In the current technology-driven age, nearly every type of information is available at the click of a button. This pervasive accessibility makes it all the more important to protect online privacy and personal data. The California Consumer Privacy Act (CCPA), which became effective on January 1, 2020, was created to address some of these privacy concerns of modern life. The CCPA grants consumers greater transparency into how businesses are using their personal data. It also gives consumers the right to completely opt-out of data collection and demand that companies delete their information altogether.
In the wake of the Act’s recent enaction, the California court system has already begun to see a surge of litigation citing consumer rights under the CCPA. Though personal data breaches have been the subject of many class actions before, the CCPA provides a new, specialized avenue for aggrieved California consumers to pursue justice for their privacy rights.
What is the California Consumer Privacy Act?
The California Consumer Privacy Act outlines substantial data privacy rights for the state’s nearly 40 million residents. Specifically, the Act provides consumers the right to demand that businesses disclose what personal information they have collected on the consumer. The consumer has the right to be notified before their information is sold to a third party, and may elect to opt-out of the business’s sale of their data.
The Act also seeks to increase visibility into how businesses plan to use collected user data. Businesses that sell consumers’ personal data must provide a link on their website, clearly and conspicuously stating, Do Not Sell My Personal Information. By clicking the link, consumers may opt-out of this sale. In some cases, the consumer can demand that the business delete their personal information entirely. If the consumer elects to exercise these rights, the business cannot discriminate against them nor can any business force the consumer to waive their rights via a contractual provision.
What is Considered Personal Information?
According to the CCPA, personal information is any information that “identifies, relates to, or could reasonably be linked” to a person or household. This includes names, social security numbers, email addresses, product purchase records, internet browsing history, geolocation data, or fingerprints. It also includes any information that could create a profile about the consumer’s preferences and characteristics—all valuable information in the digital marketing and e-commerce age. Publicly available information, such as property records or other information in government records, are not considered personal under the provisions of the CCPA.
It is also crucial for California residents to understand the limited circumstances of the CCPA’s private rights of action. For instance, consumers may only sue under the CCPA if a data breach linked to a business’s failure to maintain reasonable security measures leads to a consumer’s information being stolen. In such a case, consumers may seek the actual damages that they suffered or statutory damages valued between $100 to $750—whichever amount is greater. If seeking statutory damages, the consumer must give the business written notice of the CCPA sections that it violated and the business has 30 days to issue a written statement that it has remedied the violations. Otherwise, the Attorney General of California, upon identifying patterns of misconduct, has the authority to file actions against businesses on behalf of the collective interests of consumers. Despite these limitations, class actions have already seen an uptick under the CCPA.
Class Actions Under the CCPA
The first citation of the California Consumer Privacy Act in a class action lawsuit occurred in February 2020 in Barnes, et al., v. Salesforce.com, Inc. and Hanna Andersson, LLC., 20-CV-812, filed in the Northern District of California. The lawsuit alleges that Salesforce, a cloud-based sales software company, was infected by a malware that targeted the personal information of visitors to the website of children’s clothing retailer, Hanna Andersson. The plaintiffs did not sue under the CCPA, but rather, California’s Unfair Competition Law, among other legal theories. However, the complaint cited the CCPA to establish that the defendants were required “to take reasonable steps and employ reasonable methods of safeguarding” personal identifiable information of the class members.
The first class action to allege CCPA violations as an actual count to the complaint is Sheth, LLC v. Ring, LLC, 20-CV-1538, filed in the Central District of California. The plaintiffs allege that Ring, a security and smart home company, violated the CCPA, among other charges, when they sold customers’ personal data without providing notice of their right to opt-out. According to the complaint, Ring’s security devices, such as its video doorbell, did not provide adequate safety measures, such as two-factor authentication and login attempt limitations. The complaint further alleges that Ring’s smartphone app was “packed with third-party trackers” distributing customers’ personal information to other websites, such as Facebook. Pursuant to CCPA requirements, the plaintiffs sent a notice to the defendant concerning these violations but the defendant did not respond. The plaintiffs seek injunctive relief to enjoin the defendant from further violations.
CCPA Security Breach Claims
Among the strongest claims for consumers under CCPA are for actual data security breaches that stem from a business’s failure to adequately protect consumers’ personal information. A number of lawsuits have already been filed on this basis, citing CCPA as a cause of action. In Fuentes, et al. v. Sunshine Behavioral Health Group, LLC, 20-CV-00487, the defendant, an operator of drug and alcohol addiction rehabilitation facilities, allegedly failed to protect against a data breach. This breach resulted in the dissemination of personal and medical information of approximately 3,500 patients. Similarly, in Lopez, et al. v. Tandem Diabetes Care, Inc., 3:20-cv-00723, the plaintiffs claimed that the defendant, a medical device company, did not maintain reasonable security measures to protect patients’ medical information as required under the CCPA. As a result, this sensitive information was exposed to third parties.
A third data breach claim, this time from the hotel industry, alleges Marriott also failed to safely store customer data. In Rahman, et al., v. Marriott International Inc., 20-CV-00654, the plaintiffs allege that the hotel chain’s lax security led to a data breach that shared personal information with third parties.
CCPA Data Privacy Allegations
The CCPA falls short of granting a consumer the right to sue solely on the basis of invasion of privacy. But this has not stopped plaintiffs from highlighting the data privacy protections afforded through the CCPA to support their other consumer data violation allegations. In Cullen v. Zoom Video Communications, Inc., 20-CV-2155, a case that has been consolidated with other similar lawsuits, the plaintiff alleged the popular video conferencing company failed to properly provide notice to its customers of their right to opt-out of data sales to third parties, in violation of the CCPA. Similarly, in Hurvitz, et al. v. Zoom Video Communications, Inc., Facebook, and LinkedIn Corporation, 2:20-cv-03400, the plaintiffs alleged that both Facebook and LinkedIn failed to inform consumers that their personal information was collected when logging into Zoom from their social media accounts.
Business Violations Under the CCPA
In some class actions, plaintiffs have not cited the CCPA as a cause of action at all, but merely reference the Act as part of a larger allegation of unlawful business practices. For example, in Burns v. Mammoth Media, Inc., 20-CV-4855, the plaintiff alleged that the defendant, the parent company of social polling app, Wishbone, exposed the 14-year-old plaintiff’s personal data to third parties. The plaintiff alleged he was not notified of the app’s data breach until four years later—after his information had been placed on the dark web. As the complaint states, Wishbone’s “failure to implement and maintain reasonable security measures also was contrary to legislatively declared public policy that seeks to protect consumers’ data and ensure that entities that are trusted with it use appropriate security measures.” Though the CCPA is not the crux of this case, there is a clear reference to its consumer protections.
Final Thoughts
The California Consumer Privacy Act provides consumers with additional protections but does not grant restriction-free authority to privately sue. But these recently filed class action lawsuits will certainly play a significant role in the CCPA’s future. As the courts begin to interpret this new Act under California law, both the power and the limitations of the CCPA will be put to the legal test.
