2021 was another record setting year for the California Consumer Privacy Act (“CCPA”).  Read on for CPW’s highlights of the year’s most significant events concerning CCPA litigation, as well as our predictions for what 2022 may bring.

2020 Recap: The CCPA Comes Into Effect

The CCPA went into effect on January 1, 2020.  It regulates any “business” that “does business in California,” even those without a physical presence in the state, and determines the means and purposes of the processing of “personal information”.

As a recap, what entities qualify as a “business” subject to the CCPA? The statute defines a “business” as a for-profit, private entity that (1) collects “personal information”, (2) determines the means of processing that personal information, (3) does business in California, and (4) meets one of the following criteria:

  • Has annual gross revenues exceeding $25 million;
  • Annually sells/buys or receives/shares for commercial purposes the personal information of 50,000 or more California consumers; or
  • Derives 50% or more of its annual revenue from selling personal information.

Generally, the CCPA covers all information so long as it relates to a California resident or California household.  Aligning with the GDPR, the CCPA defines “personal information” to include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”  Cal. Civ. Code § 1798.140(o).

The CCPA requires compliance with its notification and transparency requirements.  First, the CCPA expects businesses to present up to four notices, to be determined by that business’s practices.  Second, businesses must also inform consumers of their rights under the CCPA, including their: (1) right to know, (2) right to delete, (3) right to opt out, and (4) right to not be discriminated against for exercising their CCPA rights.

Section 1798.150(a)(1) of the CCPA provides a private right of action to “[a]ny consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure” due to a business failing to satisfy “the duty to implement and maintain reasonable security procedures and practices….” (emphasis supplied).  Damages available for a private right of action under Section 1798.150(a)(1) include a statutory amount of between $100 and $750 “per consumer per incident or actual damages, whichever is greater”, as well as injunctive or declaratory relief and “any other relief the court deems proper” (emphasis supplied).

The first CCPA lawsuit, Fuentes v. Sunshine Behavioral Health Group, LLC, No. 8:20-cv-00487 (C.D. Cal.), appeared on March 10, 2020, only three months after the law went into effect.  Others soon followed.

Overview of 2021 CCPA Litigations: What Do the Numbers Show?

To date, over 125 cases asserting CCPA claims have been filed this year, with the vast majority (91.2%) filed in federal courts.  Each quarter of 2021 has seen roughly the same number of cases filed (about 30-35 cases).  Not surprisingly, about 60% of all federal cases were filed in California’s federal courts, with the largest number of cases filed in the Northern and Southern Districts of California.  Outside of California, the Western District of Washington had the largest number of CCPA cases filed with ten total cases filed to date.  A handful of cases have also been filed in district courts in each of the Second, Third, Fourth, Fifth, Sixth, Seventh, Eighth, and Eleventh Circuits.  Ten of the eleven state court cases filed have been filed in California Superior Courts.

Interestingly, nearly 40% of all CCPA cases filed this year either concerned the T-Mobile data event or alternatively, another data event involving a financial services company following account hacks on the California Employment Development Department’s (“EDD”) prepaid debit cards.  As such, the largest number of cases filed this year were concentrated in the communications and financial services industries.  The remaining CCPA cases, however, span a wide range of industries—including technology, healthcare, insurance, and hospitality.  Even a hair transplant company had a CCPA lawsuit brought against it this year.

And while cyber theft remains on the rise, plaintiffs (and plaintiffs’ attorneys) have not lost sight of other data use implications mandated by the CCPA.  For example, Flo Health Inc., an ovulation-tracking app, has been hit with a number of class action lawsuits alleging the app “secretly collected” (i.e. without consent) personal information of users—including whether women were trying to get pregnant—and shared that data with third-party data collectors and advertisers.  The lawsuits follow the FTC’s investigation into related concerns.  Some of the complaints against Flo Health reference the CCPA as supporting other claims raised by plaintiffs, such as violation of California’s Unfair Competition Law (Cal. Bus. & Prof. Code §§ 17200, et seq.), without asserting a direct CCPA claim.

