CCPA Definitions Confuse the Judge in a Data Breach Case–In re Blackbaud

Blackbaud “provides data collection and maintenance software solutions for administration, fundraising, marketing, and analytics to social good entities such as non-profit organizations, foundations, educational institutions, faith communities, and healthcare organizations.” In a very unfortunate development, cybercriminals hacked into Blackbaud’s database and exfiltrated personal data. I got a few notices about this breach…did you? It was a significant and damaging event because it shook the confidence of donors to Blackbaud’s customers, and we need more charitable giving right now, not less. Blackbaud paid a Bitcoin ransom to the cybercriminals in exchange for their representation that they would destroy the exfiltrated data. It’s hard to believe the cybercriminals actually honored that promise.

Many plaintiffs around the country sued Blackbaud for its security breach, and the cases got consolidated into a complex MDL with nearly 100 different causes of action. As part of a complicated ruling, the court specifically addressed the applicability of the CCPA’s private right of action.

Blackbaud argued that it’s not a regulated “business” pursuant to the CCPA. However, the judge says it was sufficient for the plaintiffs to allege that Blackbaud processes data at its customers’ requests and has over $25M in annual revenue. Plus, Blackbaud registered as a data broker in California, and the definition of “business” in the data broker law is identical to the CCPA. So the judge implies that the data broker registration functioned like an admission.

Nevertheless, Blackbaud argued that it’s a “service provider,” not a “business.” As everyone familiar with the CCPA knows, the CCPA botched the distinctions between “business” and “service provider.” The idea was to replicate the GDPR distinctions between controllers and processors, with processors having fewer duties than controllers, but the CCPA drafters mishandled this (and pretty much everything else). The court says that “service providers” are a subset of “businesses” (“the statutory definition of ‘service provider’ suggests that ‘business’ is a broader term that encompasses ‘service provider’”), so any service provider should also qualify as a “business” (at least for purposes of the data breach private right of action).

Well…service providers could meet all of the statutory requirements of a business, but the whole reason to have separate definitions is that sometimes businesses have different obligations than service providers–and the data breach provision expressly only applies to “businesses.” The two terms clearly cannot be treated as the same because there are at least four times when the CCPA uses the phrase “businesses or service providers,” which would be unnecessary if service providers are always businesses. What I think the court meant to say is that Blackbaud, in this circumstance, was functioning as the business and not as the service provider with respect to the data breach, but that required the court to provide more explanation and wrestle with the statutory construction. Instead, the court’s more succinct equation of “service provider = business” is clearly wrong. I blame the judge for that mistake, but the CCPA drafters really deserve most of the blame.

Case citation: In re Blackbaud, Inc., Customer Data Breach MDL Litigation, 2021 U.S. Dist. LEXIS 151831 (D.S.C. Aug. 12, 2021)

UPDATE: Kanter v. Epiq Systems, Inc., 2021 WL 4353274 (C.D. Cal. July 16, 2021), covers similar ground about the intersection between “service provider” and “business” in a data breach case. The court says the plaintiff adequately alleged the defendant was a business because:

Plaintiff alleges that in order to perform its services, which it performs pursuant to contracts with other entities, Epiq collects consumers’ personal information from consumers. This is an activity for a business, not a service provider, which receives personal information from the business… [and] Plaintiff alleges that Epiq works with its clients to determine how it will use consumers’ personal information to provide notice and manage claims and opt-outs.

Prior CCPA/CPRA Posts

* A Roundup of CCPA Court Decisions (I Only Know of 7)
* CCPA Data Breach Lawsuit Against Walmart Fails–Gardiner v. Walmart
* The Anticipated Domino Effect: Virginia Passes Second State “Comprehensive” Privacy Law (Guest Blog Post)
* SF Chronicle Op-Ed: “Prop. 24 is the Wrong Policy Approach, at the Wrong Time, via the Wrong Process”
* Over 50 Privacy Professionals & Experts Oppose Prop. 24
* Californians: VOTE NO ON PROP. 24, The California Privacy Rights Act (CPRA)
* A Review of the “Final” CCPA Regulations from the CA Attorney General
* The CCPA Proposed Regs’ Data Valuation Calculation Provisions Provide Flexibility, But Raise Ambiguity & Transparency Concerns (guest blog post)
* My Third Set of Comments to the CA DOJ on the CCPA Regulations
* Comments on the DOJ’s Proposed Modifications to the CCPA Regulations
* Eric Goldman’s Comments to the California DOJ Draft Regulations for the Consumer Privacy Act (CCPA) (Part 3 of 3)
* Some Lessons Learned from the California Consumer Privacy Act (CCPA), 18 Months In (Part 2 of 3)
* Resetting the California Consumer Privacy Act (CCPA)…with 2 Weeks To Go! (Part 1 of 3)
* And At the End of the Day, the CCPA Remains Very Much the Same (Guest Blog Post)
* A Recap of the Senate Judiciary Committee Hearing on Amending the California Consumer Privacy Act (Guest Blog Post)
* Want Companies to Comply with the CCPA? Delay Its Effective Date (Guest Blog Post)
* Recap of the California Assembly Hearing on the California Consumer Privacy Act
* A Status Report on the California Consumer Privacy Act
* 41 California Privacy Experts Urge Major Changes to the California Consumer Privacy Act
* California Amends the Consumer Privacy Act (CCPA); Fixes About 0.01% of its Problems
* Recent Developments Regarding the California Consumer Privacy Act
* The California Consumer Privacy Act Should Be Condemned, Not Celebrated
* A First (But Very Incomplete) Crack at Inventorying the California Consumer Privacy Act’s Problems
* Ten Reasons Why California’s New Data Protection Law is Unworkable, Burdensome, and Possibly Unconstitutional (Guest Blog Post)
* A Privacy Bomb Is About to Be Dropped on the California Economy and the Global Internet
* An Introduction to the California Consumer Privacy Act (CCPA)