The California Consumer Privacy Act has been operative for two full years now, and plaintiffs continue to file CCPA claims at a brisk clip. 2021 saw nearly 100 new complaints with many of the same types of claims we saw in 2020.[1]
In our prior report, we highlighted several ways plaintiffs were challenging the limits of the CCPA’s private right of action. These included attempts to (i) apply the CCPA retroactively, (ii) assert claims for violations of sections other than § 1798.150 (the data breach provision) or in the absence of a data breach, and (iii) use the CCPA as a predicate for other claims (such as California’s Unfair Competition Law). All of these issues remained open when 2021 began. Now, with the first wave of CCPA cases moving through the pleading stage, courts are starting to delineate the scope of the Act’s private right of action. These decisions shed helpful light on some of the issues we previously flagged and raise several more:
- Retroactive application. In Gardiner v. Walmart Inc., the Northern District of California ruled that because the CCPA “does not contain an express retroactivity provision[,]” an “alleged breach [] is only actionable under the CCPA if it occurred after January 1, 2020.”[2] The plaintiff attempted to sidestep the issue by arguing that their information was still available on the dark web in 2021. This was not enough: the “violation of the duty to implement and maintain reasonable security procedures and practices” must have “occurred on or after January 1, 2020.”[3] Other courts have interpreted the relevant time period similarly, concluding that CCPA claims must arise from breaches occurring on or after January 1, 2020.[4]
- Violations based on sections other than § 1798.150 or not concerning data breaches. In McCoy v. Alphabet, Inc., the plaintiff based his CCPA claim on allegations that the defendant failed to disclose data collection practices in violation of § 1798.100(b). He did not allege a breach of the duty “to implement and maintain reasonable security procedures and practices[,]” as required by § 1798.150. The Northern District of California dismissed the CCPA claim without a fight from the plaintiff. At the motion to dismiss hearing, the plaintiff “conceded that [the CCPA] claim should be dismissed because there [were] no allegations of a security breach in th[e] case.”[5] Similarly, a few months later, the Central District of California rejected a § 1798.150 claim based on the theory that the defendant violated the CCPA by disclosing the plaintiff’s credit card information to its credit card processor in connection with an auto-renewing subscription.[6] Because the disclosure was neither “caused by [d]efendant’s failure to implement reasonable security procedures” nor without authorization, the court dismissed that CCPA claim.[7]
- CCPA as a predicate for Unfair Competition Law (UCL) claims. In at least two cases, the Northern District of California rejected attempts to use the CCPA to support a California UCL claim. In both cases, the plaintiffs argued that the UCL “permits injured consumers to ‘borrow’ violations of other laws and treat them as unlawful competition that is independently actionable.” In rejecting the argument, the court stressed that the CCPA “on its face states that consumers may not use [it] as a basis for a private right of action under any statute” and such “violations cannot serve as the predicate for [a] UCL claim[.]”[8]
2021’s CCPA decisions also provide guidance on what is needed to allege violations of § 1798.150:
- Pleading requirements for alleging lack of reasonable security. A recurring question in CCPA cases is: what must plaintiffs plead to adequately allege a violation of the duty to implement and maintain reasonable security procedures and practices under § 1798.150? Although courts are split on the issue, several dismissed claims where the allegations were too conclusory. For example, the Southern District of California dismissed a CCPA claim where the plaintiff “fail[ed] to allege any facts to support the notion that [d]efendant’s security was deficient[,]” relying solely on the fact that the plaintiff’s personal information “was accessed[.]”[9] This departs from a case in 2020, where a different judge in the Southern District allowed a CCPA claim to survive based on allegations of “access[] by an unauthorized individual” alone, without detailing the defendant’s alleged security deficiencies.[10]
- Pleading requirements for satisfying the “personal information” element of a CCPA claim. The CCPA’s private right of action does not apply to all violations “of the duty to implement and maintain reasonable security procedures and practices”—only those that result in “unauthorized access and exfiltration, theft, or disclosure” of “nonencrypted or nonredacted personal information, as defined in [§ 1798.81.5(d)(1)(A)].” That provision defines “personal information” more narrowly than the definition of “personal information” (in § 1798.140) applicable to other CCPA requirements. In Gardiner, the court dismissed the CCPA claim, finding that the plaintiff failed to allege—as required under § 1798.81.5—that “the required security or access code to access the account” was compromised.[11] The judge refused to assume, based on the plaintiff’s “string of speculation,” that purchasing a product online with a credit card necessarily meant that the information compromised met the applicable definition of “personal information.”[12]
