Since it was enacted just over a year ago, companies have had to deal with the uncertainties surrounding how to interpret the California Consumer Privacy Act (“CCPA”) and the circumstances that might subject them to penalties and fines for violating the CCPA.  As CPW readers are already aware, in an effort to inform the marketplace and minimize those uncertainties, the office of the California attorney general recently published 27 examples that demonstrate what CCPA non-compliance looks like and highlights actions that can be taken to remedy each situation.

In a new webinar, CPW’s Alan Friel and Ankura’s David Manek and Colleen Yushchak will provide an in-depth look at the AG’s various scenarios and a discussion of the common themes they have distilled from their analysis of all 27 examples. In addition to sharing insights, David, Colleen and Alan will provide several essential tools, including a checklist of CCPA enforcement issues you can use as part of your year-end assessment, guidance on current compliance for January 2022 CCPA notice updates, and best practices for planning your 2023 CPRA/CDPA/CPA workstreams.


Last week a federal judge dismissed a putative class action alleging that Walmart’s purportedly deficient security practices compromised customers’ personal data in violation of the California Consumer Privacy Act (“CCPA”).  This was on the basis that Plaintiff did not credibly allege that the purported disclosure of personal information occurred after the law went into effect last year, among other reasons.

Readers of CPW are well-versed with the background of this case.  Back in July 2020, Plaintiff filed a class action complaint against Walmart alleging that Walmart suffered a data breach which was never disclosed.  As evidence of the breach, Plaintiff presented claims that the personal information associated with his Walmart account had been discovered on the dark web for sale and presented the results of security scans performed on Walmart’s website, which allegedly showed certain vulnerabilities.  In other words, Plaintiff filed suit on the supposition that Walmart’s systems had been breached, which Walmart denies.  Plaintiff’s complaint included a claim under the California Consumer Privacy Act (“CCPA”), in addition to other California privacy and consumer protection statutes.

However, as with all things, the details matter.  In order for Plaintiff to prevail at this stage in the pleadings, the court had to find that the complaint sufficiently alleged a violation of the CCPA, which went into effect on January 1, 2020.  This meant the data incident at issue had to have happened on or after this date.  However, the original complaint filed in this case alleged that Plaintiff found his personal data up for sale on the dark web in 2019.  And when Walmart pointed out this pleading shortcoming in its motion as a basis for dismissal, Plaintiff filed opposition papers declaring that the actual date was 2020 and categorizing the discrepancy as a “scrivener’s error.”

Assessing the pleadings and the parties’ briefing, the court ruled last Wednesday that the different date now claimed by Plaintiff was not credibly “the result of a typo or misunderstanding.”  Nor was additional amendment of the pleadings a viable option for Plaintiff to state a cognizable CCPA claim.  This is because federal courts (including ones within the Ninth Circuit, where this case was pending) have held that an amended complaint may only allege other facts consistent with the challenged pleading.  Here by contrast, “[w]ere Plaintiff to amend his complaint to allege that the violation occurred on or after January 1, 2020, it would directly contradict the allegation in the FAC that he discovered his PII for sale in 2019.”

Plaintiff’s other claims were also subject to dismissal.  The court acknowledged that under limited circumstances, courts within the Ninth Circuit have found that “[d]iminution of value of personal information can be a viable damages theory.”  Pruchnicki v. Envision Healthcare Corp., No. 20-15460, 2021 U.S. App. LEXIS 11699 (9th Cir. Apr. 21, 2021).  However, in order to prevail on such a theory, “a plaintiff must establish the existence of a market for the personal information and an impairment of the ability to participate in that market.”  The “mere misappropriation of personal information” does not establish compensable damages (emphasis added).  Instead, a plaintiff must allege that his “personal information actually lost value.”

The court found Plaintiff’s California statutory and common law claims failed to satisfy this standard:

As in Pruchnicki, Plaintiff does not allege that he has been unable to sell, profit from, or monetize his personal information. Instead, he alleges that whether he ever intended to sell his information is irrelevant because it is possible to assign a monetary value to PII using a market approach.  Apart from allegations about the value of PII in general, Plaintiff has not alleged that his purportedly stolen personal information—his name, home address, phone number, and the last four digits and expiration dates of two of his debit cards—is less valuable because of the breach. Indeed, Plaintiff’s allegations suggest that his PII may be valueless for reasons unrelated to the alleged breach.

(emphasis in original).  As such, the court dismissed Plaintiff’s amended complaint (the original pleading had already been kicked out earlier in the year, but Plaintiff had been given another shot by being granted leave to file an amended pleading).

