An Early Look at California Consumer Privacy Act Litigation Trends
July 16, 2020 at 02:26 PM
Earlier this year, California became the first state in the country to provide a private cause of action for victims of a data breach. The private right of action is a key provision in the California Consumer Privacy Act (CCPA)—which became effective on Jan. 1, 2020—and allows California residents whose personal information is "subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices" to seek damages of $100-$750, per incident.
Because the CCPA's private cause of action expressly allows for class actions, privacy attorneys have long predicted that the law would trigger a wave of litigation. Numerous articles have been written speculating how businesses will defend themselves against CCPA class actions, and how plaintiffs will plead around/argue against these defenses. Most of the CCPA class actions filed to date are still early in the pleadings stage and as a result we do not yet have any decisions addressing the thornier issues that are likely to be the basis for motion practice. Still, we are beginning to see some emerging trends.
A New Wave of Litigation?
As of the time of this writing, there have been 46 lawsuits filed asserting claims under the CCPA, the vast majority in California federal court. Among the defendants facing CCPA class action claims are Facebook, Zoom, Marriott, Hanna Andersson, Epic Games and Minted.
On the one hand, 46 lawsuits may not seem like a large number—new data breaches are seemingly reported every week. On the other hand, the CCPA only provides a right of action relating to the unauthorized access to sensitive personal information—Social Security numbers, driver's license numbers, medical information, biometric data and financial account information—which is a subset of all reported breaches. Moreover, the CCPA provides for a 30-day notice period before a lawsuit can be filed, and at least on its face is not retroactive (more on this below). The extent to which CCPA litigation explodes depends on how courts ultimately decide the issues discussed below and, of course, the number of newly reported breaches.
Does the CCPA Allow Claims for Unauthorized Sharing?
While much of the litigation to date has focused on the types of claims largely expected—e.g., claims for actual data breaches and claims asserting unfair and deceptive practices related to alleged failures to provide necessary privacy notices—other cases have included more creative claims.
For example, in Robert Cullen v. Zoom Video Communications, No. 5:20-cv-02155-SVK (N.D. Cal.), there is no allegation of a traditional data breach. Rather, the plaintiff asserted a claim under the CCPA arising from Zoom's alleged sharing of personal information with Facebook. The complaint fails to acknowledge that the CCPA's private right of action only applies to unauthorized disclosures of sensitive personal information, which Zoom did not share with Facebook. Further, the plaintiff's interpretation of "unauthorized disclosure" includes intentional disclosures to business partners, which runs contrary to the CCPA's text and legislative history.
Unfair Competition Law Claims
Other plaintiffs have tried to expand the CCPA's reach by asserting claims under California's Unfair Competition Law (UCL). For example, in People v. TWC Product and Technologies, No. 19STCV00605 (Cal. Sup. Ct. 2019), the State argued that the UCL required The Weather Channel (TWC) to make certain privacy-related disclosures beyond those required by the CCPA.
In its June 11 motion for summary judgment, TWC argued that California courts must abstain from employing remedies available under the UCL where it would drag the court into an area of complex economic policy that has already been addressed by the legislature. TWC argued that in light of this comprehensive and expensive record, it would be unfair to impose additional and unidentified requirements under the UCL.
Personal Jurisdiction and Venue
Other potential defenses have not yet been the subject of motions to dismiss, but almost certainly will be asserted as cases advance. One of these defenses is lack of personal jurisdiction. The CCPA has a broad jurisdictional definition and covers all businesses that do business within the state of California and satisfy one of the CCPA's other jurisdictional triggers (revenues greater than $25 mm per year, collection of personal data of more than 50,000 consumers, or greater than 50% of profits derived from the sale of personal information).
It is likely that many out-of-state defendants will seek to dismiss claims based on a lack of personal jurisdiction. Operation of a website that reaches home-state residents can provide minimum contacts to establish specific personal jurisdiction, but the test is highly fact-specific and may well depend on other factors, such as the number of customers a business maintains and the extent of the business' marketing toward such customers.
