Beyond COVID-19: Crisis response or road to recovery?
Crisis response or road to recovery?
While California’s groundbreaking Consumer Privacy Act (“CCPA”) imposed sweeping new requirements regarding disclosure of how businesses collect and use personal information, it drew a balance when it came to enforcement, limiting private actions to those involving unauthorized access to personal information, and leaving enforcement of the remaining provisions of the CCPA to the California Attorney General.
Prior to the start of enforcement, many in the business community were concerned that the plaintiffs’ bar would attempt to bring claims under the CCPA—or if not directly under the CCPA, based on a CCPA violation—that were apparently barred by the statute’s explicit language and limited private right of action. Such claims included direct attempts to impose liability for failure to disclose how businesses collected and used personal information, as well as the indirect use of the California Unfair Competition Law (“UCL”) to impose liability based on alleged CCPA violations. Businesses were also concerned about whether the plaintiffs’ bar would attempt to impose retroactive liability on claims that arose prior to the Act’s effective date.
Four months into the enforcement era, the early returns show that businesses were right to be concerned about expansive efforts to enforce the CCPA. While the volume of cases filed through April 2020 is not high, the plaintiffs’ bar is showing no hesitancy in bringing claims that appear to be stretching the boundaries of the CCPA’s limits on private enforcement.
On its face, the CCPA expressly limits the private right of action to those consumers affected by a data breach: “The cause of action established by this section shall apply only to violations as defined in subdivision (a) and shall not be based on violations of any other section of this title.”1
The Act’s legislative history supports this reading—attempts to expand the limited the private right of action for all violations of the CCPA were defeated in the legislature.2 A report from the Assembly Committee on Privacy and Consumer Protection plainly clarifies the effect of the provision: “With respect to enforcement specifically, would create a limited private right of (sic) action for consumers whose information is subject to specified data breaches” while primary enforcement authority lies with the California Attorney General.3 And, according to an Assembly Floor Analysis Report, this limited right was intended to give way to: “a significant reduction of business’ liability exposure pursuant to consumer-initiated actions.”4
Notwithstanding the failed attempts to expand the private right of action in the legislature, the plaintiffs’ bar is asking courts to recognize a broader private right of action that also applies to a more expansive definition of personal information. For example, Zoom Video Communications is facing eight related consumer class actions in the Northern District of California, most of which allege Zoom violated under the CCPA for sharing user information with Facebook for the purpose of targeted advertising.5 Similar claims have been made against Ring, LLC, for allegedly failing to provide consumers notice of Ring’s collection and sharing of personal information and of the right to opt out.6 These claims fall outside of the scope of the private right of action for several reasons.
First, the plaintiffs allege Zoom and Ring each violated section 1798.100(b), by not providing notice that it was collecting and sharing personal information without notice. These claims, on their face, are outside of the scope of the private right of action described in section 1798.150(a).
Second, the data breach claims against Zoom under section 1798.150(a) fail to take into account the much more narrow definition of “personal information” that applies for the purpose of the private right of action, namely, an individual’s name in combination with (i) a social security number, (ii) a driver’s license or other government identification number, or (iii) a credit or debit card number.7 Zoom had allegedly shared the device model, software, storage information, time zone, and IP address, which falls outside the scope of personal information that may give rise to the CCPA’s private right of action.
The UCL prohibits conduct that is “unlawful,” “fraudulent,” and “unfair,”8 each with its own test. Plaintiffs seem eager to test the limitation on the private right of action under the CCPA, by casting alleged violations of the CCPA as actionable under the UCL.
In February, a class action was filed against Clearview AI alleging that the company violated the UCL by failing to provide the notice required under the CCPA prior to the collection of the plaintiffs’ biometric information.9 Plaintiffs alleged that Clearview’s conduct was both “unlawful” and “unfair” under the UCL.
Two of the Zoom class actions also allege that Zoom violated the UCL by engaging in unlawful, fraudulent, and unfair conduct activity. While the complaints only specifically tie the CCPA violation to the “unlawful” claim, it appears that plaintiffs are also asserting that the CCPA violations constitute “unfair” conduct, as they allege that Zoom’s actions offend “an established public policy”10 prohibited by the UCL, one specifically for collecting consumer information without notice and consent in violation of section 1798.100(b).
The “unlawful” prong of the UCL “borrows violations of other laws and treats them as independently actionable.”11 However, the courts impose an important limitation on that use of the UCL—plaintiffs may not “plead around an absolute bar to relief simply by recasting the cause of action as one for unfair competition.”12 And the CCPA contains an unambiguous provision that disclaims its use as the basis for a UCL violation: “Nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”13 A Senate Judiciary Committee report specifically interpreted this provision to bar UCL claims: “It appears that this provision would eliminate the ability of consumers to bring claims for violations of the Act under statutes such as the Unfair Competition Law, Business and Professions Code Section 17200 et seq. . . .”14
It is not clear that the plaintiffs’ UCL claims will fare any better under the “unfair” prong. The test for violation of the “unfair” prong in consumer actions has been unsettled since the California Supreme Court’s opinion in Cel-Tech Comms., Inc. v. Los Angeles Cellular Telephone Co.15 Although Cel-Tech disapproved both expansive tests that had been used by appellate courts, its refusal to specify the proper test for unfair business practices in the consumer context has led California courts of appeal to split over three different tests for unfair acts in consumer UCL actions:
The basic rule in California is that “a statute may be applied retroactively only if it contains express language of retroactivity or if other sources provide a clear and unavoidable implication that the Legislature intended retroactive application.”18 The CCPA’s effective date is January 1, 2020,19 thus it would seem that it would not apply to conduct occurring before that date.
Not surprisingly, some early cases are definitely pursuing claims based on conduct that occurred before January 1, 2020. For example, Salesforce and Hannah Andersson were sued over a breach that allegedly occurred between September and November 2019.20 And the litigation against Ring also asserts liability based on conduct occurring after June 1, 2019.
It seems likely that two things will happen here:
COVID-19 has made it difficult for many companies to perform some of their contractual obligations, giving rise to a high number of corporate disputes, particularly relating to the application of force majeure and change in law provisions.
© Norton Rose Fulbright LLP 2020