CCPA Class Actions and Standing Requirements

When the California Consumer Privacy Act (“CCPA”) went into effect on January 1, 2020, most observers expected a flood of CCPA class action lawsuits against companies essentially defenseless against the proscriptive liability of the new law. The number of class actions filed since the effective date of the CCPA may have been somewhat less than expected, and plaintiffs’ lawyers are testing the limits of the new law in many regards. Further, perhaps due to delays related to COVID, the courts have not yet had the opportunity to define the parameters of CCPA, especially in the context of class actions. Nevertheless, there are insights to be gleaned from the initial filings, as we will describe below.

Standing Remains a Requirement in Federal Court Class Actions

Article III of the Constitution limits the jurisdiction of federal courts to “cases” or “controversies.”¹ To establish Article III standing, a plaintiff must have suffered an “injury in fact” – an invasion of a legally protected interest that is “concrete and particularized” and “actual or imminent, not conjectural or hypothetical.”²

Standing has unique application to class actions, particularly whether the class representative, and the members of the class have in fact suffered concrete and particularized injuries. The Supreme Court has held that a plaintiff who seeks to represent a class must show that they personally have been injured, not merely that an injury was suffered by one or more members of the putative class.³

The CCPA provides two different authorizations for claims, and the standing analysis will depend on which type of claims are at issue. A CCPA claim may be based in either (a) an alleged injury to the plaintiffs from unauthorized access to the consumer’s data (data breach claims); or (b) a violation of some other right conferred on consumers under the CCPA, such as the right to be informed of how their data is being used and shared (non-data breach claims).

Standing Requirements for CCPA Data Breach Class Actions

To bring a CCPA claim arising from a data breach,⁴ a plaintiff must show that their unencrypted or nonredacted personal information (as defined in the statute) was accessed, stolen, or disclosed because of a company’s failure to implement and maintain reasonable security procedures and practices. A plaintiff is entitled to recover statutory damages ranging from a minimum of $100 to a maximum of $750 per violation, or actual damages, whichever is greater.⁵

Whether the CCPA’s statutory penalty for data breaches is enough to establish Article III standing in federal court, however, remains an open question. As the plaintiffs recently learned in Rahman v. Marriott,⁶ Article III standing must be independently established even for CCPA data breach claims which trigger statutory damages. In Rahman, consumers brought a class action for violations of the CCPA and other claims after Marriott disclosed that two employees of a Marriott franchise in Russia accessed names, addresses, phone numbers, email addresses, genders, birth dates, and loyalty account numbers without authorization. Reportedly, there was no access to sensitive financial information such as social security numbers, credit card information, or passwords.

The question this case presented was whether the mere possibility of the more sensitive information being accessed constituted a risk of real and immediate injury sufficient to confer Article III standing. Judge David Carter agreed with Marriott and granted its motion to dismiss, finding that the compromised information lacked “the degree of sensitivity required by the Ninth Circuit to establish injury in fact,”⁷ and therefore the plaintiffs could not meet the constitutional requirements of standing.

There are other potential standing arguments, not reached by the Court in Rahman, but based in the language of the statute. The CCPA limits a claim for penalties to those consumers whose personal information “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”⁸ Given that the Rahman decision is now on appeal to the Ninth Circuit, an open question remains as to whether a mere unauthorized “access” – which from a technical perspective could mean many different things – is sufficient to trigger the CCPA penalties or otherwise constitute a concrete and particularized injury.

Standing Requirements for Other CCPA Violations

Claims that involve an alleged violation of the CCPA unrelated to a data breach may present an even more daunting challenge for standing. Because the CCPA does not provide for a private right of action or remedy for claims not involving the unauthorized access to personal information, most non-breach cases are premised on the theory that the defendant company’s failure to comply with the CCPA constitutes an “unlawful” practice under California’s Unfair Competition Law (“UCL”), which prohibits any business practice that is unlawful, unfair, or fraudulent.⁹ “In prohibiting any unlawful business practice, the UCL borrows violations of other laws and treats them as unlawful practices that the [UCL] makes independently actionable.”¹⁰

The UCL has its own robust body of law dealing with its standing requirements, which are premised on financial harm.¹¹ A plaintiff has standing to bring a UCL claim only when he or she “has suffered injury in fact and has lost money or property as a result of the unfair competition.”¹² A UCL plaintiff must “(1) establish a loss or deprivation of money or property sufficient to qualify as injury in fact, i.e., economic injury, and (2) show that that economic injury was the result of, i.e., caused by, the unfair business practice or false advertising that is the gravamen of the claim.”¹³ A UCL plaintiff-representative must satisfy these requirements in order to represent a class.¹⁴

The question of whether the plaintiff alleging a non-breach violation of the CCPA is permitted to bring its action under the UCL’s “unlawful” prong is complicated by the fact that the CCPA expressly states that “nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law.”¹⁵ Even assuming the CCPA can be so used, the question becomes whether the plaintiff has a sufficient economic injury. Whether a violation of the CCPA’s notification requirements (in contrast to a data breach claim) constitutes lost money or property as required for UCL standing remains unclear. California courts have not yet found that personal information constitutes a property interest, and a mere violation of a law with no resulting injury to the plaintiff is insufficient to satisfy UCL standing.¹⁶

Developments in the Supreme Court

As state and federal courts continue to wrestle with these issues in the current pipeline of CCPA cases, the U.S. Supreme Court may provide additional clarity on Article III standing requirements applicable to class actions. The Supreme Court recently granted certiorari in Ramirez v. TransUnion LLC¹⁷ to decide whether Article III or Federal Rule of Civil Procedure 23 applies to class actions where the vast majority of the class suffered no actual injury.

We will continue to monitor this area of the law carefully as the courts continue to address the details of how the CCPA applies in these circumstances. Contact your Dorsey privacy counsel for assistance in navigating CCPA requirements and assessing the evolving landscape of class action defense strategies.