2022 saw cases continue to be filed under the California Consumer Privacy Act (“CCPA”), although perhaps reflecting the increasing reliance of the plaintiffs’ bar on negligence and tort-based privacy claims concerning a defendant’s alleged failure to maintain “reasonable security,” the number of cases of CCPA based claims declined. Read on for Privacy World’s highlights of the year’s most significant events concerning the CCPA, as well as our predictions for what 2023 may bring.

Background

The CCPA went into effect on January 1, 2020, with the vast majority of its provisions applying to entities that qualify as “businesses.”

As a recap, what entities qualify as a business under the CCPA? The statute defines a business as a for-profit, private entity that (1) collects “personal information”, (2) determines the purposes and means of processing that personal information, (3) does business in California, and (4) meets certain revenue thresholds (>$25 million global gross revenue annually) and/or data collection/selling/sharing thresholds.

In addition to imposing numerous compliance obligations* on businesses, CCPA covered businesses are also subject to the law’s limited private right of action for certain security breaches.

*While the majority of this post focuses on the private right of action and enforcement-related issues, for those interested in the CCPA’s compliance obligations, effectiveness of the California Privacy Rights Act (“CPRA,”* which substantially amends the CCPA and became effective as of Jan. 1 this year), applicability of the CCPA to human resources and business-to-business data, and information on other state privacy laws, please see our recent post Are You Ready for the 2023 Privacy Laws? *References to CPRA in the remainder of this article mean the CCPA as amended by the CPRA, unless otherwise indicated.

Back to the private right of action, Section 1798.150(a)(1) of the CCPA provides a private right of action to “[a]ny consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure” due to a business failing to satisfy “the duty to implement and maintain reasonable security procedures and practices….” (emphasis supplied).

Damages available for a private right of action under Section 1798.150(a)(1) include a statutory amount of between $100 and $750 “per consumer per incident or actual damages, whichever is greater”, as well as injunctive or declaratory relief and “any other relief the court deems proper” (emphasis supplied).

CCPA Litigation Activity in 2022

Since the CCPA came into effect, nearly 300 cases have been filed by plaintiffs alleging violations of the statute.  The majority of these have been filed in California federal court (Northern and Central Districts of California being the most favored jurisdiction for such filings), with some also being brought in California state court and in other jurisdictions.

Although the number of CCPA filings declined from 2021, this may be due to the plaintiffs’ bar shifting towards alleging negligence and tort-based privacy claims in the wake of a data event.  This can be explained in part that such claims typically (although not always) are less burdensome to plead for them to survive past the motion to dismiss stage.  By contrast, it appears that based on at least rulings thus far courts have attempted to narrowly construe the CCPA’s limited private right of action.

Courts have consistently dismissed CCPA claims when it is clear from the face of the complaint that Plaintiff’s allegations do not concern a security breach as required to plead a civil cause of action under the CCPA.  Additional rulings this year reinforced the temporal requirements of the statute (that it must involve conduct arising as of the CCPA’s date of enactment, not before) and that the CCPA could not be relied upon by a defendant as a basis for refusing to comply with its discovery obligations in litigation.  Although many CCPA litigations involve software based claims and the tech industry in the wake of a data breach, healthcare and financial services entities, among others, have also been targeted.

CCPA Claims, Article III standing and Settlement Activity

As longtime readers of the blog are aware, Article III standing in the context of data privacy cases is in a constant state of flux—particularly in the Ninth Circuit.

When a CCPA claim is asserted in federal court, it must meet that “irreducible minimum,” as it is frequently described.  Article III standing consists of 1) suffering some actual or threatened injury; 2) fairly traceable to the defendant; which 3) is likely to be redressed by a favorable decision.  The injury must be concrete, rather than abstract, and particularized, meaning that it affects the plaintiff in a personal and individual way.  Spokeo, Inc. v. Robins, 578 U.S. 330, 339 (2016).  But as the Supreme Court held in 2021, “an injury in law is not an injury in fact,” and a plaintiff must do more than show a bare statutory violation for a claim to exist. TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2205 (2021).

In Kirsten, 2022 WL 16894503, the Central District of California addressed a defendant’s contention that a plaintiff lacked standing to pursue a CCPA claim, among others, because they could not fairly trace instances of identity theft, fraudulent credit card charges, and inability to access online accounts to the data breach at issue.  The court rejected the defendant’s argument, holding instead that past injury from misappropriated personal information gave rise to a substantial risk of threatened injury in the future.  Particularly notable is the court’s premising standing both on the actual injuries the plaintiffs experienced and the injuries they might experience in the future.

In Hayden v. Retail Equation, Inc., 2022 WL 2254461 (reconsidered and vacated in part on other grounds), the Central District of California addressed the specific requirements necessary to give rise to an injury under the CCPA.  Plaintiffs, retail consumers, sued a variety of retailers for their use of a “risk scoring” system that collected and shared individualized personal data with a vendor in order to assess the risk of fraud when a consumer attempted a product return or exchange.

