already impacted consumer class action claims.

Barnes v. Hanna Andersson LLC and Salesforce.com Inc., Case No. 4:20-cv-00812 (N.D. Cal.)

On February 3, 2020, California consumer Bernadette Barnes filed a putative class action Complaint against retailer Hanna Andersson arising from a data breach.  The breach (which occurred in September-November 2019), allegedly resulted in the loss of personally identifiable information (“PII”), including unencrypted credit card and consumer information.  Plaintiff also sued the cloud vendor Salesforce.com that allegedly stored the PII at issue.

Plaintiff seeks to represent a nationwide class including: “All individuals whose PII was compromised in the data breach announced by Hanna Andersson on January 15, 2020,” as well as a California sub-class.  Plaintiff does not include a cause of action under the CCPA, but relies upon the CCPA as a predicate for her claim under California’s Unfair Competition Law, Cal. Bus. & Prof. Code §17200 (“UCL”), along with causes of action for negligence and a declaratory judgment.

Sheth v. Ring LLC, Case No. 2:20-cv-01538 (C.D. Cal.)

On February 18, 2020, Seattle, Washington consumer Abhi Sheth filed a putative class action Complaint against California-based video doorbell and security camera manufacturer Ring.  Plaintiff alleges inadequate security measures for handling PII as well as unauthorized disclosure to third parties.

Plaintiff seeks to represent a class of consumers defined as: “All persons residing in the United States who purchased a Ring Security Device within the applicable statute of limitations period.”  Plaintiff’s CCPA claim alleges improper collection and use of personal information without notice, and failure to provide the required notice of a right to opt out of the sale of personal information to third parties.  Plaintiff does not allege that Ring had any specific data breach or security event that triggered the claim.  Plaintiff asserts seven other causes of action arising from the same facts:  invasion of privacy; negligence; breach of implied warranty of merchantability; breach of implied contract; unjust enrichment; and violations of the UCL and California Legal Remedies Act, Cal. Civ. Code § 1750, et seq. (“CLRA”).

Significantly, the arbitration clause in Ring’s consumer agreement may create the first opportunity to balance the CCPA’s perceived hostility to arbitration, on the one hand, and the parties’ contract and policy underlying the Federal Arbitration Act, on the other.  That issue is expected to be a heavy battleground in CCPA consumer class actions, making this a potentially important first test on that issue.

On March 5, the Sheth case was consolidated with four other privacy-related cases pending against Ring and on March 31, the separate Sheth case was closed.  The continuing matter, In re: Ring LLC Privacy Litigation, Case No. 2:19-cv-10899 (C.D. Cal.), began with a December 26, 2019 Complaint that does not reference the CCPA; however, the Court’s February 11 Consolidation Order permits the plaintiffs to file a Consolidated Complaint after interim class counsel is appointed.  It is reasonable to expect that the updated pleading and addition of Sheth to the consolidated action could inject the CCPA more directly into the overall claims.

Burke v. ClearviewAI, Inc., Case No. 3:20-cv-00370 (S.D. Cal.)

On February 27, 2020, California consumer Sean Burke and Illinois consumer James Pomerene filed a putative class action Complaint against ClearviewAI (and its two founders) alleging the improper collection and sale of PII and biometric information in violation of, among other laws, the CCPA.  Clearview “scrapes” websites (scanning, extracting, and copying images) to compile a comprehensive database that allegedly includes over three billion images and PII of consumers, which Clearview sells to law enforcement and private entities.  Plaintiffs allege that Clearview collected and used their PII without notice or consent in violation of the CCPA.

Plaintiffs seek to represent three California-related sub-classes:

(a) Sub-Class One (the “CCPA Class”) (Cal. Civ. Code § 1798.100, et seq): All persons who, while residing in California, had their California Biometric Information collected and/or used by Clearview without prior notice by Clearview and without their consent.

(b) Sub-Class Two (the “Commercial Misappropriation Class”) (Cal. Civ. Code § 3344): All persons who, while residing in California, had their Photograph or likeness knowingly used by Clearview for commercial gain without their consent.

(c) Sub-Class Three (the “Unjust Enrichment Class”): All persons who, while residing in California, had their California Biometric Information misappropriated by Clearview from which Clearview was unjustly enriched.

