Author: Stella Lee (Research Volunteer)

The California Consumer Privacy Act(CCPA) is a state-wide legislation designed to ensure data privacy protection of California Residents. Passed in 2018, CCPA is known to be one of the strongest data privacy regulations in the United States, as well as being known as the first comprehensive consumer privacy regulations in the United States. 

Key Summary

  • CCPA is the first comprehensive consumer privacy legislation in the United States.
  • The use of CCPA could lead to disparate legal outcomes in court cases.
  • It is crucial to note that CCPA does not always grant consumers more rights.
  • Consumers should examine the CCPA guidelines thoroughly to frame their claims better under CCPA

The Problem

Before CCPA was passed, consumers had very limited access to how their information is being used by private companies. Although FOIA(Freedom of Information Act) did address data transparency by allowing individuals to access their personal data from federal government agencies, this law did not extend to private companies. That being said, consumers could not get help from FOIA to access their information held by private companies, so consumers had minimal control and knowledge about their data.

Furthermore, prior to CCPAโ€™s enactment, most federal-level data privacy laws focused on a specific area of data privacy, rather than focusing on creating a comprehensive framework for consumer data protection.

As an example, the Health Insurance Portability and Accountability Act (HIPAA) focused on protecting childrenโ€™s online information and the Children’s Online Privacy Protection Act (COPPA) was made to protect the privacy of children. However, no federal laws are designed to protect data privacy of consumers in the United States in general.

Solution

Under CCPA, consumers have the right to know about the entirety of the information that companies collect and store about them. Consumers also have the right to be aware of what other third-parties the companies have shared their information with. Last but not least, CCPA gives consumers the power to sue a company if they for some reason feel that their data privacy has been violated.

The CCPA holds core data privacy principles:

  1. Transparency of data collection and processing: California consumers have the right to know what data the companies collect about themselves or their children
  2. Control over Data: California consumers have the right to ban companies from selling their private information to another third-party, and businesses can not, by any means, retaliate customers regarding services or goods; and
  3. Accountability of Businesses with Consumer Data: Under CCPA, businesses hold responsibility to conduct more mindful data collection for customers.

CCPA in Court Cases

Does CCPA, the strongest data privacy regulation in the United States, always grant consumers more rights regarding their data privacy? In order to examine the answer to this question, 4 court cases involving legal conflicts with CCPA were analyzed.

Barnes v. Hanna Andersson and Salesforce

  • Background: In 2019, Hannah Andersen, a childrenโ€™s apparel store, experienced a data breach while using Salesforceโ€™s e-commerce platform. Over three months, hackers accessed customersโ€™ sensitive information, including names, addresses, and CVV codes. Hannah Andersen informed consumers and the California attorney general of the breach in January 2020, following law enforcement notification.
  • Key Legal Issues: Customers filed a lawsuit against Hannah Andersen and Salesforce, arguing both should be liable under CCPA. Although the complaint doesnโ€™t explicitly cite CCPA violations, it uses CCPA standards to support UCL claims for โ€œunlawfulโ€ and โ€œunfairโ€ business practices. This case is notable as one of the first class-action lawsuits related to CCPA.
  • Outcome: In December 2020, a preliminary approval was granted for a class action settlement. The settlement included a $400,000 fund, cash payments up to $500 per class member, and up to $5,000 for extraordinary situations. Hannah Andersen was also required to improve cybersecurity, including hiring a director of cybersecurity, implementing multi-factor authentication, and conducting a risk assessment per the NIST Risk Management Framework.
  • Significance: The case outcome strengthened consumer privacy rights by mandating cybersecurity improvements and providing financial redress to affected consumers, addressing the harm caused by the breach.

Gardiner v. Walmart Inc.