Plaintiffs sued under Cal. Civ. Code § 1798.150(a), which required them to show that “nonencrypted and nonredacted personal information” was “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”  The Court found that Plaintiffs had not asserted a claim under the CCPA because the disclosure of their information was not the result of a failure to implement and maintain reasonable security procedures and practices; rather, it was “a business decision to combat retail fraud.”  Plaintiffs’ failure to allege a violation of specific duties under the CCPA, as opposed to a more generalized complaint about the misuse of their data, could not support their claim.  The Hayden court also found that non-California residents lacked standing to bring suit under the CCPA.

The most significant CCPA settlement of 2022 was the $350 million T-Mobile settlement to resolve multidistrict litigation brought by T-Mobile customers whose data was allegedly exposed in a 2021 data breach.  In August 2021, T-Mobile disclosed that it had been the victim of a cyberattack that resulted in the compromise of some current, former and prospective customers’ SSN, name, address, date of birth and driver’s license/ID information the “Data Event”).  By T-Mobile’s account, no “customer financial information, credit card information, debit or other payment information” was exposed in the attack.  Nevertheless, over 40 putative class action claims were filed seeking damages for the improper disclosure of Plaintiffs’ personal information.

On July 22, 2022, Plaintiffs in the T-Mobile case filed an unopposed motion for preliminary approval of a proposed settlement to the class.  As part of the settlement, T-Mobile agreed to fund a non-reversionary $350 million settlement fund to pay class claims for out-of-pocket losses or charges incurred as a result of identity theft or fraud, falsified tax returns, or other alleged misuse of a class member’s personal information.  The settlement fund will then make payments to class members on a claims-made basis with a $25,000 aggregate claims cap per class member.  The proposed settlement also contemplates attorneys’ fees of no more than 30% of the settlement fund, approximately $105 million, and $2,500 individual service awards to class representatives.

2022: Continued Enforcement Activity by California OAG

As we predicted at the end of last year, 2022 saw continued enforcement activity at the state level. Headlines were ablaze in August with California’s Office of the Attorney General announcing its first settlement of a CCPA enforcement action.

Readers of the blog will know that the CA OAG’s CCPA enforcement efforts started in July 2020. While numerous cookie DNS and GPC cases were initially (and quietly) settled by the OAG without monetary penalty or public settlements, that all changed in August 2022 with the OAG announcing its required payment of $1.2 million from a retailer to settle claims of alleged CCPA violations.

The settlement marks a new era of CCPA enforcement in which real repercussions, including monetary penalties, may be imposed. In addition to the settlement, the OAG released “illustrative examples” of other non-public enforcement cases, including the types of violations, remediation activities carried out by the alleged violators, and the alleged violators’ type of business/industry (which included a number of industries that surprised many who thought they were perhaps not on the OAG’s radar for CCPA compliance, such as B2B-focused businesses and companies that are largely (but not fully) exempt from the CCPA, such as healthcare businesses and financial and insurance businesses.  For detailed analysis of the OAG’s settlement, see our blog post here.

Litigation and Enforcement in 2023 and Beyond

Litigation

The CPRA’s amendments to the CCPA brought some changes to the private right of action for certain security breaches, namely an expansion of the private right of action where a breach involves data in the form of an email address in combination with a password or security question and an answer that would permit access to an account. In addition, the CPRA’s amendments provide that that remediation of vulnerabilities post-breach are an insufficient cure to preclude statutory damages.

There is not otherwise a private right of action for non-security breach related violations under the CPRA; however, the CPRA opens the possibility of enforcement by all California county district attorneys and the four largest city district attorneys (though that is up for debate). In addition, despite the clarity that the private right of action is limited to certain types of security incidents, it is conceivable that an incomplete or inaccurate response to a consumer request might also give rise to an independent deception claim, and plaintiffs’ lawyers are expected to otherwise test the scope of the limitation on private consumer and class action relief. There is no private right of action for violations of the Virginia Consumer Data Protection Act (“VCDPA”), Colorado Privacy Act (“CPA”), Utah Consumer Privacy Act (“UCPA”), or Connecticut Act Concerning Personal Data Privacy and Online Monitoring (referred to as the “CTPA” herein). Put another way, this means there is not a private right of action for security breaches or security-breach related violations under those laws.

Enforcement

The enforcement risk will certainly increase under the CPRA in 2023 with the California Privacy Protection Agency, or CPPA, enforcing the CPRA alongside the OAG starting on July 1, 2023. In addition to California, Virginia’s privacy law came into effect and was enforceable as of January 1, and privacy laws in Colorado, Connecticut, and Utah will become effective throughout the year (see chart below).

  CPRA VCDPA CPA UCPA CTPA
Effective Date Jan. 1, 2023 Jan. 1, 2023 July 1, 2023 Dec. 31, 2023 July 1, 2023
Enforcement Date July 1, 2023 Jan. 1, 2023 July 1, 2023 Dec. 31, 2023 July 1, 2023
Enforcement Details 30-Day Notice and Cure Provision will remain in effect indefinitely for security breach violations only. 30-Day Notice and Cure Provision will remain in effect indefinitely. 60-Day Notice and Cure Provision will remain in effect until January 1, 2025 30-Day Notice and Cure Provision will remain in effect indefinitely. 30-Day Notice and Cure Provision will remain in effect until December 31, 2024.

