This post recaps the court decisions analyzing the California Consumer Privacy Act (CCPA) so far. I only know of seven opinions as of May 1, 2021, a number that struck me as surprisingly small. (If you think I’m missing any, please email me).
CCPA lawsuits generally fit into one of the following four categories:
- Data breach Private Right of Action (PRA). Since Jan. 1, 2020, the CCPA authorizes a private right of action with respect to certain data breaches. I fully expected this would be a popular claim; I thought plaintiffs would allege it in every data breach lawsuit. We’ve seen many of these filings, but few of the cases have issued opinions yet. 16 months isn’t very long in the lifespan of litigation, so this jurisprudence is still emerging.
- AG enforcement. The AG’s office gained partial enforcement power on July 1, 2021 (the rest in August 2020). An AG enforcement will produce a court opinion only if the parties actually fight in court, which businesses are reluctant to do. Plus, the CCPA also gives businesses a mandatory cure period, which further reduces the odds of litigated disputes. I’m not aware of any AG enforcements of the CCPA spilling into court. In fact, I’m not aware of any publicized CCPA enforcement actions, a surprising stat given the target-rich enforcement environment.
- Non-data breach PRA. The CCPA doesn’t authorize PRAs for any statutory violations other than specified data breaches. Some plaintiffs have asserted these CCPA claims anyway. They will fail.
- Constitutional challenges. In the CCPA’s early days, I heard a lot of chatter that unhappy businesses were going to challenge the CCPA, but I don’t believe any lawsuits were ever filed. Given the CCPA’s imminent deprecation due to the CPRA, I don’t expect any court challenges to the CCPA to emerge at this point.
TL;DR: it’s been pretty quiet on the CCPA litigation front so far.
1. Kaupelis v. Harbor Freight Tools USA, Inc., 2020 U.S. Dist. LEXIS 246379 (C.D. Cal. Sept. 28, 2020):
The CCPA does state that it’s “intended to further the constitutional right of privacy.” But the CCPA is a statute that’s focused on particular practices; specifically, it seeks to address the sale of PI and the disclosure of PI for business purposes. This intent is evidenced throughout the CCPA…
The terms “sale” and “business purpose” are not defined in a way that encompasses civil discovery requests….The plain language of the CCPA shows that neither of these terms is intended to include disclosure of PI as part of a civil discovery request. Indeed, the CCPA’s irrelevance to civil discovery requests is further shown by how the CCPA expressly “shall not restrict a business’ ability to . . . comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.” The CCPA therefore doesn’t require the expanded use of notice and consent by parties responding to discovery requests.
Prior ruling: Kaupelis v. Harbor Freight Tools USA, Inc., 2020 U.S. Dist. LEXIS 198864 (C.D. Cal. August 19, 2020).
2. DeLuna v. Tandem Diabetes, CIVDS 2010795 (Cal. Superior Ct. hearing transcript from October 27, 2020):
The second cause of action, which was brought under the Consumer Privacy Act, I would sustain the demurrer to this cause of action….This statutory scheme isn’t applicable to HIPAA regulated entities. Paragraph 116 alleges a violation of HIPAA. And the facts that are alleged seem to fit the requirements for HIPAA regulated entities.
3. Facebook, Inc. v. BrandTotal Ltd., 2020 U.S. Dist. LEXIS 210431 (N.D. Cal. Nov. 9, 2020). My prior blog post. “Despite the CCPA’s general purpose of granting consumers greater control over how their personal information is used, BrandTotal has not cited any provision of that statute that specifically requires Facebook to provide the sort of access at issue here. The fact that the statute allows companies to provide financial compensation to consumers for collection of their personal information, does not by its terms require other companies that have collected users’ information to make it available to the company offering compensation.”
4. Stasi v. Inmediata Health Grp. Corp., 2020 U.S. Dist. LEXIS 217097 (S.D. Cal. Nov. 19, 2020):
Plaintiffs don’t merely allege that it should be inferred or rebuttably presumed that their information was accessed by an unauthorized person. Plaintiffs repeatedly allege that their information “was viewed by unauthorized persons.” Moreover, Inmediata doesn’t point to any authority requiring Plaintiffs to plead theft or unauthorized access in order to plead a plausible violation of the CCPA. The CCPA provides a private right of action for actual or statutory damages to “[a]ny consumer whose nonencrypted and nonredacted personal information . . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information[.]” Plaintiffs argue, and Inmediata doesn’t dispute, that the facts alleged in the FAC that Plaintiffs’ personal and medical information was accessible via the internet, constitutes a “disclosure” under the CCPA. Further, although Inmediata is correct that the CCPA doesn’t apply to medical information governed by CMIA, Inmediata doesn’t address the non-medical information that it admits was accessible on the internet. Accordingly, at this early stage in the litigation, Plaintiffs allege a plausible claim based on violation of the CCPA, and Inmediata has not met its burden of showing otherwise.
5. McCoy v. Alphabet, Inc., 2021 U.S. Dist. LEXIS 24180 (N.D. Cal. Feb. 2, 2021). “Plaintiff conceded that [the CCPA] claim should be dismissed because there are no allegations of a security breach in this case.”
