2021 was another record setting year for the California Consumer Privacy Act (“CCPA”). Read on for CPW’s highlights of the year’s most significant events concerning CCPA litigation, as well as our predictions for what 2022 may bring.
2020 Recap: The CCPA Comes Into Effect
The CCPA went into effect on January 1, 2020. It regulates any “business” that “does business in California,” even those without a physical presence in the state, and determines the means and purposes of the processing of “personal information”.
As a recap, what entities qualify as a “business” subject to the CCPA? The statute defines a “business” as a for-profit, private entity that (1) collects “personal information”, (2) determines the means of processing that personal information, (3) does business in California, and (4) meets one of the following criteria:
-
Has annual gross revenues exceeding $25 million;
-
Annually sells/buys or receives/shares for commercial purposes the personal information of 50,000 or more California consumers; or
-
Derives 50% or more of its annual revenue from selling personal information.
Generally, the CCPA covers all information so long as it relates to a California resident or California household. Aligning with the GDPR, the CCPA defines “personal information” to include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Cal. Civ. Code § 1798.140(o).
The CCPA requires compliance with its notification and transparency notices. First, the CCPA expects businesses to present up to four notices, to be determined by that business’s practices. Second, businesses must also inform consumers of their rights under the CCPA including their: (1) right to know, (2) right to delete, (3) right to opt out, (4) right to not be discriminated against for exercising their CCPA rights.
Section 1798.150(a)(1) of the CCPA provides a private right of action to “[a]ny consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure” due to a business failing to satisfy “the duty to implement and maintain reasonable security procedures and practices….” (emphasis supplied). Damages available for a private right of action under Section 1798.150(a)(1) include a statutory amount of between $100 and $750 “per consumer per incident or actual damages, whichever is greater”, as well as injunctive or declaratory relief and “any other relief the court deems proper” (emphasis supplied).
The first CCPA lawsuit, Fuentes v. Sunshine Behavioral Health Group, LLC, No. 8:20-cv-00487 (C.D. Cal.), appeared on March 10, 2020, only three months after the law went into effect. Others soon followed.
Overview of 2021 CCPA Litigations: What Do the Numbers Show?
To date, over 125 cases asserting CCPA claims have been filed this year, with the vast majority (91.2%) filed in federal courts. Each quarter of 2021 has seen roughly the same number of cases filed (about 30-35 cases). Not surprisingly, about 60% of all federal cases were filed in California’s federal courts, with the largest number of cases filed in the Northern and Southern Districts of California. Outside of California, the Western District of Washington had the largest number of CCPA cases filed with ten total cases filed to date. A handful of cases have also been filed in district courts in each of the Second, Third, Fourth, Fifth, Sixth, Seventh, Eighth, and Eleventh Circuits. Ten of the eleven state court cases filed have been filed in California Superior Courts.
Interestingly, nearly 40% of all CCPA cases filed this year either concerned the T-Mobile data event or alternatively, another data event involving a financial services company following account hacks on the California Employment Development Department’s (“EDD”) prepaid debit cards. As such, the largest number of cases filed this year were concentrated in the communications and financial services industries. The remaining CCPA cases, however, span a wide range of industries—including technology, healthcare, insurance, and hospitality. Even a hair transplant company had a CCPA lawsuit brought against it this year.
And while cyber theft remains on the rise, plaintiffs (and plaintiffs’ attorneys) have not lost sight of other data use implications mandated by the CCPA. For example, Flo Health Inc., an ovulation-tracking app has been hit with a number of class action lawsuits alleging the app “secretly collected” (i.e. without consent) personal information of users—including whether women were trying to get pregnant—and shared that data with third-party data collectors and advertisers. The lawsuits follow the FTC’s investigation into related concerns. Some of the complaints against Flo Health reference the CCPA as supporting other claims raised by plaintiffs, such as violation of the California’s Unfair Competition Law (Cal. Bus. & Prof. Code §§ 17200, et seq.), without asserting a direct CCPA claim.
2021 Developments in CCPA Case Law
This year has seen a number of developments in CCPA litigation case law. We highlight a few of those developments here.
At the beginning of this year, one federal court held that the CCPA does not limit the scope of discovery in litigation. Will Kaupelis v. Harbor Freight Tools USA, Inc., Case No. 19-01203 (C.D. Cal.). This case was brought as a putative class action and concerned claims that the defendant allegedly manufactured and sold chainsaws with a design defect. After defendant’s motion to dismiss was denied, plaintiff sought discovery that included the PI of customers who had complained about the purported product defect (including individuals in California). The defendant resisted production of this information, in reliance on the CCPA. Specifically, the defendant argued that the CCPA expanded the privacy rights previously provided under California law. As such, the defendant argued that the court should “protect the consumers’ PI by allowing consumers an opportunity to opt out from disclosure.” The defendant claimed this approach was consistent with the CCPA’s notice and consent requirements. The court, however, granted plaintiff’s motion to compel, stating that, “[n]othing in the CCPA presents a bar to civil discovery. Notably, no other case has so held. And the statute itself explicitly says that it is not a restriction on a business’s ability to comply with federal law.” The court later dismissed an amended complaint on similar grounds.