The Complaint also asserts claims under the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (“BIPA”) as well as specific causes of action for violations of the UCL, commercial misappropriation, and unjust enrichment.

Cullen v. Zoom Video Communications, Inc., Case No. 5:20-cv-02155 (N.D. Cal.)

On March 30, 2020, California consumer Robert Cullen filed a putative class action Complaint against online video-conferencing provider Zoom alleging the failure to properly safeguard user information and improper disclosure of individual and business information to third parties, including Facebook.  The allegations arise from a March 26 Vice Media report that purports to detail unauthorized sharing and data vulnerabilities of Zoom.

Plaintiff seeks to represent a class comprised of: “All persons and businesses in the United States whose personal or private information was collected and/or disclosed by Zoom to a third party upon installation or opening of the Zoom video conferencing application.”

Plaintiff asserts a claim under the CCPA for Zoom’s alleged collection and use of PII without adequate notice and failing to prevent unauthorized disclosure.  Plaintiff asserts related claims under the UCL and CLRA based on the same conduct and violation of, inter alia, the CCPA.  Plaintiff also alleges negligence, invasion of privacy, and unjust enrichment.

While these initial CCPA-related cases remain at the earliest stages, they demonstrate the ways in which consumer plaintiffs will use the CCPA in class actions.  Notably, however, not all consumer privacy complaints filed since January incorporated the CCPA.  Indeed, two consumer complaints filed in March 2020 in the Northern District of California make allegations arising from a consumer data breach, but do not include any claim under (or even reference to) the CCPA.

I.C., a minor by and through his natural parent, Nasim Chaudhri and Amy Gitre v. Zynga, Inc., Case No. 3:20-cv-01539 (N.D. Cal.); Carol Johnson and Lisa Thomas v. Zynga, Inc., Case No. 3:20-cv-02024 (N.D. Cal.).

On March 3, 2020, Plaintiffs Amy Gitre and I.C. filed a putative class action Complaint arising from video game manufacturer Zynga’s alleged failure to protect PII of its users, including both adults (Gitre) and minors (I.C.).  Plaintiffs filed a fourteen-count Complaint that includes statutory and common law claims arising from the alleged failure to properly secure account holders’ PII.  In September 2019, a hacker publicly claimed to have breached Zynga’s database and was able to extract information concerning 218 million users.  The breach is alleged to have included users from some of Zynga’s most popular games: Words With Friends; Draw Something; and OMGPOP.  On September 12, 2019, Zynga posted a “Player Security Announcement” that confirmed the breach.

Plaintiffs seek to represent a nationwide class of: “All individuals in the United States whose PII was obtained or maintained by Zynga and compromised as a result of the Zynga data breach described herein” as well as adult and minor sub-classes.  The causes of action include:  negligence; negligent misrepresentation; negligence per se (under Section 5 of the FTC Act); unjust enrichment; violation of state data breach laws (including failure to safeguard data and failure to provide adequate notice of the breach); intrusion upon seclusion; and declaratory judgment (seeking an injunction compelling proper security of PII).  There are no references to, or causes of action under, the CCPA.

On March 23, a follow-on suit was filed in the same court raising similar allegations.  The Plaintiffs, Carol Johnson and Lisa Thomas, seek an identical nationwide class as well as Missouri and Wisconsin sub-classes, based on the citizenship of the Plaintiffs.  The Complaint asserts a narrower list of causes of action regarding negligence, negligence per se, unjust enrichment, and declaratory judgment.  Again, there are no references to, or causes of action under, the CCPA.

We will continue to monitor the various claims, as well as court decisions in CCPA litigations.  If you have any questions about defending and/or preparing for a potential privacy consumer class action, please reach out to our team.

Private consumer litigation in 2020 was significantly impacted by the California Consumer Privacy Act (CCPA) which took effect on January 1, 2020.  Whether asserted as a standalone CCPA violation claim or as a predicate act for other causes of action, including under California’s Unfair Competition Law (“UCL”), the volume of CCPA litigation has not abated.  While some claims have already been resolved (by motion or agreement), others are just hitting their litigious stride and with a full year of experience, certain trends have started to develop.

Over the course of the year, we have reported and summarized filed cases in our CCPA Round-Ups (Q1, Q2, Q3/4).  Now, with the first year of CCPA litigation behind us, this post (1) highlights emerging trends across the docket of cases; and (2) introduces Kelley Drye’s new CCPA Litigation Tracker, which is designed to provide an ongoing reference guide for updates on key cases involving consumers asserting CCPA-related claims.