This case is noteworthy for its narrow application of the CCPA as well as for its damages ruling which builds upon the Ninth Circuit’s decision in Pruchnicki.  And for more on data privacy litigations, stay tuned.  CPW will be there to keep you in the loop.

As covered by Glenn A. Brown, Kyle Dull, Kyle Fath and Alan Friel at SPB, “on July 19, the Office of the Attorney General of California (OAG) issued a press release summarizing its first year of CCPA enforcement. Seventy-five percent of companies receiving a notice to cure are said to have come into compliance within the 30-day cure period, with 25% reportedly still within that period or under ongoing investigation. The OAG also published summaries of 27 resolved exemplary cases. The OAG was careful to note that the summaries do not constitute advice and do not include all of the facts, however they do offer some insights. Disappointingly, however, the summaries often lack enough detail to allow readers to surmise the enforcement posture that was taken by the OAG, the exact nature of the alleged violations, or the specific actions taken by the company that satisfied the OAG’s inquiry.”

Read their full analysis here, which also discusses how the OAG announced the launch of a new consumer complaint tool that allows consumers to answer certain gating questions to create a notice of noncompliance that can be sent to a business.

For more on this, stay tuned.  CPW will be there to keep you in the loop.

On July 19, the Office of the Attorney General of California (OAG) issued a press release summarizing its first year of CCPA enforcement. Seventy-five percent of companies receiving a notice to cure are said to have come into compliance within the 30-day cure period, with 25% reportedly still within that period or under ongoing investigation. The OAG also published summaries of 27 resolved exemplary cases. The OAG was careful to note that the summaries do not constitute advice and do not include all of the facts, however they do offer some insights. Disappointingly, however, the summaries often lack enough detail to allow readers to surmise the enforcement posture that was taken by the OAG, the exact nature of the alleged violations, or the specific actions taken by the company that satisfied the OAG’s inquiry.

Continue Reading California AG Offers Cryptic CCPA Enforcement Summaries, and Launches Complaint Tool

It has been a year for the record books for data privacy litigation (and we are only into Q2; who knows what Q3 and Q4 will bring!)  CPW has been tracking significant developments in this area of the law—including with regard to the California Consumer Privacy Act (“CCPA”).  While the statute has been in effect for a little over a year, it has already become a battleground for plaintiffs seeking to assert statutory claims against defendants for failing to maintain reasonable security procedures (even if the only harm plaintiffs allegedly suffered is a speculative risk of future injury).  In fact, the flood of litigation under the CCPA was cited this week as a reason for the Florida legislature to consider dropping a private right of action from a data privacy bill under consideration.

The underlying reasons for this trend are clear.  First, the number of data breaches continues to rise.  Current estimates place the number of cyberattacks occurring in Q1 in the U.S. at ~320.  This is a slight uptick from Q1 2020.  Most significantly, however, the number of individuals in the U.S. whose information was disclosed in a data event in 2021 is up 500%.  Second, the CCPA is an attractive option for plaintiffs who claim they were “harmed” by the disclosure of their personal information, as the statute purportedly provides for significant liquidated statutory damages (even in the absence of proof of identity theft, fraudulent charges on accounts, and the like—although how that actually shakes out in litigation is far from settled).

We are going to dig into what this all means and where things may be headed.  But first, let’s go back to the basics for any CCPA newbies out there.

A quarter into 2021, our review confirms that the slew of lawsuits filed under the CCPA remains concentrated in the area of data events.  But there should be no surprise there.  Section 1798.150(a)(1) of the CCPA provides a private right of action to “[a]ny consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure” due to a business failing to satisfy “the duty to implement and maintain reasonable security procedures and practices….” (emphasis supplied).  Damages available for a private right of action under Section 1798.150(a)(1) include a statutory amount of between $100 and $750 “per consumer per incident or actual damages, whichever is greater”, as well as injunctive or declaratory relief and “any other relief the court deems proper” (emphasis supplied).

So what do most of the CCPA cases filed in 2021 look like?  Good question.

Over one third of the CCPA litigations filed thus far are related to the account hacks on the California Employment Development Department’s (“EDD”) prepaid debit cards issued through Bank of America.  In case you missed it, a number of individuals had the balances on their EDD debit cards wiped out (without any prior notice or security alert).  On January 14, 2021, the first class-action lawsuit related to this event was filed against Bank of America, claiming the bank did not do enough to stop the scammers.  Since then, over 13 other similar lawsuits have been filed, which may be consolidated down the road.

