The California Consumer Privacy Act (“CCPA”), which went into effect on January 1, 2020, has changed the landscape of privacy protection. This statute added five substantive privacy rights for consumers: (1) the right to notice, (2) the right to access, (3) the right to opt out (or right to opt in), (4) the right to request deletion, and (5) the right to equal services and prices. The CCPA does not by its plain language give an individual a private right of action to sue for a purported violation of these five rights, but instead relies on the California Attorney General to enforce them. The CCPA, however, does create a limited private right of action that applies when consumers’ personal information is “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” Cal. Civ. Code § 1798.150(a). Despite this clear language, we have observed that plaintiffs’ lawyers are seeking to extend the CCPA’s private right of action by alleging that a business’s voluntary disclosure of protected consumer data can give rise to a data breach claim under Section 1798.150 of the CCPA. This creative interpretation of the CCPA stretches the bounds of permissible statutory interpretation, but businesses should watch this litigation closely given the potentially sizeable statutory damages under Section 1798.150.
Scope of the private right of action under the CCPA
Section 1798.150 of the CCPA grants a private right of action to consumers whose personal information as defined in Section 1798.81.5(d)(1)(A) of California’s Customer Records Act is affected by a data breach. Cal. Civ. Code § 1798.150(a)(1). Even before the advent of the CCPA, California law provided for a private right of action for failing to protect a consumer’s personal information. Cal. Civ. Code § 1798.81.5 (West 2016); id. at § 1798.84(b). The novelty and potential increased exposure of the CCPA arise from its remedies: statutory damages ranging between $100 and $750 per consumer per incident, actual damages, injunctive or declaratory relief, or “any other relief the court deems proper.” § 1798.150(a).
Recent class action plaintiffs assert that the CCPA’s private right of action covers businesses’ voluntary data disclosures
A few recent class action complaints—including, for example, Cullen v. Zoom Video Communications and Hayden v. The Retail Equation, Inc., discussed below—have attempted to broaden the private right of action to cover the defendant businesses’ voluntary disclosures of consumer data. If the private right of action is given plaintiffs’ sweeping interpretation, these cases would make businesses liable for data sharing with partners in the ordinary course of business unless affirmatively authorized by consumers.
Cullen v. Zoom
In Cullen v. Zoom Video Communications, No. 5:20-cv-02155-SVK (N.D. Cal.) (now consolidated, In Re: Zoom Video Communications Inc. Privacy Litigation, Case No. 5:20-cv-02155-LHK), named plaintiff Robert Cullen alleged that Zoom voluntarily shared personal information about its users with Facebook when users signed into Zoom on their mobile devices. This data sharing, Cullen alleged, constituted an “unauthorized disclosure” of their personal information under California Civil Code § 1798.150(a). Compl. at 5. The personal information allegedly shared by Zoom included the user’s IP address along with their language setting, time zone setting, and information about their mobile device. Id. The Cullen case was filed on March 30, 2020, and has subsequently been consolidated with seven other cases. It appears that, post-consolidation, the plaintiffs decided not to pursue this novel CCPA theory: the Consolidated Amended Class Action Complaint, filed on July 31, 2020 (Dkt. 114), does not raise Cullen’s original cause of action under the CCPA’s private right of action section. See generally Consolidated Amended Complaint; see also Defendant’s Motion to Dismiss at 9 n. 6 (noting that the CCPA claim alleged in the underlying individual actions “was dropped” from the consolidated complaints).
Hayden v. The Retail Equation, Inc.
This novel CCPA theory was resuscitated in a subsequently filed action. In an amended complaint filed on August 3, 2020 in Hayden v. The Retail Equation, Inc., No. 8:20-cv-01203 (C.D. Cal.), plaintiffs allege that Sephora and thirteen other national retailers improperly shared consumer data with The Retail Equation, a company that analyzes consumer merchandise return data to prevent fraudulent and abusive returns. This voluntary data sharing, plaintiffs allege, is an “unauthorized disclosure” giving rise to a private right of action under Section 1798.150. Amended Class Action Complaint (Dkt. 15) at 37. Under the court’s most recent scheduling order, The Retail Equation has until November 6 to file its motion to dismiss, the national retail chains have until November 6 to file a joint motion to dismiss, and any retailer with a Rule 12 argument not addressed in the joint motion must file its motion by November 30. Order Granting Joint Stipulation Regarding Briefing Schedule And Structure For Defendants’ Motions In Response To First Amended Class Action Complaint (Dkt. 134) at 2. Judge Holcomb has set a hearing date of March 19, 2021 for the defendants’ motions to dismiss. Id. Many routine business practices are at stake in the court’s ruling.
The assertion that CCPA’s private right of action covers businesses’ voluntary data disclosures runs headlong into the legislators’ demonstrated intent
The California Supreme Court has explained that “[t]he fundamental purpose of statutory construction is to ascertain the intent of the lawmakers so as to effectuate the purpose of the law. … [I]t is a settled principle of statutory interpretation that language of a statute should not be given a literal meaning if doing so would result in absurd consequences which the Legislature did not intend. Thus, the intent prevails over the letter, and the letter will, if possible, be so read as to conform to the spirit of the act.” Horwich v. Superior Court, 21 Cal. 4th 272, 276 (1999) (internal citations omitted). Legislative draft language, committee report language, and the amendment to the original California Consumer Privacy Act of 2018 implemented by SB-1121 all support a narrow reading of the private right of action to cover only involuntary data breaches.