California Attorney General (AG) released third draft of proposed CCPA regulations

Recent putative consumer class action cases filed against Ring and Zoom raise allegations under the California Consumer Privacy Act (“CCPA”) and are likely to be the first battlegrounds over the CCPA’s potential hostility to consumer arbitration clauses.  The continued applicability of arbitration agreements is likely to be a significant (and hard-fought) issue with far-reaching implications for consumer litigation under, and involving, the CCPA.  This post reviews recent precedent concerning prior attempts by California to bar arbitration or otherwise ignore federal preemption in the context of privacy statutes in an effort to predict how the courts will navigate the CCPA’s attempted restriction on arbitration.

CCPA On Arbitration

The CCPA provides consumers with a private right of action when they are affected by a data breach of certain types of personal information.  Cal. Civ. Code § 1798.150.  The law permits recovery of statutory damages between $100 and $750 per consumer, per incident, and explicitly envisions actions proceeding on an individual or class-wide basis.  Id. at (b).  In addition to monetary damages, private consumers may seek injunctive relief under the CCPA.  1798.150(a)(1)(B).  These statutory damages and the right to collective action make the CCPA a ripe target for consumer class actions.  That is further bolstered by the CCPA’s apparent limitation of parties’ ability to contract around public class actions.  Specifically, the CCPA directs that:

Any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer’s rights under this title, including, but not limited to, any right to a remedy or means of enforcement, shall be deemed contrary to public policy and shall be void and unenforceable.

Section 1798.192 (emphasis added).  Thus, the CCPA would not permit a company to force an individual arbitration based on a consumer contract where a class-wide CCPA claim is asserted.  But is that enforceable?

California’s History of Trying to Limit Arbitration

California’s history of seeking to limit parties’ rights to compel arbitration has, for years, been at the center of the dispute over the strength and reach of the Federal Arbitration Act, 9 U.S.C. § 1 et seq. (“FAA”).  The landmark case on this issue is AT&T Mobility LLC v. Concepcion, 563 U.S. 333 (2011).  In Concepcion, the United States Supreme Court addressed a clash between the FAA and California’s declaration that arbitration waivers were unconscionable and, thus, unenforceable.  The FAA won.  Based on the FAA, the Court found California could not reject arbitration agreements, even if such clauses required consumers to arbitrate individually.

In the ensuing decade, the Court has re-confirmed the Concepcion decision against subsequent challenges, including from California.  Of particular relevance, in 2015, the Court confirmed that class action waiver clauses in consumer agreements are enforceable, even in the face of contrary California state law.  DirecTV, Inc. v. Imburgia, 577 U.S. __, 136 S.Ct. 463, 468, 193 L.Ed.2d 365 (2015).  The Court also confirmed that arbitration agreements with a class action waiver remain valid, even where consumers are presented with the practical hurdle that a plaintiff’s costs of individually arbitrating might far exceed the potential individual recovery available.  American Express Co. v. Italian Colors Restaurant, 570 U.S. 228 (2013).

In 2017, the California Supreme Court held that arbitration clauses that left individual consumers without the ability to obtain public injunctive relief were unenforceable.  McGill v. Citibank, N.A., 2 Cal. 5th 945 (2017).  Currently pending before the United States Supreme Court is a petition for a writ of certiorari on the question of “whether California’s public-policy rule conditioning the enforceability of arbitration agreements on acquiescence to public-injunction proceedings is preempted by the FAA.”  AT&T Mobility LLC v. McArdle, No. 19-1078.

Privacy Laws Cannot Overcome Federal Preemption

Given the unique nature of the privacy protections of the CCPA and lack of parallel federal privacy protections, it is instructive to see how courts have approached preemption of prior California privacy statutes.  In 2012, California’s Attorney General brought suit against Delta Airlines alleging that the lack of a clearly-disclosed privacy policy in the “Fly Delta” app violated the California Online Privacy Protection Act (CalOPPA), Cal. Bus. & Prof. Code §§ 22575-22579.  Delta challenged the state’s ability to bring consumer protection claims against commercial airlines given the federal Airline Deregulation Act of 1978, Pub. L. 95-504, 49 U.S.C. § 1371, et seq.  The court dismissed, finding that the federal statute preempted the statutory requirements of CalOPPA.  State of California v. Delta Air Lines, Inc., Case No. CGC-12-526741 (Cal. Sup. Ct. May 9, 2013).  The decision was affirmed by the California Court of Appeals.  Case No. A139238, 2016 WL 3001805 (Cal. Ct. App. May 25, 2016).