Enforcement of the CPRA is delayed until July 1, 2023 and, unlike the CCPA between its effective and enforcement dates, there is an explicit grace period between January 1 and July 1, 2023. However, the CCPA’s provisions (without the CPRA’s amendments) will remain effective and enforceable between January 1 and July 1, and the required 30-day cure period no longer exists. Importantly, this means that the full scope of the CCPA also currently applies to HR and B2B data, and there is no delay in enforcement with respect to the same.

Under the CPRA, both agencies can seek civil penalties of $2,500 for each violation or $7,500 for each intentional violation or violations involving the data of minors. Violations may be potentially calculated based on each applicable piece of data or consumer, and, thus, exposure could be substantial. The existing requirement in the CCPA to provide notice of violation and give a 30-day cure period before bringing an enforcement action is eliminated by the CPRA, but the law permits the agencies to consider good faith cooperation efforts by the business when calculating the fine, and prosecutorial discretion is not limited. Further, CPPA actions are subject to a probable cause hearing prior to commencement of an administrative enforcement proceeding.

In Virginia, Utah, and Connecticut, the Attorney General has exclusive enforcement authority. The Virginia Attorney General may seek injunctive relief and civil penalties of $7,500 per violation. In Colorado, the state Attorney General or District Attorneys may bring an action for injunctive relief and civil penalties under the Colorado Consumer Protection Act, which provides for civil penalties of $500 per violation, actual damages, or three times actual damages if bad faith is shown. In Utah, the Attorney General may bring an action for actual damages to consumers and civil penalties of up to $7,500 per violation. In Connecticut, the Attorney General may treat a violation of CTPA as an unfair trade practice under the Connecticut Unfair Trade Practices Act (“CUTPA”); however, the private right of action and class action provisions of CUTPA dot not extend to violations of the CTPA. Nevertheless, remedies available for violations of CUTPA include restraining orders; actual and punitive damages, costs, and reasonable attorneys’ fees; and civil penalties of up to $5,000 for willful violations and $25,000 for restraining order violations.

However, like the CCPA (but unlike the CPRA), the respective Attorneys General of Virginia and Utah must provide a controller or processor with 30 days’ written notice of any violation of the VCDPA/UCPA, specifying the provisions that the Attorney General alleges have been violated. In Virginia and Utah, a controller or processor can avoid statutory damages if, within this 30-day cure period, it cures the noticed violation and provides the Attorney General with an express written statement that the alleged violations have been cured and that no further violations will occur. Under Connecticut and Colorado’s laws, their respective AGs must provide violators with notice of alleged violations and an opportunity to cure any such violations within a 60-day period following delivery of the notice. The requirement to allow for a cure period in Colorado sunsets on January 1, 2025 (though, the AG would almost certainly have prosecutorial discretion to allow for a cure). In Connecticut, the cure requirement becomes discretionary on January 1, 2025, as well.

Check back often for our continued updates on privacy litigation and enforcement trends and updates.  Privacy World will be there to keep you in the loop.

2021 was another record setting year for the California Consumer Privacy Act (“CCPA”).  Read on for CPW’s highlights of the year’s most significant events concerning CCPA litigation, as well as our predictions for what 2022 may bring.

2020 Recap: The CCPA Comes Into Effect

The CCPA went into effect on January 1, 2020.  It regulates any “business” that “does business in California,” even those without a physical presence in the state, and determines the means and purposes of the processing of “personal information”.

As a recap, what entities qualify as a “business” subject to the CCPA? The statute defines a “business” as a for-profit, private entity that (1) collects “personal information”, (2) determines the means of processing that personal information, (3) does business in California, and (4) meets one of the following criteria:

  • Has annual gross revenues exceeding $25 million;
  • Annually sells/buys or receives/shares for commercial purposes the personal information of 50,000 or more California consumers; or
  • Derives 50% or more of its annual revenue from selling personal information.

Generally, the CCPA covers all information so long as it relates to a California resident or California household.  Aligning with the GDPR, the CCPA defines “personal information” to include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”  Cal. Civ. Code § 1798.140(o).

The CCPA requires compliance with its notification and transparency notices.  First, the CCPA expects businesses to present up to four notices, to be determined by that business’s practices.  Second, businesses must also inform consumers of their rights under the CCPA including their: (1) right to know, (2) right to delete, (3) right to opt out, (4) right to not be discriminated against for exercising their CCPA rights.

Section 1798.150(a)(1) of the CCPA provides a private right of action to “[a]ny consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure” due to a business failing to satisfy “the duty to implement and maintain reasonable security procedures and practices….” (emphasis supplied).  Damages available for a private right of action under Section 1798.150(a)(1) include a statutory amount of between $100 and $750 “per consumer per incident or actual damages, whichever is greater”, as well as injunctive or declaratory relief and “any other relief the court deems proper” (emphasis supplied).

The first CCPA lawsuit, Fuentes v. Sunshine Behavioral Health Group, LLC, No. 8:20-cv-00487 (C.D. Cal.), appeared on March 10, 2020, only three months after the law went into effect.  Others soon followed.

Overview of 2021 CCPA Litigations: What Do the Numbers Show?