Legislative draft language. The original text of the private right of action provision shows that the problem legislators hoped to solve with this section was involuntary data breaches. Introduced by Assembly Member Chau and Senator Hertzberg as of June 21, 2018, the draft CCPA stated that “[t]he bill … would provide a private action in connection with specified security breaches.” The private right of action section began with the language: “Any consumer of a business whose personal information is subject to a security breach of the business as described in Section 1798.82 ….” Section 1798.82 is a part of California’s data breach notification law; the same statute provides that “[g]ood faith acquisition of personal information by an … agent of the … business for the purposes of the … business” is not a covered data breach. The original reference to this language shows that the statute’s drafters wished to provide a private right of action for involuntary breaches, not voluntary sharing of personal information.
Later drafts and the final version of the CCPA preserve a reference to the data breach notification law, applying its narrower definition of personal information rather than the broader one used elsewhere in the statute. This narrower definition of personal information—limited to the kinds of information that, if leaked, would be immediately vulnerable to cybercrime and identity theft—shows continuing intent to target data breaches. Amendments also narrowed the “personal information” covered to “nonencrypted and nonredacted” information, focusing on ways that a malicious party acting without the business’s authorization could access the information.
Committee report language. The Senate Judiciary Committee’s report on AB 375 also shows a clear expectation that the private right of action would target involuntary disclosures:
“[1798.150] would create a private right of action for those whose personal information has been compromised through the failure of a business to properly maintain that information[.]”
Cal. S. Judiciary Comm., AB 375 (Chau), 2018 (Comm. Rep.) at 21. The terms “compromised” and “failure” show that the private right of action was concerned with disclosures that the business did not intend. Voluntary disclosures to business partners are not the product of maintenance failures, and they ordinarily do not entail that the information is “compromised,” which the American Heritage Dictionary defines as “expose[d] or ma[d]e liable to danger, suspicion, or disrepute.”
Assembly’s concurrence in Senate amendments. When the California Assembly concurred in the Senate’s introduction of the CCPA, it also expressed a clear intent that Section 1798.150 provide only a “limited private right of action” for “specified data breaches.” Cal. Assem. Conc. in Sen. Amends. to A. Bill No. 375 (2017–2018 Reg. Session) at 8. Enacting the CCPA was a “legislative compromise,” consisting of “tradeoffs to address industry concerns and counterbalance the consumer rights added within this bill.” Id. at 7. One such tradeoff was a “limitation of public enforcement to actions by the AG and explicit authorization to receive guidance from the AG on compliance as the single regulatory entity.” Id. Under the CCPA framework, private enforcement for a data breach was the exception, not the rule: “[T]he AG” would “generally provide for enforcement of the rights and obligations of the bill by way of public enforcement.” Id. at 8.
The SB-1121 amendment to the CCPA. Finally, legislators passed an amendment shortly after the CCPA was first passed on June 28, 2018 to “clarify that” the scope of “the only private right of action permitted under the act” was narrow. S. Bill 1121, 2017-2018 Reg. Sess. (Cal. 2018). The amendment added language to subsection (c) of § 1798.150 to establish that the private right of action “shall apply only to violations as defined in subdivision (a) and shall not be based on violations of any other section of this title.” (Emphasis added). This addition shows a clear effort by legislators to foreclose creative attempts by plaintiffs to shoehorn grievances addressed elsewhere in the statute—such as those based on a business’s voluntary data sharing—into the private right of action.
The novel interpretation of Section 1798.150 is also inconsistent with the statute as written
Plaintiffs will also face a textual hurdle in arguing that under Section 1798.150 a business’s voluntary disclosure of consumer data can constitute an “unauthorized access and … disclosure” giving rise to a private right of action. Cal. Civ. Code § 1798.150(a).
Causation requirement. Plaintiffs’ novel interpretation of Section 1798.150 is inconsistent with the private right of action’s causation requirement. Under Section 1798.150, a plaintiff must prove that the voluntary “disclosure” was “a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” (Emphasis added.) In other words, the plaintiffs must argue that voluntarily disclosing information for a business reason is caused by a failure to use proper security procedures and practices. But voluntary disclosures have nothing to do with whether the business’s security practices are weak, strong, or somewhere in between; security practices protect against involuntary disclosures, not voluntary ones. It is illogical to argue that these voluntary business disclosures are “a result” of poor security procedures and practices.
The CCPA’s structure and 1798.150(c)’s exclusion provision. Plaintiffs’ interpretation is also hard to square with the statute’s structure. The CCPA tasks the California Attorney General with enforcing five substantive privacy rights on behalf of consumers. See §§ 1798.100, 1798.120 (right to notice); §§ 1798.100, 1798.115 (right to access); § 1798.120 (right to opt out); § 1798.105 (right to request deletion); CCPA § 1798.115 (right to equal treatment). These are the sections that define the permissible bounds of a business’s voluntary data sharing, as limited by a consumer’s rights to privacy. Section 1798.150, on the other hand, has the distinct function of covering exposure of data as a result of involuntary data breaches.
A reading that conflates voluntary data sharing with involuntary data breaches is impossible to square with § 1798.150(c), where legislators explicitly limit the private right of action to claims arising under the same section. There is no private right of action for violations of “other section[s]” of the CCPA. § 1798.150(c). This language is particularly significant because, as noted above, it was added to the statute to clarify the narrow reach of the private right of action. Permitting plaintiffs to shoehorn claims about voluntary data sharing—which is addressed in “other section[s]” of the CCPA—into a § 1798.150 private action would thus conflict with the express language of the CCPA.
The bottom line
Although plaintiffs face serious obstacles in asserting a private action for voluntary disclosures under the CCPA, this novel interpretation should not be taken lightly given its far-reaching implications for business practices and the sizeable statutory damages available.