Conclusion

Recent precedent supports the continuing viability of arbitration clauses, including as part of consumer contracts that waive class actions.  It further confirms that California’s attempts to circumvent federal law, including in the privacy space, are likely to be struck down based on preemption.  Thus, all signs point towards the continued ability of companies to compel arbitration, including individual arbitration, over CCPA claims.

That said, it remains to be seen how far the California courts (federal or state) might permit or force litigants to proceed before that likely outcome is reached.  Thus, despite potential contract terms that include an otherwise valid arbitration clause and class action waiver, CCPA defendants such as Ring and Zoom may need to engage in multiple rounds of motion practice and appeals before getting clarity on the forum in which their cases will even be heard.

Another consideration:  until there is a decision that the CCPA is preempted by the FAA, the CCPA litigation occurring now may be the only cases to provide clarification as to some of the vague provisions of the CCPA (evident by the inconsistent interpretations and compliance applications in the marketplace).  Once CCPA claims are addressed mainly through arbitration, guidance will be left to the California Attorney General’s Office and the more limited number of cases initiated by that Office.

If you have privacy, cyber, or related litigation questions, our team of compliance and litigation specialists would be happy to speak with you.  More information about Kelley Drye’s Privacy and Information Security Litigation team can be found here.

When it takes effect next month, the CCPA is almost certain to become an immediate spark for litigation.  While requests for access/deletion and individual or threatened claims start to fill in-house legal departments’ inboxes and the practical realities of compliance seize resources, a more fundamental question will need to be answered:  Is the CCPA constitutional?

Whether in the form of a declaratory judgment action filed in early January or as part of the normal-course litigation that the CCPA will create, certain aspects of the CCPA are ripe for constitutional challenge and could stall, if not derail, the CCPA before it even gets started.

In this post, we look at two of the constitutional vulnerabilities of the CCPA:  whether its cross-border implications violate the dormant commerce clause, and whether the vague definition of “personal information” is unconstitutionally void.

Dormant Commerce Clause

The Constitution’s Commerce Clause restricts States from regulating commerce or imposing regulations that impact conduct wholly in another state and/or that create an inconsistent framework across state lines.  While States have the power to regulate conduct outside their borders in certain circumstances, the CCPA creates a unique challenge that includes areas that arguably over-reach.

The Commerce Clause protects against inconsistent legislation arising from the projection of one state’s regulatory regime into the jurisdiction of another State.  The critical inquiry is whether the practical effect of the regulation is to control conduct beyond the State’s borders.  While state-specific data privacy laws are not new, the breadth and scope of the CCPA creates an issue of first impression.

While California has the right and power to protect California consumers, the practical effect of the CCPA is to control business practices outside the state.  In particular, the CCPA significantly over-reaches in its applicability to corporate affiliates, subsidiaries, and commonly-owned companies of California businesses, regardless of those entities’ own contacts with the state.

Given how uniquely the CCPA defines and regulates “personal information,” “service providers,” “third parties,” and “sale,” the CCPA comprehensively restricts companies’ collection of personal information on their websites that is not readily limited to California data.  If a company wants to avoid triggering a “sale,” the CCPA requires companies to make material changes to what information they collect or which other entities collect on their websites, as well as how business relationships are structured and memorialized, which cannot be readily limited to California resident personal information.

The practical effect of the CCPA on these issues is likely to affect entire industries and cost hundreds of millions, if not billions, of dollars, including affecting business practices and industries not limited to conduct occurring within California.

State Regulation of the Internet

While courts have taken different approaches to the permissible breadth and scope of a state’s internet regulations, the recent trend in the Ninth Circuit has put the onus on companies to either comply with CA’s laws or develop technology that allows them to block access to their websites in CA.

