District Court (Cal.) Says CCPA’s “Opt-Out” Notice Provides No Defense to UCL Claim that CLEAR Shared Consumer Data Without Notice

In Brooks v. Thomson Reuters Corp., No. 21-cv-01418-EMC, 2021 U.S. Dist. LEXIS 154093, at *18-22 (N.D. Cal. Aug. 16, 2021), Judge Chen found that the CCPA did not insulate CLEAR from a claim asserting that CLEAR improperly sold consumer data.  The facts were as follows:

Thomson Reuters “aggregates both public and non-public information about millions of people” to create “detailed cradle-to-grave dossiers on each person, including names, photographs, criminal history, relatives, associates, financial information, and employment information.” See Docket No. 1-1 (Compl.) ⁋ 2. Other than publicly available information on social networks, blogs, and even chat rooms, Thomson [*3] Reuters also pulls “information from third-party data brokers and law enforcement agencies that are not available to the general public, including live cell phone records, location data from billions of license plate detections, real-time booking information from thousands of facilities, and millions of historical arrest records and intake photos.” Id. The company collects everything from credit information, DMV records, social-media posts, utility records, and even records indicating whether a person has had an abortion. Id. ¶¶ 2, 16, 20, 35(a).  Thomson Reuters then sells this information to its customers—without the knowledge or consent of the persons to whom the information concerns—through an online platform it calls CLEAR. Id. ⁋⁋ 2-3, 12. CLEAR users pay a fixed fee for a dossier report with all the information Thomson Reuters has on an individual in the company’s database, as well as information on their family members and associates. Id. ⁋⁋ 24-26, 28, 62. The company’s “pay-as-you-go” pricing model even goes so far as to place a specific dollar value on the different types of information it sells. Id. ¶ 62. Its website “advertises that CLEAR enables its users to access ‘both [*4] surface and deep web data to examine intelligence’ about people ‘not found in public records or traditional search engines.’ This allows CLEAR users ‘to uncover’ personal ‘facts hidden online,’ by scraping ‘real-time information’ about individuals.” Id. at 2, 14-15. Because the company updates this information in real time, Id. ⁋⁋ 2, 17, the New York Times has described CLEAR as “an ever-evolving 360-degree view of U.S. residents’ lives.” Id. (quoting McKenzie Funk, How ICE Picks Its Targets in the Surveillance Age, N.Y. Times (Oct. 3, 2019)). Thomson Reuters makes significant profits from selling these reports. Id. ⁋⁋ 58-63. The named Plaintiffs are Californians whose identities Thomson Reuters sells to its customers through CLEAR. Id. ¶¶ 6-7. Neither consented to the company selling their personal information—and neither wants the company to do so. Id. ¶¶ 41-42, 50-51. Both are Black civil rights activists concerned about being targeted because of their work. Id. They do not want a 360-degree view of their lives available to those willing to pay for it. Id. In fact, Ms. Brooks even subscribes to a service that routinely deletes her information from the internet. Id. ¶ 41. Mr. Shabazz also alleges that Thomson Reuters’s CLEAR profile on him incorrectly indicates that he is divorced and has failed to pay child support when he was never legally married and at the time had no children. Id. ⁋ 54.  On December 23, 2020, Plaintiffs filed their class action complaint in the Superior Court of California, County of Alameda, on behalf of all California residents “whose name, photographs, personal identifying information, or other personal data is or was included in the CLEAR database during the limitations period.” Id. ⁋ 70. They assert four causes of action on behalf of the proposed class: (1) violations of the California common law right of publicity; (2) a claim for monetary relief for violations of California’s Unfair Competition Law (UCL), Cal Bus. & Prof. Code § 17200; (3) unjust enrichment; and (4) a claim for injunctive relief for violations of the UCL. Id. ⁋⁋ 81-118.

Judge Chen found that the CCPA did not insulate the defendant.

