Three months into the pandemic here, California is the hotspot for COVID-19 consumer class actions, with well over 50 actions filed through May 2020. Plaintiffs recognize the lower burden under California's consumer protection statutes; and California's brand new, and plaintiff-friendly, cybersecurity law beckons as the use of electronic platforms from home proliferates during the pandemic.

In many cases, these pandemic-related claims under California's cybersecurity and consumer protection statutes will be ripe for dismissal before discovery and class certification proceedings. In this two-part article, we consider the new cybersecurity statute; new rulings on key issues; and available defenses at the motion to dismiss stage. Some defenses are applicable across the board; others are statute-specific.

A. Cybersecurity Law.

Due to stay-at-home orders, the use of home-based electronic platforms for social and business purposes has exploded. Several class actions have been filed in California against video conferencing platforms, alleging the unlawful acquisition by third parties of plaintiffs' personal identifying information. In Hurvitz v. Zoom Video Commc'ns, Inc., No. 2:20-cv-03400 (C.D. Cal., filed Apr. 13, 2020) for example, where the defendants include Zoom, Facebook and LinkedIn, the putative class consists of "[a]ll persons and businesses in the United States whose personal or private information was collected and/or disclosed by Zoom to a third party upon installation or opening of the Zoom video conferencing application." Causes of action include common law claims (unjust enrichment, intrusion upon seclusion), violations of the California Constitution's right to privacy, and alleged statutory violations (California's Right to Privacy Act, Invasion of Privacy Act, Unfair Competition Law, and the newly enacted Consumer Privacy Act, discussed below).

The California Consumer Privacy Act (CCPA), as yet untested, is the nation's newest and most comprehensive consumer privacy law. The statute became operative on Jan. 1, 2020 (with attorney general enforcement set to begin on July 1, 2020). On June 1, 2020, the California attorney general submitted final proposed regulations to the California Office of Administrative Law.

The CCPA gives natural persons who are California residents four basic rights with regard to their personal information:

1. The right to know what personal information a business has collected about them, where it was sourced from, what it is being used for, whether it is being disclosed or sold, and to whom it is being disclosed or sold;
2. The right to "opt out" of allowing a business to sell their personal information to third parties;
3. The right to have a business delete their personal information; and
4. The right to receive equal service and pricing from a business, even if they exercise their privacy rights under the Act.

The statute provides for statutory damages, Cal. Civ. Code § 1798.150(a)(1), thereby eliminating the need to prove actual damages, which can be a challenge in cases charging data breaches. Injunctive and declaratory relief are also available.  §1798.150(a)(1)(B),(C).

There is a catch: to pursue statutory damages, plaintiffs must provide the defendant 30 days' written notice that the data security provision of the CCPA has been violated.  Id. § 1798.150(b). The defendant then has 30 days to "cure" the violations and provide the plaintiffs with "an express written statement that the violations have been cured and that no further violations shall occur." Id. If the business does so, then the plaintiff may not request statutory damages in a subsequent suit. The statute does not define "cure," so it remains to be determined how a business can successfully "cure" data security violations under the statute.

Because data breaches can involve millions of individuals, and each individual can collect statutory damages, potential payouts under the CCPA will encourage class action filings.

B. Consumer Protection Actions.

Consumer unfair competition class actions are nothing new, particularly in consumer-friendly California.   See, e.g., Davidson v. Kimberly-Clark Corp., 889 F.3d 956 (9th Cir. 2018).  It is notable, nonetheless, that numerous class actions charging consumer fraud have been filed in California during the COVID-19 pandemic. In Mercado v. eBay, Inc., No. 5:2020-cv-03053 (N.D. Calf., filed May 4, 2020), for example, plaintiffs sued eBay for allegedly encouraging sellers on its platform to hike the price of masks, hand sanitizer, disinfectants and other products that can help combat COVID-19, in violation of California Executive Order N-44-20, and Penal Code section 396, which prohibit charging a price that exceeds, by more than 10%, the price of an item before a state or local declaration of emergency. In McQueen v. Amazon.com, No. 20-cv-02782 (N.D. Cal., filed Apr. 21, 2020), the putative class alleges that Amazon engaged in "unconscionable" and unlawful price increases during the COVID-19 pandemic, inflating prices for essential goods by upward of 672%; and in David v. Vi-Jon Inc., No. 3:20-cv-00424 (S.D. Cal., filed Mar. 5, 2020), consumers allege that Vi-Jon Inc., the manufacturer of a hand sanitizer, falsely represented to consumers that its product was effective against COVID-19, causing consumers to purchase the product, to their detriment. Other consumer class actions have ranged farther afield, for example, seeking refunds from health clubs that closed their facilities but still billed customers; and class actions against ticket aggregators and promoters of live events.