To date, over 125 cases asserting CCPA claims have been filed this year, with the vast majority (91.2%) filed in federal courts.  Each quarter of 2021 has seen roughly the same number of cases filed (about 30-35 cases).  Not surprisingly, about 60% of all federal cases were filed in California’s federal courts, with the largest number of cases filed in the Northern and Southern Districts of California.  Outside of California, the Western District of Washington had the largest number of CCPA cases filed with ten total cases filed to date.  A handful of cases have also been filed in district courts in each of the Second, Third, Fourth, Fifth, Sixth, Seventh, Eighth, and Eleventh Circuits.  Ten of the eleven state court cases filed have been filed in California Superior Courts.

Interestingly, nearly 40% of all CCPA cases filed this year either concerned the T-Mobile data event or alternatively, another data event involving a financial services company following account hacks on the California Employment Development Department’s (“EDD”) prepaid debit cards.  As such, the largest number of cases filed this year were concentrated in the communications and financial services industries.  The remaining CCPA cases, however, span a wide range of industries—including technology, healthcare, insurance, and hospitality.  Even a hair transplant company had a CCPA lawsuit brought against it this year.

And while cyber theft remains on the rise, plaintiffs (and plaintiffs’ attorneys) have not lost sight of other data use implications mandated by the CCPA.  For example, Flo Health Inc., an ovulation-tracking app has been hit with a number of class action lawsuits alleging the app “secretly collected” (i.e. without consent) personal information of users—including whether women were trying to get pregnant—and shared that data with third-party data collectors and advertisers.  The lawsuits follow the FTC’s investigation into related concerns.  Some of the complaints against Flo Health reference the CCPA as supporting other claims raised by plaintiffs, such as violation of the California’s Unfair Competition Law (Cal. Bus. & Prof. Code §§ 17200, et seq.), without asserting a direct CCPA claim.

2021 Developments in CCPA Case Law

This year has seen a number of developments in CCPA litigation case law.  We highlight a few of those developments here.

At the beginning of this year, one federal court held that the CCPA does not limit the scope of discovery in litigation.  Will Kaupelis v. Harbor Freight Tools USA, Inc., Case No. 19-01203 (C.D. Cal.).  This case was brought as a putative class action and concerned claims that the defendant allegedly manufactured and sold chainsaws with a design defect.  After defendant’s motion to dismiss was denied, plaintiff sought discovery that included the PI of customers who had complained about the purported product defect (including individuals in California).  The defendant resisted production of this information, in reliance on the CCPA.  Specifically, the defendant argued that the CCPA expanded the privacy rights previously provided under California law.  As such, the defendant argued that the court should “protect the consumers’ PI by allowing consumers an opportunity to opt out from disclosure.”   The defendant claimed this approach was consistent with the CCPA’s notice and consent requirements.  The court, however, granted plaintiff’s motion to compel, stating that, “[n]othing in the CCPA presents a bar to civil discovery.  Notably, no other case has so held.  And the statute itself explicitly says that it is not a restriction on a business’s ability to comply with federal law.”  The court later dismissed an amended complaint on similar grounds.

In March, Walmart scored a massive win for defendants in data privacy litigation in the Lavarious Gardiner v. Walmart Inc. et al. case.  The Court adopted Walmart’s narrow interpretation of the CCPA and dismissed Plaintiff’s non-cognizable CCPA claim.  As a reminder, this case involved a plaintiff inferring, from finding his information on the dark web, that Walmart had suffered a data breach.  In response, Walmart argued first, that Plaintiff’s failure to allege when the breach purportedly occurred was fatal to the Complaint because the CCPA is not retroactive.  The Court sided with Walmart and agreed that Plaintiff needed to plead a breach occurring after January 1, 2020:  “Absent allegations establishing that Walmart’s alleged violation of the CCPA occurred after it went into effect, Plaintiff’s CCPA claim is not viable. Second, the Court also held that Plaintiff’s CCPA claim failed for the additional reason that Plaintiff did not sufficiently allege disclosure of his personal information as defined in the CCPA.  Cal. Civ. Code § 1798.81.5.  The Court found insufficient the Complaint’s allegation that the purported breach compromised the full names, financial account information, credit card information, and other PII of Walmart customers: “[a]lthough in the Complaint Plaintiff generally refers to financial information and credit card fraud, he does not allege the disclosure of a credit or debit card or account number, and the required security or access code to access the account.”  (emphasis added).

In July, 2021 the Central District of California denied a motion to compel arbitration brought by the Gap in the data breach litigation, Shadi Hayden v. Retail Equation et al., No. 20-cv-01203 (C.D. Cal. July 07, 2020).  There the court reasoned that, because the Gap was not a party to the arbitration agreement it attempt to invoke, the arbitration agreement did not apply to bar the litigation.  The Gap subsequently appealed, and the case remains pending.

In an August decision, a federal judge found the majority of Plaintiffs’ statutory claims to withstand a Rule 12(b)(6) motion to dismiss in the In re Blackbaud data privacy multi-district litigation.  MDL No. 2972 (D.S.C. Aug. 12, 2021).  Plaintiffs’ allegations that a cyberattack resulting from Blackbaud’s “deficient security program” and failure to comply with industry and regulatory standards, was sufficient to withstand a motion to dismiss.   As to the CCPA, the Court found that Blackbaud was alleged to be a “business” under the CCPA, relying largely on its registration as a “data broker” under California law.  The Court notably rejected Blackbaud’s argument that it was a “service provider” as insulating it from liability under the CCPA.

