To Be A Business Under The CCPA, That Entity Must Determine How Or Why To Process Consumer PI

Judge Davila of the Northern District of California held that the file transfer service was not a “business” under the CCPA and grants defendant’s motion to dismiss.  The analysis turns on whether or not defendant determine how or why to process consumer PI.

Accellion moves to the dismiss Plaintiffs’ CCPA claim on two grounds: (1) Accellion is not a “business” within the meaning of the statute; and (2) the Complaint does not allege a specific non-conclusory failure to implement reasonable security measures. Mot. 14. Because Accellion is not a “business” under the CCPA, the Court need not and will not address Accellion’s arguments as to its reasonable security measures.

The CCPA provides a limited civil cause of action for “[a]ny consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures.” Cal. Civ. Code § 1798.150(a)(1) (emphasis added). The CCPA defines “business,” in relevant part², as follows:

[A] legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information….

Id. § 1798.140(d)(1) (emphasis added). Accordingly, to qualify as a “business” under the CCPA, the entity must both (1) collect PII and (2) determine why and how (“the purposes and means”) the PII should be processed. See Karter v. Epiq Sys., Inc., 2021 WL 4353274, at *2 (C.D. Cal. July 16, 2021). The CCPA further defines “collects” as “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means”; and defines “processing” as “any operation or set of operations that are performed on personal information or on sets of personal information.” Cal. Civ. Code § 1798.140(f), (y).

As to the first requirement, the Complaint contains several allegations of Accellion collecting consumers’ PII. See, e.g., Compl. ¶¶ 2 (“Entities … hired Accellion—a cloud solutions company—to collect and securely transfer sensitive Personally Identifiable Information.”), 158 (“Defendants collect personal information from, among other sources, consumers who request information from them, consumers who use their services, including users of their mobile applications, and consumers who submit customer support requests.”). The CCPA also adopts a broad understanding of “collects,” defining it to mean “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means.” Cal. Civ. Code § 1798.140(f) (emphasis added). On a Rule 12(b)(6) motion, the Complaint’s allegations are sufficient (though barely) to state that Accellion “collects consumers’ personal information” under the CCPA’s broad definition.

*11 The second half of the “business” definition, however, entails a more nuanced analysis. The Complaint alleges that Accellion was hired by various companies to “securely transfer” and to “facilitate secure, encrypted file sharing that exceeded limits imposed on the size of emails attachments.” Compl. ¶¶ 2, 25 (“Instead of transferring documents by email, the intended recipient would receive a link to files, hosted on Accellion’s FTA, which could then be viewed or downloaded.”). Therefore, the relevant inquiry is whether, by enabling the secure transfer of files by hosting them on FTA, Accellion determined why and how consumers’ PII was processed.

So alleged, the Court finds that Accellion did not. Critically, the Complaint lacks any allegations regarding the “determinations” Accellion made with respect to why and how Plaintiffs’ PII was processed. The allegation that Accellion “developed, marketed, and sold a file sharing transfer software product” (Compl. ¶ 25) does not indicate that Accellion would be making decisions about the data its software would transfer after the software was licensed or made available to a customer. Nor does the Complaint allege that Accellion decides or “determines” anything about PII processing whenever one of its customers uses the FTA product to send files. To the contrary, the Complaint contains statements indicating that it is Accellion’s customer who makes the decision for each file transfer. Compl. ¶¶ 2, 28 (alleging that Accellion “enables millions… from every walk of life to do their jobs without putting their organization at risk. When they click the Accellion button, they know it’s the safe and secure way to share information with the outside world”) (emphasis added). The relevant CCPA inquiry is not whether Accellion simply enabled or was involved in transmitting Plaintiffs’ PII; rather, the Court must ask whether Accellion determined how and why Plaintiffs’ PII was transmitted. Without any allegations as to what Accellion decides or “determines” with respect to processing Plaintiffs’ PII, the Court cannot find that the Complaint has alleged that Accellion is a “business” for the purposes of the CCPA.