For example, in Greater Los Angeles Agency on Deafness, Inc. v. Cable News Network, Inc., the Ninth Circuit found CNN needed to find a way to provide closed captioning to CA visitors to its website, as mandated by a CA statute.  Similarly, in Nat’l Fed’n of the Blind v. Target Corp., the District Court found a retailer needed to make its website accessible to blind visitors to comply with CA law.  The Court offered that Target could make a CA-specific website or block CA visitors; thus, if it chose to alter its entire website to comply with CA law, that did not mean California was regulating out-of-state conduct.  One can expect that the relevant courts will likely conclude that companies must comply across the board or find technological solutions.

That said, even with technology that can block or filter by California IP address, the CCPA may still regulate the conduct of non-California residents given its overall comprehensive structure regulating a company’s operational practices and business relationships that are not readily limited to California residents.  Unless and until a federal privacy law with preemptive effect is passed, the CCPA will push the Courts to consider the limits of one state’s ability to regulate conduct on the internet.

What is Personal Information?

Given the rushed nature of the process that led to the CCPA’s passage, it is not surprising that it includes half-formed and vague definitions or directives.  Unfortunately, one of the most troubling terms is the core concept of “personal information.”  The CCPA defines “personal information” as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”  Significantly, that definition includes “household” information, which (counter-intuitively) means that information about other people falls into the definition of “personal information.”

Other than government-provided information, seemingly anything could qualify as “personal information” under the CCPA because, if combined with other data, it is capable of being linked to an individual consumer.  For example, studies have confirmed that knowing only a person’s birthdate, zip code, and gender gives an 87% chance of making an accurate identification.

Void for Vagueness

A statute is void for vagueness if it fails to give a person of ordinary intelligence fair notice that his or her contemplated conduct is forbidden by the statute.  Papachristou v. City of Jacksonville, 405 U.S. 156, 162 (1972).  The failure to define terms has proven a fatal flaw in other regulatory schemes.  For example, in Entm’t Software Ass’n v. Blagojevich, a trade association successfully challenged an Illinois statute that regulated violent video games, including because the definition of “sexually explicit” was found to be unconstitutionally overbroad.

The definition of “personal information” certainly seems ripe for challenge on these grounds.  Other CCPA definitions that may be similarly infirm include:  “business,” “third party,” “sale,” and “aggregate consumer information,” particularly given the materially different obligations, restrictions, and liability exposure if a company misinterprets these vague terms.

These two issues are likely to be significant obstacles to the implementation and application of the CCPA.  Unfortunately, it may be some time before the Courts offer clarity on these questions.  While any declaratory judgment action may involve a request to stay implementation of the statute, it is not guaranteed that additional time will be available.  In the meantime, companies need to ensure their practices, procedures, and policies comply with the CCPA or open themselves up to increased risk and penalties.

As privacy and personal data issues continue to be a focus of both legal action and media coverage, privacy policy statements are getting dusted off and reviewed by more eyes.  Imprecise or inaccurate policy statements, themselves, can expose a company to potential liability.  While most of the recent California Consumer Privacy Act (“CCPA”) attention has focused on the significant operational requirements, data flow classifications, attorney general future enforcement, and the limited private right of action for data breaches, perhaps the largest near-term CCPA risk issue will be how the law overlaps with other California consumer protection statutes, and litigation efforts focusing on alleged inaccuracy or deception based on the public statements companies make about their privacy practices.

CCPA’s Limited Private Right of Action

The Attorney General’s Office was granted wide discretion and enforcement powers to impose fines of up to $2,500 for unintentional violations and up to $7,500 for each intentional violation.  Cal. Civ. Code 1798.155.  The CCPA, however, provides for only limited private right of action for individual consumers related to data security breaches.  Cal. Civ. Code 1798.150.  Plaintiffs can recover actual damages or statutory damages of $100 to $750.  A broader potential private right of action was considered and would have permitted individuals to sue for any and all CCPA violations.  SB 561.  But that amendment failed to pass in May.

Where There’s a Will, There’s a Way?

But anyone expecting that companies will only face privacy-related consumer litigation in the context of a data breach is under-selling the risk.  While direct actions under the CCPA may be limited, the requirements of the CCPA may serve as the basis for claims under other consumer protection statutes.  And, importantly, the public statements and policies that companies issue will be scrutinized not just for their actual compliance, but for whether companies are fulfilling their own promises.  Indeed, nothing prevents individuals from filing putative consumer class action claims alleging false statements, unfair business practices, or misleading conduct by companies in connection with their privacy policies and practices.

