On August 24, 2022, California Attorney General Rob Bonta issued a press release announcing the first public settlement by the Office of the Attorney General (OAG) involving alleged violations of the CCPA. The settlement involves a judicial judgment, civil penalties and ongoing monitoring and reporting. The use of noncompliance letters to cajole companies into compliance over many months now appears to be a closed chapter in the CCPA saga. Season 2 promises more drama, more action and more money. Entertaining unless you are the next target!


In a record-setting proposed settlement filed last week, T-Mobile has agreed to pay $350 million and boost its data security by $150 million over the next two years to resolve multidistrict litigation brought by T-Mobile customers whose data was allegedly exposed in a 2021 data breach.  Read on for the terms of the settlement, which may serve as a model in other high stakes data security cases going forward.

Recall that in August 2021, T-Mobile disclosed that it had been the victim of a cyberattack that resulted in the compromise of some current, former and prospective customers’ SSN, name, address, date of birth and driver’s license/ID information (the “Data Event”).  By T-Mobile’s account, no “customer financial information, credit card information, debit or other payment information” was exposed in the attack.  Nevertheless, over 40 putative class action claims were filed seeking damages for the improper disclosure of Plaintiffs’ personal information.  In December 2021, the Judicial Panel on Multidistrict Litigation transferred and centralized the putative class actions into the MDL standing before the Western District of Missouri.


As we covered at the end of last month, the California Attorney General is targeting loyalty programs in a recent enforcement sweep alleging noncompliance with the California Consumer Privacy Act (CCPA). CPW’s Kyle Dull, a Senior Associate in Squire Patton Boggs’ Data Privacy, Cybersecurity & Digital Assets Practice, was recently interviewed by Law360 concerning businesses’ data practices in the operation of their loyalty programs. You can check out the Law360 article and his comments here. From the article:

On Friday, Feb. 18, California Assemblymember Evan Low (D) introduced two bills (AB 2871 and AB 2891) that propose to extend the CCPA’s HR and B2B data exemptions, one through Dec. 31, 2026 and the other indefinitely. These proposed amendments were introduced just 10 months prior to the main provisions of the California Privacy Rights Act (“CPRA”) coming into effect, particularly the CPRA’s consequential provisions which cause HR and B2B data – specifically, personal information of HR data subjects (e.g., employees, applicants and independent contractors) and personal information collected in certain B2B transactions and communications – to become subject to the full scope of California’s omnibus privacy law. It’s not yet clear whether either of these bills has widespread support. However, if either does pass, it is almost certain that the legislature’s authority to do so will be challenged by privacy advocates on a constitutional basis, as we analyze below. Organizations for now should therefore proceed as if HR and B2B data will be in full scope of the CPRA starting Jan. 1, 2023.

The California Constitution prescribes when the legislature can amend a statute that was passed through a ballot referendum (the CPRA was approved as a referendum by California voters on Election Day 2020). In particular, Article II, Section 10(c) of the California Constitution states that “The Legislature may amend or repeal an initiative statute by another statute that becomes effective only when approved by the electors unless the initiative statute permits amendment or repeal without the electors’ approval.” The initiative statute – here the CPRA – does permit amendment or repeal without elector approval,

provided that such amendments are consistent with and further the purpose and intent of this Act as set forth in Section 3, including amendments to the exemptions in Section 1798.145 if the laws upon which the exemptions are based are amended to enhance privacy and are consistent with and further the purposes and intent of this Act. CPRA, Section 25(a).

The purpose and intent of the CPRA as to the extension of the HR and B2B exemption is stated directly: “It is the purpose and intent of the Act to extend the exemptions in this title for employee and business to business communications until January 1, 2023.” It’s not clear whether further extending the exemption as these proposed bills would is consistent with this purpose and intent, or if doing so could arguably serve to enhance privacy, especially in the absence of corresponding efforts to establish statutory privacy protections for these types of data subjects. Notably, the preamble of the CPRA additionally states, “The privacy interests of employees and independent contractors should also be protected, taking into account the differences in the relationship between employees or independent contractors and businesses, as compared to the relationship between consumers and businesses.” This additional proviso leaves open the door for legislation that treats at least HR data subjects somewhat differently than traditional consumers.

These amendments will almost certainly tee up a challenge. Even if one or both of the amendments gain steam, organizations should be reluctant to forgo preparation for compliance with the CPRA as it relates to HR and B2B data because of the potential challenges these bills could face even if passed into law.

