A Roundup of CCPA Court Decisions (I Only Know of 7)

This post recaps the court decisions analyzing the California Consumer Privacy Act (CCPA) so far. I only know of seven opinions as of May 1, 2021, a number that struck me as surprisingly small. (If you think I’m missing any, please email me).

Overview

CCPA lawsuits generally fit into one of the following four categories:

  • Data breach Private Right of Action (PRA). Since Jan. 1, 2020, the CCPA authorizes a private right of action with respect to certain data breaches. I expected this would be a popular claim; I thought plaintiffs would allege it in every data breach lawsuit. We’ve seen many of those filings, but few of the cases have issued opinions yet. 16 months isn’t very long in the lifespan of litigation, so this jurisprudence is still emerging.
  • AG enforcement. The AG’s office gained partial enforcement power on July 1, 2021 (the remainder in August 2020). An AG enforcement will produce a court opinion only if the parties actually fight in court, which businesses are reluctant to do. Plus, the CCPA also gives businesses a mandatory cure period, which further reduces the odds of litigated disputes. I’m not aware of any AG enforcements of the CCPA spilling into court. In fact, I’m not aware of any publicized CCPA enforcement actions–a surprising stat given the target-rich enforcement environment.
  • Non-data breach PRA. The CCPA does not authorize PRAs for any statutory violations other than specified data breaches. Some plaintiffs have asserted those CCPA claims anyways. They will fail.
  • Constitutional challenges. In the CCPA’s early days, I heard a lot of chatter that unhappy businesses were going to challenge the CCPA, but I don’t believe any lawsuits were ever filed. Given the CCPA’s imminent deprecation due to the CPRA, I don’t expect any court challenges to the CCPA to emerge at this point.

TL;DR: it’s been pretty quiet on the CCPA litigation front so far.

Case Summaries

1. Kaupelis v. Harbor Freight Tools USA, Inc., 2020 U.S. Dist. LEXIS 246379 (C.D. Cal. Sept. 28, 2020):

The CCPA does state that it is “intended to further the constitutional right of privacy.” But the CCPA is a statute that is focused on particular practices; namely, it seeks to address the sale of PI and the disclosure of PI for business purposes. This intent is evidenced throughout the CCPA…

The terms “sale” and “business purpose” are not defined in a way that encompasses civil discovery requests….The plain language of the CCPA shows that neither of these terms is intended to include disclosure of PI as part of a civil discovery request. Indeed, the CCPA’s irrelevance to civil discovery requests is further shown by how the CCPA expressly “shall not restrict a business’ ability to . . . comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.” The CCPA therefore does not require the expanded use of notice and consent by parties responding to discovery requests.

Prior ruling: Kaupelis v. Harbor Freight Tools USA, Inc., 2020 U.S. Dist. LEXIS 198864 (C.D. Cal. August 19, 2020).

2. DeLuna v. Tandem Diabetes, CIVDS 2010795 (Cal. Superior Ct. hearing transcript from October 27, 2020):

The second cause of action, which was brought under the Consumer Privacy Act, I would sustain the demurrer to this cause of action….This statutory scheme is not applicable to HIPAA regulated entities. Paragraph 116 alleges a violation of HIPAA. And the facts that are alleged seem to match the requirements for HIPAA regulated entities.

3. Facebook, Inc. v. BrandTotal Ltd., 2020 U.S. Dist. LEXIS 210431 (N.D. Cal. Nov. 9, 2020). My prior blog post. “Despite the CCPA’s general purpose of granting consumers greater control over how their personal information is used, BrandTotal has not cited any provision of that statute that specifically requires Facebook to provide the sort of access at issue here. The fact that the statute allows companies to provide financial compensation to consumers for collection of their personal information, does not by its terms require other companies that have collected users’ information to make it available to the company offering compensation.”

4. Stasi v. Inmediata Health Grp. Corp., 2020 U.S. Dist. LEXIS 217097 (S.D. Cal. Nov. 19, 2020):

Plaintiffs do not merely allege that it should be inferred or rebuttably presumed that their information was accessed by an unauthorized individual. Plaintiffs repeatedly allege that their information “was viewed by unauthorized persons.” Moreover, Inmediata does not point to any authority requiring Plaintiffs to plead theft or unauthorized access in order to plead a plausible violation of the CCPA. The CCPA provides a private right of action for actual or statutory damages to “[a]ny consumer whose nonencrypted and nonredacted personal information . . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information[.]” Plaintiffs argue, and Inmediata does not dispute, that the facts alleged in the FAC that Plaintiffs’ personal and medical information were accessible via the internet, constitutes a “disclosure” under the CCPA. Further, although Inmediata is correct that the CCPA does not apply to medical information governed by CMIA, Inmediata does not address the non-medical information that it admits was accessible on the internet. Accordingly, at this early stage in the litigation, Plaintiffs allege a plausible claim based on violation of the CCPA, and Inmediata has not met its burden of showing otherwise.

5. McCoy v. Alphabet, Inc., 2021 U.S. Dist. LEXIS 24180 (N.D. Cal. Feb. 2, 2021). “Plaintiff conceded that [the CCPA] claim should be dismissed because there are no allegations of a security breach in this case.”

6. Gardiner v. Walmart, Inc., 2021 U.S. Dist. LEXIS 75079 (N.D. Cal. Mar. 5, 2021). Venkat covered this ruling. The CCPA’s data breach PRA isn’t retroactive to activity before January 1, 2020.

