California Consumer Privacy Act enforcement: What are the early lawsuits telling us about the scope of litigation?

California Consumer Privacy Act enforcement: What are the early lawsuits telling us about the scope of litigation?

Publication May 6, 2020

While California’s groundbreaking Consumer Privacy Act (“CCPA”) imposed sweeping new requirements regarding disclosure of how businesses collect and use personal information, it drew a balance when it came to enforcement, limiting private actions to those involving unauthorized access to personal information, and leaving enforcement of the remaining provisions of the CCPA to the California Attorney General. 

Prior to the start of enforcement, many in the business community were concerned that the plaintiffs’ bar would attempt to bring claims under the CCPA—or if not directly under the CCPA, based on a CCPA violation—that were apparently barred by the statute’s explicit language and limited private right of action. Such claims included direct attempts to impose liability for failure to disclose how businesses collected and used personal information, as well as the indirect use of the California Unfair Competition Law (“UCL”) to impose liability based on alleged CCPA violations. Businesses were also concerned about whether the plaintiffs’ bar would attempt to impose retroactive liability on claims that arose prior to the Act’s effective date. 

Four months into the enforcement era, the early returns show that businesses were right to be concerned about expansive efforts to enforce the CCPA. While the volume of cases filed through April 2020 is not high, the plaintiffs’ bar is showing no hesitancy in bringing claims that appear to be stretching the boundaries of the CCPA’s limits on private enforcement.

Trend 1: Expanding the scope of the CCPA’s private right of action

On its face, the CCPA expressly limits the private right of action to those consumers affected by a data breach: “The cause of action established by this section shall apply only to violations as defined in subdivision (a) and shall not be based on violations of any other section of this title.”1

The Act’s legislative history supports this reading—attempts to expand the limited the private right of action for all violations of the CCPA were defeated in the legislature.2 A report from the Assembly Committee on Privacy and Consumer Protection plainly clarifies the effect of the provision: “With respect to enforcement specifically, would create a limited private right of (sic) action for consumers whose information is subject to specified data breaches” while primary enforcement authority lies with the California Attorney General.3 And, according to an Assembly Floor Analysis Report, this limited right was intended to give way to: “a significant reduction of business’ liability exposure pursuant to consumer-initiated actions.”4

Notwithstanding the failed attempts to expand the private right of action in the legislature, the plaintiffs’ bar is asking courts to recognize a broader private right of action that also applies to a more expansive definition of personal information. For example, Zoom Video Communications is facing eight related consumer class actions in the Northern District of California, most of which allege Zoom violated under the CCPA for sharing user information with Facebook for the purpose of targeted advertising.5 Similar claims have been made against Ring, LLC, for allegedly failing to provide consumers notice of Ring’s collection and sharing of personal information and of the right to opt out.6 These claims fall outside of the scope of the private right of action for several reasons.

First, the plaintiffs allege Zoom and Ring each violated section 1798.100(b), by not providing notice that it was collecting and sharing personal information without notice. These claims, on their face, are outside of the scope of the private right of action described in section 1798.150(a). 

Second, the data breach claims against Zoom under section 1798.150(a) fail to take into account the much more narrow definition of “personal information” that applies for the purpose of the private right of action, namely, an individual’s name in combination with (i) a social security number, (ii) a driver’s license or other government identification number, or (iii) a credit or debit card number.7 Zoom had allegedly shared the device model, software, storage information, time zone, and IP address, which falls outside the scope of personal information that may give rise to the CCPA’s private right of action.

Trend 2: Cloaking a CCPA claim as a UCL violation

The UCL prohibits conduct that is “unlawful,” “fraudulent,” and “unfair,”8 each with its own test. Plaintiffs seem eager to test the limitation on the private right of action under the CCPA, by casting alleged violations of the CCPA as actionable under the UCL. 

In February, a class action was filed against Clearview AI alleging that the company violated the UCL by failing to provide the notice required under the CCPA prior to the collection of the plaintiffs’ biometric information.9 Plaintiffs alleged that Clearview’s conduct was both “unlawful” and “unfair” under the UCL. 

Two of the Zoom class actions also allege that Zoom violated the UCL by engaging in unlawful, fraudulent, and unfair conduct activity. While the complaints only specifically tie the CCPA violation to the “unlawful” claim, it appears that plaintiffs are also asserting that the CCPA violations constitute “unfair” conduct, as they allege that Zoom’s actions offend “an established public policy”10 prohibited by the UCL, one specifically for collecting consumer information without notice and consent in violation of section 1798.100(b). 

