The California Consumer Privacy Act (CCPA): class action lawsuits and their effects on companies and consumers

The adoption of consumer privacy laws is gaining traction in the United States. Many American companies must address their responsibilities regarding consumers’ data privacy and security at home. Both with data they’ve already collected, and data they want to collect and monetize in the future.

In the absence of a federal consumer privacy law, it is up to each state to draft this legislation, balancing consumers’ rights with companies’ needs and wants in doing business. Not to mention the potential influence of the tech giants.

The California Consumer Privacy Act (CCPA) came into effect on January 1st, 2020, intended to provide and enhance consumer protection and privacy rights for California residents in the United States.

The CCPA gives consumers several key rights:

• The right to know about the personal information a business collects about them and how it is used and shared
• The right to know whether, and to whom, their personal information is sold and/or disclosed
• The right to delete personal information collected from them (with some exceptions)
• The right to opt out of the sale of their personal information
• The right to non-discrimination for exercising their CCPA rights

The CCPA also gives companies more responsibilities with regards to communicating with customers whose data they collect, as well as in safeguarding that data. 

For further information about what constitutes consumers “personal information” under the CCPA, please see “Personally Identifiable Information (PII) vs. Personal Data – What’s the difference”? The CCPA’s definitions of personal information cover both sensitive/linked and non-sensitive/linkable data that companies collect about consumers.

The United States does not have a single federal or regional statute for consumers’ privacy rights and protections like the General Data Protection Regulation (GDPR) in the European Union or the Lei Geral de Proteção de Dados (LGPD) in Brazil. 

Without state-level laws, consumers’ privacy rights and protections would be even more piecemeal and challenging to enforce. The CCPA was the first such state-level law passed, and to date it’s the most sweeping internet-focused data privacy legislation passed in the US, extending consumer protections online. It has been influential on both the Virginia Consumer Data Protection Act (CDPA) and the Colorado Privacy Act (CPA), the other two state-level laws that have been passed.

The long-term success of federal laws has varied. Additionally, there has never been consensus if or how federal law would override state and/or local laws, or the scope of consumers’ recourse against violators. However, with the passage of the California Privacy Rights Act (CPRA) and CPA, there appears to be movement toward the states’ Attorneys General having oversight over interpretation and enforcement.

As a result, new state-level regulations will have significant impact. The CCPA has already proved influential on other states that passed laws and those that are pursuing similar legislation. Several of these state bills are considered “copycat laws” due to their degree of similarity to or having directly copied language from the CCPA.

State-level laws may not encompass the entire United States, but California’s population is just under 40 million people and has the world’s fifth largest economy. New York’s population is almost 19.5 million and has the world’s tenth largest economy. Laws passed in these states affect numbers of consumers greater than the populations of many countries, and the businesses with which they interact.

Several states, particularly Washington and California, are also home to a number of the world’s largest technology companies. Those certainly have influence with both state and federal governments when laws are being drafted and revised.

Given the complexity and ambiguities that companies face trying to navigate a patchwork of state-level laws, it would not be surprising for companies that collect consumer data to support federal legislation. At the very least in order to simplify requirements for businesses, but also perhaps to push for weaker overall regulation.

Companies in the EU and other countries with established federal privacy laws would likely also welcome a single federal regulation for data privacy – rather than wrangling with state-by-state minutiae – if they do business in the US, or plan to.

The United States has made legislative efforts to bolster privacy-related laws in the past. But each has had a specific scope, like the Children’s Online Privacy Protection Act (COPPA), or the Health Insurance Portability and Accountability Act (HIPAA).

The CCPA applies to consumers who are California residents. However, what qualifies as residency? That question will be addressed in some of the lawsuits filed to date.

Under the CCPA, consumers have to be provided with their personal information dating back one year from the date they requested it. Companies can choose to disclose data from a longer period of time, or all of the consumer’s data that they have collected.

It is not yet clear, however, if consumers can be denied access to data collected about them more than 12 months prior to the request date. Companies could also find themselves in a tricky spot depending upon when they achieved CCPA compliance. For example, what if the data that a customer requests is from before the company started accurate date stamping of consents or personal data collected?

A business can require the consumer requesting the data to provide identity authentication, given the personal nature of the information requested. If the consumer has an account with the business, the consumer can be required to submit the request through that account. 

