Judge Davila of the Northern District of California held that the file transfer service was not a "business" under the CCPA and grants defendant's motion to dismiss. The analysis turns on whether or not defendant determine how or why to process consumer PI. Accellion moves to the dismiss Plaintiffs' CCPA claim on two grounds: (1) Accellion is not a “business”… Read More
On a motion to dismiss, Judge Cormac Carney in the Central District of California discusses whether plaintiff alleged sufficient facts to show that defendant lacked reasonable security procedures for a cause of action under the CCPA: MKS first argues that Plaintiff's CCPA claim must be dismissed because his “threadbare and conclusory” allegations “fail[ ] to allege any facts to support… Read More
In Chien v. Bumble Inc., 641 F. Supp. 3d 913, 927–30 (S.D. Cal. 2022), District Court Judge Gonzalo P. Curiel addressed the sufficiency of California contacts for specific personal jurisdiction in a data privacy case that includes a claim for violation of the CCPA. In the context of a nationally accessible website, “something more” than operating a passive website is… Read More
Judge Larry Alan Burns of the Northern District of California addressed four different arguments on a Motion to Dismiss a CCPA cause of action. Holding No. 1: allegations that a business failed to utilize alleged industry technology was sufficient to plead a failure to implement and maintain reasonable security measures. [Defendant] argues that the CCPA doesn't impose a duty to… Read More
A District Court in Washington dismissed Plaintiffs' claim for statutory damages because they failed to give pre-suit notice under the CCPA. The Court dismissed the request for statutory damages without prejudice meaning Plaintiffs can give notice (despite the pending action) and then seek to amend and add back in a request for statutory damages. Plaintiffs ... insist that they seek… Read More
On June 30, 2023, the Sacramento County Superior Court granted Cal Chamber's petition for writ of mandate. The Court stayed the California Privacy Protection Agency's ability to enforce CPRA regulations for twelve months from implementation. The regulations that became final on March 29, 2023 may not be enforced by the Agency until March 29, 2024. Read More
Ruling on a motion to dismiss a claim for violation of the California Consumer Privacy Act, the Hon. Mary M. Rowland of the United States District Court in the North District of Illinois, held: Defendants argue that [Plaintiff] fails to allege a specific action Defendants took or failed to take that breached a duty under the CCPA to maintain "reasonable"… Read More
On August 11, 2022, the CFPB issued a circular on data security and the question "[c]an entities violate the prohibition on unfair acts or practices in the Consumer Financial Protection Act (CFPA) when they have insufficient data protection or information security?" The short answer is "yes." The CFPB highlights specific security measures to minimize risk. In line with the new… Read More
Ruling on Defendant's Motion to Dismiss (Aviva Kirsten v. Cal. Pizza Kitchen, Inc., No. 2:21-cv-09578-DOC-KES (C.D. Cal. July 29, 2022), Judge David O. Carter of the Central District of California held: Defendant argues that Plaintiffs’ CCPA claim fails because Plaintiffs provide no facts to maintain that Defendant failed to maintain reasonable security procedure and practices. Mot. at 20. However, Defendant… Read More
In Wynne v. Audi of Am., No. 21-cv-08518-DMR, 2022 U.S. Dist. LEXIS 131625, at *2-4 (N.D. Cal. July 25, 2022), Judge Ryu found that the CCPA, by itself, does not confer Article III standing under the SCOTUS' TransUnion decision. The facts of the data breach were as follows: Wynne makes the following allegations in the amended complaint: Defendant Audi is a… Read More
On May 27, 20222, the California Privacy Protection Agency issued its first draft of Proposed Regulations under the California Privacy Rights Act. The rulemaking timeline is unclear but we expect additional information at the upcoming June 8, 2022 board meeting (agenda: https://cppa.ca.gov/meetings/agendas/20220608.pdf). The Proposed Regulations can be found here https://cppa.ca.gov/meetings/materials/20220608_item3.pdf High-level topics in the Proposed Regulations include: Restrictions on the Collection… Read More
Judge David O. Carter, in the Central District of California, made the following findings on a motion to dismiss: the CCPA is not retroactive despite allegations of an ongoing pattern and practice; the CCPA does not include a private right of action for "§§ 1798.100(b), 110(c), and 115(d)"; the "disclosure of consumers’ non-anonymized data was not a result of a… Read More
On a motion to dismiss, Judge Denise Cote of the Southern District of New York, dismissed Plaintiffs' CCPA cause of action. In re Waste Mgmt. Data Breach Litig., No. 21cv6147 (DLC), 2022 U.S. Dist. LEXIS 32798, at *18-19 (S.D.N.Y. Feb. 24, 2022). [T]he [complaint] fails to state a claim for violation of the CCPA, because it does not plausibly allege… Read More
On March 10, 2022, the California Attorney General issued an Opinion letter in response to an inquiry from Assemblymember Kevin Kiley: QUESTION PRESENTED AND CONCLUSION Under the California Consumer Privacy Act, does a consumer’s right to know the specific pieces of personal information that a business has collected about that consumer apply to internally generated inferences the business holds about… Read More
Addressing what constitutes a cure under the current version of the CCPA, Judge Cote in the Southern District of New York, held that: the [Complaint] fails to state a claim for violation of the CCPA, because it does not plausibly allege that Waste Management breached its "duty to implement and maintain reasonable security procedures and practices appropriate to the nature… Read More
On October 6, 2021, Governor Newsom signed several new bills into law: AB 1391 Adds section 1724 to the Civil Code and makes it unlawful for anyone to sell or sell access to data that was unlawfully obtained. Similarly, it is unlawful for anyone to buy or use data that they know, or should know, was unlawfully obtained. AB 694 … Read More
The California Office of the Attorney General (OAG) is responsible for enforcing the CCPA. The OAG began sending notices of alleged noncompliance to companies on July 1, 2020, the first day CCPA enforcement began. Once a company is notified of alleged noncompliance, it has 30 days to cure that noncompliance. The OAG identified 27 case examples summarizing the alleged violations… Read More
A South Carolina District Court Judge denied Blackbaud's Motion to Dismiss a claim for violation of the California Consumer Privacy Act. In re Blackbaud_ Inc._ 2021 U.S. Dist. LEXIS 151831 (August 12, 2021). Here, California Plaintiffs adequately allege that Blackbaud qualifies as a "business" under the CCPA. First, they specifically maintain that "Blackbaud and its direct customers determine the purposes… Read More
In Karter v. Epiq Systems, Inc., et al., Judge Carney denied Epiq's Motion to Dismiss the CCPA cause of action. For two reasons, the Court found that Plaintiff sufficiently alleged Epiq is a "business" under the CCPA and therefore, subject to the private right of action. "First, Plaintiff alleges that in order to perform its services, which it performs pursuant to… Read More
On February 2, 2021, Judge Susan Van Keulen, in the Northern District of California, denied in part and granted in part Defendant's Motion to Dismiss. Flores-Mendez et al v. Zoosk, Inc. et al. (N.D. CA; 3:20-cv-04929-WHA). Evaluating Article III standing based on Plaintiff's consent to Defendant's online privacy policy and terms of use, the Court held that: [i]f “the contract language… Read More