2021 Developments in CCPA Case Law

This year has seen a number of developments in CCPA litigation case law.  We highlight a few of those developments here.

At the beginning of this year, one federal court held that the CCPA does not limit the scope of discovery in litigation.  Will Kaupelis v. Harbor Freight Tools USA, Inc., Case No. 19-01203 (C.D. Cal.).  This case was brought as a putative class action and concerned claims that the defendant allegedly manufactured and sold chainsaws with a design defect.  After defendant’s motion to dismiss was denied, plaintiff sought discovery that included the PI of customers who had complained about the purported product defect (including individuals in California).  The defendant resisted production of this information, in reliance on the CCPA.  Specifically, the defendant argued that the CCPA expanded the privacy rights previously provided under California law.  As such, the defendant argued that the court should “protect the consumers’ PI by allowing consumers an opportunity to opt out from disclosure.”   The defendant claimed this approach was consistent with the CCPA’s notice and consent requirements.  The court, however, granted plaintiff’s motion to compel, stating that, “[n]othing in the CCPA presents a bar to civil discovery.  Notably, no other case has so held.  And the statute itself explicitly says that it is not a restriction on a business’s ability to comply with federal law.”  The court later dismissed an amended complaint on similar grounds.

In March, Walmart scored a massive win for defendants in data privacy litigation in the Lavarious Gardiner v. Walmart Inc. et al. case.  The Court adopted Walmart’s narrow interpretation of the CCPA and dismissed Plaintiff’s non-cognizable CCPA claim.  As a reminder, this case involved a plaintiff inferring, from finding his information on the dark web, that Walmart had suffered a data breach.  In response, Walmart argued first that Plaintiff’s failure to allege when the breach purportedly occurred was fatal to the Complaint because the CCPA is not retroactive.  The Court sided with Walmart and agreed that Plaintiff needed to plead a breach occurring after January 1, 2020:  “Absent allegations establishing that Walmart’s alleged violation of the CCPA occurred after it went into effect, Plaintiff’s CCPA claim is not viable.”  Second, the Court also held that Plaintiff’s CCPA claim failed for the additional reason that Plaintiff did not sufficiently allege disclosure of his personal information as defined in the CCPA.  Cal. Civ. Code § 1798.81.5.  The Court found insufficient the Complaint’s allegation that the purported breach compromised the full names, financial account information, credit card information, and other PII of Walmart customers: “[a]lthough in the Complaint Plaintiff generally refers to financial information and credit card fraud, he does not allege the disclosure of a credit or debit card or account number, and the required security or access code to access the account.”  (emphasis added).

In July 2021, the Central District of California denied a motion to compel arbitration brought by the Gap in the data breach litigation, Shadi Hayden v. Retail Equation et al., No. 20-cv-01203 (C.D. Cal. July 07, 2020).  There the court reasoned that, because the Gap was not a party to the arbitration agreement it attempted to invoke, the arbitration agreement did not apply to bar the litigation.  The Gap subsequently appealed, and the case remains pending.

In an August decision, a federal judge found that the majority of Plaintiffs’ statutory claims withstood a Rule 12(b)(6) motion to dismiss in the In re Blackbaud data privacy multi-district litigation.  MDL No. 2972 (D.S.C. Aug. 12, 2021).  Plaintiffs’ allegations that a cyberattack resulted from Blackbaud’s “deficient security program” and failure to comply with industry and regulatory standards were sufficient to withstand a motion to dismiss.  As to the CCPA, the Court found that Blackbaud was alleged to be a “business” under the CCPA, relying largely on its registration as a “data broker” under California law.  The Court notably rejected Blackbaud’s argument that it was a “service provider” as insulating it from liability under the CCPA.

In another significant ruling, in Brooks v. Thomson Reuters Corp., No. 21-cv-01418-EMC, 2021 U.S. Dist. LEXIS 154093 (N.D. Cal. Aug. 16, 2021) the Northern District of California recently denied in part a defendant’s motion to dismiss a complaint alleging violations of various consumer privacy statutes. Of note, the Court found that an affirmative defense of compliance with one privacy statute, the CCPA, did not shield defendant from liability for alleged violations of other state laws.