What Types of Claims Are Likely to be Filed?

These claims are likely to be brought pursuant to other California consumer protection statutes, such as California’s Unfair Competition Law (Bus. & Prof. Code 17200), False Advertising Law (Bus. & Prof. Code 17500), and Consumer Legal Remedies Act (Civ. Code 1750).  For example:

  • Section 17200 prohibits “any unlawful, unfair or fraudulent business act or practice and unfair, deceptive, untrue or misleading advertising.”  Put differently, a violation of any other California law, including the CCPA, can serve as the basis for a claim.  That is true even where that underlying statute does not, itself, give rise to a private right of action.
  • Similarly, Section 17500 can give rise to a claim based on the dissemination of untrue or misleading statements concerning the performance of services.  That would include statements made concerning the collection, use, handling, storage, dissemination, or destruction of personal information in connection with a business’s activities.
  • Finally, the CLRA prohibits a broad range of representations and statements concerning a company’s policies, procedures, and services.  In addition to actual damages, the statute also permits recovery of punitive damages and attorney’s fees.

Courts have found that violations of internal policies and/or statements concerning those policies provide sufficient foundation for such actions.  See, e.g., In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197 (N.D. Cal. 2014) (plaintiffs’ allegations that they relied on Adobe’s claims that personal data would be protected sufficient to establish UCL standing); Smith v. Chase Mortg. Credit Grp., 653 F. Supp. 2d 1035, 1045-46 (E.D. Cal. 2009) (concluding that defendant’s alleged violation of internal policy provides basis for unfairness claim).

Precision in Privacy Promises

These risks are a good reminder that it is critical not just to include the CCPA-required disclosures in privacy statements and in communications responding to consumer rights requests, but also to be vigilant and precise in describing privacy practices and how the company is honoring those requests.  In the end, a company’s statements about its CCPA compliance could end up triggering potential exposure far greater than anything available under the CCPA itself.

In exactly two months, the California Consumer Privacy Act (CCPA) takes effect. Many businesses are devoting resources to timely comply, but between the late rollout of the Attorney General’s draft regulations, recent amendments to the law, and a lack of consensus in the industry on interpretation of key CCPA terms, tackling compliance can be daunting. Perhaps that’s why in two polls released this year, businesses have overwhelmingly told the International Association of Privacy Professionals that they are not prepared for the CCPA.

The enforcement penalties support good faith and reasonable efforts to achieve compliance, but the CCPA grants the Attorney General the ability to seek civil penalties of $2,500 for each violation of the law, without defining “each violation.” As with any new law, common sense typically prevails on what early enforcement will address. In general, such cases tend to be the obvious non-compliance, rather than the borderline cases.

Beyond penalties, the CCPA will set the standard for how businesses describe their data practices and privacy commitments to consumers. Non-compliant or confusing privacy messages or practices may have reputational and public relations costs as well. Importantly, the Attorney General cannot bring an enforcement action until July 1, 2020, at the latest, but any such enforcement action can focus on noncompliance that began on January 1, 2020.

For businesses seeking to comply, and fast, we highlight considerations for prioritizing compliance efforts. Of course, each business is different, and consultation with legal counsel is the surest way to develop a plan to comply with the new law.

Priority: Consumer-Facing Obligations

The CCPA is laser-focused on providing consumers with the tools to exercise their rights to access, delete, or opt out of the sale of their personal information. In particular, the CCPA requires businesses to describe these rights and how they comply in their privacy policies and other required notices.

Companies can prioritize building consumer-facing processes and notices that demonstrate publicly that the business respects and complies with the CCPA. This prioritization includes:

  • Prioritizing Transparency: Post plain language, straightforward consumer notices that address the current CCPA requirements in a manner that a consumer would actually understand (a challenge given reports that many privacy policies require a college reading level). Reviewing privacy policies is often the first step that a consumer – or regulator – can take to see if a company is complying with the CCPA. Privacy policies are public representations and should be vetted to confirm that they accurately reflect a company’s practices and do not contain allegedly false or deceptive statements.
  • Adopting a Privacy-Centric Company Culture: Businesses can establish procedures for personnel, including customer service agents and others most likely to interact with California consumers, so they are prepared to handle privacy rights discussions, or escalate or transfer such requests to those who can. The more straightforward the process, the less likely consumers will become confused and complain. A spike in complaints can be a key source for regulators and others to scrutinize a company’s practices.
  • Creating User-Friendly Options for Privacy Rights Requests: Provide clear directions on how consumers can submit requests, and through which channels. In particular, the CCPA requires a toll-free number (except for online-only businesses) and, for companies that “sell” personal information, a link on the home page that enables consumers to opt out of the sale of personal information.
  • Setting the Right Tone: As with all customer interactions, tone and responsiveness matter. When a consumer makes a privacy rights request, provide a brand-consistent, friendly response within 10 days that confirms receipt and provides information about how the request will be processed.