Even if personal jurisdiction can be established, many out-of-state defendants will likely seek to transfer venue to their home states. Class actions that assert California-only causes of action may not meet the standards for a venue transfer. Nationwide breach class actions with California sub-classes may, however, be ripe for venue transfers.
Arbitration Clauses
Another issue likely to be hotly litigated at the pleadings stage is arbitration. Section 1798.192 of the CCPA states that "any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer's rights under [the CCPA], including, but not limited to, any right to a remedy or means of enforcement" is "void and unenforceable." Whether such a bar on arbitration clauses and class-action waivers is enforceable is questionable in light of recent Supreme Court case law, which has consistently upheld the enforcement of arbitration clauses under the Federal Arbitration Act.
'Curing' the Violation
Another issue that may trigger motions to dismiss concerns the CCPA's "cure" provision. Section 1798.150(b) states that prior to initiating an action against a business, a consumer must provide the business with 30 days' written notice identifying the specific provisions of the CCPA the consumer alleges have been or are being violated. The defendants are afforded 30 days to "cure" the defect.
The complaints filed to date typically assert that the plaintiffs provided notice to the defendant of its failure to implement reasonable data security controls, with little additional context. This kind of boilerplate pleading may become the basis for motions to dismiss, but it is also quite possible that the "cure" provision doesn't provide defendants with as much relief as it may appear. For one, the statutory language specifies that a business may cure the violation, if possible. "Cure" is not defined under the CCPA, and it may be that by the time a lawsuit is filed it is not possible for a defendant to cure the violation, if the cure provision is read by courts to require that defendants remedy the security issue in order to prevent damage to plaintiffs. Additionally, to utilize the cure defense, a defendant must provide a written statement to the plaintiffs attesting to the fact. A violation of the express statement can become a basis for additional statutory damages.
What Is Reasonable Data Security?
Another key issue that courts will need to address, most likely at the summary judgment stage, is the meaning of "reasonable" data security—the standard California law provides for covered businesses. The question of what reasonable data security means has not been addressed by California or any other courts. Some states, such as Ohio and North Carolina, have implemented data security laws that provide safe harbors against liability for companies that establish security controls that align with recognized standards such as the ISO or NIST, but it will likely be many years before litigants have a better sense of what courts or juries will deem reasonable data security to mean.
Retroactivity
Section 1798.150 is not expressly retroactive, but certain of the consumer requests provisions have a 12-month look-back period, making it unclear whether the law was meant to have a retroactive application. Moreover, the requirement that a business maintain reasonable data security procedures existed in California law prior to the establishment of the CCPA and therefore, under one line of argument, Section 1798.150 does not "affect rights, obligations, acts, transactions and conditions which are performed or exist prior to the adoption of the statute," which is the standard set forth in Aetna Casualty & Surety v. Industrial Accident Commission, 182 P.2d 159, 161 (Cal. 1947), the leading California Supreme Court case on the subject. At least one case—Barnes v. Hanna Andersson, Case No. 3:20-cv-00812-LB—relates to a breach that occurred prior to Jan. 1, 2020.
Conclusion
Because it is the first U.S. law to provide a private right of action for victims of data breaches, the CCPA will likely be a magnet for litigation for years to come. How successful that litigation will be, however, remains to be seen, as defendants have a range of statutory and common law defenses to CCPA causes of action. Businesses and their lawyers should pay close attention, as courts will likely begin addressing many of these potential defenses in the next 3-6 months.
Philip Yannella, partner with Ballard Spahr, serves as practice leader of the firm's privacy and data security group, and practice leader of the firm's e-discovery and data management group. He provides clients with 360-degree advice on the transfer, storage, and use of digital information.
Kim Phan is a partner with the firm. She counsels clients on privacy and data security law in areas including the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), the Telephone Consumer Protection Act (TCPA), and other federal and state privacy and data security statutes and regulations, including the California Consumer Privacy Act (CCPA).
Greg Szewczyk, partner-elect with the firm, focuses on complex corporate and commercial litigation, First Amendment matters, and privacy and cybersecurity counseling.
© 2024 ALM Global, LLC, All Rights Reserved.