In these litigations, plaintiffs raise claims under the CCPA concerning Bank of America’s alleged “failure to secure” private account information.  To put it differently, Bank of America allegedly breached its duty to implement and maintain reasonable security procedures and practices appropriate to the nature of individuals’ personal information, including by “issuing EDD debit cards to plaintiff and class members with magnetic stripes but without EMV chip technology.”  Most of the filed complaints allege the lack of chip technology enabled scammers to access the funds on the debit cards, resulting in accounts being frozen and many individuals being left without payments for weeks (and some to date).

Bank of America is not the only institution that has been a victim of recent cyber theft.  Accellion’s File Transfer Appliance was also recently compromised, resulting in a number of CCPA class action lawsuits filed this year relating to—you guessed it—its alleged failure to maintain reasonable security procedures.  As alleged in one of the complaints:

Defendant [Accellion Inc.] violated § 1798.150 of the CCPA by failing to prevent Plaintiffs’ and class members’ nonencrypted and nonredacted personal information from unauthorized access and exfiltration, theft, or disclosure as a result of Defendant’s violations of their duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information

Brown v. Accellion, Inc., Case No. 5:21cv1155, Dkt. #1 at ¶70.

Another major data breach this year involving a large number of CCPA suits related to Automatic Funds Transfer Services, Inc. (“AFTS”).  On February 17, 2021, the California Department of Motor Vehicles announced that AFTS had been the subject of a “security breach” and ransomware attack that may have compromised “the last 20 months of California vehicle registration records that contains the names, addresses, license plate numbers and vehicles identification numbers” of California drivers.  Not surprising to those in the consumer privacy space, this resulted in numerous class action lawsuits being filed under the CCPA.  In those litigations, plaintiffs allege “AFTS violated the CCPA by subjecting Class Members’ PI to unauthorized access and exfiltration, theft, or disclosure as a result of AFTS’s violation of its duty to implement and maintain reasonable security procedures and practices appropriate to the nature and protection of that information.”  Atachbarian v. Automatic Funds Transfer Services, Inc., Case No. 2:21-cv-02645, Dkt. #1 at ¶ 61.

And while cyber theft remains on the rise, plaintiffs (and plaintiffs’ attorneys) have not lost sight of the other data use obligations mandated by the CCPA.  For example, Flo Health Inc., an ovulation-tracking app, has been hit with a number of class action lawsuits alleging the app “secretly collected” (i.e., without consent) personal information of users—including whether women were trying to get pregnant—and shared that data with third-party data collectors and advertisers.  The lawsuits follow the FTC’s investigation into related concerns.  Some of the complaints against Flo Health reference the CCPA as supporting other claims raised by plaintiffs, such as violation of California’s Unfair Competition Law (Cal. Bus. & Prof. Code §§ 17200, et seq.), without asserting a direct CCPA claim.  See, e.g., Tesha Gamino v. Flo Health Inc., Case No. 5:21-cv-00198-JWH-SHK, Dkt. #1.  This is something we have noticed in a handful of other lawsuits filed this year: citing the CCPA without asserting a direct cause of action under the statute.

So there you have it.  A quarter into 2021, CCPA cases continue to fill the docket, and occupy our attention.  Stay tuned while we continue to break the latest developments for you.  It is going to be a wild 2021 but CPW will be there.

Security & Privacy Bytes and our sister blog, Consumer Privacy World have been covering developments concerning the California Consumer Privacy Act of 2018 (“CCPA”).  As we discussed the end of last year, on December 10, 2020, the California Attorney General proposed some modifications to the regulations implementing the CCPA.  These were published in response to comments received by the AG following publication of the previous set of proposed CCPA modifications on October 12, 2020.  The CCPA regulations went into effect on August 14, 2020 and the additional amendments to the regulations went into effect on March 15, 2021.  For more information on these additional amendments, see this post by Alan Friel and Kristin Bryan.

CPW and its sister blog SPB have been covering developments concerning the California Consumer Privacy Act of 2018 (“CCPA”).  As we discussed the end of last year, on December 10, 2020, the California Attorney General (“AG”) proposed some modifications to the regulations implementing the CCPA (the “Regulations”).  These were published in response to comments received by the AG following publication of the previous set of proposed CCPA modifications on October 12, 2020.

While the proposed modifications to the Regulations were relatively minor in substance, they provided guidance on the following issues:

  1. Requirement for offline notice of right to opt-out (Section 999.306);
  2. New standards for a “do not sell” opt-out icon (Section 999.306);
  3. Requirement to make it “easy” for consumers to submit opt-out requests with minimal steps, and providing that a process for submitting a request to opt-out shall not require more steps than that process for a consumer to opt-in to the sale of personal information after having previously opted out (Section 315); and
  4. Methods for verifying an authorized agent request (Section 999.326).