Accellion’s involvement (or lack thereof) with respect to determining how a consumers’ PII is processed also distinguishes it from other companies that courts have found to be “businesses” under the CCPA. In Karter v. Epiq Systems, Inc., the complaint had specifically alleged that the defendant (a class action settlement administrator) “work[ed] with its clients to determine how it will use consumers’ personal information to provide notice and manage claims and opt-outs.” 2021 WL 4353274, at *2 (C.D. Cal. July 16, 2021). Unlike Accellion, the Epiq defendant was alleged to have directly and affirmatively participated in determining how a consumer’s PII would be used. Similarly, in Blackbaud, the court found that a company that provided software for “administration, fundraising, marketing, and analytics to social good entities” was a “business” under the CCPA. In re Blackbaud, Inc., Customer Data Breach Litig., 2021 WL 3568394 (D.S.C. Aug. 12, 2021). There as well, the defendant was alleged to have actively interacted with and analyzed the data at issue: “Blackbaud uses consumers’ personal data to provide services at customers’ requests, as well as to develop, improve, and test Blackbaud’s services,” that “Blackbaud develops software solutions to process its customers’ patrons’ personal information,” and that “Blackbaud offers ‘professional and managed services in which its expert consultants provide data conversion, implementation, and customization services for each of its software solutions.’ ” Id. at *5 (emphasis added). In both Epiq and Blackbaud, the defendants played much more integral roles in determining how to process consumer PII—they were involved in, analyzed, and even consulted on how consumers’ personal information would be used. Accellion did not.

*12 Plaintiffs argue that “[b]y facilitating the transfer of personal information, Accellion enabled the use of consumers’ PII and determined the means of processing it.” Opp. 15. At oral arguments, Plaintiffs’ counsel expanded on this argument, submitting that the “purpose” of the FTA product was to “put files up on the cloud and transfer them” and the “means is just the proprietary technology.” 10/19/23 Hr’g Tr. 36:10–24. This, however, conflates the “purposes and means” of the FTA software with the “purposes and means of the processing of consumers’ personal information,” a construction that is not supported by the CCPA or the Complaint. The CCPA specifically defines “processing” as “any operation or set of operations that are performed on personal information or on sets of personal information.”³ Cal. Civ. Code § 1798.140(y) (emphasis added). The Complaint, however, does not allege that the FTA software performs any operation on the information that it transfers, only that it “facilitate[s] secure, encrypted file sharing.” Compl. ¶ 25. Accordingly, the Court will decline Plaintiffs’ invitation to find that Accellion “determine[d] the purposes and means of the processing of consumers’ personal information” by simply developing and marketing a file sharing software.

Additionally, Plaintiffs rely on statements Accellion made in its privacy policy that it controls information provided directly to it. Compl. ¶ 28. However, the information referenced by this privacy policy appears to relate only to Accellion’s interactions with its direct clients (e.g., Flagstar), as opposed to information transmitted between Accellion’s clients and the Plaintiffs. See Accellion Privacy Policy, Kiteworks, https://www.kiteworks.com/privacy-policy/ (“We respectfully use appropriate personal information in order to market, sell, deliver, and support the solutions that we offer. We do not collect personal information that is not necessary for the marketing, selling, delivery, and support of our solutions, such as demographic, biometric, medical, social information…. Our systems, employees, contractors, and affiliates can not access personal information collected by our customers even when that information may be contained in customer applications which use the Accellion Services under the control of customers.”). Plaintiffs contend that the CCPA does not require that the information involved in a breach be the same type of information a business collects or processes. Opp. 15–16. However, even if Accellion may be a “business” with respect to data it collects from its website, the CCPA expressly provides that the duty of “reasonable security procedures and practices” imposed on businesses only runs to the personal information that the business collects. Cal. Civ. Code § 1798.100(e). On that point, the Complaint asserts no CCPA claim against the security measures protecting the personal information collected pursuant to Accellion’s privacy policy.

Because the Complaint fails to allege that Accellion is a “business” under the CCPA with respect to Plaintiffs’ PII, Plaintiffs cannot maintain their CCPA claim against Accellion, and the Court need not address Accellion’s other CCPA arguments. Accellion’s motion to dismiss the CCPA claim is GRANTED. Because the Court cannot conclude that Plaintiffs would be unable to resolve these deficiencies with further factual amendment regarding the FTA product’s operation on their PII, the Third Claim is DISMISSED WITH LEAVE TO AMEND.

IN RE ACCELLION, INC. DATA BREACH LITIGATION, No. 5:21-CV-01155-EJD, 2024 WL 333893, at *10–12 (N.D. Cal. Jan. 29, 2024).