2021 was another record setting year for the California Consumer Privacy Act (“CCPA”).  Read on for CPW’s highlights of the year’s most significant events concerning CCPA litigation, as well as our predictions for what 2022 may bring.

2020 Recap: The CCPA Comes Into Effect

The CCPA went into effect on January 1, 2020.  It regulates any “business” that “does business in California,” even those without a physical presence in the state, and determines the means and purposes of the processing of “personal information”.

As a recap, what entities qualify as a “business” subject to the CCPA? The statute defines a “business” as a for-profit, private entity that (1) collects “personal information”, (2) determines the means of processing that personal information, (3) does business in California, and (4) meets one of the following criteria:

  • Has annual gross revenues exceeding $25 million;
  • Annually sells/buys or receives/shares for commercial purposes the personal information of 50,000 or more California consumers; or
  • Derives 50% or more of its annual revenue from selling personal information.

Generally, the CCPA covers all information so long as it relates to a California resident or California household.  Aligning with the GDPR, the CCPA defines “personal information” to include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”  Cal. Civ. Code § 1798.140(o).

The CCPA requires compliance with its notification and transparency notices.  First, the CCPA expects businesses to present up to four notices, to be determined by that business’s practices.  Second, businesses must also inform consumers of their rights under the CCPA including their: (1) right to know, (2) right to delete, (3) right to opt out, (4) right to not be discriminated against for exercising their CCPA rights.

Section 1798.150(a)(1) of the CCPA provides a private right of action to “[a]ny consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure” due to a business failing to satisfy “the duty to implement and maintain reasonable security procedures and practices….” (emphasis supplied).  Damages available for a private right of action under Section 1798.150(a)(1) include a statutory amount of between $100 and $750 “per consumer per incident or actual damages, whichever is greater”, as well as injunctive or declaratory relief and “any other relief the court deems proper” (emphasis supplied).

The first CCPA lawsuit, Fuentes v. Sunshine Behavioral Health Group, LLC, No. 8:20-cv-00487 (C.D. Cal.), appeared on March 10, 2020, only three months after the law went into effect.  Others soon followed.

Overview of 2021 CCPA Litigations: What Do the Numbers Show?

To date, over 125 cases asserting CCPA claims have been filed this year, with the vast majority (91.2%) filed in federal courts.  Each quarter of 2021 has seen roughly the same number of cases filed (about 30-35 cases).  Not surprisingly, about 60% of all federal cases were filed in California’s federal courts, with the largest number of cases filed in the Northern and Southern Districts of California.  Outside of California, the Western District of Washington had the largest number of CCPA cases filed with ten total cases filed to date.  A handful of cases have also been filed in district courts in each of the Second, Third, Fourth, Fifth, Sixth, Seventh, Eighth, and Eleventh Circuits.  Ten of the eleven state court cases filed have been filed in California Superior Courts.

Interestingly, nearly 40% of all CCPA cases filed this year either concerned the T-Mobile data event or alternatively, another data event involving a financial services company following account hacks on the California Employment Development Department’s (“EDD”) prepaid debit cards.  As such, the largest number of cases filed this year were concentrated in the communications and financial services industries.  The remaining CCPA cases, however, span a wide range of industries—including technology, healthcare, insurance, and hospitality.  Even a hair transplant company had a CCPA lawsuit brought against it this year.

And while cyber theft remains on the rise, plaintiffs (and plaintiffs’ attorneys) have not lost sight of other data use implications mandated by the CCPA.  For example, Flo Health Inc., an ovulation-tracking app has been hit with a number of class action lawsuits alleging the app “secretly collected” (i.e. without consent) personal information of users—including whether women were trying to get pregnant—and shared that data with third-party data collectors and advertisers.  The lawsuits follow the FTC’s investigation into related concerns.  Some of the complaints against Flo Health reference the CCPA as supporting other claims raised by plaintiffs, such as violation of the California’s Unfair Competition Law (Cal. Bus. & Prof. Code §§ 17200, et seq.), without asserting a direct CCPA claim.

2021 Developments in CCPA Case Law

This year has seen a number of developments in CCPA litigation case law.  We highlight a few of those developments here.