Finally, in December, the Northern District of California denied a motion to intervene and oppose a preliminarily approved settlement in the litigation that followed a widespread data event Accellion had suffered.  Cochran v. Accellion, Inc., 2021 U.S. Dist. LEXIS 214686 (N.D. Cal. Nov. 5, 2021).  In Cochran, one of the entities that used Accellion as a services provider agreed as part of a $5 million settlement to modify its business practices going forward.  This would include switching to a “new secure file transfer solution,” securing or destroying the personal information subject to the data event and boosting its third-party vendor risk management program.  In denying the Proposed Intervenors’ Motion to Intervene, the Court analyzed intervention as a matter of right and permissive intervention.  The Court rejected the contention that intervenors could intervene as a matter of right because the Court heard the Proposed Intervenors’ objections to the proposed settlement on two occasions, because the settlement agreement allows putative intervenors to protect their interests by opting out of the settlement class, and because the Court found that the Proposed Intervenors’ interest in a preliminary settlement approval is not a “significant protectable interest.”  The Court denied permissive intervention because, among other things, the Proposed Intervenors already had the opportunity to participate in the fairness hearings.

Predictions for CCPA Litigation in 2022

So what is on the horizon for 2022? Certainly an expansion of consumer privacy laws that follow California’s lead.  This past year saw Virginia and Colorado launch privacy legislation and that trend will continue in 2022.  While claims invoking the consumer privacy law of other states may be kept at bay during 2022, the lessons learned from CCPA litigation will come into play in 2023 as those new laws, particularly those with a private right of action, start going into effect.

In the meantime, we can expect that the lawsuits making their way through the courts will continue shaping the contours of CCPA litigation.  Of particular interest will be the impact of the Ramirez v. TransUnion decision upon class action litigation, including CCPA claims arising from a data incident.  As previously noted, while commentators worried that Ramirez might preclude data breach litigations from being brought in federal courts, those concerns have not materialized, with CCPA claims remaining just as at home in federal court as in state court.

We can also expect to see continued enforcement activity at the state level.  In July 2021, California’s Attorney General Bonta issued a press release summarizing its first year of CCPA enforcement and reinforcing its commitment to CCPA enforcement.  The pressure will remain on companies to annually update their California privacy notices to avoid finding themselves the target of enforcement activities.

2022 is going to remain busy for CCPA litigation and enforcement.  Not to worry, CPW will be there to keep you in the loop.  Stay tuned.

Registration is open for a series of upcoming not-to-be-missed webinars covering key areas for companies seeking to regulate the global compliance landscape.  Register below for insights from CPW’s Alan Friel, Marisol Mork, Eric Troutman and others.

Webinar Series: Advertising, Media and Brands – Global Compliance Challenges

2021 has provided unique challenges for businesses operating across the advertising, media and brands industry. Aside from the impact of the pandemic, we are seeing a changing and challenging landscape due to increasing economic, consumer, regulatory and compliance pressures.

With increased exposure as a result of these pressures, Squire Patton Boggs and BDO will be hosting four webinars to support the advertising, media and brands industry in navigating these challenges:

  • November 11, 2021 – Global Data, Technology and Tax
  • November 30, 2021 – M&A Landscape, Post-COVID-19 Transaction Trends and Tips, and Top Five Due Diligence Risks
  • January 12, 2022 – Global Anti-counterfeiting and Brand Protection Trends, and Top Five AMB Hot Topics
  • February 2, 2022 – The Rise of ESG and Global Workplace Challenges

Hosted by Squire Patton Boggs and BDO

Click here to register.

Conference: ANA/BAA Marketing Law Conference (In-Person and Virtual)

Nov. 15-17, 2021: San Diego

Session: California Privacy: What Direction Next From CCPA and CRPA?

Alan Friel (Squire Patton Boggs) will review California’s privacy laws with representatives from the California Privacy Protection Agency and the OAG.

Session: State and Local Attorney General Enforcement updates by Marisol Mork (Squire Patton Boggs)

Session: TCPA updates by Eric Troutman (Squire Patton Boggs)

Hosted by ANA.

