Since the Jan. 1, 2020 kickoff for private enforcement under the California Consumer Privacy Act (CCPA), plaintiffs have filed scores of class actions invoking the CCPA. Such claims, when properly made, present substantial risk to companies, including statutory damages of up to $750 per consumer. Early key takeaways can help companies limit risk under the CCPA and the anticipated California Privacy Rights Act (CPRA), which is largely not operative until Jan. 1, 2023.
Takeaway 1: Plaintiffs May Not Sue for Non-Actionable Security Incidents
The CCPA permits private lawsuits based on certain security incidents. As one court dismissing a claim has stated, “to succeed on a CCPA claim, a plaintiff must allege that his personal information was subject to unauthorized . . . disclosure as a result of a business’s failure to implement and maintain reasonable security procedures and practices.” Disclosures that are authorized by terms and conditions, or not caused by a failure to provide reasonable security, may not be actionable.
CPRA Perspective: The CPRA keeps the limitations on actionable security incidents.
Takeaway 2: Plaintiffs May Not Sue for Breaches Other Than Security Incidents
The CCPA expressly bars private actions “based on violations of any other section” of the CCPA, and states that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”
Still, plaintiffs in numerous class actions have attempted to sue for violations of duties in other sections of the CCPA, including duties to provide notice at collection and provide an opt-out of sale. At least one court has dismissed such a claim.
Plaintiffs in dozens of class actions also have relied on an alleged CCPA violation as a predicate for violation of another California law, often California’s Unfair Competition Law, resulting in at least one dismissal.
CPRA Perspective: The CPRA keeps the strict requirements that limit private actions to security incidents and remove the CCPA as a basis for private rights of action in other laws. It also adds the heading “Personal Information Security Breaches” to the private enforcement provisions, confirming the limitation.
Takeaway 3: Arbitration Clauses May Override Class Action Claims
Courts have granted motions to compel arbitration of asserted CCPA class action claims where terms and conditions contained arbitration provisions. Where such provisions apply, they may be enforceable under the Federal Arbitration Act, which may preempt any contrary state law.
Takeaway 4: Non-California Residents Are Improper Plaintiffs
The CCPA expressly authorizes private actions only by “consumers” who are California residents. In light of this, defendants in various cases have moved and should continue to move to dismiss claims brought by non-California plaintiffs and/or require proof of California residency at the time of the claim.
CPRA Perspective: “Consumers” authorized to sue remain California residents.
Takeaway 5: Non-Covered “Businesses” Are Improper Defendants
The CCPA also limits its authorization to actions against a covered “business,” meaning a for-profit entity that, among other things, collects California consumers’ personal information and
- has annual gross revenues over $25 million;
- annually buys, sells, receives, or shares the personal information of 50,000 or more consumers, households, or devices; or
- derives 50 percent or more of its annual revenues from selling consumers’ personal information.
“Service providers,” which process personal information for a business, are omitted.
Defendants have moved to dismiss for failure to allege the defendant was a covered business, and not a service provider, and the issue should continue to be raised early and often.
CPRA Perspective: Service providers and other companies that are not covered “businesses,” as newly defined under the CPRA, may continue to oppose claims.
Takeaway 6: The CCPA Does Not Apply to Pre-2020 Conduct
At least one court has ruled that the CCPA does not apply retroactively. In Gardiner v. Walmart, the court dismissed a CCPA claim for failure to allege a data breach occurred after the CCPA’s Jan. 1, 2020 effective date.
Takeaway 7: Plaintiffs May Not Sue for Non-Actionable Information
For private enforcement, “personal information,” adopted from the California Customer Records Act, means a specific list of sensitive information and is narrower than for the rest of the CCPA.
At least one court has dismissed a CCPA claim for failure to allege actionable personal information. Defendants also may move to dismiss for failure to allege personal information that meets the federal constitutional standing requirement of an “injury in fact.”
CPRA Perspective: To be viable, claims still must allege actionable personal information, albeit within the CPRA’s meaning, which adds to its scope a consumer’s email address in combination with credentials that would permit access to the account.
Takeaway 8: Suits Filed Without Prior 30-Day Notice and Cure Period Are Improper
Actions for individual or class-wide statutory damages must follow a 30-day notice and cure period. Defendants also have moved to dismiss private actions that fail to comply with this requirement.
CPRA Perspective: Suits for statutory damages that do not comply with the 30-day notice and cure period will continue to be improper under the CPRA, which adds that reasonable security procedures and practices following a breach will not constitute a cure with respect to that breach.
Check back for further updates on trends in CCPA and CPRA practice. For more information, please feel free to reach out to the authors or others in BakerHostetler’s Digital Assets and Data Management Practice Group, which regularly counsels and advocates for clients on CCPA compliance, risk, and enforcement within the evolving legal landscape.