At the beginning of this year, one federal court held that the CCPA does not limit the scope of discovery in litigation.  Will Kaupelis v. Harbor Freight Tools USA, Inc., Case No. 19-01203 (C.D. Cal.).  This case was brought as a putative class action and concerned claims that the defendant allegedly manufactured and sold chainsaws with a design defect.  After defendant’s motion to dismiss was denied, plaintiff sought discovery that included the PI of customers who had complained about the purported product defect (including individuals in California).  The defendant resisted production of this information, in reliance on the CCPA.  Specifically, the defendant argued that the CCPA expanded the privacy rights previously provided under California law.  As such, the defendant argued that the court should “protect the consumers’ PI by allowing consumers an opportunity to opt out from disclosure.”   The defendant claimed this approach was consistent with the CCPA’s notice and consent requirements.  The court, however, granted plaintiff’s motion to compel, stating that, “[n]othing in the CCPA presents a bar to civil discovery.  Notably, no other case has so held.  And the statute itself explicitly says that it is not a restriction on a business’s ability to comply with federal law.”  The court later dismissed an amended complaint on similar grounds.

In March, Walmart scored a massive win for defendants in data privacy litigation in the Lavarious Gardiner v. Walmart Inc. et al. case.  The Court adopted Walmart’s narrow interpretation of the CCPA and dismissed Plaintiff’s non-cognizable CCPA claim.  As a reminder, this case involved a plaintiff inferring, from finding his information on the dark web, that Walmart had suffered a data breach.  In response, Walmart argued first that Plaintiff’s failure to allege when the breach purportedly occurred was fatal to the Complaint because the CCPA is not retroactive.  The Court sided with Walmart and agreed that Plaintiff needed to plead a breach occurring after January 1, 2020:  “Absent allegations establishing that Walmart’s alleged violation of the CCPA occurred after it went into effect, Plaintiff’s CCPA claim is not viable.”  Second, the Court also held that Plaintiff’s CCPA claim failed for the additional reason that Plaintiff did not sufficiently allege disclosure of his personal information as defined in the CCPA.  Cal. Civ. Code § 1798.81.5.  The Court found insufficient the Complaint’s allegation that the purported breach compromised the full names, financial account information, credit card information, and other PII of Walmart customers: “[a]lthough in the Complaint Plaintiff generally refers to financial information and credit card fraud, he does not allege the disclosure of a credit or debit card or account number, and the required security or access code to access the account.”  (emphasis added).

In July 2021, the Central District of California denied a motion to compel arbitration brought by the Gap in the data breach litigation, Shadi Hayden v. Retail Equation et al., No. 20-cv-01203 (C.D. Cal. July 07, 2020).  There the court reasoned that, because the Gap was not a party to the arbitration agreement it attempted to invoke, the arbitration agreement did not apply to bar the litigation.  The Gap subsequently appealed, and the case remains pending.

In an August decision, a federal judge found that the majority of Plaintiffs’ statutory claims withstood a Rule 12(b)(6) motion to dismiss in the In re Blackbaud data privacy multi-district litigation.  MDL No. 2972 (D.S.C. Aug. 12, 2021).  Plaintiffs’ allegations that a cyberattack resulted from Blackbaud’s “deficient security program” and failure to comply with industry and regulatory standards were sufficient to withstand a motion to dismiss.  As to the CCPA, the Court found that Blackbaud was alleged to be a “business” under the CCPA, relying largely on its registration as a “data broker” under California law.  The Court notably rejected Blackbaud’s argument that its status as a “service provider” insulated it from liability under the CCPA.

In another significant ruling, in Brooks v. Thomson Reuters Corp., No. 21-cv-01418-EMC, 2021 U.S. Dist. LEXIS 154093 (N.D. Cal. Aug. 16, 2021) the Northern District of California recently denied in part a defendant’s motion to dismiss a complaint alleging violations of various consumer privacy statutes. Of note, the Court found that an affirmative defense of compliance with one privacy statute, the CCPA, did not shield defendant from liability for alleged violations of other state laws.

Finally, in December, the Northern District of California denied a motion to intervene and oppose a preliminarily approved settlement in the litigation that followed a widespread data event Accellion had suffered.  Cochran v. Accellion, Inc., 2021 U.S. Dist. LEXIS 214686 (N.D. Cal. Nov. 5, 2021).  In Cochran, one of the entities that used Accellion as a services provider agreed as part of a $5 million settlement to modify its business practices going forward.  This would include switching to a “new secure file transfer solution,” securing or destroying the personal information subject to the data event and boosting its third-party vendor risk management program.  In denying the Proposed Intervenors’ Motion to Intervene, the Court analyzed both intervention as a matter of right and permissive intervention.  The Court rejected the argument that the Proposed Intervenors could intervene as a matter of right because the Court had heard the Proposed Intervenors’ objections to the proposed settlement on two occasions, because the settlement agreement allows putative intervenors to protect their interests by opting out of the settlement class, and because the Court found that the Proposed Intervenors’ interest in a preliminary settlement approval is not a “significant protectable interest.”  The Court denied permissive intervention because, among other things, the Proposed Intervenors already had the opportunity to participate in the fairness hearings.

