CCPA-Related Litigation: Testing the Limits of CCPA as a Tool to Privately Enforce Privacy Practices

 

by Justine Young Gottshall and Tatyana Ruderman

As many companies are still working to navigate the complexities of California’s new privacy statute, the California Consumer Privacy Act (CCPA), plaintiffs’ attorneys are already eager to test the limits of the law. Since the CCPA went into effect on January 1, 2020, no fewer than a dozen lawsuits have been filed in the State of California in state and federal courts alleging CCPA-related causes of action. Interestingly, only a handful of these lawsuits allege traditional data breach or other unauthorized disclosure, the only private right of action specifically permitted under the CCPA statute. However, plaintiffs’ attorneys are attempting to shoehorn CCPA violations into a variety of other statutory counts, with California’s unfair business practices statute (Business & Professions Code § 17200) one of the more popular choices, and trying to bring creative theories as to what might constitute a data breach or unauthorized disclosure under CCPA.

Private Right of Action under CCPA

The CCPA only explicitly allows a private right of action where a consumer’s personal information is stolen or disclosed to an unauthorized person because the business responsible for storing the information failed to maintain reasonable security measures. Cal. Civ. Code § 1798.150(a)(1). The CCPA goes on to provide that the cause of action established by Cal. Civ. Code § 1798.150 shall apply only to violations related to breach and shall not be based on violations of any other section of the title. Cal. Civ. Code § 1798.150(c).

Under the data breach provision, consumers can potentially recover between $100 and $750 per consumer and per incident in statutory damages or their actual damages, whichever is greater, and lawsuits may be brought on either an individual or class basis.

Testing the Limits

The CCPA’s data breach provision is most clearly triggered where a third party, unaffiliated with and/or antagonistic to the company, gains unauthorized access to a consumer’s personal information.

However, interestingly, many CCPA-related class action suits attempt to go further and allege violations of the CCPA’s other provisions (such as failing to provide CCPA-required disclosures and failing to provide a “Do Not Sell My Personal Information” link and opt-out right) by way of its data breach provision. As further explored below, some plaintiffs are essentially making the argument that the CCPA’s data breach provision can be triggered when a third party’s access to personal information is unauthorized by the consumer, even where the third party likely has a business relationship with the defendant and further where the sharing arrangement is likely financially beneficial to the defendant.

Some plaintiffs also sue under other California statutes, such as California’s Unfair Competition Law (UCL), with CCPA as an underlying basis.

Below we review a few proposed class actions filed in U.S. district courts in California that are illustrative of these practices.

  • In G.R., et al. v. Tiktok, Inc., 2:20-cv-04537 (C.D. Cal. May 20, 2020), Plaintiff alleges a claim that calls out violations of the CCPA’s notice and “Do Not Sell” requirements, but seems to be arguing that these form the underlying basis for a violation of the CCPA’s breach provision.

    • As some examples of notable allegations, Plaintiffs plead:

      • That TikTok did not obtain consent from users for the collection, retention, or release of their biometric information, pleading that “[i]n direct violation of the CCPA,” the app’s facial recognition technology collected and stored “templates of each [user’s] face – all without ever informing anyone of this practice.”

      • That TikTok violated the CCPA by failing to provide a right to opt-out to the disclosure of such biometric information.

      • That TikTok violated the CCPA by failing to use a reasonable standard of care to protect the biometric identifiers and other information from disclosure, “and, in fact, affirmatively disclosed their biometric identifiers and information.”

      • That TikTok violated California’s UCL by unlawfully intercepting, recording, disclosing, and otherwise misusing biometric information without consent in violation of the CCPA and by breaching its own privacy policy.

      • That California law should apply to the entire class, not limited to California residents, due to TikTok having its U.S. headquarters in California.

    • As seems to be an emerging trend in some of these suits, in addition to shoehorning CCPA violations into another California privacy statute, this case takes a clever approach by essentially pleading that companies trigger the CCPA’s “unauthorized disclosure” provision by not providing requisite notice to users at the point of collection of the information they collect or with whom it is shared (here, biometric information) and also failing to provide notice of their right to opt-out of certain sharing and not allowing consumers the opportunity to do so. Under this theory, the company’s undisclosed sharing with third parties was not authorized by the consumer and thus triggers Cal. Civ. Code § 1798.150(a)(1).

  • A number of federal cases have been filed against Zoom and are now consolidated in the Northern District of California under In Re: Zoom Video Communications Inc. Privacy Litigation, Case No. 5:20-cv-02155. As one example of these cases, Cullen v. Zoom Video Communications, Inc., 5:20-cv-02155 (March 30, 2020), also alleges violations of the CCPA’s non-actionable notice requirements, seeming to argue that failure to disclose sharing of certain information to third parties then triggered the breach provision.

    • For example, Plaintiffs plead:

      • That Zoom violated the CCPA by collecting and using personal information without providing adequate notice.

      • That it failed its duty to implement and maintain reasonable security procedures and practices by including code in its app which made regular disclosures of users’ personal information to Facebook and other third parties.

      • That users’ personal information was subjected to unauthorized disclosure.

      • That Zoom makes certain privacy representations about security in its privacy policy, but did not abide by them.

      • That Zoom violated California’s Unfair Competition Law (UCL) by engaging in “unlawful activity” in not complying with the CCPA, such as collecting personal information without providing adequate notice at collection.

    • This suit also argues that Zoom triggered the CCPA’s “unauthorized disclosure” provision by not providing requisite notice to users that third parties were automatically collecting information through use of the app.

  • Sweeney v. Life on Air, Inc. & Epic Games, Inc., Case No. 3:20-cv-00742 (S.D. Cal. Apr. 17, 2020) is one example of a suit that directly alleges a failure to provide sufficient notice under the CCPA (not referencing the actionable breach provision).

    • Plaintiffs plead that defendants violated the CCPA by:

      • Failing to notify users that they were collecting and disseminating personal information.

      • Failing to provide notice of the right to opt out.

      • Failing to provide a clear and conspicuous link to a page titled “Do Not Sell My Personal Information” where they would be able to opt out.

      • “Failing to use any personal information collected from the consumer in connection with keeping their personal information private”

    • The defendants have filed a motion to compel arbitration based on the arbitration and forum-selection clauses in their Terms of Service.

    • We anticipate that this case is unlikely to succeed because of the clear language in the CCPA that the private right of action only applies to violations related to breach and shall not be based on violations of any other section of the title. Cal. Civ. Code § 1798.150(c). However, it serves as a cautionary tale that any violation of the CCPA can expose a company to unnecessary legal costs and headaches.

Key Takeaways:

As Sweeney and these other suits show, the plaintiffs’ bar is closely scrutinizing privacy practices of companies across a broad range of industries, and using all tools possible to push claims in the courts. At face value, these attempts to litigate on violations of other CCPA provisions seem to directly contravene the CCPA’s specific statement barring CCPA claims as the basis for a private right of action under a separate law. Cal. Civ. Code § 1798.150(c). However, the true scope of the limitation and the ability to make broader “breach” claims, such as those based on access unauthorized by a consumer, will have to be established through litigation and the courts.

The best that companies can do now is operate under the assumption that any violation of the CCPA could potentially expose them to civil litigation. Most importantly, companies should make sure their public-facing policies satisfy the CCPA’s disclosure requirements, that they are complete and accurate, and, where applicable, that they offer an opt-out right with the “Do Not Sell My Personal Information” footer link. One key facet of this is carefully evaluating all relationships with third parties that involve the sharing of any consumer data.