In March, Walmart scored a massive win for defendants in data privacy litigation in the Lavarious Gardiner v. Walmart Inc. et al. case. The Court adopted Walmart’s narrow interpretation of the CCPA and dismissed Plaintiff’s non-cognizable CCPA claim. As a reminder, this case involved a plaintiff inferring, from finding his information on the dark web, that Walmart had suffered a data breach. In response, Walmart argued first, that Plaintiff’s failure to allege when the breach purportedly occurred was fatal to the Complaint because the CCPA is not retroactive. The Court sided with Walmart and agreed that Plaintiff needed to plead a breach occurring after January 1, 2020: “Absent allegations establishing that Walmart’s alleged violation of the CCPA occurred after it went into effect, Plaintiff’s CCPA claim is not viable. Second, the Court also held that Plaintiff’s CCPA claim failed for the additional reason that Plaintiff did not sufficiently allege disclosure of his personal information as defined in the CCPA. Cal. Civ. Code § 1798.81.5. The Court found insufficient the Complaint’s allegation that the purported breach compromised the full names, financial account information, credit card information, and other PII of Walmart customers: “[a]lthough in the Complaint Plaintiff generally refers to financial information and credit card fraud, he does not allege the disclosure of a credit or debit card or account number, and the required security or access code to access the account.” (emphasis added).
In July, 2021 the Central District of California denied a motion to compel arbitration brought by the Gap in the data breach litigation, Shadi Hayden v. Retail Equation et al., No. 20-cv-01203 (C.D. Cal. July 07, 2020). There the court reasoned that, because the Gap was not a party to the arbitration agreement it attempt to invoke, the arbitration agreement did not apply to bar the litigation. The Gap subsequently appealed, and the case remains pending.
In an August decision, a federal judge found the majority of Plaintiffs’ statutory claims to withstand a Rule 12(b)(6) motion to dismiss in the In re Blackbaud data privacy multi-district litigation. MDL No. 2972 (D.S.C. Aug. 12, 2021). Plaintiffs’ allegations that a cyberattack resulting from Blackbaud’s “deficient security program” and failure to comply with industry and regulatory standards, was sufficient to withstand a motion to dismiss. As to the CCPA, the Court found that Blackbaud was alleged to be a “business” under the CCPA, relying largely on its registration as a “data broker” under California law. The Court notably rejected Blackbaud’s argument that it was a “service provider” as insulating it from liability under the CCPA.
In another significant ruling, in Brooks v. Thomson Reuters Corp., No. 21-cv-01418-EMC, 2021 U.S. Dist. LEXIS 154093 (N.D. Cal. Aug. 16, 2021) the Northern District of California recently denied in part a defendant’s motion to dismiss a complaint alleging violations of various consumer privacy statutes. Of note, the Court found that an affirmative defense of compliance with one privacy statute, the CCPA, did not shield defendant from liability for alleged violations of other state laws.
Finally, in December, the Northern District of California denied a motion to intervene and oppose a preliminary approved settlement in the litigation that followed a widespread data event Accellion had suffered. Cochran v. Accellion, Inc., 2021 U.S. Dist. LEXIS 214686 (N.D. Cal. Nov. 5, 2021). In Cochran, one of the entities that used Accellion as a services provider agreed as part of a $5 million dollar settlement to modify its business practices going forward. This would include switching to a “new secure file transfer solution,” securing or destroying the personal information subject to the data event and boosting its third-party vendor risk management program. In denying the Proposed Intervenor’s Motion to Intervene, the Court analyzed intervention as a matter of right and permissive intervention. The Court, however, rejected that intervenors could intervene as a matter of right because the Court heard the Proposed Intervenors’ objections to the proposed settlement on two occasions, the settlement agreement allows putative intervenors to protect their interests by opting out of the settlement class, and because the Court found that the Proposed Intervenors interest in a preliminary settlement approval is not a “significant protectable interest.” The Court denied permissive intervention because, among other things, the Proposed Intervenors already had the opportunity to participate in the fairness hearings.
Predictions for CCPA Litigation in 2022
So what is on the horizon for 2022? Certainly an expansion of consumer privacy laws that follow California’s lead. This past year saw Virginia and Colorado launch privacy legislation and that trend will continue in 2022. While claims invoking the consumer privacy law of other states may be kept at bay during 2022, the lessons learned from CCPA litigation will come into play in 2023 as those new laws, particularly those with a private right of action, start going into effect.
In the meantime, we can expect that the lawsuits making their way through the courts will continue shaping the contours of CCPA litigation. Of particular interest will be the impact of the Ramirez v. TransUnion decision upon class action litigation, including CCPA claims arising from a data incident. As previously noted, which commentators worried that Ramirez might preclude data breach litigations from being brought in federal courts, those concerns have not materialized, with CCPA claims remaining just at home in federal court in state court.
We can also expect to see continued enforcement activity at the state level. In July 2021, California’s Attorney General Bonta issued a press release summarizing its first year of CCPA enforcement and reinforcing its commitment to CCPA enforcement. The pressure will remain on companies to annually update their California privacy notices to avoid finding themselves the target of enforcement activities.
Marissa Black also contributed to this article.