In another significant ruling, in Brooks v. Thomson Reuters Corp., No. 21-cv-01418-EMC, 2021 U.S. Dist. LEXIS 154093 (N.D. Cal. Aug. 16, 2021) the Northern District of California recently denied in part a defendant’s motion to dismiss a complaint alleging violations of various consumer privacy statutes. Of note, the Court found that an affirmative defense of compliance with one privacy statute, the CCPA, did not shield defendant from liability for alleged violations of other state laws.

Finally, in December, the Northern District of California denied a motion to intervene and oppose a preliminary approved settlement in the litigation that followed a widespread data event Accellion had suffered.  Cochran v. Accellion, Inc., 2021 U.S. Dist. LEXIS 214686 (N.D. Cal. Nov. 5, 2021).  In Cochran, one of the entities that used Accellion as a services provider agreed as part of a $5 million dollar settlement to modify its business practices going forward.  This would include switching to a “new secure file transfer solution,” securing or destroying the personal information subject to the data event and boosting its third-party vendor risk management program.  In denying the Proposed Intervenor’s Motion to Intervene, the Court analyzed intervention as a matter of right and permissive intervention. The Court, however, rejected that intervenors could intervene as a matter of right because the Court heard the Proposed Intervenors’ objections to the proposed settlement on two occasions, the settlement agreement allows putative intervenors to protect their interests by opting out of the settlement class, and because the Court found that the Proposed Intervenors interest in a preliminary settlement approval is not a “significant protectable interest.”  The Court denied permissive intervention because, among other things, the Proposed Intervenors already had the opportunity to participate in the fairness hearings.

Predictions for CCPA Litigation in 2022

So what is on the horizon for 2022? Certainly an expansion of consumer privacy laws that follow California’s lead.  This past year saw Virginia and Colorado launch privacy legislation and that trend will continue in 2022.  While claims invoking the consumer privacy law of other states may be kept at bay during 2022, the lessons learned from CCPA litigation will come into play in 2023 as those new laws, particularly those with a private right of action, start going into effect.

In the meantime, we can expect that the lawsuits making their way through the courts will continue shaping the contours of CCPA litigation.  Of particular interest will be the impact of the Ramirez v. TransUnion decision upon class action litigation, including CCPA claims arising from a data incident.  As previously noted, which commentators worried that Ramirez might preclude data breach litigations from being brought in federal courts, those concerns have not materialized, with CCPA claims remaining just at home in federal court in state court.

We can also expect to see continued enforcement activity at the state level.  In July 2021, California’s Attorney General Bonta issued a press release summarizing its first year of CCPA enforcement and reinforcing its commitment to CCPA enforcement.  The pressure will remain on companies to annually update their California privacy notices to avoid finding themselves the target of enforcement activities.

2022 is going to remain busy for CCPA litigation and enforcement.  Not to worry, CPW will be there to keep you in the loop.  Stay tuned.

As the first year for litigation and enforcement, 2020 was a big year for the California Consumer Privacy Act (“CCPA”).  Read on for ConsumerPrivacyWorld’s highlights of the year’s most significant events, as well as our predictions for what 2021 may bring.

Recap – What is the CCPA?

Following the lead of the European Union’s General Data Privacy Regulation (“GDPR”), the CCPA is the nation’s first definitive set of data privacy laws and went into effect on January 1, 2020.  It regulates any “business” that “does business in California,” even those without a physical presence in the state, and determines the means and purposes of the processing of “personal information”.

So what entities qualify as a “business” subject to the CCPA? The statute defines a “business” as a for-profit, private entity that (1) collects “personal information”, (2) determines the means of processing that personal information, (3) does business in California, and (4) meets one of the following criteria:

  • Has annual gross revenues exceeding $25 million;
  • Annually sells/buys or receives/shares for commercial purposes the personal information of 50,000 or more California consumers; or
  • Derives 50% or more of its annual revenue from selling personal information.

Generally, the CCPA covers all information so long as it relates to a California resident or California household.  Aligning with the GDPR, the CCPA defines “personal information” to include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”  Cal. Civ. Code § 1798.140(o).

The CCPA requires compliance with its notification and transparency notices.  First, the CCPA expects businesses present up to four notices, to be determined by that business’s practices.  Second, businesses must also inform consumers of their rights under the CCPA including their: (1) right to know, (2) right to delete, (3) right to opt out, (4) right to not be discriminated against for exercising their CCPA rights.

Check out our CCPA Power Center for more detailed information.

Key Developments in CCPA Litigation and Enforcement

January 1, 2020 and July 1, 2020 were important dates for the CCPA.  The former date set the act into motion, and saw the commencement of private rights of action.  The latter marked the start of enforcement proceedings.

Litigation

It didn’t take long for litigants to begin alleging violations of the CCPA. The first such lawsuit, Fuentes v. Sunshine Behavioral Health Group, LLC, No. 8:20-cv-00487 (C.D. Cal.), appeared on March 10, 2020, only three months after the law went into effect.  Besides being the first lawsuit to expressly allege a specific violation of the CCPA, this putative class action lawsuit also presented a notable standing issue:  whether a Pennsylvania resident that stayed in a California treatment facility for one month could be a “consumer” under the CCPA.

