As the California Consumer Privacy Act concludes its third year in operation, plaintiffs continue to file CCPA claims consistently, although less frequently than in 2021. In 2022, there were nearly 70 new complaints, many of which were brought in connection with a data breach.[1] In addition, 2022 ushered in enforcement guidance from the California Attorney General.[2] Now, 2023 brings the California Privacy Rights Act, which will be enforced by the California AG as well as the new California Privacy Protection Agency, beginning July 1, 2023.[3]
In our prior report, we examined the ways that plaintiffs were bringing claims under the CCPA’s private right of action and how those claims had developed through the CCPA’s second year of life. These included attempts to (i) apply CCPA retroactively or to non-residents of California, (ii) assert claims for violations of sections other than § 1798.150 (the data breach provision) or in the absence of a data breach, and (iii) use the CCPA as a predicate for other claims (such as California’s Unfair Competition Law). In 2022, courts continued to provide guidance on these issues, including the Central District of California in Hayden v. Retail Equation, Inc., which considered many of these issues:[4]
- Retroactive application. The Hayden court confirmed that no part of the CCPA is retroactive, given the absence of an express retroactivity provision.[5] Although plaintiffs argued that defendants had a “pattern and practice of data sharing,” the court determined that was not enough to show that plaintiffs’ personal information had been exposed during the operative period of the CCPA.
- Claims brought by non-California residents. Hayden also concluded that CCPA claims brought by out-of-state plaintiffs fail because the CCPA does not apply to non-California residents.[6]
- Violations based on sections other than § 1798.150 or not concerning data breaches. Hayden limited the private right of action to the data breach context, finding specifically that “the CCPA does not provide for a private right of action for §§ 1798.100(b), 110(c), and 115(d).” In doing so, the court clarified that the private right of action only applies to “violations as defined in subdivision [1798.150](a) and shall not be based on violations of any other section of [the CCPA].”[7]
- CCPA does not provide immunity for UCL violations. While in 2021 courts rejected attempts to use the CCPA as the predicate for a California UCL claim, in one case this past year the Northern District of California concluded that the CCPA did not immunize a defendant from liability under the UCL, either.[8] In Kellman v. Spokeo, Inc., the plaintiff asserted a UCL claim against Spokeo based on allegations that Spokeo used plaintiffs’ names and likenesses to advertise paid subscriptions to Spokeo’s website.[9] Spokeo argued that it was permitted to use the data because the CCPA’s notice requirements for using consumers’ personal information contain an exemption for publicly available data; as a result, Spokeo argued, its conduct could not violate the UCL.[10] The court disagreed on the ground that the CCPA provisions only exempt publicly available data from the notice requirements that the statute itself imposes on companies that collect Californians’ data.[11] The CCPA provisions do not expressly or impliedly set aside privacy-based tort claims or related UCL claims.
Decisions from 2022 also provided further insight into how plaintiffs must properly plead CCPA claims:
- Pleading requirements for alleging lack of reasonable security. In our last year-in-review, we discussed a recurring question in CCPA cases: what must plaintiffs plead to adequately allege a violation of the duty to implement and maintain reasonable security procedures and practices under § 1798.150? We highlighted a 2021 Southern District of California case, which rejected a plaintiff’s CCPA claim that failed to allege facts concerning the defendant’s alleged security deficiencies.[12]
More recently, in Kirsten v. California Pizza Kitchen, Inc., the Central District of California concluded that plaintiffs can plausibly allege that defendants have failed to maintain reasonable security procedures merely by alleging that defendants allowed unauthorized parties to access plaintiffs’ PII. In Kirsten, plaintiffs’ PII had been the subject of a data breach. The court looked to other Central District opinions, which had ruled similarly.[13] The Kirsten court flagged as a counterpoint a Southern District of California case that required plaintiffs to plead facts indicating a defendant’s failure to comply with industry security standards in order to meet the plausibility requirement.[14] The Kirsten court distinguished that case because it came before the CCPA was enacted and was therefore dealing with a negligence-based “reasonable security” analysis.
- Failure to implement and maintain reasonable security measures is a prerequisite to a civil claim under the CCPA. In Hayden,[15] the court made clear that the disclosure of a customer’s non-anonymized data as part of a business decision was not a basis for a claim under § 1798.150(a). Rather, to support a claim under that section, the disclosure must be the result of a failure to implement and maintain reasonable security procedures and practices appropriate to the nature of the information. Finding the defendant’s release of plaintiff’s personal information in that case to be a business decision to combat retail fraud, not the result of any failure to maintain reasonable security measures, the court dismissed the CCPA claim. The Central District of California has likewise dismissed a CCPA claim, holding that a plaintiff needs to allege that a defendant’s disclosure of plaintiff’s information to a third party was the result of a failure to implement and maintain reasonable security measures.[16]
- Allegation that data is still “out there” is not sufficient to show failure to cure. In In re Waste Mgmt. Data Breach Litigation, the Southern District of New York dismissed a CCPA claim, finding that plaintiffs had not adequately pleaded that Waste Management had (i) breached its duty to implement and maintain reasonable security measures or (ii) failed to cure its alleged violations of the CCPA.[17] While the court concluded plaintiffs’ allegations that their data was still “out there” were insufficient to show a failure to cure, the court did not grapple with the meaning of the CCPA’s cure provision (as it existed at the time).[18] The court did note, however, that the CCPA “does not require businesses that have experienced a data breach to place consumers in the same position they would have been absent a breach.”[19]
The court’s decision predates the CPRA, which amends the CCPA’s cure provision, and provides that implementing and maintaining reasonable security procedures and practices “following a breach does not constitute a cure with respect to that breach.”[20] The CPRA thus limits the means by which a company can cure its alleged breach of the duty to maintain reasonable security measures. This change arguably lessens the importance of Waste Management, by changing the standard of what constitutes a cure of a violation of the duty to maintain reasonable security procedures and practices.
