More than a year after the California Consumer Privacy Act (CCPA) became operative, the proverbial jury was still out on whether standing challenges to CCPA data breach claims brought in federal court could still be effective. Earlier this month, the Central District of California seemingly answered that question in the affirmative when it granted the defendant's motion to dismiss in Rahman v. Marriott.1
In Marriott, the plaintiffs alleged six causes of action against the defendant: negligence, violation of the CCPA, breach of contract, breach of implied contract, unjust enrichment, and violation of California's Unfair Competition Law. The incident in question occurred when two Marriott franchise employees in Russia accessed class members' name, address, phone number, email address, gender, birth date, and loyalty account number information.
The district court held that it lacked subject matter jurisdiction over plaintiffs' claims due to plaintiffs' inability to establish Article III standing. The court ruled that plaintiffs could not establish the "injury-in-fact" required for standing because the type of information accessed did not include "sensitive information, such as social security numbers, credit card information, or passwords."
Absent such sensitive information, the court found that there was no credible risk of identity theft or financial loss. The court also rejected plaintiffs' theory that the value of their information had been diminished in some manner or that plaintiffs should be compensated for mitigation costs. Regarding the latter argument, the court took the position that "'mitigation costs… rise and fall together' with claims based on the risk of future harm."
Court Steers Clear of Applying BIPA Argument to Establish Standing
Surprisingly, the court did not address plaintiffs' argument, relying on Patel v. Facebook, Inc.,2 that unauthorized access itself is a tangible injury giving rise to standing. In Patel, the 9th Circuit held that the Illinois Biometric Information Privacy Act created a privacy right in Illinois residents' biometric information that—when obtained without authorization—gives rise to a statutory injury sufficient to confer Article III standing.
In their opposition, plaintiffs attempted to apply this holding generally to all of their claims. Had they limited this argument to their CCPA claim, the court may have addressed it specifically and decided whether, like BIPA, the CCPA creates a statutory right of privacy in personal information obtained through an unauthorized data intrusion such that the mere access and exfiltration of such information creates an injury sufficient to confer standing.
In this instance, though, it probably would not have made any difference because the court could have also dismissed the CCPA claim under Rule 12(b)(6) (failure to state a claim) rather than Rule 12(b)(1) (lack of jurisdiction). Specifically, the court could readily have adopted Marriott's argument that the exposed information on its face did not qualify as "personal information" under Cal. Civ. Code § 1798.81.5(d)(1)(A), incorporated by reference into the CCPA's private right of action provision at section 1798.150(a)(1).
Because the court dismissed the matter for lack of standing, it did not reach this argument. Nor did the court address whether plaintiffs could seek statutory damages under the CCPA where (as appears to be the case here) they failed to fulfill the 30-day pre-suit notice requirement under section 1798.150(b). Ultimately, whether a well-pled CCPA claim in federal court is still subject to an Article III challenge remains an open question, as does whether plaintiffs' claims might have proceeded into discovery in state court, where standing is not typically required.
Do CCPA Claims Increase Data Breach Settlements?
Whether CCPA claims increase the settlement value of cases also remains an open question. Last month we wrote about the pending Hanna Andersson settlement and the similarity of its terms to settlements reached prior to passage of the CCPA. The Northern District of California granted preliminary approval of those terms at the end of December 2020.
On December 11, 2020, another classwide settlement received preliminary approval in Llamas v. Truefire,3 pending in the Middle District of Florida. Truefire is a purveyor of online guitar lessons and suffered a credit card breach from August 3, 2019, to January 14, 2020. The named plaintiff, located in California, allegedly incurred fraudulent charges on his card. Plaintiff asserted a CCPA claim but did not seek statutory damages, likely reflecting that he did not provide the requisite 30-day notice by letter prior to filing the complaint.
The Truefire settlement includes nine months of complimentary access to Truefire, reimbursements of up to $60 for time spent remediating payment card issues, $50 per California sub-class member for damages under the CCPA, and Truefire's agreement to implement certain security and privacy improvements. Plaintiffs estimated the settlement value as exceeding $1.2 million, with almost $900,000 of that value tied to complimentary access for the 4,911 class members.
There were 733 California class members eligible for the $50 payment, meaning that less than $40,000 of the possible settlement value can be directly tied to the CCPA. Truefire has agreed not to oppose a fee and cost application of up to $156,500. Finally, this is a "claims made" settlement, so Truefire's actual out-of-pocket settlement costs are unlikely to approach the $1.2 million figure. Like the Hanna Andersson settlement, Truefire did not appreciably move the goalposts for classwide data breach claims despite including a CCPA claim.
Several more decisions involving CCPA claims are likely to be issued over the next 60 days, including motions to dismiss and a motion to compel arbitration (and enforce a class action waiver). Until then, we will have to be content with what little we have gleaned from the sparse number of CCPA data breach cases that have been brought to fruition.