In early motion practice, the defendant seized on this standing issue, asserting that plaintiff’s one-month stay in California did not render him a consumer as required by the statute.  The CCPA defines a “consumer” as “a natural person who is a California resident.”  The applicable regulations in turn define as resident as:  (1) individuals who are in California for other than a temporary or transitory purpose; or (2) individuals domiciled in California who are outside the state for a temporary or transitory purpose.

Unfortunately, the Court did not have an opportunity to weigh in on this dispute before the parties filed a notice of voluntary dismissal of suit.

At least one CCPA class action, G.R. v. TikTok, No. 2:20-cv-04537 (C.D. Cal.), has already been consolidated with a several other lawsuits in an MDL in the U.S. District Court for the Northern District of Illinois.  On May 20, 2020, “G.R.,” a minor, filed a putative class action suit against popular social media platform TikTok and its parent company, ByteDance.  Seeking to represent a class of “[a]ll minor persons who registered for or used the TikTok app from at least May 14, 2017 to the present,” the plaintiff alleged that TikTok violated the CCPA when it allegedly failed to provide notice of the app’s alleged use and collection of its users’ data.  The complaint alleged that this use and collection included scanning every video uploaded to the app with facial recognition technology, extracting geometric data regarding the unique points and contours of each face as they appear in each uploaded video, and then creating and storing a template of each face from that data.

In September, G.R. was consolidated with several other lawsuits against TikTok into an MDL.  The MDL currently features over 30 plaintiffs, many of which are alleged to be minors.  On December 18, 2020 an amended consolidated class action complaint was filed.  Check back here for updates on how this case develops.

On the litigation front, one district court held that the CCPA’s focus on privacy does not restrict the scope of discovery.  In Kaupelis v. Harbor Freight Tools USA, Inc., No. 8:19-cv-01203 (C.D. Cal.), the court granted a motion to compel, stating that, “[n]othing in the CCPA presents a bar to civil discovery.  Notably, no other case has so held.  And the statute itself explicitly says that it is not a restriction on a business’s ability to comply with federal law”.

Another case, Stasi v. Inmediata Health Grp. Corp., No. 3:19-cv-02353 (S.D. Cal.),  confirmed that the CCPA does not apply to medical information that is governed by the California Confidentiality of Medical Information Act (“CMIA”) but can apply to disclosed non-medical information.

2020 also recently saw a settlement in a putative class action that when filed, was among the first to cite a violation of the CCPA.  High-end children’s clothing retailer Hanna Andersson faced numerous claims in the putative class action that followed a widespread data breach.  The alleged breach affected the personal information of over 200,000 customers who made online purchases on the Hanna Andersson website between September 16 and November 11, 2019.  The personal information included names, shipping and billing addresses, payment card numbers, CVV codes, and expiration dates.  This information was then exfiltrated and used to make fraudulent purchases using the affected customers’ credit cards.  On January 15, 2020, Hanna Andersson notified its customers of the breach.

In a settlement reached last month, Hanna Andersson agreed to create a settlement fund of $400,000 and implement new security measures.  These measures include hiring a director of cyber security, conducting a risk assessment of the its data assets and environment consistent with the NIST Risk Management Framework, and completing PCI Attestation of Compliance (AOC) in conjunction with a PCI-certified Qualified Security Assessor (QSA).  For more information on the significance of this settlement, including how the financial component of the settlement compares to other settlements, be sure to read ConsumerPrivacyWorld’s previous, in-depth coverage.

Legislation and Enforcement

As reported on our sister blog, Security & Privacy Bytes, 2020 was an incredibly active year for CCPA-related legislation and enforcement activity.

State enforcement of the CCPA began on July 1, 2020, when the Attorney General of California started to issue violation notice letters to a swath of online businesses. Although the letters themselves remain confidential, California’s Supervising Deputy Attorney General, Stacey Schesser, has provided some insight into their substance.  The letters targeted multiple industries and business sectors, which dispelled the belief that certain industries would be prioritized over others.  Additionally, the letters focused on businesses that operated online and were missing either key privacy disclosures or a “Do Not Sell” link (where the Attorney General thought one was necessary).  Finally, the targets of the letters were identified, at least in part, based on consumer complaints, including complaints made using social media.

On August 14, 2020, several regulations concerning the CCPA went into effect or were dropped.  The issues addressed by the regulations included the ease with which consumers could submit requests to opt out, whether certain businesses were required to provide offline notices of the right to opt-out, and the wording that businesses must incorporate when the sale of personal information is involved.  For more information, our sister blog, Security & Privacy Bytes, previously provided in-depth coverage.

This year, California also enacted a law to resolve the disconnect between the CCPA and HIPAA.  On September 14, 2020, Governor Gavin Newsom signed AB 713 into law.  AB 713 expands the CCPA exceptions for HIPAA business associates and HIPAA de-identified data, which may be particularly helpful in research.  AB 713 solves a disconnect between the CCPA and HIPAA’s arguably less burdensome de-identification standards.  Without this “fix,” data could have been sufficiently deidentified to be exempt from HIPAA, yet not sufficiently deidentified to be exempt from CCPA, creating a much more complicated legal regime for health companies.  Check out Security & Privacy Bytes’ coverage here.