Click here to register.

On Friday, October 15 readers of CPW are invited to join CPW’s Alan Friel from Squire Patton Boggs and Ankura experts David Manek and Colleen Yushchak as they discuss key themes from California attorney general’s examples of CCPA non-compliance.  Please join for their insights, which will include essential CCPA compliance tools at TrustWeek OneTrust User Conference on October 15.

“Since it was enacted just over a year ago, companies are now having to deal with the uncertainties surrounding the interpretation of the California Consumer Privacy Act (CCPA) and the circumstances that might subject them to penalties and fines for violations. In an effort to inform the marketplace and minimize those uncertainties, the office of the California attorney general recently published 27 examples that demonstrate what CCPA non-compliance looks like and highlights actions that can be taken to remedy each situation. Ankura’s David Manek and Colleen Yushchak will be joined by Alan Friel from the law firm of Squire Patton Boggs for an in-depth look at the AG’s various scenarios and provide an analysis of their review. In addition to sharing insights on how the OneTrust technology can be applied to the scenarios, David, Colleen and Alan will provide several essential tools, including a checklist of CCPA enforcement issues you can use as part of your year-end assessment and best practices for planning your 2023 CPRA/CDPA/CPA workstreams.”

Registration is available at: https://www.trustweek2021.com/

Since it was enacted just over a year ago, companies have had to deal with the uncertainties surrounding how to interpret the California Consumer Privacy Act (“CCPA”) and the circumstances that might subject them to penalties and fines for violating the CCPA.  As CPW readers are already aware, in an effort to inform the marketplace and minimize those uncertainties, the office of the California attorney general recently published 27 examples that demonstrate what CCPA non-compliance looks like and highlights actions that can be taken to remedy each situation.

In a webinar, CPW’s Alan Friel and Ankura’s David Manek and Colleen Yushchak provide an in-depth look at the AG’s various scenarios and a discussion of the common themes they have distilled from their analysis of all 27 examples. In addition to sharing insights, David, Colleen and Alan provide several essential tools, including a checklist of CCPA enforcement issues you can use as part of your year-end assessment, guidance on current compliance for January 2022 CCPA notice updates, and best practices for planning your 2023 CPRA/CDPA/CPA workstreams.

You can watch it here.

In a significant ruling, the Northern District of California recently denied in part a defendant’s motion to dismiss a complaint alleging violations of various consumer privacy statutes. It found that an affirmative defense of compliance with one privacy statute, the California Consumer Privacy Act (“CCPA”), did not shield defendant from liability for alleged violations of other state laws.

First, the facts. In Brooks v. Thomson Reuters Corp., No. 21-cv-01418-EMC, 2021 U.S. Dist. LEXIS 154093 (N.D. Cal. Aug. 16, 2021), Plaintiffs alleged that defendant Thomson Reuters aggregated publicly available information about millions of individuals, in addition to pulling information from third-party brokers, to create “dossiers” that it sells through an online platform called CLEAR. Plaintiffs were two individuals who claimed that defendant was selling their personal information through CLEAR without their consent; one plaintiff also claimed that his CLEAR profile included inaccurate information. Plaintiffs alleged violations of the California common law right of publicity and the California Unfair Competition Law (“UCL”), and brought claims for unjust enrichment and injunctive relief.

After removing the action to state court, defendant filed the motion to dismiss. One of its primary defenses was that its conduct was not “unfair” under the UCL because such conduct was permitted under the CCPA, which provides that a consumer has an opt-out right to “direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information.” As defendant interpreted this language, it was permitted to sell plaintiffs’ information so long as it provided plaintiffs a mechanism to opt out of the sale.

The Court disagreed, pointing to the statutory intent of the CCPA, which provided that the law was not intended to curtail other privacy statutes and should be interpreted to allow the greatest privacy protections possible. Following this reading, the Court observed that the fact that defendant provided an opt-out mechanism did not necessarily mean that its conduct was fair. It also observed that there was a question of fact as to whether CLEAR’s opt-out mechanism was “reasonably accessible” and “clear and conspicuous” to consumers in the manner required by the CCPA, based on the allegations in the Complaint.