As part of the rulemaking the Office of Attorney General (OAG) has clarified through its final statement of reasons (“FSOR”) that the use of the “do not sell” opt-out icon is optional, not mandatory.  That was not altogether clear from the draft regulations and the ambiguity garnered comments.

It should be noted, however, the icon is supplemental, not an alternative, to the “Do Not Sell My Personal Information” link that is required, and the icon, if used, should be placed next to the link, and should be approximately the same size as other icons used by the business on its webpage.  The OAG explains in the FSOR that “[t]his location is mandatory because it promotes awareness of the consumer’s right to opt-out of the sale of personal information.”

The OAG explained that businesses are free to place the icon in other places, but that placing it next to the statutorily mandated link helps users find that link.  With the CPRA and the Virginia CDPA set to require yet additional opt-out links for new opt-out rights, and industry self-regulatory frameworks such as the DAA’s Ad Choices “interest-based advertising” opt-out link also requiring home page links, one can only ask how many consumer choice links will be required on a home page, and how consumers will ever make heads or tails of them.  Wouldn’t a single Privacy link on the home page to a privacy navigation and FAQs center be more effective in helping consumers sort out what the OAG referred to, by reference to an academic study, as a “scavenger hunt” for transparency and choice information?

For more on the history of the development of the icon, see our prior post here.

The CCPA regulations went into effect on August 14, 2020 and the additional amendments to the regulations went into effect on March 15, 2021.

For more information on these issues, contact the authors, Alan Friel and Kristin Bryan, or any member of the SPB Global Data Practice.

CPW has been tracking for some time the Lavarious Gardiner v. Walmart Inc. et al. case.  In a massive win for Walmart (and defendants in data privacy litigation), on Friday the Court adopted Walmart’s narrow interpretation of the California Consumer Privacy Act (“CCPA”) and dismissed Plaintiff’s non-cognizable CCPA claim.  Because this case involves issues of first impression regarding the scope of the CCPA, it is sure to impact other litigations.  For the scoop on this decision, read on below.

Some background.  In July 2020, Plaintiff filed a class action complaint against Walmart alleging that Walmart suffered a data breach, albeit one which was never disclosed.  As “evidence” of the breach, Plaintiff asserted that the personal information associated with his Walmart account had been discovered on the dark web and presented the results of security scans performed on Walmart’s website, which allegedly showed certain vulnerabilities.  In other words, Plaintiff filed suit on the inference that Walmart’s systems had been breached, which Walmart denied.

Plaintiff’s Complaint included a claim under CCPA, in addition to other California privacy and consumer protection statutes.  [Note: For more on Walmart’s Motion to Dismiss in the litigation check out here and here]. This brings us to the Court’s ruling on Walmart’s Motion to Dismiss.  According to the Court (and in agreement with Walmart), Plaintiff’s CCPA claim had to be dismissed for two independent reasons.

First, Plaintiff’s failure to allege when the breach purportedly occurred was fatal to the Complaint.  Recall that the CCPA provides that “[a]ny consumer whose nonencrypted and nonredacted personal information […] is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action” to recover damages or injunctive relief.  Cal. Civ. Code § 1798.150(a)(1).  The CCPA went into effect on January 1, 2020, and it does not contain an express retroactivity provision.  Moreover, under well-settled California law, in the absence of an express retroactivity provision, a statute will usually not be applied retroactively.

As such, the Court held that the CCPA does not apply retroactively, and therefore the alleged breach involving Walmart was only actionable under the CCPA if it occurred after January 1, 2020.  However, on this specific issue, the Complaint was silent.  Although Plaintiff alleged his personally identifiable information (“PII”) was presently for sale on the dark web and argued that this allegation in itself sufficed for purposes of pleading a CCPA claim, the Court disagreed:  “Absent allegations establishing that Walmart’s alleged violation of the CCPA occurred after it went into effect, Plaintiff’s CCPA claim is not viable.”

Second, the Court also held that Plaintiff’s CCPA claim failed for the additional reason that Plaintiff did not sufficiently allege disclosure of his personal information as defined in the CCPA.  Recall that the CCPA provides that “personal information” means:

(A) An individual’s first name or first initial and the individual’s last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:

(i) Social security number.

(ii) Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.

(iii) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account […]

(B) A username or email address in combination with a password or security question and answer that would permit access to an online account.

Cal. Civ. Code § 1798.81.5.  Why does this matter?  Well, in the Complaint Plaintiff merely alleged that the purported breach compromised the full names, financial account information, credit card information, and other PII of Walmart customers.  The Court found this allegation insufficient, noting that “[a]lthough in the Complaint Plaintiff generally refers to financial information and credit card fraud, he does not allege the disclosure of a credit or debit card or account number, and the required security or access code to access the account.”  (emphasis added).  Accordingly, Plaintiff’s allegations, without more, did not suffice to plead a disclosure of “personal information” as defined in the CCPA.