Additionally, although this year was the first year in which the CCPA was in effect, it was also the year when its successor was determined.  On November 6, 2020, a majority of Californians voted to approve Proposition 24, the “California Privacy Rights Act of 2020” (“CPRA”).  The CRPA will go into effect on January 1, 2023, but will apply to all personal information (PI) collected on or after January 1, 2022.  Security & Privacy Bytes provided more coverage.

Finally, on December 10, 2020, the California Department of Justice released a fourth set of proposed modifications to the regulations regarding the CCPA.  The comment period is set to expire on December 28, 2020.  Stayed tuned to ConsumerPrivacyWorld to know the final outcome.

What Does the Future Hold?

With the CCPA now in effect, all eyes are focused on the significant changes that will be ushered in by the CPRA.  One of the most significant changes will be the creation of a new state agency, the California Privacy Protection Agency (“CalPPA”).  By July 1, 2021, the CalPPA will take over rulemaking and beginning January 1, 2024, the CalPPA will implement and enforce the CPRA.

The CalPPA will be the first enforcement agency in the United States dedicated solely to privacy.  For those familiar with the Consumer Financial Protection Bureau and its significant impact on the industry, the CalPPA is speculated to strengthen the enforcement and compliance with CCPA.  With the creation of the CalPPA – which is set to operate as a key privacy regulator — we know that the CCPA is here to stay.

Additionally, with a new administration and Congress arriving in the new year, the stage may finally be set for enacting comprehensive federal data privacy laws.  ConsumerPrivacyWorld previously reported on the status of federal legislation and glimpsed at the preemption issues that federal legislation would almost surely create.

The CCPA continues to evolve and  remains poised to reshape the data privacy landscape, including in the context of consumer litigation.  How will the CalPPA function?  Will the new administration and Congress make federal regulations?  Will it preempt the CCPA?  We guarantee to keep you informed on everything you need to know.  Stay tuned and do not hesitate to reach out for any questions or advice!

 

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Deep Fake of CFO on Videocall Used to Defraud Company of US$25M | Privacy World

Address Cyber-risks From Quantum Computing | Privacy World

FCC Clarifies and Codifies TCPA Consent Revocation Rules | Privacy World

Asia Data Privacy/Cybersecurity and Digital Assets Partners to speak at the Global Legal ConfEx in Singapore, 20 February 2024 | Privacy World

Potential CCPA Fines “Significant”, California AG’s Office “Plotting” and Other Takeaways From Privacy Regulators during Privacy Summit in Los Angeles | Privacy World

FCC Rules Voice-Cloned Robocalls Are Covered by the TCPA as Artificial/Pre-Recorded | Privacy World

Ten Things About Artificial Intelligence (AI) for GCs in 2024 | Privacy World

CCPA Regs Effective Immediately, No One-Year Delay for Future Regs: Court of Appeal Sides with California Privacy Protection Agency in Regulations Delay Case | Privacy World

Sensitive Data Processing is in the FTC’s Crosshairs | Privacy World

ASEAN and EU Finalise Implementation Guide for Cross-border Data Transfers | Privacy World

The Product Security and Telecommunications Infrastructure (PSTI) Act FAQ | Privacy World

Connecticut Attorney General Report: CTDPA Enforcement Insights & Takeaways | Privacy World

Hundreds of lawyers and several privacy regulators from California, Washington State, Oregon, Colorado, Connecticut, and the Federal Trade Commission gathered in Los Angeles last week for the second annual California Lawyers Association Privacy Summit (“Summit”). Among many engaging sessions on pressing topics, the panels with privacy regulators stood out discussions on enforcement priorities and administrative fines and injunctions, along with punchy and newsworthy statements – including that they are “plotting” and that considering the typical investigation presents “hundreds or thousands of violations,” potential fines are “significant.”

Perhaps even more newsworthy is that due to a California Court of Appeal order laid down as the Summit wound down on Friday, the stay in enforcement of the CCPA regulations was lifted. This happened as many companies were treating March 29, 2024, the end of the stay period, as the effective and enforcement date of regulations promulgated under the CPRA’s amendments by the California Privacy Protection Agency. The appeals order also nullifies the year delay in effectiveness of issued CCPA regulations that the trial court had required, making almost certain that CCPA regulations on risk assessments, cybersecurity assessments, and automated decision-making and profiling will be promulgated and in effect sometime this year, perhaps as early as Q2 or Q3.

Will 2024 be the year of privacy enforcement? In view of signaling from California regulators and those in other jurisdictions, and in view of several upcoming effective dates and regulatory deadlines, ongoing enforcement by regulators in California and beyond, and an impending uptick in privacy enforcement, it just might be. Stay tuned for future posts on these issues. Keep reading for more detailed takeaways regarding the Summit.

