California Consumer Privacy Act not yet resulting in payouts

More than a year and half after the California Consumer Privacy Act took effect, one thing is clear: obtaining damages under the law in US federal court is difficult.

A CCPA provision giving California residents the right to sue if their unencrypted data was compromised in a data breach isn't the boon for plaintiffs' lawyers many predicted. So far, most federal judges are either dismissing CCPA claims as insufficient, or plaintiffs are choosing to drop their claims voluntarily as their case moves forward.

Hundreds of lawsuits seeking damages under the CCPA have been filed since the law took effect in January 2020, with T-Mobile the latest company facing lawsuits alleging CCPA violations following a data breach.

“It was like the California Gold Rush in 1848,” said data breach attorney Ian Ballon, executive director of Stanford University Law School’s Center for the Digital Economy. “Every plaintiffs lawyer added a CCPA claim to their case.”

But no plaintiffs firm has hit the CCPA mother lode yet. No federal judge or jury has awarded damages to plaintiffs under the law, which provides awards of between $100 and $700 per consumer per incident, or actual damages, whichever is greater. Only a handful of lawsuits alleging CCPA violations have survived motions to dismiss.

That won’t stop the lawyers from filing CCPA lawsuits, because eventually they’ll succeed in court, privacy experts predict.

“It’s going to happen,” said David Biderman of Perkins Coie, which has been tracking CCPA lawsuits since the law went into effect.

According to the Perkins Coie tracker, Biderman said, more than 200 lawsuits alleging a range of CCPA violations have been filed in federal court since the law took hold.

Most haven’t gone anywhere, so far. Many have been dismissed because the allegations weren’t directly related to a data breach, but rather claimed a violation of privacy rights under the law.

In February, Google escaped claims that it violated the CCPA by using a program called “Android Lockbox” to spy on Android smartphone users. US Magistrate Judge Susan Van Keulen in San Jose dismissed the CCPA claim after the plaintiffs conceded there were no allegations of a security breach.

For lawsuits that do involve a security breach, there are several hurdles and questions that would have be decided at a trial, an expensive and risky option.

Plaintiffs have to show that their personal information was nonencrypted and nonredacted, and that the alleged breach was the result of a failure to maintain reasonable security practices, as required by the CCPA. They have to prove that there was “exfiltration” of their data.

In July, Walmart escaped claims that it violated the CCPA in part because the complaint didn't allege the disclosure of personal information. US District Judge Jeffrey S. White said the plaintiffs also failed to show how the CCPA applied because the alleged security breach occurred before the law was enacted.

There are also procedural hurdles. Claims for damages must be filed after the CCPA’s 30-day notice and cure period has expired. Marriott tried to evade CCPA claims over a 2020 data breach by arguing that it had not been properly notified.

But Judge David Carter in the Central District of California never reached the question and instead dismissed the case in January because the plaintiff failed to allege any injury or that sensitive information was at issue.

Pursuing CCPA claims can be so tricky that plaintiffs drop them voluntarily along the way. For example, both Zoom and Ring faced lawsuits alleging CCPA violations after the companies were hacked. But when similar class actions against the companies were consolidated in federal court, plaintiffs left off the CCPA claims from their amended joint complaint. Zoom settled its privacy claims for $85 million in July.

There is still hope for plaintiffs' lawyers hoping for a payout under the CCPA. Federal judges have allowed CCPA claims to move forward in a handful of data security cases.

Inmediata Health Group, which provides billing and health record software and service solutions to healthcare providers, was sued in 2019 after personal information from more than 1.5 million people was posted on the Internet. The breach in this case was allegedly caused by “a webpage setting that permitted search engines to index webpages.”

US District Judge Jeffrey T. Miller San Diego said that while the CCPA does not apply to medical information, plaintiffs had alleged that other non-medical information was accessible on the Internet as a result of the breach, which constituted a “disclosure” under the law.

But the plaintiffs are still not likely to be awarded damages under the CCPA. Miller issued an order on Aug. 23 asking the parties why the case should not be transferred to the District of Puerto Rico, where another case against Inmediata was filed three months earlier over the same data breach.

Both sides told Miller today they agreed the case should be transferred to Puerto Rico, where US District Judge Jay A. Garcia-Gregory preliminarily approved a class-action settlement on July 23.

Online brokerage company Robinhood will have to face CCPA claims filed on behalf of 2,000 customers after their accounts were hacked last year. Robinhood argued that customers can't allege any qualifying unauthorized disclosure under the CCPA, or that any such disclosure was the result of a violation of the duty to maintain reasonable and appropriate security procedures.

But Van Keulen, in the Northern District of California, disagreed and referenced Miller’s decision in the Inmediata case. Robinhood’s customers had sufficiently alleged a plausible claim that their personal and financial information “was subject to an unauthorized access based on violation of the CCPA,” Van Keulen said.

And cloud software company Blackbaud will have to face CCPA claims after the firm discovered a ransomware attack in May 2020. Blackbaud had argued that it’s not a “business” regulated by the CCPA because it qualifies as a “service provider” under the law.

On Aug. 12, US District Judge J. Michelle Childs in South Carolina disagreed and said Blackbaud is a regulated business under the CCPA, and pointed to the fact that it’s a registered data broker in California.

“As California Plaintiffs adequately assert that Blackbaud constitutes a ‘business’ under the CCPA, they sufficiently allege violations of the CCPA,” Childs said.