California is clearly a hospitable venue for consumer class action lawsuits. The California Unfair Competition Law (UCL) broadly prohibits business practices that are unlawful, unfair or fraudulent. Cal. Bus. & Prof. Code §§ 17200-17209. Each prong of the statute provides a "separate and distinct theory of liability." Lozano v. AT & T Wireless Servs., Inc., 504 F.3d 718, 731 (9th Cir. 2007).

Moreover, the "unlawful" prong of the statute "borrows" violations of other laws and treats them as unlawful practices under the UCL itself. "Borrowed" laws have included federal statutes and regulations; state statutes and regulations; local ordinances; standards of professional conduct; common law; and prior decisional law.  See Rose v. Bank of America. N.A., 57 Cal. 4th 390 (2013) (upholding the borrowing of a federal statute even though Congress had repealed the statute's private cause of action provision allowing civil damages). An affirmative defense under the borrowed law is, of course, a bar to the UCL action. Damages are not available under the UCL, but the statute provides for injunctive relief, restitution and civil penalties, although civil penalties are available only in government enforcement actions.

Other popular consumer protection state statutes include the California False Advertising Law (FAL), which prohibits false or misleading statements to consumers about any product or service; and the California Consumers Legal Remedies Act (CLRA), which prohibits "unfair methods of competition and unfair or deceptive acts or practices" in connection with the sale or lease of goods or services to consumers. The CLRA permits actual, statutory and punitive damages and expressly bars 27 defined business acts and practices. Cal. Civ. Code § 1770(a).  The statute provides for streamlined class certification, and dispositive motion proceedings.

California's CLRA, UCL, and False Advertising Law "have no scienter requirement, whereas many other states' consumer protection statutes do require scienter."  Mazza v. Am. Honda Motor Co., 666 F.3d 581, 591 (9th Cir. 2012).

C. General Defenses at the Motion-to-Dismiss Stage.

There are a number of general defenses that may be available at the pleadings stage in consumer fraud or cybersecurity class action lawsuits. The ones that follow are the more important defenses and have the potential to dispose of the lawsuit.

1. Arbitration Agreements and Class Action Waivers.

In California, the CCPA gives consumers the right to seek, on "an individual or class-wide" basis, actual damages, statutory damages, or injunctive or declaratory relief following certain types of data security breaches. The statute further provides that: "Any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer's rights under this title, including, but not limited to, any right to a remedy or means of enforcement, shall be deemed contrary to public policy and shall be void and unenforceable." Cal. Civ. Code. § 1798.192. The statute, therefore, can be read to invalidate the use of arbitration and class action waiver clauses in contracts, since those provisions might prevent consumers from proceeding on a "class-wide" basis.

However, it is now settled that class waiver clauses in consumer agreements are generally enforceable, given the strong federal policy favoring arbitration.  See AT&T Mobility LLC v. Concepcion, 563 U.S. 333 (2011); DirecTV, Inc. v. Imburgia, 136 S. Ct. 463, 468 (2015); Epic Sys. v. Lewis, 138 S. Ct. 1612, 1623 (2018). Furthermore in Sanchez v. Valencia Holding Co., 353 P.3d 741(Cal. 2015), the California Supreme Court ruled that class action waiver provisions in contracts are enforceable, even when state law appears to provide for class action type recovery. As a result, federal law should trump the CCPA provision and compel enforcement of class waivers.

There remains a question whether a plaintiff retains the right to seek injunctive relief in court for the benefit of the public at large, notwithstanding an arbitration agreement. This was the ruling of the California Supreme Court in McGill v. Citibank, N.A., 393 P.3d 85 (Cal. 2017), where the court held that a waiver "in a predispute arbitration agreement" of the right to seek public injunctive relief "in any forum" is "contrary to California public policy and is thus unenforceable under California law." Id. at 87. The Ninth Circuit has upheld the rule, finding that it is not preempted by the Federal Arbitration Act ("FAA").  Blair v. Rent-a-Center, Inc., 928 F.3d 819, 831 n.3 (9th Cir. 2019).  In the meantime, on June 1, 2020, the U.S. Supreme Court denied certiorari in two cases raising the same preemption issue.  McArdle v. AT&T Mobility LLC, 772 F. App'x 575 (9th Cir. 2019), cert. denied, 2020 WL 2814785 (June 1, 2020); Tillage v. Comcast Corp., 772 F. App'x 569 (9th Cir. 2019), cert. denied, 2020 WL 2814783 June 1, 2020).