Continue Reading Potential CCPA Fines “Significant”, California AG’s Office “Plotting” and Other Takeaways From Privacy Regulators during Privacy Summit in Los Angeles

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Ten Things About Artificial Intelligence (AI) for GCs in 2024 | Privacy World

CCPA Regs Effective Immediately, No One-Year Delay for Future Regs: Court of Appeal Sides with California Privacy Protection Agency in Regulations Delay Case | Privacy World

Sensitive Data Processing is in the FTC’s Crosshairs | Privacy World

ASEAN and EU Finalise Implementation Guide for Cross-border Data Transfers | Privacy World

The Product Security and Telecommunications Infrastructure (PSTI) Act FAQ | Privacy World

Connecticut Attorney General Report: CTDPA Enforcement Insights & Takeaways | Privacy World

California Attorney General Announces Industry Investigative Sweep into CCPA Compliance | Privacy World

President Biden Prepares Executive Order to Prohibit Foreign Adversaries’ Access to US Data | Privacy World

New Jersey and New Hampshire Pass Consumer Privacy Laws – and 11 Other States Are Considering Similar Laws | Privacy World

2023 Cybersecurity Year In Review | Privacy World

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Connecticut Attorney General Report: CTDPA Enforcement Insights & Takeaways | Privacy World

California Attorney General Announces Industry Investigative Sweep into CCPA Compliance | Privacy World

President Biden Prepares Executive Order to Prohibit Foreign Adversaries’ Access to US Data | Privacy World

New Jersey and New Hampshire Pass Consumer Privacy Laws – and 11 Other States Are Considering Similar Laws | Privacy World

2023 Cybersecurity Year In Review | Privacy World

FTC Consumer Protection and Data Protection Insights for 2024 | Privacy World

Singapore Invites International Feedback on Model Governance Framework for Generative AI | Privacy World

The Spanish Antitrust Authority (CNMC) Follows the Spanish Data Protection Authority (AEPD) and Joins Forces with Other National and International Institutions to Protect Minors on the Internet and in Social Networks | Privacy World

AEPD’s Position Regarding Transparency (AIA vs. GDPR) | Privacy World

Adequate One Day Keeps Personal Data Transfer Problems (Forever) Away? Let’s See What the EU Doctor Just Said | Privacy World

Government access to personal data in bank accounts: a compliance challenge for banks, and a threat to EU adequacy? | Privacy World

New Jersey’s Consumer Privacy Law Signed by Governor Murphy | Privacy World

Charting the Course: Congress Progresses Towards Meaningful Action on AI | Privacy World

FBI and DOJ Issue Guidance on SEC Incident Reporting Delay Requests | Privacy World

2023 Privacy Compliance Year in Review | Privacy World

2023 was another busy year in the realm of data event and cybersecurity litigations, with several noteworthy developments in the realm of disputes and regulator activity.  Privacy World has been tracking these developments throughout the year.  Read on for key trends and what to expect going into the 2024.

Growth in Data Events Leads to Accompanying Increase in Claims

The number of reportable data events in the U.S. in 2023 reached an all-time high, surpassing the prior record set in 2021.  At bottom, threat actors continued to target entities across industries, with litigation frequently following disclosure of data events.  On the dispute front, 2023 saw several notable cybersecurity consumer class actions concerning the alleged unauthorized disclosure of sensitive personal information, including healthcare, genetic, and banking information.  Large putative class actions in these areas included, among others, lawsuits against the hospital system HCA Healthcare (estimated 11 million individuals involved in the underlying data event), DNA testing provider 23andMe (estimated 6.9 million individuals involved in the underlying data event), and mortgage business Mr. Cooper (estimated 14.6 million individuals involved in the underlying data event). 

Continue Reading 2023 Cybersecurity Year In Review

2023 was an eventful year for privacy legislation, regulation and regulatory enforcement. The compliance landscape continues to develop and evolve rapidly, making it difficult for covered businesses to keep up with the myriad requirements. In this post, we discuss some of the year’s most interesting privacy compliance developments globally.

Continue Reading 2023 Privacy Compliance Year in Review

As of July 1, four states’ privacy laws will be effective and enforceable – the California Consumer Privacy Act as amended by the California Privacy Rights Act of 2020 (CPRA) (collectively, CCPA), effective since January 1, becomes enforceable on that date; the Virginia Consumer Data Protection Act (VCDPA) has been effective and enforceable since January 1; and, on July 1, the Colorado Privacy Act (CPA) and Connecticut Data Privacy Act (CTDPA) are both effective and enforceable.

There are a number of compliance obligations that overlap among these laws where prior compliance efforts for the original CCPA in 2020, and in relation to its updates for January 1 of this year, will suffice for compliance with the other, non-California laws. This said, Colorado’s regulations, promulgated on March 15, 2023, materially deviate from the CCPA in a number of consequential areas in a way that likely requires companies to revisit their January 2023 privacy notices and practices. Now is also a good time to address CPRA, CPA, CTDPA and VCDPA compliance posture generally. While some businesses plan to wait until their end-of-year review and update process, when they can also assess the many additional state laws that have or will pass this year, delaying compliance until then risks enforcement actions, particularly by California and Colorado regulators (interestingly, Connecticut’s Attorney General recently released an FAQ).

This top-level summary of key considerations outlines the issues we are finding that clients have often overlooked in their January 2023 updates. Continue Reading Are You July-1-READY? 2023 Privacy Laws and Regulations Call for Revisiting Your 2022 End-of-Year Compliance Efforts