If the consumer does not have an account with the business, however, that person cannot be required to create an account to make an authenticated request. The request only has to be in writing and submitted via a format that can be readily accessed and used.

Employees of companies doing business in California are also defined as consumers under the CCPA, so compliance is also an HR issue. Companies must notify employees, contractors, and job applicants when their personal information is collected. The data collected can only be used for specific reasons provided in notices to employees.

By some estimates the CCPA does or will affect over 500,000 companies. However, it doesn’t apply to all California businesses, and consumers can’t request their personal information from just any company. 

The CCPA applies to any for-profit entity, doing business in California, that collects consumers’ personal data. So not just companies headquartered there. Companies must also meet at least one of these thresholds:

• The company has at least $25 million annual gross revenue; or
• The company receives, buys, sells, or shares for commercial purposes, alone or in combination, personal information on at least 50,000 California residents, households, or devices; or
• The company derives more than half of its annual revenues from the sale of personal information

Currently, companies only need to comply with the CCPA for their California-based employees, not their entire workforces. However, as more and more states adopt privacy laws, or if federal legislation is ever passed, this will change. 

Full compliance from the beginning may save headaches in the future. Businesses will have to train all employees who will have access to consumers’ data. As relevant companies’ employees are defined as consumers, that will include their coworkers. EU companies moving into the California market may already have an advantage, as achieving GDPR compliance will have completed the lion’s share of the work CCPA compliance would require.

Businesses have to provide consumers with at least two methods to submit requests. If they have a website, consumers have to be able to submit requests there. For businesses operating exclusively online, at least an email address must be provided. Bricks and mortar businesses have to at least provide a toll-free telephone number. 

Businesses have 45 days from when they receive a consumer request to disclose and provide the information. They are also responsible for verifying the identity of the consumer making the request. But verification cannot be the excuse for invoking the one-time additional 45-day extension due to “reasonable” extenuating circumstances.

Dozens of class action lawsuits have been filed in state and federal courts, alleging companies’ consumer data-related violations under the CCPA. The companies named in the lawsuits range from tech companies to medical services providers to hotel chains.

Some lawsuits are fairly straightforward, alleging that consumers’ data was unlawfully accessed or used, and seeking damages. Other lawsuits may have less clear standing regarding whether they meet the CCPA’s requirements. But those have broader implications in testing the Act’s boundaries and definitions.

Under the CCPA, consumers now have “private right of action”. They can begin and prosecute an action in court, if their “nonencrypted and nonredacted personal information” is:

“…subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information…”

Consumers can recover damages between $100 and $750 USD per consumer per incident, or actual damages, whichever is greater. Interestingly, disagreement regarding the inclusion of private right of action contributed to the failure of passing the Florida Privacy Act in April 2021. The Colorado Privacy Act does not include private right of action, only empowering the Attorney General with enforcement.

Under the CCPA, consumers can also pursue civil action to receive injunctive or declaratory relief. This would be more an official record that a company did, indeed, commit a violation, and help prevent them from committing future ones. The court can also levy any other relief deemed proper.

Some of the most high profile CCPA lawsuits to date relate to issues of consent regarding data collection and disclosure. Others raise questions regarding who can bring actions, what really is a data breach, definitions of “sensitive personal information”, and what constitutes resulting injury or harm.

L.P. v. Shutterfly Inc., G.R., et al. v. Tiktok, Inc., McCoy v. Alphabet, Inc., and Robert Cullen, et al v. Zoom Video Comms are based on similar claims. The companies named failed to get consumer consent for collection and disclosure of consumers’ data, which was sold to third parties.

The plaintiffs also assert that in addition to not being informed of what data was being collected, opt-in or parental consent were not requested or required, and there was no opportunity for data deletion.

In the Shutterfly and TikTok cases, some of the data was that of minors, and biometric data, including faces mapped from images, were among the data collected. 

TikTok agreed to pay $92 million USD to settle 21 federal lawsuits. This represents 89 million American users whose personal information, according to the allegations, was tracked and sold. Some of the data was sold to third parties in other countries. The Shutterfly case is ongoing. 

Learn more about TikTok’s privacy issues and what they mean for online advertisers.

The Cullen lawsuit was the first of several filed against Zoom. The company is alleged to have falsely represented its data collection and disclosure to users, and to have transferred the data to Facebook and possible other third parties without authorization. (In the subsequently amended complaint the Facebook claim was dropped).