2. Article III Standing

In the four years following the Supreme Court ruling in Spokeo v. Robins, 136 S. Ct. 1540 (2016), which held that Article III standing requires a concrete injury, even in the context of a statutory violation, constitutional standing has been an issue in consumer and data breach class action litigation. See Frank v. Gaos, 139 S. Ct. 1041 (2019) (per curiam) (vacating settlement of class action and remanding to address standing); Campbell v. Facebook, Inc., 951 F.3d 1106 (9th Cir. 2020) (Article III standing found where statute addressed substantive privacy interests).  Where claims are based on alleged violations of statutes affording private rights of action, jurisdictional requirements might be met in state court, but in federal court the standing issue (i.e., whether there is injury-in-fact, causation and redressability, will remain an open question. If there is no standing, there is no federal jurisdiction, and the complaint—even if removed from state court—would have to be dismissed.

In the Ninth Circuit, courts have held that, as a general rule, standing should be addressed prior to class certification. Broomfield v. Craft Brew All., Inc., No. 17-CV-01027-BLF, 2017 WL 3838453, at *14 (N.D. Cal. Sept. 1, 2017). "Moreover, when a plaintiff's lack of standing is 'plain enough from the pleadings,' it can form appropriate grounds for dismissal even if it overlaps with issues regarding whether the named plaintiffs are adequate representatives under Rule 23." Id. (citing Gen. Tel. Co. v. Falcon, 457 U.S. 147, 160 (1982)).

A consideration, in evaluating the complaint, is the relationship between Article III standing and class actions. In Ramirez v. TransUnion LLC, 951 F.3d 1008 (9th Cir. 2020), a divided Ninth Circuit held that individual class members need to satisfy Article III's standing requirements to recover individual monetary damages. The court reasoned that a contrary rule would "transform the class action—a mere procedural device—into a vehicle for individuals to obtain money judgments in federal court even though they could not show sufficient injury to recover those judgments individually." Id. at 1023–24.  Class members who cannot demonstrate an injury-in-fact traceable to an alleged statutory violation or alleged conduct must be excluded from any class damages award.  While Ramirez focused on Article III standing at the "final judgment stage" of a class action, it observed that "district courts and parties should keep in mind that they will need a mechanism for identifying class members who lack standing at the damages phase" when they consider class certification.  Id. at 1023 n.6.  Accordingly, if it is obvious at the outset that there is no conceivable means of ultimately assessing the harm to absent class members, the issue would be worth flagging on a motion to dismiss.

Finally, choice-of-laws issues can affect the jurisdictional analysis.  In Mazza v. American Honda Motor Co., 666 F.3d 581 (9th Cir. 2012), the Ninth Circuit ruled that the district court, in certifying a class under Rule 23, misapplied California's choice-of-law rules by permitting California's substantive laws to apply to a class that included individuals from forty-four states. The court of appeals observed that material variations in state consumer protection laws would preclude application of California law; and that a class could not be certified for a deception claim under California's unfair competition law if the class members were not exposed to the same alleged misrepresentations or some class members also received corrective disclosures.  Accordingly, individualized issues of exposure and reliance would predominate over common issues.  See, e.g., 666 F.3d at 589 (plaintiffs must demonstrate that  California has "significant contact or significant aggregation of contacts to the claims of each class member"); id. at 596 ("A presumption of reliance does not arise when class members were exposed to quite disparate information from various representatives of the defendant.").

While this issue appears, at first blush, to be a certification matter, some federal courts have cast it as an Article III standing issue to be resolved on a motion to dismiss. Compare Azar v. Gateway Genomics, LLC, No. 15cv2945 AJB (WVG), 2017 WL 1479184 (N.D. Cal. Apr. 25, 2017) (deferring addressing the choice-of-law issue until the certification stage) with Azimpour v. Sears, Roebuck & Co., 2017 WL 1496255 (S.D. Cal. Apr. 26, 2017) (motion to dismiss denied in part, and granted in part pursuant to Article III).  See also Trazo v. Nestle USA Inc., 113 F. Supp. 3d 1047 (N.D. Cal. 2015) (dismissing where overly broad class definition included individuals who had no injury and hence no standing to sue).