On this basis, the Court proceeded to consider plaintiffs’ UCL claim, and found that plaintiffs had sufficiently stated a claim under the UCL. It also allowed plaintiffs’ remaining claims to survive defendant’s motion to dismiss.

Readers should take note that—while creative—simply claiming compliance with one privacy statute may not serve as a shield against other consumer privacy claims. Also noteworthy is the Court’s broad interpretation of the privacy laws at issue to allow for the greatest possible consumer protections. CPW will continue to keep an eye on this litigation for you.

Since it was enacted just over a year ago, companies have had to deal with the uncertainties surrounding how to interpret the California Consumer Privacy Act (“CCPA”) and the circumstances that might subject them to penalties and fines for violating the CCPA.  As CPW readers are already aware, in an effort to inform the marketplace and minimize those uncertainties, the office of the California attorney general recently published 27 examples that demonstrate what CCPA non-compliance looks like and highlights actions that can be taken to remedy each situation.

In a new webinar, CPW’s Alan Friel and Ankura’s David Manek and Colleen Yushchak will provide an in-depth look at the AG’s various scenarios and a discussion of the common themes they have distilled from their analysis of all 27 examples. In addition to sharing insights, David, Colleen and Alan will provide several essential tools, including a checklist of CCPA enforcement issues you can use as part of your year-end assessment, guidance on current compliance for January 2022 CCPA notice updates, and best practices for planning your 2023 CPRA/CDPA/CPA workstreams.

You can register for the webinar (and for attorneys, obtain 1 hour of CLE credit) which will be held September 9th at 11 am CST here.

Last week a federal judge dismissed a putative class action alleging that Walmart’s purportedly deficient security practices compromised customers’ personal data in violation of the California Consumer Privacy Act (“CCPA”).  This was on the basis that Plaintiff did not credibly allege that the purported disclosure of personal information occurred after the law went into effect last year, among other reasons.

Readers of CPW are well-versed with the background of this case.  Back in July 2020, Plaintiff filed a class action complaint against Walmart alleging that Walmart suffered a data breach which was never disclosed.  As evidence of the breach, Plaintiff presented claims that the personal information associated with his Walmart account had been discovered on the dark web for sale and presented the results of security scans performed on Walmart’s website, which allegedly showed certain vulnerabilities.  In other words, Plaintiff filed suit on the supposition that Walmart’s systems had been breached, which Walmart denies.  Plaintiff’s complaint included a claim under the California Consumer Privacy Act (“CCPA”), in addition to other California privacy and consumer protection statutes.

However, as with all things, the details matter.  In order for Plaintiff to prevail at this stage in the pleadings, the court had to find that the complaint sufficiently alleged a violation of the CCPA, which went into effect on January 1, 2020.  This meant the data incident at issue had to have happened on or after this date.  However, the original complaint filed in this case alleged that he found his personal data up for sale on the dark web in 2019.  And when Walmart pointed out this pleading shortcoming in its motion as a basis for dismissal, Plaintiff filed opposition papers declaring that the actual date was 2020 and categorizing the discrepancy as a “scrivener’s error.”

Assessing the pleadings and the parties’ briefing, the court ruled last Wednesday that the different date now claimed by Plaintiff was not credibly “the result of a typo or misunderstanding.”  Nor was additional amendment of the pleadings a viable option for Plaintiff to state a cognizable CCPA claim.  This is because federal courts (including ones within the Ninth Circuit, where this case was pending) have held that an amended complaint may only allege other facts consistent with the challenged pleading.  Here by contrast, “[w]ere Plaintiff to amend his complaint to allege that the violation occurred on or after January 1, 2020, it would directly contradict the allegation in the FAC that he discovered his PII for sale in 2019.”

Plaintiff’s other claims were also subject to dismissal.  The court acknowledged that under limited circumstances, courts within the Ninth Circuit have found that “[d]iminution of value of personal information can be a viable damages theory.”  Pruchnicki v. Envision Healthcare Corp., No. 20-15460, 2021 U.S. App. LEXIS 11699 (9th Cir. Apr. 21, 2021).  However, in order to prevail on such a theory, “a plaintiff must establish the existence of a market for the personal information and an impairment of the ability to participate in that market.”  The “‘mere misappropriation of personal information’ does not establish compensable damages.”  (emphasis added).  Instead, a plaintiff must allege that his “personal information actually lost value.”