Priority: Protect Personal Information

The CCPA encourages implementing and maintaining reasonable security procedures and practices. In particular, the CCPA provides a private right of action to any consumer whose unencrypted and unredacted personal information is subject to a security incident due to a business’s failure to implement and maintain reasonable security procedures and practices. Among other remedies, the CCPA provides for statutory damages of $750 per consumer per incident or actual damages, whichever is greater.

Given the significant potential for litigation and statutory damages, prioritizing cyber security is more important than ever. “Reasonable Security” includes:

  • Compliance with Reasonable Industry Standard Practices: As described in a prior California Attorney General report, Critical Security Controls identified by the Center for Internet Security provide a “minimum level of information security that all organizations that collect or maintain personal information should meet.” These controls include reviewing hardware and software connected to a company’s network; implementing key security settings; limiting user and administrator privileges; assessing vulnerabilities and patching holes to stay current; securing critical assets and attack vectors; defending against malware and intrusions; blocking vulnerable access points; providing security training to employees and vendors with access to the network; monitoring accounts and network audit logs; testing defenses; and planning a response to security incidents. Importantly, businesses should document these efforts. Being able to demonstrate that it followed these controls, and how, will be a critical part of a company’s defense.
  • Third-Party Liability for Vendor Compliance: An important aspect of the business/service provider relationship is that a business that discloses personal information to a service provider “shall not be liable … if the service provider … uses it in violation of the [CCPA], provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation.” Businesses can review vendor contracts, vendor-posted public terms, vendor descriptions of their services and how they use data, as well as vendor privacy policies and data processing addenda, to support that a vendor reasonably qualifies as a “service provider” and that there are no “red flags” that could provide a basis for third-party liability. Depending on how many vendors a business has, it may be reasonable to tackle these efforts by tiered priority.

Priority: Plan for the CCPA’s Impact on Your Digital Advertising

A key area of interest is how the CCPA defines the “sale” of personal information, and how the definition applies to Ad Tech relationships and different services, including the variety of ways your company may use interest-based advertising, enrich your existing data sets, use different types of data analytics services, use matching and re-targeting, or target your advertising to certain defined audience segments.

In particular, publishers may be considered to have “sold” consumer personal information when they pass along persistent identifiers to other Ad Tech participants depending on the relationship with such participants, and how such participants use the data. Just as important, companies that use service providers to assist with their advertising and data analytics efforts should evaluate and firm up such classifications. For partners that are not intuitively service providers or obvious recipients of data sales, more analysis and industry benchmarking on interpretations are likely warranted.

The Interactive Advertising Bureau proposes a framework that will enable publishers and their partners to comply with the CCPA’s provisions on the “sale” of consumer data by providing publishers a technical solution to signal to partners that a consumer has opted out of the “sale” of their personal information. The framework will bind Ad Tech participants using a limited service provider contract. Through this arrangement, the framework maintains the availability of interest-based advertising, but restricts participants in their use of personal information to strictly business purposes.

Otherwise, for companies engaged in digital advertising and analytics, some priorities include:

  • Assessing the “Sale” of Personal Information: Review any disclosure of personal information to other businesses and determine if that disclosure counts as a “sale” for purposes of the CCPA. If so, develop a plan to comply with the CCPA’s requirements.
  • Cataloging Cookies and Pixel Tags: Companies that have contracted with Ad Tech vendors to place cookies or fire pixel tags should catalog these activities and determine the extent to which they represent a “sale” of personal information, or if they reasonably qualify as service provider support. Alternatively, the Company may choose to block them from collecting personal information on the Company’s sites.

If you have any questions about compliance obligations under the CCPA, please contact Alysa Hutnik or Alex Schneider.