7. Maag v. U.S. Bank, National Association, 21-cv-00031-H-LL (S.D. Cal. April 8, 2021)

To state a CCPA claim, a plaintiff must allege that his or her PII was accessed “as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” Here, Plaintiff fails to allege any facts to support the notion that Defendant’s security was deficient. Plaintiff only makes unsupported allegations that his PII was compromised because Defendant did not “implement and maintain reasonable security procedures and practices,” “failed to effectively monitor its systems for security vulnerabilities,” and had “lax security.”  These conclusory allegations are alone insufficient to state a CCPA claim.

In a footnote, the court adds:

Plaintiff does allege that Defendant failed to protect his PII with an encryption or password. But this allegation goes to a separate element of Plaintiff’s CCPA claim. The CCPA only applies to “nonencrypted and nonredacted personal information” in the first place. Thus, holding that the failure to password protect PII also amounts to a failure to adopt “reasonable security measures” would read the latter element out of the CCPA altogether, and would mean that any theft of unencrypted PII could create CCPA liability….Thus, Plaintiff’s allegation that his PII was not password protected is insufficient to state a CCPA claim on its own.

This raises an interesting conundrum for plaintiffs: how can plaintiffs properly allege that data was stored in a nonencrypted/nonredacted way without getting discovery?

[UPDATE: New case on May 6: Mehta v. Robinhood, 5:21-cv-01013-SVK (N.D. Cal. May 6, 2021): “At the pleadings stage, Plaintiffs sufficiently allege a plausible claim that their personal and financial information was subject to an unauthorized access based on violation of the CCPA….[also,] Plaintiffs’ UCL claim survives to the extent it is based upon the alleged violations of CCPA.”]

Other Cases to Note

  • Mackintosh v. Lyft, Inc., 2019 WL 5682826 (E.D. Cal. Nov. 1, 2019). CCPA wasn’t yet effective.
  • Guzman v. RLI Corp., 2020 U.S. Dist. LEXIS 222488 (C.D. Cal. Oct. 6, 2020). No TRO in a case alleging CCPA and other claims.
  • Rahman v. Marriott Int’l, Inc., 2021 U.S. Dist. LEXIS 15155 (C.D. Cal. Jan. 12, 2021). The plaintiffs’ entire case, including the CCPA claim, was dismissed for lack of Article III standing.
  • Wesch v. Yodlee, Inc., 3:20-cv-05991-SK (N.D. Cal. Feb. 16, 2021). The opinion doesn’t mention the CCPA, but the UCL 17200 claim was predicated on a CCPA violation. The court dismissed the UCL claim.
  • Silver v. Stripe Inc., 4:20-cv-08196-DMR (N.D. Cal. minute order April 20, 2021). A minute order dismissed the UCL claim that was predicated on a CCPA violation.

There have been other non-substantive opinion references to the CCPA.

Prior CCPA/CPRA Posts

* CCPA Data Breach Lawsuit Against Walmart Fails–Gardiner v. Walmart
* The Anticipated Domino Effect: Virginia Passes Second State “Comprehensive” Privacy Law (Guest Blog Post)
SF Chronicle Op-Ed: “Prop. 24 is the Wrong Policy Approach, at the Wrong Time, via the Wrong Process”
Over 50 Privacy Professionals & Experts Oppose Prop. 24
Californians: VOTE NO ON PROP. 24, The California Privacy Rights Act (CPRA)
A Review of the “Final” CCPA Regulations from the CA Attorney General
The CCPA Proposed Regs’ Data Valuation Calculation Provisions Provide Flexibility, But Raise Ambiguity & Transparency Concerns (guest blog post)
My Third Set of Comments to the CA DOJ on the CCPA Regulations
Comments on the DOJ’s Proposed Modifications to the CCPA Regulations
Eric Goldman’s Comments to the California DOJ Draft Regulations for the Consumer Privacy Act (CCPA) (Part 3 of 3)
Some Lessons Learned from the California Consumer Privacy Act (CCPA), 18 Months In (Part 2 of 3)
Resetting the California Consumer Privacy Act (CCPA)…with 2 Weeks To Go! (Part 1 of 3)
And At the End of the Day, the CCPA Remains Very Much the Same (Guest Blog Post)
A Recap of the Senate Judiciary Committee Hearing on Amending the California Consumer Privacy Act (Guest Blog Post)
Want Companies to Comply with the CCPA? Delay Its Effective Date (Guest Blog Post)
Recap of the California Assembly Hearing on the California Consumer Privacy Act
A Status Report on the California Consumer Privacy Act
41 California Privacy Experts Urge Major Changes to the California Consumer Privacy Act
California Amends the Consumer Privacy Act (CCPA); Fixes About 0.01% of its Problems
Recent Developments Regarding the California Consumer Privacy Act
The California Consumer Privacy Act Should Be Condemned, Not Celebrated
A First (But Very Incomplete) Crack at Inventorying the California Consumer Privacy Act’s Problems
Ten Reasons Why California’s New Data Protection Law is Unworkable, Burdensome, and Possibly Unconstitutional (Guest Blog Post)
A Privacy Bomb Is About to Be Dropped on the California Economy and the Global Internet
An Introduction to the California Consumer Privacy Act (CCPA)