The court found Plaintiff’s California statutory and common law claims failed to satisfy this standard:

As in Pruchnicki, Plaintiff does not allege that he has been unable to sell, profit from, or monetize his personal information. Instead, he alleges that whether he ever intended to sell his information is irrelevant because it is possible to assign a monetary value to PII using a market approach.  Apart from allegations about the value of PII in general, Plaintiff has not alleged that his purportedly stolen personal information—his name, home address, phone number, and the last four digits and expiration dates of two of his debit cards—is less valuable because of the breach. Indeed, Plaintiff’s allegations suggest that his PII may be valueless for reasons unrelated to the alleged breach.

(emphasis in original).  As such, the court dismissed Plaintiff’s amended complaint (the original pleading had already been kicked out earlier in the year, but Plaintiff had been given another shot by being granted leave to file an amended pleading).

This case is noteworthy for its narrow application of the CCPA as well as for its damages ruling which builds upon the Ninth Circuit’s decision in Pruchnicki.  And for more on data privacy litigations, stay tuned.  CPW will be there to keep you in the loop.

As covered by Glenn A. Brown, Kyle Dull, Kyle Fath and Alan Friel at SPB, “on July 19, the Office of the Attorney General of California (OAG) issued a press release summarizing its first year of CCPA enforcement. Seventy-five percent of companies receiving a notice to cure are said to have come into compliance within the 30-day cure period, with 25% reportedly still within that period or under ongoing investigation. The OAG also published summaries of 27 resolved exemplary cases. The OAG was careful to note that the summaries do not constitute advice and do not include all of the facts, however they do offer some insights. Disappointingly, however, the summaries often lack enough detail to allow readers to surmise the enforcement posture that was taken by the OAG, the exact nature of the alleged violations, or the specific actions taken by the company that satisfied the OAG’s inquiry.”

Read their full analysis here, which also discusses how the OAG announced the launch of a new consumer complaint tool that allows consumers to answer certain gating questions to create a notice of noncompliance that can be sent to a business.

For more on this, stay tuned.  CPW will be there to keep you in the loop.


It has been a year for the record books for data privacy litigation (and we are only into Q2-who knows what Q3 and Q4 will bring!)  CPW has been tracking significant developments in this area of the law—including in regards to the California Consumer Privacy Act (“CCPA”).  While the statute has been in effect for a little over a year, it has already become a battleground for plaintiffs seeking to assert statutory claims against defendants for failing to maintain reasonable security procedures (even if the only harm plaintiffs allegedly suffered is speculative risk of future injury).  In fact, the flood of litigation under the CCPA was cited this week as a reason for the Florida legislature to consider dropping a private right of action from a data privacy bill under consideration.

The underlying reasons for this trend are clear.  First, the number of data breaches continues to rise.  Current estimates place the number of cyberattacks occurring in Q1 in the U.S. as ~320.  This is a slight uptick from Q1 2020.  Most significantly, however, the number of individuals in the U.S. whose information was disclosed in a data event in 2021 is up 500%.  Second, the CCPA is an attractive option for plaintiffs who claim they were “harmed” from the disclosure of their personal information as the statute purportedly provides for significant liquidated statutory damages (even in the absence of proof of identity theft, fraudulent charges on accounts, and the like—although how that actually shakes out in litigation is far from settled).

We are going to dig into what this all means and where things may be headed.  But first, let’s go back to the basics for any CCPA newbies out there.

A quarter into 2021, our review confirms that the slew of lawsuits filed under the CCPA remains concentrated in the area of data events.  But there should be no surprise there.  Section 1798.150(a)(1) of the CCPA provides a private right of action to “[a]ny consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure” due to a business failing to satisfy “the duty to implement and maintain reasonable security procedures and practices….” (emphasis supplied).  Damages available for a private right of action under Section 1798.150(a)(1) include a statutory amount of between $100 and $750 “per consumer per incident or actual damages, whichever is greater”, as well as injunctive or declaratory relief and “any other relief the court deems proper” (emphasis supplied).