Under the CCPA, “[a] consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt-out.” Cal Civ. Code § 1798.20. Relying on this statutory language, Thomson Reuters argues its conduct cannot be unfair because the CCPA expressly allows it to sell Plaintiffs’ personal information if it provides Plaintiffs a mechanism to opt out of such sale. Mot. at 15-16 (citing Compl. ⁋⁋ 46-47, 57).  This is a meritless argument for multiple reasons. As an initial matter, Thomson Reuters does not cite a single case where the court dismissed a plaintiff’s claim that the dissemination of their personal information is unfair under the UCL simply because the defendant provided an adequate opt-out mechanism under the CCPA. Moreover, several provisions of the CCPA clearly state that the law is not meant to curtail other privacy statutes. For example, the CCPA explains that the private right of action it creates under section 17980.50 for the “unauthorized access and exfiltration, theft, or disclosure [of consumer’s personal information] . . . shall not be construed to relieve any party from any duties or obligations imposed under other law or the United States or California Constitutions.” Cal. Civ. Code § 1798.50(a)(1), (c). More broadly, section 1798.175 explains that the CCPA “is intended to further the constitutional right of privacy and to supplement existing laws relating to consumers’ personal information,” and that, “[w]herever possible, law relating to consumers’ personal information should be construed to harmonize with the provisions of this title.” Id. § 1798.175 (emphasis added). The statute goes further: “in the event of a conflict between other laws and the provisions of [the CCPA] the provisions of the law that afford the greatest protection for the right of privacy for consumers shall control.” Id.  Here, the Court can easily harmonize the CCPA‘s right to opt-out with Plaintiffs’ claim under the unfair prong of the UCL by concluding that CLEAR’s opt-out mechanism does not necessarily mean Thomson Reuters’s unauthorized sale of Plaintiffs’ personal information is fair under the UCL as a matter of law. The UCL fairness prong may provide broader protection than specific statutes such as the CCPA. This interpretation of both statutes controls because it “afford[s] the greatest protection for the right of privacy for consumers.” Id.  Even if providing an opt-out mechanism under the CCPA was a defense, there is a question of fact as to whether CLEAR’s opt-out mechanism complies with the CCPA. To actualize the “right to opt-out” in section 1798.120, [a] business . . . shall, in a form that is reasonably accessible to consumers:  (1) Provide a clear and conspicuous link on the business’s Internet homepage, titled “Do Not Sell My Personal Information,” to an Internet Web page that enables a consumer, or a person authorized by the consumer, to opt-out of the sale of the consumer’s personal information.  Cal Civ. Code §§ 1798.135(a)(1) (emphases added). Similarly, the regulations that implement the CCPA‘s opt-out mandate also specify that  A business’s methods for submitting request to opt-out shall be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out. A business shall not use a method that is designed with the purpose or has the substantial effect of subverting or impairing a consumer’s choice to opt-out. Cal. Code Regs. tit. 11, § 999.315(h) (emphasis added). The regulations also prohibit an opt-out mechanism [*21]  that “require[]s the consumer to provide personal information that is not necessary to implement the request.” Id. § 999.315(h)(4).  The complaint here alleges that Thomson Reuters places a “tiny link” at the bottom of its CLEAR homepage and “provides no notice to consumers that the link exists. Nor does the company enable consumers who happen to find out about the link to easily make use of it.” Compl. ⁋⁋ 46-48. It also alleges that when both named Plaintiffs attempted to opt out by clicking on the small link at the bottom of the CLEAR website, “Thomson Reuters required that [they] provide a photograph of [their] government-issued identification card as well as a separate picture of [their] face.” Compl. ⁋⁋ 49, 57. Taking these allegations as true and drawing every inference in Plaintiffs’ favor, the Court cannot determine as a matter of law that CLEAR’s opt-out mechanism complies with the CCPA and its implementing regulations. In the words of the statute, CLEAR’s opt-out mechanism—as alleged in the complaint—is not “reasonably accessible to consumers” or “clear and conspicuous.” Cal Civ. Code §§ 1798.135(a)(1). Nor is it “easy for consumers” to opt-out using “minimal steps.” Cal. Code Regs. tit. 11, § 999.315(h). In fact, plaintiff alleges that CLEAR required Plaintiffs’ photo identifications and faces to opt out. If true, those allegations could easily lead a reasonable trier of fact to conclude that CLEAR’s opt-out mechanism, itself, is unfair under the UCL.  Accordingly, compliance with the CCPA is not a defense to Plaintiffs’ claims that the sale of their personal information is an unfair business practice under the UCL. At the very least, there is a serious question of material fact as to whether Thomson Reuters’s opt-out mechanism even complies with the CCPA.