6. Gardiner v. Walmart, Inc., 2021 U.S. Dist. LEXIS 75079 (N.D. Cal. Mar. 5, 2021). Venkat covered this ruling. The CCPA’s data breach PRA isn’t retroactive to activity before January 1, 2020.
7. Maag v. U.S. Bank, National Association, 21-cv-00031-H-LL (S.D. Cal. April 8, 2021)
To state a CCPA claim, a plaintiff must allege that his or her PII was accessed “as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” Here, Plaintiff fails to allege any facts to support the notion that Defendant’s security was poor. Plaintiff only makes unsupported allegations that his PII was compromised because Defendant didn’t “implement and maintain reasonable security procedures and practices,” “failed to effectively monitor its systems for security vulnerabilities,” and had “lax security.” These conclusory allegations are alone insufficient to state a CCPA claim.
In a footnote, the court adds:
Plaintiff does allege that Defendant failed to protect his PII with an encryption or password. But this allegation goes to a separate element of Plaintiff’s CCPA claim. The CCPA only applies to “nonencrypted and nonredacted personal information” in the first place. Thus, holding that the failure to password protect PII also amounts to a failure to adopt “reasonable security measures” would read the latter element out of the CCPA altogether, and would mean that any theft of unencrypted PII could create CCPA liability….Thus, Plaintiff’s allegation that his PII was not password protected is insufficient to state a CCPA claim on its own.
This raises an interesting conundrum for plaintiffs: how can plaintiffs properly allege that data was stored in a nonencrypted/nonredacted manner without getting discovery?
Other Cases to Note
- Mackintosh v. Lyft, Inc., 2019 WL 5682826 (E.D. Cal. Nov. 1, 2019). CCPA wasn’t yet effective.
- Guzman v. RLI Corp., 2020 U.S. Dist. LEXIS 222488 (C.D. Cal. Oct. 6, 2020). No TRO in a case alleging CCPA and other claims.
- Rahman v. Marriott Int’l, Inc., 2021 U.S. Dist. LEXIS 15155 (C.D. Cal. Jan. 12, 2021). The plaintiffs’ entire case, including the CCPA claim, was dismissed for lack of Article III standing.
- Wesch v. Yodlee, Inc., 3:20-cv-05991-SK (N.D. Cal. Feb. 16, 2021). The opinion doesn’t mention the CCPA, but the UCL 17200 claim was predicated on a CCPA violation. The court dismissed the UCL claim.
- Silver v. Stripe Inc., 4:20-cv-08196-DMR (N.D. Cal. minute order April 20, 2021). A minute order dismissed the UCL claim that was predicated on a CCPA violation.
There have been other non-substantive opinion references to the CCPA.
Prior CCPA/CPRA Posts
* CCPA Data Breach Lawsuit Against Walmart Fails–Gardiner v. Walmart
* The Anticipated Domino Effect: Virginia Passes Second State “Comprehensive” Privacy Law (Guest Blog Post)
* SF Chronicle Op-Ed: “Prop. 24 is the Wrong Policy Approach, at the Wrong Time, via the Wrong Process”
* Over 50 Privacy Professionals & Experts Oppose Prop. 24
* Californians: VOTE NO ON PROP. 24, The California Privacy Rights Act (CPRA)
* A Review of the “Final” CCPA Regulations from the CA Attorney General
* The CCPA Proposed Regs’ Data Valuation Calculation Provisions Provide Flexibility, But Raise Ambiguity & Transparency Concerns (Guest Blog Post)
* My Third Set of Comments to the CA DOJ on the CCPA Regulations
* Comments on the DOJ’s Proposed Modifications to the CCPA Regulations
* Eric Goldman’s Comments to the California DOJ Draft Regulations for the Consumer Privacy Act (CCPA) (Part 3 of 3)
* Some Lessons Learned from the California Consumer Privacy Act (CCPA), 18 Months In (Part 2 of 3)
* Resetting the California Consumer Privacy Act (CCPA)…with 2 Weeks To Go! (Part 1 of 3)
* And At the End of the Day, the CCPA Remains Very Much the Same (Guest Blog Post)
* A Recap of the Senate Judiciary Committee Hearing on Amending the California Consumer Privacy Act (Guest Blog Post)
* Want Companies to Comply with the CCPA? Delay Its Effective Date (Guest Blog Post)
* Recap of the California Assembly Hearing on the California Consumer Privacy Act
* A Status Report on the California Consumer Privacy Act
* 41 California Privacy Experts Urge Major Changes to the California Consumer Privacy Act
* California Amends the Consumer Privacy Act (CCPA); Fixes About 0.01% of its Problems
* Recent Developments Regarding the California Consumer Privacy Act
* The California Consumer Privacy Act Should Be Condemned, Not Celebrated
* A First (But Very Incomplete) Crack at Inventorying the California Consumer Privacy Act’s Problems
* Ten Reasons Why California’s New Data Protection Law is Unworkable, Burdensome, and Possibly Unconstitutional (Guest Blog Post)
* A Privacy Bomb Is About to Be Dropped on the California Economy and the Global Internet
* An Introduction to the California Consumer Privacy Act (CCPA)