Finally, while the focus to date has been on private litigation, last year the California Attorney General made its enforcement activities public.
- Though enforcement activity broadly encompassed multiple provisions of the CCPA, “sales” of personal information were a focal point.[21] The California AG began sending notices of violation to companies on July 1, 2020, when enforcement of the CCPA began. In August 2022, the AG updated its “CCPA Enforcement Examples” list with 13 new examples.[22] These examples cover businesses across a number of industries (including consumer retail, hospitality, technology, and healthcare) and issues such as the failure to honor opt-outs of sales, non-compliant notices of financial incentives, non-compliant privacy policies and request methods, and the erroneous handling of requests to know as requests to delete.
On August 24, 2022, the AG settled with Sephora, Inc. for $1.2 million in penalties. The enforcement action arose out of Sephora’s failure to disclose that it “sold” consumer personal information when it provided the information to third parties in exchange for free or discounted analytics and advertising benefits.[23] This result gives businesses much-needed insight into the AG’s interpretation of what qualifies as “anything of value” in determining whether a disclosure of information is a “sale” under the law.
Although judges and regulators have provided some guidance for businesses on how to navigate the CCPA (and by extension, the CPRA), after three years many open questions remain. As Waste Management highlights, the meaning of the CCPA’s cure provision has been a source of confusion since the CCPA was enacted, and the new CPRA provision only adds to the confusion. Additionally, it remains to be seen how the California Privacy Protection Agency will coordinate its efforts with the California AG and what new enforcement actions 2023 will bring. We look forward to guidance from courts, the California AG, and the California Privacy Protection Agency on these questions, and to seeing how the law further develops in the coming year.
[1] The pace of filings fell in 2022, from about 100 CCPA complaints filed in 2021 to less than 70 in 2022.
[2] https://oag.ca.gov/privacy/ccpa/enforcement.
[3] The CPRA does not expand the CCPA’s private right of action beyond the data breach context. See our outline of changes the CPRA will bring.
[4] No. SA CV 20-01203-DOC-DFM, 2022 WL 2254461 (C.D. Cal. May 4, 2022).
[5] 2022 WL 2254461, at *4, on reconsideration, No. SA CV 20-01203-DOC-DFM, 2022 WL 3137446 (C.D. Cal. July 22, 2022) (citing Gardiner v. Walmart, Inc., No. 20-CV-04618-JSW, 2021 WL 2520103, at *2 (N.D. Cal. Mar. 5, 2021)).
[6] Id.
[7] 2022 WL 2254461, at *4.
[8] Kellman v. Spokeo, Inc., 599 F. Supp. 3d (N.D. Cal. 2022), denying cert, to, No. 3:21-cv-08976-WHO, 2022 WL 2965399 (N.D. Cal. July 8, 2022).
[9] Id. at 884.
[10] Id. at 897.
[11] Id.
[12] Maag v. U.S. Bank, Nat’l Ass’n, No. 21-cv-00031-H-LL, 2021 WL 5605278, at *2 (S.D. Cal. Apr. 8, 2021).
[13] No. 2:21-CV-09578-DOC-KES, 2022 WL 16894503, at *3, 9 (C.D. Cal. July 29, 2022), reconsideration denied, No. 2:21-CV-09578-DOC-KES, 2022 WL 16894880 (C.D. Cal. Sept. 8, 2022).
[14] Razuki v. Caliber Home Loans, Inc., No. 17cv1718-(LAB)(WVG), 2018 WL 6018361 at *2 (S.D. Cal. Nov. 15, 2018).
[15] 2022 WL 2254461, at *5.
[16] No. SACV 21-262 PSG (JDEx), 2022 WL 3012528, at *7 (C.D. Cal. Jan. 24, 2022).
[17] No. 21 cv 6147 (DLC), 2022 WL 561734, at *6 (S.D.N.Y. Feb. 24, 2022).
[18] Id. at 19.
[19] Id.
[20] CPRA § 1798.150(b).
[21] The California AG also issued its first CCPA opinion in March 2022, taking an expansive view of the “right to know” the specific pieces of personal information that a business collects, which includes inferences about a consumer (whether generated internally or obtained from another source) unless an exception applies. Read our prior client alert for more details.
[22] https://oag.ca.gov/privacy/ccpa/enforcement.
[23] See CCPA § 1798.140 (defining “sale” as “the exchange of personal information for anything of value”).