While much of the privacy community has been focused — for good reason — on the COVID-19 public health emergency, plaintiffs' counsel have started to lay the groundwork for a broad private right of action under the California Consumer Privacy Act (CCPA), Cal. Civ. Code §§1798.100 to 1798.198.
The first part of this article provides an overview of how the CCPA addresses private rights of action. The second section summarizes recent class action complaints that attempt to use CCPA violations as the basis for class-wide claims, either via claims asserted directly under the CCPA or through the California Unfair Competition Law. The third and final part provides suggestions for prioritizing activity in CCPA compliance programs in this new litigation environment.
The California Consumer Privacy Act was the end product of a negotiation with the backers of a proposed ballot initiative, Californians for Consumer Privacy, that, if successful, would have granted California residents the right to be notified of and to opt out from sales of personal information. See, The California Consumer Privacy Act of 2018, Ballot Initiative No. 17-0027, draft stamped as received by California Attorney General on Oct. 9, 2017. One of the primary objectives of the business community in supporting the negotiations was to eliminate a proposed private right of action. See, California Senate, Senate Judiciary Committee, Tuesday, April 9th, 2019 at 3:34:00-3:39:25. The final statute, a product of compromise on both sides, promised to limit any private right of action to claims for certain data security incidents resulting from a failure to comply with pre-existing standards of California law. See, Cal. Civ. Code §1798.81.5. Privacy attorneys and litigators were, however, quickly skeptical about whether the compromise language would be effective to preclude broader class action suits.
A Private Right of Action under the CCPA with Statutory Damages for Data Breach
Section 1798.150(a) of the CCPA expressly establishes a private right of action for consumers "whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information …." Cal. Civ. Code §1798.150(a). While California residents already had a right to bring private suits arising from certain types of security incidents (see, Cal. Civ. Code §1798.84(a)), the CCPA for the first time established statutory damages for these claims. See, Cal. Civ. Code §1798.150(a).
Is There a Private Right of Action for Violations of the CCPA's Privacy Standards?
The CCPA appears, at first glance, to prohibit private rights of action outside the 1798.150(a) information security breach scenario. The statute provides that "[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law." Cal. Civ. Code §1798.150(c). From the time the law was first enacted, however, commentators have noted that this language may not be sufficient to preclude class actions brought under the California Unfair Competition Law (UCL) based on general violations of the privacy standards of the CCPA. See, Cal. Bus. & Prof. Code §§17200 to 17210.
The UCL empowers private litigants to initiate class action proceedings to enjoin unlawful, unfair, and fraudulent business practices and to seek restitution and recovery of attorney's fees. See, Cal. Bus. & Prof. Code §17203. Violations of a statute "may serve as the predicate for a UCL cause of action" for alleged unlawful conduct. See, Rose v. Bank of America, N.A., 304 P.3d 181, 183 (Cal. 2013). A UCL claim based on unlawful conduct evidenced by the violation of a statute will not be precluded unless the statute in question "actually 'bar[s]' the action or clearly permit[s] the conduct." Id. at 186.
The issue then is whether the CCPA "actually 'bar[s]'" a UCL claim based on a violation of the CCPA. The failure to squarely address this question in the new law was raised by interest groups during lobbying processes in 2018 and 2019. See, Letter of Various Business and Industry Associations to Cal. State Sen. Bill Dodd (Aug. 6, 2018). The State Assembly and Senate have thus far declined to clarify the issue. At the same time, a bill backed by Attorney General Xavier Becerra which would have established a direct private right of action, designated Senate Bill 561, failed to attract sufficient support to come to a floor vote last year and died in committee. Comments in the Senate during the debate on SB 561 suggested the legislature had intended specifically not to authorize private litigation beyond security-related claims under Section 1798.150(a). See, California Senate, Senate Judiciary Committee, Tuesday, April 9th, 2019 at 3:34:00-3:39:25.
A series of recent class action complaints are testing the theory that the UCL affords private plaintiffs the ability to bring class actions for violations of the CCPA beyond the limited right to bring claims for data breach matters under Section 1798.150(a). Whether plaintiffs have a right to initiate private litigation under the CCPA therefore appears bound to be decided in the courts.
Burke v. Clearview AI, Inc.
The plaintiffs filed a class action complaint on February 27, 2020, following press reports of allegations that the defendant Clearview AI had collected billions of images from sources across the Internet and processed the images in a manner designed to create biometric faceprints. The plaintiffs pled claims under the Illinois Biometric Privacy Information Act (740 Ill. Compiled Statutes 14/1 et seq.) and for common law commercial appropriation and unjust enrichment. But Count I of the complaint seeks relief under the UCL for the defendant's alleged violation of the CCPA's "notice at collection" requirements set forth in Section 1798.100(b). See, No. 20-cv-0370, Dkt. No. 1 (S.D. Cal. filed Feb. 27, 2020).