3. Personal Jurisdiction

Plaintiffs may ask a California court to hear claims of nonresident plaintiffs who assert they were injured in other states by conduct occurring outside California.  In Bristol-Meyers Squibb v. Superior Court, 137 S. Ct. 1773 (2017), the Supreme Court held that California state courts lacked jurisdiction, in a mass tort action, to hear claims of nonresident plaintiffs who alleged that they were harmed in other states by conduct occurring outside California.  The Court opined that the Due Process Clause of the Fourteenth Amendment allows a state court to exercise personal jurisdiction only to the extent that a plaintiff's claims "arise out of or relate to the defendant's contacts with the forum." The Court left open the question whether the same restrictions would apply in federal court under the Fifth Amendment.

Recently, the issue has been considered in three federal courts of appeals decisions. In Mussat v. IQVIA, Inc., 953 F.3d 441 (7th Cir.  2020), the Seventh Circuit held that Bristol-Myers did not apply to a nationwide class action in federal court under a federal statute. The court reasoned that: "Once certified, the class as a whole is the litigating entity, and its affiliation with a forum depends only on the named plaintiffs." In Molock v. Whole Foods Market Group, Inc., 952 F.3d 293 (D.C. Cir. 2020), a divided panel of the D.C. Circuit ruled that, because putative class members are not parties until certification, the issue of the applicability of Bristol-Myers to class actions was premature.  Judge Silberman, in dissent, opined that Bristol-Myers applied to class actions.  Id. at 310.  In Cruson v. Jackson Nat'l Life Ins. Co., 954 F.3d 240 (5th Cir. 2020), the Fifth Circuit, following the D.C. Circuit, ruled that, before class certification, the putative nonresident plaintiffs were not properly before the court.

The issue remains open in the Ninth Circuit, and in most jurisdictions, and will eventually have to be resolved by the Supreme Court.  While some California federal district courts have rejected importing Bristol Meyers into the class action context, recently, in Carpenter v. Pet Smart, Inc., No. 19-cv-1731, __F.3d__, 2020 WL 996947, at *6 (S.D. Cal. Mar. 2, 2020), the court unequivocally held that "a state cannot assert specific personal jurisdiction over a defendant for the claims of unnamed class members that would not be subject to specific personal jurisdiction if asserted as individual claims."  Accord: Goldstein v. General Motors LLC, No.  No.: 3:19-cv-01778-H-AHG, 2020 WL 1849659 (S.D. Cal., Apr. 13, 2020). 

4. Federal Preemption.

Many federal courts will entertain the defense of federal preemption at the motion to dismiss stage. See Gisvold v. Merck & Co., Inc. 2014 WL 6765718 (S.D. Cal. Nov. 25, 2014) (dismissing false and misleading labeling claims on preemption grounds); People ex rel. Harris v. Delta Air Lines, Inc., 202 Cal. Rptr. 3d 395, 412 (Cal. App. 2016) (ADA preempted a UCL action for enforcement of  Online Privacy Protection Act's privacy policy requirements).

5. Rule 9(b)

Fraud cases obviously require heightened pleading under Fed. R. Civ. Pro. 9(b) and comparative state pleading rules. In Cortina v. Walmart, the court dismissed fraud claims at the motion to dismiss stage for failure to meet the heightened pleading standard in a case alleging misrepresentations on the label of a dietary supplement. And in In re Goggle Assistant Privacy Litigation, No. 19-cv-04286-BCF, 2020 WL 2219022 (N.D. Calf. May 7, 2020), the court dismissed fraud claims made pursuant to the UCL for failure to meet the requirements of Rule 9(b): "The lack of specific allegations regarding the allegedly fraudulent business practices is especially problematic here because claims under the fraudulent prong of the UCL are subject to the heightened pleading requirements of Rule 9(b)." Id. at *30 (internal quotation marks and citation omitted).

Richard Olderman is counsel at Williams & Connolly LLP, where he has primarily focused on appellate litigation. 

Edward Barnidge is a litigation partner at Williams & Connolly LLP, focusing on commercial litigation and heading the firm's class action practice.  

 Read more: 

An Early Cure for COVID-19 Class Actions in California, Part 2