The “unlawful” prong of the UCL “borrows violations of other laws and treats them as independently actionable.”11  However, the courts impose an important limitation on that use of the UCL—plaintiffs may not “plead around an absolute bar to relief simply by recasting the cause of action as one for unfair competition.”12 And the CCPA contains an unambiguous provision that disclaims its use as the basis for a UCL violation: “Nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”13 A Senate Judiciary Committee report specifically interpreted this provision to bar UCL claims: “It appears that this provision would eliminate the ability of consumers to bring claims for violations of the Act under statutes such as the Unfair Competition Law, Business and Professions Code Section 17200 et seq. . . .”14

It is not clear that the plaintiffs’ UCL claims will fare any better under the “unfair” prong. The test for violation of the “unfair” prong in consumer actions has been unsettled since the California Supreme Court’s opinion in Cel-Tech Comms., Inc. v. Los Angeles Cellular Telephone Co.15 Although Cel-Tech disapproved both expansive tests that had been used by appellate courts, its refusal to specify the proper test for unfair business practices in the consumer context has led California courts of appeal to split over three different tests for unfair acts in consumer UCL actions:

  • a “balancing” test (substantially derived from one of the disapproved cases;16
  • a test derived from the Federal Trade Commission (the “FTC test”); and
  • a test requiring a UCL claim to be “tethered” to law or public policy as set forth in Cel-Tech.17 Regardless of which test is applied, it seems unlikely that a CCPA violation itself would be sufficient to bring an “unfair” claim in light of the proscription of the Act precluding its use “as the basis for a private right of action under any other law.”

Trend 3: Retroactive application

The basic rule in California is that “a statute may be applied retroactively only if it contains express language of retroactivity or if other sources provide a clear and unavoidable implication that the Legislature intended retroactive application.”18 The CCPA’s effective date is January 1, 2020,19 thus it would seem that it would not apply to conduct occurring before that date.

Not surprisingly, some early cases are definitely pursuing claims based on conduct that occurred before January 1, 2020. For example, Salesforce and Hannah Andersson were sued over a breach that allegedly occurred between September and November 2019.20 And the litigation against Ring also asserts liability based on conduct occurring after June 1, 2019.

What’s next?

It seems likely that two things will happen here:

  • the plaintiffs’ bar will continue to push the envelope in bringing claims that appear legally untenable on their face until legally untenable until the courts unambiguously hold that such claims are legally untenable, and
  • defendants will vigorously litigate to impose liability where it was not intended.

    If past experience with new legislative right, and limit, is of any predictive value, then it will likely be years of litigation and differing federal and state opinions until a consensus emerges. As we say often in these situations, stay tuned.

Footnotes

1   Cal. Civ. Code § 1798.150(c).

2   See, e.g., “Privacy for All Act of 2019” (AB-1760), SB 561. 

3   Committee on Privacy and Consumer Protection Report, AB 375, 2017-2018 Sess. (Cal. 2018).

4   Assembly Floor Analysis Report, AB 375, 2017-2018 Sess. (Cal. 2018).

5   As of April 30, 2020, these were  Cullen v. Zoom Video Communications Inc., case number 5:20-cv-02155; Taylor v. Zoom Video Communications Inc., case number 3:20-cv-02170; Johnston v. Zoom Video Communications Inc., case number 5:20-cv-02376; Kondrat v. Zoom Video Communications Inc., case number 5:20-cv-02520; Lawton v. Zoom Video Communications Inc., case number 3:20-cv-02592; Jimenez v. Zoom Video Communications Inc., case number 5:20-cv-02591; Hartmann v. Zoom Video Communications Inc., case number 5:20-cv-02620; and Henry v. Zoom Video Communications Inc., case number 5:20-cv-02691.

6   Sheth v Ring, LLC, Case No. 2:20-cv-01538 (C.D. Cal.), filed Feb. 18, 2020.

7   Cal. Civ. Code § 1798.81.5(d).

8   Cal. Bus. & Prof. Code § 17200.

9   See Sean Burke et al. v. Clearview AI, Inc., et al., 20-CV-0370-BAS-MSB (S.D. Cal.), filed Feb. 27, 2020. Here, plaintiffs alleged that Clearview “scrapped” photos of individuals on publicly available websites, and then used facial recognition software to generate “faceprints” to match the faces to publicly-available personally identifiable information.

10   Johnston, ¶ 124; Cullen, ¶ 124

11   Cel-Tech Comms., Inc. v. Los Angeles Cellular Telephone Co., 20 Cal. 4th 163, 180 (1999).

12   Id., 20 Cal. 4th at 182 (1999). 

13   Cal. Civ. Code § 1798.150(c).

14   Senate Judiciary Committee Report, AB-375, 2017-2018 Sess. (Cal. 2018). 

15   Infra, note 11.

16   People v. Casa Blanca Convalescent Homes, 159 Cal. App. 3d 515 (1984).

17   See Drum v. San Fernando Valley Bar Ass’n, 182 Cal.App.4th 247 (2010).

18   Myers v. Philip Morris Companies, Inc., 28 Cal. 4th 830, 844.

19   Cal. Civ. Code § 1798.198.

20   Barnes v. Hanna Anderson, LLC, et al., No.: 3:20-cv-00812-LB (N.D. Cal.), First Amended Complaint filed March 9, 2020. 



Recent publications

Subscribe and stay up to date with the latest legal news, information and events...