The Zoom Lawsuits
Plaintiffs have filed class action complaints against Zoom in three separate proceedings since late March that arise from well-publicized reports concerning Zoom's alleged data practices. See, Johnston v. Zoom Video Comms., Inc., No. 5:20-cv-2376, Dkt. No. 1 (N.D. Cal. filed Apr. 8, 2020); Taylor v. Zoom Video Comms., Inc., No. 5:20-cv-2170, Dkt. No. 1 (N.D. Cal. filed Mar. 31, 2020); Cullen v. Zoom Video Comms., Inc., No. 5:20-cv-2155, Dkt. No. 1 (N.D. Cal. filed Mar. 30, 2020). All three actions are based on allegations that the Apple iOS version of Zoom's videoconferencing app contained a software development kit that sent user information to Facebook, and on alleged flaws in Zoom's information security program and controls. The claims allege that: a) the Zoom mobile app sent data to Facebook each time a user used the app, even if the user did not have a Facebook account; and b) Zoom did not notify app users of the collection of this data or the sharing of the data with Facebook. Taylor and Johnston further allege that Zoom failed to notify users of an alleged right to opt out from this information sharing with Facebook pursuant to the CCPA's "do not sell" standards. See, Johnston, supra, at para. 103 (asserting CCPA claim on grounds that Zoom allegedly "fail[ed] to provide notice to [users] of their right to opt out of the disclosure or use of their personal information to third parties"); Taylor, supra, at para. 132 (asserting CCPA claim on grounds that Zoom allegedly "fail[ed] to provide notice to its customers of their right to opt-out of the disclosure of their PII to unauthorized parties like Facebook").
We note two common themes in Cullen, Taylor, and Johnston:
Notices at Collection are a Flash Point of Risk
Violations of the CCPA's new "notice at collection" requirement are an attractive basis for class action complaints because plaintiffs' counsel can multiply the violation by the number of times consumers have visited the Web site, downloaded the mobile app, or used relevant features within the app. We suspect this is why alleged violations of this requirement feature so prominently in the Clearview AI and Zoom suits. But truly effective compliance with the notice at collection requirement can be highly complicated and resource intensive for businesses.
Identifying all potential consumer touchpoints where data might be collected can require significant technical due diligence and investigation of direct person-to-person interactions in brick-and-mortar settings. Privacy teams often have limited bandwidth for detailed technical investigations and IT functions can quickly lose patience with probing privacy counsel and staff.
We have worked with many clients to create a catalogue or index of data collection channels with references to point-of-collection notices, with an emphasis on simplicity. We recommend tightly integrating this work with ongoing privacy assessment processes to ensure notices remain complete and accurate over time.
Understanding How SDKs Interoperate with Consumer-Facing Mobile Apps
Software development kits or "SDKs" integrated into mobile apps are a rough equivalent from a data collection and targeting perspective to cookies, pixels, and other tracking technologies on traditional Web sites. We have long cautioned of the need to understand in detail how third party SDKs interoperate with mobile apps to ensure the continued accuracy of disclosures in privacy notices. The alleged failure to do so is at the core of the recent Zoom class action complaints.
Consider using the app maintenance and update cycle to require regular scans and reviews of app components prior to enterprise release. Regular reviews can also serve as a springboard for ongoing documentation of app functionalities and SDKs, as well as the measures taken to ensure their compliance.
Understand Whether and How All Consumer Products, Equipment Components and Other Tangible Items Distributed By the Business Collect and Share Data
The sale and distribution of networked products has exploded. Businesses may now find themselves distributing consumer products, equipment components, or even giveaway items that have embedded sensors collecting data from end users or regarding the location and environments in which the products are deployed. Much of the discussion around such Internet of Things or "IoT" products involves the security they provide for data they collect from users. The allegations in the Zoom lawsuits suggest that notice-at-collection should be an equal part of this discussion.
We recommend as initial steps focusing on high profile products and marketing initiatives that result in large-scale distribution of products, compiling details regarding networked devices, zeroing in on the inclusion of notices in customer terms and conditions, and integrating the work going forward with a privacy assessment process for new products/R&D and the digital marketing team.
*****
David Keating is one of the co-leaders of the Privacy and Data Security Practice at Alston & Bird. David has been practicing in the privacy and cybersecurity area for nearly 20 years. He assists clients with compliance strategies, data monetization and data use analyses, data issues in transactions, new product development, and privacy enforcement matters. Particular areas of focus include emerging technologies, European Union data protection, and California Consumer Privacy Act readiness and compliance.
Jim Harvey founded and co-chairs Alston & Bird's Privacy & Data Security Practice and its Cybersecurity Preparedness & Response Team. Jim's practice involves board-level and enterprise-wide strategic issues at the intersection of cybersecurity, privacy, global data rights and usage, and technology. Jim's experience includes not only handling some of the largest breaches on record but also includes everything from data-related regulatory actions and litigation, the intricacies of the adtech ecosystem, preparing companies and their boards for cybersecurity risks, and leveraging and monetizing personal and corporate data around the globe.
Dan Felz is a senior associate in Alston & Bird's Privacy & Data Security Practice. Dan's practice leverages significant experience in the privacy, security, and litigation arenas across jurisdictions. Dan was a professor of law in Germany with privacy and security as a research focus, and also litigated class actions and MDL cases in state and federal courts. Dan's experience includes assisting with breaches, data-related litigation and regulatory enforcement proceedings, technical expertise in adtech and similar data-intensive industries, and data-driven products and initiatives in organizations of all sizes. Dan has also helped lead clients' privacy compliance strategies in the United States, European Union, and globally.