Predictions for CCPA Litigation in 2022

So what is on the horizon for 2022? Certainly an expansion of consumer privacy laws that follow California’s lead.  This past year saw Virginia and Colorado launch privacy legislation and that trend will continue in 2022.  While claims invoking the consumer privacy law of other states may be kept at bay during 2022, the lessons learned from CCPA litigation will come into play in 2023 as those new laws, particularly those with a private right of action, start going into effect.

In the meantime, we can expect that the lawsuits making their way through the courts will continue shaping the contours of CCPA litigation.  Of particular interest will be the impact of the Ramirez v. TransUnion decision upon class action litigation, including CCPA claims arising from a data incident.  As previously noted, while commentators worried that Ramirez might preclude data breach litigations from being brought in federal courts, those concerns have not materialized, with CCPA claims remaining just as at home in federal court as in state court.

We can also expect to see continued enforcement activity at the state level.  In July 2021, California’s Attorney General Bonta issued a press release summarizing its first year of CCPA enforcement and reinforcing its commitment to CCPA enforcement.  The pressure will remain on companies to annually update their California privacy notices to avoid finding themselves the target of enforcement activities.

2022 is going to remain busy for CCPA litigation and enforcement.  Not to worry, CPW will be there to keep you in the loop.  Stay tuned.

Registration is open for a series of upcoming not-to-be-missed webinars covering key areas for companies seeking to regulate the global compliance landscape.  Register below for insights from CPW’s Alan Friel, Marisol Mork, and others.

Webinar Series: Advertising, Media and Brands – Global Compliance Challenges

2021 has provided unique challenges for businesses operating across the advertising, media and brands industry. Aside from the impact of the pandemic, we are seeing a changing and challenging landscape due to increasing economic, consumer, regulatory and compliance pressures.

With increased exposure as a result of these pressures, Squire Patton Boggs and BDO will be hosting four webinars to support the advertising, media and brands industry in navigating these challenges:

  • November 11, 2021 – Global Data, Technology and Tax
  • November 30, 2021 – M&A Landscape, Post-COVID-19 Transaction Trends and Tips, and Top Five Due Diligence Risks
  • January 12, 2022 – Global Anti-counterfeiting and Brand Protection Trends, and Top Five AMB Hot Topics
  • February 2, 2022 – The Rise of ESG and Global Workplace Challenges

Hosted by Squire Patton Boggs and BDO


Conference: ANA/BAA Marketing Law Conference (In-Person and Virtual)

Nov. 15-17, 2021: San Diego

Session: California Privacy: What Direction Next From CCPA and CRPA?

Alan Friel (Squire Patton Boggs) will review California’s privacy laws with representatives from the California Privacy Protection Agency and the OAG.

Session: State and Local Attorney General Enforcement updates by Marisol Mork (Squire Patton Boggs)

Hosted by ANA.


On Friday, October 15 readers of CPW are invited to join CPW’s Alan Friel from Squire Patton Boggs and Ankura experts David Manek and Colleen Yushchak as they discuss key themes from California attorney general’s examples of CCPA non-compliance.  Please join for their insights, which will include essential CCPA compliance tools at TrustWeek OneTrust User Conference on October 15.

“Since it was enacted just over a year ago, companies are now having to deal with the uncertainties surrounding the interpretation of the California Consumer Privacy Act (CCPA) and the circumstances that might subject them to penalties and fines for violations. In an effort to inform the marketplace and minimize those uncertainties, the office of the California attorney general recently published 27 examples that demonstrate what CCPA non-compliance looks like and highlights actions that can be taken to remedy each situation. Ankura’s David Manek and Colleen Yushchak will be joined by Alan Friel from the law firm of Squire Patton Boggs for an in-depth look at the AG’s various scenarios and provide an analysis of their review. In addition to sharing insights on how the OneTrust technology can be applied to the scenarios, David, Colleen and Alan will provide several essential tools, including a checklist of CCPA enforcement issues you can use as part of your year-end assessment and best practices for planning your 2023 CPRA/CDPA/CPA workstreams.”