  • Background: Gardiner claimed hackers breached Walmartโ€™s online service, stealing his and othersโ€™ personal information, including credit card details, which was allegedly sold on the dark web. He and the proposed class spent time and money mitigating the breachโ€™s effects, citing harm from improper disclosure, lack of breach notification, and loss of PII value.
  • Legal Issues: Gardiner accused Walmart of violating the CCPA and UCL, along with negligence, breach of express and implied contracts, and breach of good faith.
  • Outcome: The court dismissed Gardinerโ€™s claims, citing insufficient specifics regarding the breach date, lack of evidence that โ€œPersonal Informationโ€ was disclosed under CCPA definitions, and failure to prove that data security costs were part of the goodsโ€™ price or that he agreed to the privacy policy. The court, however, did not strike the class allegations.
  • Significance: The case highlights the need for specificity and strong evidence in data breach claims under CCPA, illustrating challenges for consumers seeking redress.

McCoy v. Alphabet, Inc

  • Background: In 2020, a plaintiff filed a class action against Alphabet Inc. and Google, alleging they collected Android usersโ€™ personal data without consent during non-Google app activities. Defendants sought dismissal, arguing the plaintiff, a New York resident, wasnโ€™t protected under CCPA, which applies only to California residents, and that no data breach occurred.
  • Legal Issues: The plaintiff claimed Alphabet and Google violated Cal. Civ. Code ยง 1789.100(b) by not informing users about the data collection and its purpose when monitoring interactions with non-Google apps.
  • Outcome: In 2021, the court dismissed the plaintiffโ€™s CCPA claims, stating CCPA does not apply as no data breach occurred. The court also dismissed other privacy-related claims, noting the data was anonymized and aggregated, not meeting Californiaโ€™s privacy law standards. However, the case was not fully dismissed.
  • Significance: The case highlights that CCPA applies primarily to data breaches, not general data collection, potentially setting a precedent that limits consumer protections under CCPA.

Atkinson et al. v. Minted, Inc.

  • Background: In 2020, Minted, an online art and home goods marketplace, experienced a data breach that exposed customersโ€™ personal information. The breach, detected only after public reporting on May 15, 2020, led to a lawsuit alleging violations of Californiaโ€™s data protection laws, specifically the CCPA.
  • Legal Issues: The case focused on whether Mintedโ€™s security practices were sufficient under the CCPA. Plaintiffs argued that Minted lacked reasonable security safeguards, as evidenced by the breach and the exposure of inadequately protected PII, including hashed but not encrypted passwords. The timeliness and adequacy of Mintedโ€™s notification to affected customers were also key issues.
  • Outcome: Minted agreed to a $5 million settlement fund and committed to improving its data security practices. The settlement underscores the importance of adhering to CCPA requirements and promptly notifying consumers in the event of a breach.
  • Significance: The settlement enhances data security for Minted and provides a $5 million fund for compensating affected users, demonstrating an effective redress mechanism for consumers.

Variability of CCPA Case Outcomes

Although CCPA was introduced as one of the strongest comprehensive, consumer-focused data privacy regulations in the United States, the use of CCPA does not always guarantee a positive outcome for consumers; instead, depending on how consumers frame their claims under CCPA and the type of data security violation, CCPA could either grant consumers a significant amount of consumer rights or pose huge challenges against consumers.

The chart below shows the consumer rights scores of the 4 CCPA law cases discussed in the previous section. The more positive and greater the score is, the more rights were granted to the consumers as a result of the outcome of the case.

As the bar chart shows both negative and positive scores with different magnitudes, the chart demonstrates how CCPA cases differ significantly when it comes to granting rights to consumers.

How Score Were Calculated

To objectively categorize cases as either (1) granting more rights or (2) posing setbacks to consumers, I decided to assign a score to each caseโ€™s outcome. A higher score indicates that the case granted more rights. The key variables used for scoring are based on the definition of consumer rights, referencing and adapting the eight principles defined by Consumer International (2009) to fit the scope of data privacy.

Conclusion

In order for consumers to use CCPA to protect their data privacy, it is crucial that consumers read the guidelines provided by CCPA thoroughly and study the cases in which CCPA is applicable. Furthermore, the government and humanitarian organizations should focus on educating the public about not only CCPA but also data protection laws besides CCPA so that consumers can maximize their data protection under a more comprehensive legal framework.