CCPA Definitions Confuse the Judge in a Data Breach Case–In re Blackbaud

August 16, 2021 · by Eric Goldman · in Privacy/Security

Blackbaud “provides data collection and maintenance software solutions for administration, fundraising, marketing, and analytics to social good entities such as non-profit organizations, foundations, educational institutions, faith communities, and healthcare organizations.” In a very unfortunate development, cybercriminals hacked into Blackbaud’s database and exfiltrated personal data. I got a few notices about this breach…did you? It was a significant and damaging event because it shook the confidence of donors to Blackbaud’s customers, and we need more charitable giving right now, not less. Blackbaud paid a Bitcoin ransom to the cybercriminals in exchange for their representation that they would destroy the exfiltrated data. It’s hard to believe the cybercriminals actually honored that promise.

Many plaintiffs around the country sued Blackbaud for its security breach, which got consolidated a complex MDL with nearly 100 different causes of action. As part of a complicated ruling, the court specifically addressed the applicability of the CCPA’s private right of action.

Blackbaud argued that it’s not a regulated “business” pursuant to the CCPA. However, the judge says it was sufficient for the plaintiffs to allege that Blackbaud processes data at its customers’ requests and has over $25M in annual revenue. Plus, Blackbaud registered as a data broker in California, and the definition of “business” in the data broker law is identical to the CCPA. So the judge implies that the data broker registration functioned like an admission.

Nevertheless, Blackbaud argued that it’s a “service provider,” not a “business.” As everyone familiar with the CCPA knows, the CCPA botched the distinctions between “business” and “service provider.” The idea was to replicate the GDPR distinctions between controllers and processors, with processors having less duties than controllers, but the CCPA drafters mishandled this (and pretty much everything else). The court says that “service providers” are a subset of “businesses” (“the statutory definition of ‘service provider’ suggests that ‘business’ is a broader term that encompasses ‘service provider'”), so any service provider should also qualify as a “business” (at least for purposes of the data breach private right of action).

Well…service providers could meet all of the statutory requirements of a business, but the whole reason to have separate definitions is that sometimes businesses have different obligations than service providers–and the data breach provision expressly only applies to “businesses.” The two terms clearly cannot be treated as the same because there are at least four times when the CCPA uses the phrase “businesses or service providers,” which would be unnecessary if service providers are always businesses. What I think the court meant to say is that Blackbaud, in this circumstance, was functioning as the business and not as the service provider with respect to the data breach, but that required the court to provide more explanation and wrestle with the statutory construction. Instead, the court’s more succinct equation of “service provider = business” is clearly wrong. I blame the judge for that mistake, but the CCPA drafters really deserve most of the blame.

Case citation: In re Blackbaud, Inc., Customer Data Breach MDL Litigation, 2021 U.S. Dist. LEXIS 151831 (D.S.C. Aug. 12, 2021)

UPDATE: Kanter v. Epiq Systems, Inc., 2021 WL 4353274 (C.D. Cal. July 16, 2021), covers similar ground about the intersection between “service provider” and “business” in a data breach case. The court says the plaintiff adequately alleged the defendant was a business because:

Plaintiff alleges that in order to perform its services, which it performs pursuant to contracts with other entities, Epiq collects consumers’ personal information from consumers. This is an activity for a business, not a service provider, which receives personal information from the business… [and] Plaintiff alleges that Epiq works with its clients to determine how it will use consumers’ personal information to provide notice and manage claims and opt-outs.

Prior CCPA/CPRA Posts

CCPA Definitions Confuse the Judge in a Data Breach Case–In re Blackbaud

Comments and Pings

One Pingback/Trackback