In Google parent company Alphabet’s case, plaintiffs allege that Google failed to adequately disclose the data it collects from Android smartphone users. Google employees allegedly used a secret internal program called “Android Lockbox”. With this they monitored and collected users’ personal interaction data with non-Google apps without consent. This case was dismissed, as the court found that the complaints were outside the scope of what is allowed under private right of action.

Google previously had a 100 million Euro fine levied against it by the French data protection authority.

According to the California Attorney General, under the CCPA, a consumer can only sue a business in the event of a data breach. Even then only under limited circumstances. The Act prohibits claims based on violations of its disclosure and opt-out provisions. Some of the lawsuits are based on those provisions, though. So are they nonviable?

It won’t be until these various lawsuits are concluded that there will be a clearer determination of whether the sale of data without notice, opt-in, parental consent, or opportunity for deletion, is equivalent to the “unauthorized access and exfiltration, theft, or disclosure” of the data. 

The lawsuits will also help to establish a concrete definition of “consumer” under the Act. In Fuentes v. Sunshine Behavioral Health Group LLC, there was a data breach that allegedly exposed sensitive personal and medical information for thousands of Sunshine Behavioral Health Group’s patients. 

However, the plaintiff, Fuentes, is not a resident of California, having only spent a month at the defendant’s facility. It is unlikely that this would be considered a sufficient length of time to meet the residency requirement of the CCPA, which does not apply to residents of other states.

This case also has broader implications, since there are likely many groups of people whose residency is harder to categorize. College students, for example, might be from another state, but could reside in California for the majority of each calendar year. 

Considerations may include whether a person is in California for less than six months of the year, if their stay is/was for a specific period of time, or if they maintain a permanent residence in another state.

In Rahman v. Marriott International, Inc., two unauthorized Marriott employees in Russia breached data security by accessing members’ personal information. While the breach itself was not questioned, the plaintiff did not assert a claim for damages when the suit was filed. That was only added in an amendment three months later. This case was dismissed on standing grounds.

The defendants also argued that no sensitive personal information, such as credit card numbers, was compromised. Questions about definitions of personal information sensitivity were also raised in the Fuentes case.

Dozens of the lawsuits brought against companies to date do not unquestionably fit the CCPA’s definitions of acceptable violations allowing private right of action. But clearly some think that these lawsuits are a viable route to get the interpretations expanded.

Not enough of these suits have been resolved yet to say concretely what the standard will become. Will such actions be viable? What will the resolutions be if they are allowed to proceed? Some of the expanded interpretations that plaintiffs are hoping for would certainly encourage far more lawsuits.

These lawsuits are likely to serve as a wake-up call to many companies. Certainly many have or will have had a great deal of work and expense to become compliant with CCPA obligations.

But they might not have thought through the implications of a data breach resulting from compliance failure. Class action litigation could prove far more costly than an audit finding of non-compliance.

Best practice efforts to comply are important to mitigate the risk of litigation. A $92 million settlement may be an inconvenience to some companies, but it would be ruinous to others.

An opt-in model like in the GDPR might help prevent or mitigate a number of potential violations under the CCPA. However, the reality is that many, many companies have already collected, and continue to collect and use, nearly unfathomable amounts of consumer data. Flipping that model would be extremely difficult and expensive and companies would likely fight hard against it.

As seen in the Marriott case, there is likely to be further exploration of data sensitivity and how its compromise relates to potential injury. Like with the definition of a data breach, some of the CCPA lawsuits will question the definition of “personal information” as well as “sensitivity”.

Currently the CCPA takes its definition of personal information from the California Civil Code § 1798.81.5(d)(1)(A), wherein personal information means:

“An individual’s first name or first initial and the individual’s last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted”

or

“A username or email address in combination with a password or security question and answer that would permit access to an online account”

The accepted data elements combined with name or account login details are:

• Social Security Number
• Driver’s license number
• California identification card number
• Tax identification number
• Passport number
• Military identification number
• Other unique government identification number
• Account number or credit or debit card number, combined with security or access code or password
• Medical information
• Health insurance information
• Biometric data, not including a physical or digital photograph, unless used or stored for facial recognition purposes

The data in question in a number of the CCPA lawsuits don’t appear to meet these definitions. So it remains to be seen how broad an interpretation the courts are willing to accept. Potentially, other factors such as how the compromised data was used could also hold some influence.