Well, what about the OTHER claims pled in the Complaint?  Surely one of them had to move past the pleadings stage, right?  Nope.  Walmart had moved to dismiss Plaintiff’s remaining claims for negligence, breach of contract, and violations of California’s Unfair Competition Law (“UCL”) for failure to allege any cognizable injury.  The Court accepted Walmart’s arguments on this front.

Similar to the allegations raised in other data breach litigations, Plaintiff alleged that he and the proposed class suffered economic damages and actual harm in the form of: (1) the improper disclosure of their PII; (2) future risk of potential fraud and identity theft; (3) Walmart’s nonexistent notification of the data breach; (4) ascertainable losses in the form of out-of-pocket expenses and value of time spent mitigating the data breach’s effect; (5) losses in the form of deprivation of value of their PII; and (6) overpayments for the goods purchased from Walmart.  Not impressed by these alleged “injuries”?  Neither was the Court, which found “Plaintiff’s vague and conclusory allegations regarding his purported injuries are insufficient to establish the damages element required for his breach of contract, negligence, and UCL claims.”

Walmart may have won this particular battle, but this data privacy litigation is not over yet.  The Court gave Plaintiff the opportunity to cure the deficiencies in the Complaint by granting leave to amend.  Whether Plaintiff is able ultimately to state a claim under the CCPA remains to be seen.  Stay tuned.  CPW will be there.

Just this week Virginia joined California as being one of the few states where consumers have a “right to delete” under applicable state privacy laws.  This loosely follows the approach in the EU General Data Protection Regulation (“GDPR”) that also contains a right to delete which is quite broad (“right to obtain . . . erasure of personal data concerning him or her”), though subject to a number of exceptions.  State approaches to consumers’ “right to delete” are not uniform, however, which makes understanding the nuance in the California Consumer Privacy Act (the “CCPA”), the California Privacy Rights Act, which amends and will essentially replace the CCPA on January 1, 2023 (the “CPRA”), and the Virginia Consumer Data Protection Act (the “VCDPA”) all the more important.

CPW’s Glenn Brown has prepared a detailed analysis that is a must-read in light of the VCDPA’s passage that compares the “right to delete” under the CCPA, CPRA and VCDPA.  As he explains, the CCPA, CPRA and VCDPA each provide that a consumer has the right to request that a business delete their personal information, but they differ in certain respects, including their scope. The CCPA provides that consumers “… have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer.”  (emphasis added).  Notably, the CPRA does not amend the wording of this right.  By comparison, the VCDPA provides that consumers “… have the right to delete personal data provided by or obtained about the consumer.”  (emphasis added).  The VCDPA’s deletion right is therefore broader than that provided by the CCPA and CPRA, in that it applies to personal information that a business has collected from a consumer or that the business has collected about a consumer from another source.

Glenn provides a fantastic breakdown discussing the relevant exceptions to the “right to delete” under each of these laws, including a chart describing the various uses of personal information that will allow a business to retain the relevant personal information subject to these laws, even when a consumer has requested the business to delete it.

*The CCPA and CPRA provide that the exception is available only if: (a) deletion of the information is likely to render impossible or seriously impair the ability to complete such research; and (b) the consumer has provided informed consent.

**The VCDPA requires that the research be approved, monitored, and governed by an institutional review board, or similar independent oversight entities, that determine whether: (i) the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller; (ii) the expected benefits of the research outweigh the privacy risks; and (iii) the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification.

The CPRA also requires that such uses be compatible with the context in which the consumer provided the information in order to qualify for the exception.

Be sure to check out Glenn’s complete analysis here.

CPW’s Glenn Brown and Lydia de la Torre were recently interviewed by Vixio regarding the Virginia Consumer Data Protection Act (“VCDPA”), which establishes a series of consumer privacy rights, including the right to access the data businesses collect, request deletion of that information, and correct inaccuracies.  As Glenn explains, “[t]he drafting of the Virginia bill was certainly informed by businesses’ experience with the CCPA and the challenges with it.”  This is because, he notes, the CCPA’s definition of “sale,” described as an exchange of personal information for monetary or “other valuable consideration,” raised many questions on how it affects online targeted advertising or digital advertising.  By contrast,  Virginia makes compliance easier by providing a clearer definition when describing “sale” as the exchange of personal data for monetary consideration only.  For an overview of key issues anticipated with the VCDPA, be sure to check out Glenn’s and Lydia’s great insights.