Companies that do business in California know that it is a magnet for class action litigation.  The California Consumer Privacy Act ("CCPA"), a new privacy law that applies to data collected about California residents, will provide even more incentive to plaintiff’s attorneys to bring suit in California. 

The CCPA was enacted in early 2018 as a political compromise to stave off a poorly drafted ballot initiative.  Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).  To help address that confusion, BCLP is publishing a multi-part series to address the most frequently asked litigation-related questions concerning the CCPA.  BCLP is also working with clients to assess – and mitigate – litigation risks for when the CCPA goes into effect by putting in place the policies, procedures, and protocols needed to comply with the Act.

1. Does the CCPA allow an individual whose work email address or business contract information is compromised through a data breach to bring a cause of action for damages?

Section 1798.150(a)(1) allows “[a]ny consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure” to recover statutory damages and other nonmonetary relief if they can show the access, exfiltration, theft, or disclosure resulted from the “business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information….”¹

Elsewhere in the Act, “personal information” is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”²  The Act also provides a non-exhaustive list of examples of personal information which includes “employment,”³ as well as “professional or employment-related information.”⁴

The net result of this definition is that work email addresses that contain an employee’s name or business contact information, such as the employee’s name, job title, company, business address, work phone number, etc. are arguably covered within the definition of “personal information.”  In contrast, generic business names, business addresses, generic email addresses or any other general business information, as long as the information has not been linked to an individual, are arguably not covered within the definition.  So, for example, “John.Smith@acme.com” would most likely be considered “personal information” governed generally by the CCPA whereas “contact@acme.com” would not, even if the latter is used by the same employee to communicate with the public.

Yet, while the Act may generally regulate work email addresses and other business contact information, the statutory damages provision relies upon the much narrower definition of “personal information” set forth in Civil Code section 1798.81.5(d)(1)(A).  That section states:

(1) “Personal information” means either of the following: (A)  An individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted: (i) Social security number. (ii) Driver’s license number or California identification card number. (iii) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account. (iv) Medical information. (v) Health insurance information.⁵

Thus, although the CCPA generally regulates employment-related information (including certain work email addresses and business contact information), the statutory damages provision would only permit a claim involving such information if the following was also disclosed during the data breach: (i) a social security number, (ii) driver’s license or California identification card number, (iii) account numbers, (iv) medical information, or (v) health insurance information.  Disclosure of a work email address or business contact information alone would appear to be insufficient to state a claim under the CCPA’s statutory damages provision.

1. CCPA, Section 1798.150(a)(1)

2. CCPA, Article 1798.140 (o)(1).

3. CCPA, Section 1798.140(o)(1)(B); California Civil Code Section 1798.80(e).

4. CCPA, Section 1798.140(o)(1)(I).

5. Cal. Civil. Code. Section 1798.81.5(d)(1)(A)

[View source.]