Registration is available at: https://www.trustweek2021.com/

Since it was enacted just over a year ago, companies have had to deal with the uncertainties surrounding how to interpret the California Consumer Privacy Act (“CCPA”) and the circumstances that might subject them to penalties and fines for violating the CCPA.  As CPW readers are already aware, in an effort to inform the marketplace and minimize those uncertainties, the office of the California attorney general recently published 27 examples that demonstrate what CCPA non-compliance looks like and highlights actions that can be taken to remedy each situation.

In a webinar, CPW’s Alan Friel and Ankura’s David Manek and Colleen Yushchak provide an in-depth look at the AG’s various scenarios and a discussion of the common themes they have distilled from their analysis of all 27 examples. In addition to sharing insights, David, Colleen and Alan provide several essential tools, including a checklist of CCPA enforcement issues you can use as part of your year-end assessment, guidance on current compliance for January 2022 CCPA notice updates, and best practices for planning your 2023 CPRA/CDPA/CPA workstreams.

You can watch it here.

In a significant ruling, the Northern District of California recently denied in part a defendant’s motion to dismiss a complaint alleging violations of various consumer privacy statutes. It found that an affirmative defense of compliance with one privacy statute, the California Consumer Privacy Act (“CCPA”), did not shield defendant from liability for alleged violations of other state laws.

First, the facts. In Brooks v. Thomson Reuters Corp., No. 21-cv-01418-EMC, 2021 U.S. Dist. LEXIS 154093 (N.D. Cal. Aug. 16, 2021), Plaintiffs alleged that defendant Thomson Reuters aggregated publicly available information about millions of individuals, in addition to pulling information from third-party brokers, to create “dossiers” that it sells through an online platform called CLEAR. Plaintiffs were two individuals who claimed that defendant was selling their personal information through CLEAR without their consent; one plaintiff also claimed that his CLEAR profile included inaccurate information. Plaintiffs alleged violations of the California common law right of publicity and the California Unfair Competition Law (“UCL”), and brought claims for unjust enrichment and injunctive relief.

After removing the action to state court, defendant filed the motion to dismiss. One of its primary defenses was that its conduct was not “unfair” under the UCL because such conduct was permitted under the CCPA, which provides that a consumer has an opt-out right to “direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information.” As defendant interpreted this language, it was permitted to sell plaintiffs’ information so long as it provided plaintiffs a mechanism to opt out of the sale.

The Court disagreed, pointing to the statutory intent of the CCPA, which provided that the law was not intended to curtail other privacy statutes and should be interpreted to allow the greatest privacy protections possible. Following this reading, the Court observed that the fact that defendant provided an opt-out mechanism did not necessarily mean that its conduct was fair. It also observed that there was a question of fact as to whether CLEAR’s opt-out mechanism was “reasonably accessible” and “clear and conspicuous” to consumers in the manner required by the CCPA, based on the allegations in the Complaint.

On this basis, the Court proceeded to consider plaintiffs’ UCL claim, and found that plaintiffs had sufficiently stated a claim under the UCL. It also allowed plaintiffs’ remaining claims to survive defendant’s motion to dismiss.

Readers should take note that—while creative—simply claiming compliance with one privacy statute may not serve as a shield against other consumer privacy claims. Also noteworthy is the Court’s broad interpretation of the privacy laws at issue to allow for the greatest possible consumer protections. CPW will continue to keep an eye on this litigation for you.

Since it was enacted just over a year ago, companies have had to deal with the uncertainties surrounding how to interpret the California Consumer Privacy Act (“CCPA”) and the circumstances that might subject them to penalties and fines for violating the CCPA.  As CPW readers are already aware, in an effort to inform the marketplace and minimize those uncertainties, the office of the California attorney general recently published 27 examples that demonstrate what CCPA non-compliance looks like and highlights actions that can be taken to remedy each situation.

In a new webinar, CPW’s Alan Friel and Ankura’s David Manek and Colleen Yushchak will provide an in-depth look at the AG’s various scenarios and a discussion of the common themes they have distilled from their analysis of all 27 examples. In addition to sharing insights, David, Colleen and Alan will provide several essential tools, including a checklist of CCPA enforcement issues you can use as part of your year-end assessment, guidance on current compliance for January 2022 CCPA notice updates, and best practices for planning your 2023 CPRA/CDPA/CPA workstreams.

You can register for the webinar (and for attorneys, obtain 1 hour of CLE credit) which will be held September 9th at 11 am CST here.