Many have turned to video conferencing applications to stay connected while social distancing during the coronavirus (COVID-19) pandemic. At the same time, the number of complaints alleging violations of the California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq. (CCPA), has increased following the influx of these technologies among the workforce and general public.
On March 30, 2020, in the U.S. District Court for the Northern District of California, the plaintiff filed a proposed class action complaint against Zoom Video Communications, Inc. (Zoom) alleging two CCPA-related causes of action. Specifically, the plaintiff alleges that Zoom violated Section 1798.100(b) of the CCPA by “collecting and using personal information without providing consumers with adequate notice consistent with the CCPA” and further alleges that Zoom violated Section 1798.150(a) of the CCPA by failing to prevent “nonencrypted and nonredacted personal information from unauthorized disclosure” due to the company’s alleged failure to “maintain reasonable security procedures and practices.”
On April 17, 2020, in the U.S. District Court for the Southern District of California, a separate proposed class action complaint was filed against the owners of the Houseparty application which provides group video chat capabilities. The complaint alleges that the Houseparty owners (1) violated Section 1798.100(b) by failing to provide consumers of the requisite notice that Houseparty was selling consumers’ personal information to unauthorized third parties; (2) failed to provide notice to consumers of their “right to opt-out” of the “disclosure of their [personal information] to unauthorized third parties like Facebook”, resulting in an alleged violation of Section 1798.120(b); and (3) Houseparty failed to provide a “clear and conspicuous link” titled “Do Not Sell My Personal Information” to enable consumers to opt out of the sale of their personal information under Section 1798.135(a)(1).
The CCPA, which went into effect on January 1, 2020, grants consumers a limited private right of action against the unauthorized access and exfiltration, theft, or disclosure of certain types of personal information, including the right to seek statutory damages. The limited private right of action does not apply to the broader definition of “personal information” under the CCPA, which includes, for example, commercial information, biometric information, geolocation data, internet or other electronic network activity, audio, electronic, visual, thermal, olfactory, or similar information, among many other types of information that “identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Cal. Civ. Code § 1798.140(o).
On its face, the CCPA private right of action differs from the federal court standard applied to data breaches where constitutional or Article III standing is required to establish a concrete injury. Under the CCPA as written, it may be possible to have statutory damages imposed without proof of actual damages from the unauthorized access, although it is likely that such a result would be subject to court challenges. If a business experiences a data security incident that meets CCPA requirements, California consumers may file a lawsuit alleging a private right of action under the CCPA, and can seek a number of remedies.
With respect to damages, consumers can seek the greater of actual damages or statutory damages for each violation. Statutory damages under the CCPA are set to be not less than $100 and not greater than $750 per consumer per incident. Id. § 1798.150(a)(1)(A). The CCPA also authorizes injunctive or declaratory relief and “[a]ny other relief the court deems proper.” Id. § 1798.150(a)(1)(C).
Even if the proposed class actions do not allege a specific data security incident, the actions may attract unwanted attention to the platforms’ data security and privacy compliance efforts under the CCPA. On July 1, 2020, the California Attorney General is set to begin enforcement of the CCPA and to act on any violations since the Act went into effect on January 1, 2020. Despite pleas from businesses to delay enforcement until 2021, the California Attorney General appears committed to the July 1 enforcement date and recently issued a statement reminding Californians of their privacy rights under the CCPA.
The best defense against litigation is compliance. Businesses can address CCPA compliance by developing a written record of data processing activities, drafting an external facing privacy notice that adequately sets consumers’ expectation of privacy prior to collection, implementing procedures to respond to data rights requests, and maintaining appropriate data security controls, among other compliance steps. Counsel can assist in the development of a compliance program tailored to the unique data collection and security issues confronting each business.