- Whether pleading ransomware alone supports a claim based on exfiltration under § 1798.150. To assert a CCPA claim, the Act requires pleading that personal information was subject to “unauthorized access and exfiltration, theft, or disclosure[.]”[13] In one case involving this issue, the defendant argued that because the nature of the attack “involve[d] encrypting a company’s data on the company’s own computer systems rather than stealing the company’s data,” there was no claim for unauthorized “exfiltration, theft, or disclosure[.]”[14] The Central District of California rejected this argument, refusing to infer from news articles that the ransomware variant did not involve exfiltration, and finding instead that the plaintiff’s allegations of data theft were “plausibl[e]” and “sufficient.”[15]
- Pleading requirements for alleging a “business” violated its duties under the CCPA. The CCPA provides a private right of action only for a “business’s” violation of the duty prescribed in § 1798.150.[16] Several defendants attempted to avoid liability under § 1798.150 by arguing that they were not a “business,” but rather a “service provider”—terms the CCPA defines distinctly. Rulings on this issue went both ways. In one case, the Central District of California dismissed a CCPA claim against a software-as-a-service company because the plaintiff failed to allege that the SaaS company was a covered business, rather than a service provider.[17] Following the amended complaint, which alleged that the defendant “determine[d] the purposes and means of the processing of consumers’ personal information[,]” the same court denied a renewed motion to dismiss.[18] The court found the new allegations plausibly alleged that the software defendant was a business, not a service provider. A District of South Carolina decision also denied a motion to dismiss where the plaintiffs alleged that a SaaS company “develop[ed] software solutions to process its customers’ patrons’ personal information.”[19]
Looking ahead to 2022, we expect more rulings clarifying the CCPA’s scope and pleading standards. The geographic scope issue we identified last year (where non-California resident plaintiffs purport to assert claims under the CCPA) remains unresolved, for instance. Due to the split in authority as to pleading standards for “lack of reasonable security” discussed above, plaintiffs are likely to keep asserting tag-along CCPA claims as part of data breach complaints, sometimes solely based on the issuance of a breach notice or news reports. And while the California Attorney General’s office has served some enforcement letters, we await the first AG-filed CCPA case. We will also see action by the new California Privacy Protection Agency, as it is required to adopt further implementing regulations for the California Privacy Rights Act of 2020 (which effectively replaces the CCPA) by July 1, 2022, beyond those previously issued by the AG.[20]
One thing is certain: given the pace of new complaints, 2022 projects to be a busy year for CCPA litigants.
[1] While more cases mentioning the CCPA have been filed, some reference the statute only in passing or to support an introductory point about California’s strong public policy geared toward privacy protections.
[2] No. 20-CV-04618-JSW, 2021 WL 2520103, at *2 (N.D. Cal. Mar. 5, 2021).
[3] Id. (emphasis added) (citation omitted).
[4] In re Blackbaud, Inc., Customer Data Breach Litig., No. 3:20-MN-02972-JMC, 2021 WL 3568394, at *4 (D.S.C. Aug. 12, 2021) (citing Gardiner’s ruling on CCPA retroactivity favorably).
[5] No. 20-CV-05427-SVK, 2021 WL 405816, at *8 (N.D. Cal. Feb. 2, 2021).
[6] Gershfeld v. Teamviewer US, Inc., No. SACV2100058CJCADSX, 2021 WL 3046775, at *2 (C.D. Cal. June 24, 2021).
[7] Id.
[8] Silver v. Stripe Inc., No. 4:20-CV-08196-YGR, 2021 WL 3191752, at *6–7 (N.D. Cal. July 28, 2021) (citation omitted); Gardiner, No. 20-CV-04618-JSW at *8.
[9] Maag v. U.S. Bank, Nat’l Ass’n, No. 21-CV-00031-H-LL, 2021 WL 5605278, at *2 (S.D. Cal. Apr. 8, 2021); see also Griffey v. Magellan Health Inc., No. CV-20-01282-PHX-MTL, 2021 WL 4427065, at *15 (D. Ariz. Sept. 27, 2021).
[10] See, e.g., Stasi v. Inmediata Health Grp. Corp., 501 F. Supp. 3d 898, 924 (S.D. Cal. 2020) (denying motion to dismiss and holding that if information was “accessible via the internet,” this is enough to state a CCPA claim for violations of section 1798.150).
[11] Gardiner, No. 20-CV-04618-JSW at *3.
[12] Id.
[13] Cal. Civ. Code § 1798.150(a)(1).
[14] Karter v. Epiq Sys., Inc., No. SACV2001385CJCKESX, 2021 WL 4353274, at *2–3 (C.D. Cal. July 16, 2021) (citation omitted).
[15] Id.
[16] Cal. Civ. Code § 1798.150(a)(1).
[17] See Karter v. Epiq Sys., Inc., No. SACV2001385CJCKESX, 2021 WL 4353275, at *2 (C.D. Cal. Apr. 19, 2021).
[18] Karter v. Epiq Sys., Inc., No. SACV2001385CJCKESX, 2021 WL 4353274, at *2 (C.D. Cal. July 16, 2021) (citation omitted).
[19] In re Blackbaud, Inc., Customer Data Breach Litig., No. 3:20-MN-02972-JMC, 2021 WL 3568394, at *4–6 (D.S.C. Aug. 12, 2021).
[20] https://cppa.ca.gov/regulations/.