So what do most of the CCPA cases filed in 2021 look like?  Good question.

Over one third of the CCPA litigations filed thus far are related to the account hacks on the California Employment Development Department’s (“EDD”) prepaid debit cards issued through Bank of America.  In case you missed it, a number of individuals had the balances on their EDD debit cards wiped out (without any prior notice or security alert).  On January 14, 2021, the first class-action lawsuit related to this event was filed against Bank of America, claiming the bank did not do enough to stop the scammers.  Since then, over 13 other similar lawsuits have been filed, which may be consolidated down the road.

In these litigations, plaintiffs raise claims under the CCPA concerning Bank of America’s alleged “failure to secure” private account information.  To put it differently, Bank of America allegedly breached its duty to implement and maintain reasonable security procedures and practices appropriate to the nature of individuals’ personal information, including “issuing EDD debit cards to plaintiff and class members with magnetic stripes but without EMV chip technology.”  Most of the filed complaints allege the lack of chip technology enabled scammers to access the funds in the debit cards, resulting in accounts being frozen and many individuals being left without payments for weeks (and some to date).

Bank of America is not the only institution that has been a victim of recent cyber theft.  Accellion’s File Transfer Appliance was also recently compromised, resulting in a number of CCPA class action lawsuits filed this year relating to—you guessed it—its alleged failure to maintain reasonable security procedures.  As alleged in one of the complaints:

Defendant [Accellion Inc.] violated § 1798.150 of the CCPA by failing to prevent Plaintiffs’ and class members’ nonencrypted and nonredacted personal information from unauthorized access and exfiltration, theft, or disclosure as a result of Defendant’s violations of their duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information

Brown v. Accellion, Inc., Case No. 5:21cv1155, Dkt. #1 at ¶70.

Another major data breach this year involving a large number of CCPA suits related to Automatic Funds Transfer Services, Inc. (“AFTS”).  On February 17, 2021, the California Department of Motor Vehicles announced that AFTS had been the subject of a “security breach” and ransomware attack that may have compromised “the last 20 months of California vehicle registration records that contains the names, addresses, license plate numbers and vehicles identification numbers” of California drivers.  Not surprising to those in the consumer privacy space, this resulted in numerous class action lawsuits being filed under the CCPA.  In those litigations, plaintiffs allege “AFTS violated the CCPA by subjecting Class Members’ PI to unauthorized access and exfiltration, theft, or disclosure as a result of AFTS’s violation of its duty to implement and maintain reasonable security procedures and practices appropriate to the nature and protection of that information.”  Atachbarian v. Automatic Funds Transfer Services, Inc., Case No. 2:21-cv-02645, Dkt. #1 at ¶61.

And while cyber theft remains on the rise, plaintiffs (and plaintiffs’ attorneys) have not lost sight of other data use implications mandated by the CCPA.  For example, Flo Health Inc., an ovulation-tracking app, has been hit with a number of class action lawsuits alleging the app “secretly collected” (i.e. without consent) personal information of users—including whether women were trying to get pregnant—and shared that data with third-party data collectors and advertisers.  The lawsuits follow the FTC’s investigation into related concerns.  Some of the complaints against Flo Health reference the CCPA as supporting other claims raised by plaintiffs, such as violation of California’s Unfair Competition Law (Cal. Bus. & Prof. Code §§ 17200, et seq.), without asserting a direct CCPA claim.  See, e.g., Tesha Gamino v. Flo Health Inc., Case No. 5:21-cv-00198-JWH-SHK, Dkt. #1.  This is something we have noticed in a handful of other lawsuits filed this year: listing the CCPA without asserting a direct cause of action under the statute.

So there you have it.  A quarter into 2021, CCPA cases continue to fill the docket, and occupy our attention.  Stay tuned while we continue to break the latest developments for you.  It is going to be a wild 2021 but CPW will be there.