In Wynne v. Audi of Am., No. 21-cv-08518-DMR, 2022 U.S. Dist. LEXIS 131625, at *2-4 (N.D. Cal. July 25, 2022), Judge Ryu found that the CCPA, by itself, does not confer Article III standing under the Supreme Court’s TransUnion decision. The facts of the data breach were as follows:

Wynne makes the following allegations in the amended complaint: Defendant Audi is a wholly-owned subsidiary of Volkswagen. Shift Digital is a vendor that works with Audi and Volkswagen. Am. Compl. ¶¶ 7, 15. Wynne alleges that at some point between August 2019 and May 2021, Defendants were the target of a data breach and her personally identifiable information (“PII”) was accessed and compromised. Id. at ¶¶ 1, 2, 15-25. The PII included names, home and business addresses, email addresses, driver’s license numbers, social security numbers, dates of birth, account and loan numbers, and tax identification numbers. Id. at ¶ 18. She alleges that Defendants failed to implement reasonable security procedures to adequately protect her and the putative class members’ PII from data breaches, which “resulted in an invasion of her privacy interests.” Id. at ¶ 6. Further, given the sensitive nature of the information at issue, she and the putative class members are at “imminent, immediate, and continuing risk of further identity theft-related harm.” Id. at ¶¶ 3, 6, 21, 22.

Wynne defines the putative class as “[a]ll Volkswagen of America, Inc./Audi customers and interested buyers residing in California whose PII was accessed or otherwise compromised in the Data Breach, which, according to the Notice of Data Breach provided by Volkswagen of America, Inc./Audi, occurred at some point between August 2019 and May 2021.” Id. at ¶ 37. She brings the following claims on behalf of herself and the class: 1) violation of California’s Unfair Competition Law (“UCL”), California Business & Professions Code section 17200; and 2) violation of the California Consumer Privacy Act (“CCPA”), California Civil Code section 1798.150 et seq. Wynne seeks an award of statutory damages under the CCPA, injunctive and equitable relief, and an award of attorneys’ fees and costs. Prayer for Relief.

On November 2, 2021, Shift Digital removed the case under CAFA jurisdiction. Wynne now moves to remand the case to state court, arguing that this court lacks subject matter jurisdiction because she does not satisfy the requirements of Article III standing.

Judge Ryu found that California’s CCPA conferred no Article III standing in and of itself.

To the extent that Shift Digital contends that an alleged violation of the CCPA alone is sufficient to confer standing, TransUnion expressly rejected such an argument, holding that “[u]nder Article III, an injury in law is not an injury in fact. Only those plaintiffs who have been concretely harmed by a defendant’s statutory violation may sue that private defendant over that violation in federal court.” TransUnion, 141 S. Ct. at 2205. However, the injury that gives rise to the alleged violation of the CCPA—that is, the “invasion of [Wynne’s] privacy interests” that occurred as a result of the theft of her PII, is a concrete injury that establishes Article III standing. See Am. Compl. ¶ 6. As noted, the Supreme Court instructed in TransUnion that “courts should assess whether the alleged injury to the plaintiff has a ‘close relationship’ to a harm ‘traditionally recognized as providing a basis for a lawsuit in American courts,’” and noted that “disclosure of private information” is an intangible harm that is “traditionally recognized as providing a basis for lawsuits in American courts.” TransUnion, 141 S. Ct. at 2204. This is consistent with longstanding Ninth Circuit precedent recognizing that historical privacy rights “‘encompass[ ] the individual’s control of information concerning his or her person’ . . . the violation of which gives rise to a concrete injury sufficient to confer standing.” See In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 598 (9th Cir. 2020) (quoting Eichenberger v. ESPN, Inc., 876 F.3d 979, 983 (9th Cir. 2017)). For example, in In re Facebook, the Ninth Circuit held that plaintiffs had standing to bring privacy-related claims under the Wiretap Act, Stored Communications Act, and California Invasion of Privacy Act based on Facebook’s collection of personal information that provided “a cradle-to-grave profile without users’ consent.” Id. at 598-99. The Ninth Circuit concluded that the plaintiffs had “adequately alleged that Facebook’s tracking and collection practices would cause harm or a material risk of harm to their interest in controlling their personal information.” Id. at 599.

In this case, Wynne alleges that sensitive personal information, including names, addresses, driver’s license numbers, social security numbers, dates of birth, account and loan numbers, and tax identification numbers, were stolen in a massive data breach. See Am. Compl. ¶¶ 2, 18. According to Wynne, the data breach that resulted in the disclosure of Wynne’s and the putative class members’ PII violated their “fundamental privacy rights.” Id. at ¶ 3. Under TransUnion and Ninth Circuit precedent, these allegations establish an injury that is sufficiently concrete for purposes of Article III standing. See, e.g., Al-Ahmed v. Twitter, Inc., No. 21-cv-08017-EMC, 2022 WL 1605673, at *7-8 (N.D. Cal. May 20, 2022) (holding that “invasion of privacy” resulting from Twitter employees’ unauthorized access of Twitter accounts containing private information “is a particularized injury sufficient to establish Article III standing”). The court thus has subject matter jurisdiction over this action. At the hearing, Wynne’s counsel argued that Wynne has not alleged a concrete injury for purposes of Article III standing because she only seeks statutory damages for Defendants’ “violation of the duty to implement and maintain reasonable security procedures and practices . . . to protect the personal information” that was accessed in the data breach. See Cal. Civ. Code § 1798.150(a)(1) (authorizing damages of up to $750 per consumer per incident). Although it is true that the CCPA provides a private right of action that is tied to a defendant’s failure to protect California residents’ personal information, counsel’s argument ignores that such an action may only be brought upon the “unauthorized access and exfiltration, theft, or disclosure” of the individual’s information. In other words, a defendant’s failure “to provide reasonable security” for personal information is actionable only in the event that the private information is disclosed, resulting in an individual’s loss of “control over their personal information” and violation of their right to privacy. See Eichenberger, 876 F.3d at 983. The violation of Wynne and the putative class members’ right to privacy is precisely what is at issue in this action.