Companies that do business in California know that it is a magnet for class action litigation.  The California Consumer Privacy Act ("CCPA"), a new privacy law that applies to data collected about California residents, will provide even more incentive to plaintiff’s attorneys to bring suit in California. 

The CCPA was enacted in early 2018 as a political compromise to stave off a poorly drafted ballot initiative.  Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).  To help address that confusion, BCLP is publishing a multi-part series to address the most frequently asked litigation-related questions concerning the CCPA.  BCLP is also working with clients to assess – and mitigate – litigation risks for when the CCPA goes into effect by putting in place the policies, procedures, and protocols needed to comply with the Act.

Q. Does the CCPA’s Statutory Damages And Other Provisions Apply To Businesses and Service Providers?

The CCPA allows consumers whose personal information has been compromised in a data breach to recover hefty statutory damages of up to $750 “per customer per incident or actual damages, whichever is greater.”¹  The statutory damages provision provides incentives to plaintiffs’ lawyers to pursue large class actions, even if the actions are based only on a single data breach incident.   

But, the CCPA only imparts obligations directly upon a “business” – a term that is defined as a for-profit legal entity that collects personal information about California residents, “determines the purpose and means of the processing” of that information, does business in California, and hits one of the three threshold volume triggers set forth under the Act (i.e., $25 million gross revenue, data about 50,000 Californians, or generates 50% of its revenue from selling personal information).[1]  If an entity is a “business” then all of the other obligations of the CCPA kick-in as well, such as the obligation to post a privacy notice, respond to consumer access requests, respond to consumer deletion requests, disclose the sale of consumer information, and offer consumer’s the ability to opt-out of such sales.

The statutory damages provision itself is tied to the definition of “business.”  It states: “[a]ny consumer whose nonencrypted or nonredacted personal information … is subject to unauthorized access and exfiltration, theft, or disclosure as a result of a business’s  violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action” for statutory damages.

In contrast, the CCPA defines a “service provider” as a for-profit legal entity that “processes information on behalf of a business, and is contractually prohibited from retaining, using, or disclosing that information for any purpose other than to provide service.”²  Unlike “businesses,” the CCPA imposes no direct privacy obligations on service providers (although indirectly the service provider would be subject to the contractual retention, use, and disclosure restrictions).³

The net result is that if a company falls under the definition of a “service provider,” but does not fall under the definition of a “business,” the CCPA imposes no statutory obligations upon it and does not subject it to statutory damages.  That, of course, begs the question of whether a company might be both a “service provider” and a “business.”  Theoretically nothing within the CCPA precludes a dual designation, and, as the terms are currently defined, they do not appear to be mutually exclusive.  To understand why consider a hypothetical company (e.g., an accounting firm) that collects personal information on behalf of its client (e.g., while conducting an audit), has gross revenue of over $25 million, but is contractually bound not to use, share, or disclose that information other than to provide service.  The company would satisfy the definition of a “service provider.”  The company would also satisfy every element of the definition of a “business” with the possible exception that it may not be intuitively clear whether the company “determines the purpose and means” of the processing.  

In order to understand whether the hypothetical company could both be a “service provider” and determine the “purpose and means” of the processing, it is important to understand that the phrase “determines the purpose and means of the processing” was borrowed directly from the definition of a “controller” within the European GDPR.⁴   In the context of the GDPR, European regulators examined whether a service provider that is generally bound to retention, use, and disclosure restrictions might also retain sufficient autonomy concerning the purpose and means of processing as to be classified under the GDPR as a “controller.”  The regulators ultimately identified a non-exhaustive list of service providers that fit such a description including the following:

• Accountants,⁵
• Attorneys,⁶
• Mail delivery services (when providing tracking functionality),⁷
• Market research companies,⁸
• Payment processors,⁹
• Social network service providers that provide online communications platforms,¹⁰

While there remains a great deal of uncertainty whether California courts will look to European regulators for guidance when interpreting the CCPA, plaintiff’s attorneys are likely to argue that because European regulators have determined that various classes of service providers retain sufficient control over the purpose and means of processing to be considered “service providers” and “controllers,” California courts should similarly find that such companies are “service providers” and “businesses” under the CCPA.  If the argument succeeds, service providers may find themselves with the same regulatory obligations as their clients.  From a litigation standpoint, both service providers and their clients may also become the targets of class actions aimed at recovering the large statutory damages authorized by the CCPA.

1. CCPA, Section 1798,150(a)(1).

2. CCPA, Section 1798.140(c). 

3. CCPA, Section 1798.140(v).

4. In comparison, the European GDPR imposes direct regulatory requirements on both “controllers” and “processors.”  Some of the obligations imposed by the GDPR apply equally to both groups, such as the obligation to take steps to secure data.  Other obligations imposed by the GDPR apply only to one group or the other.

5. Compare CCPA, Section 1798.140(C) to GDPR, Article 4(7).

6. United Kingdom Information Commissioner’s Office (“ICO), Data Controllers and Data Processors: What the Difference Is and What the Governance Implications Are (2014) at 13.

7. United Kingdom Information Commissioner’s Office (“ICO), Data Controllers and Data Processors: What the Difference Is and What the Governance Implications Are (2014) at 12.

8. United Kingdom Information Commissioner’s Office (“ICO), Data Controllers and Data Processors: What the Difference Is and What the Governance Implications Are (2014) at 12.

9. United Kingdom Information Commissioner’s Office (“ICO), Data Controllers and Data Processors: What the Difference Is and What the Governance Implications Are (2014) at 10.

10. United Kingdom Information Commissioner’s Office (“ICO), Data Controllers and Data Processors: What the Difference Is and What the Governance Implications Are (2014) at 11.

11. WP 169 at 21.

[View source.]