After the California Consumer Privacy Act (CCPA) took effect on January 1, 2020, a surge of class action lawsuits predicated on alleged CCPA violations hit businesses. Because of the act’s novelty, it was unclear whether courts would hold to the narrow construction of the CCPA’s private right of action or allow plaintiffs to plead around these statutory restrictions to recover damages. Early last year, we discussed how defendants could move to dismiss these claims based on the CCPA’s explicit limitations and that plaintiffs would be facing an uphill battle.
Indeed, defendants have been moving to dismiss on those grounds. But in at least one case, the court dismissed the complaint without even needing to reach the defendant’s argument that plaintiffs failed to allege a viable CCPA claim. On January 12, 2021, the federal District Court for the Central District of California granted Marriott International, Inc.’s (“Marriott”) motion to dismiss due to plaintiffs’ lack of standing to sue.
Arifur Rahman v. Marriott International, Inc. et al.
The case, Arifur Rahman v. Marriott International, Inc. et al., No.: 8:20-cv-00654, arose from a cybersecurity breach at Marriott after two Marriott employees in Russia allegedly accessed class members’ names, addresses, phone numbers, email addresses, genders, birth dates, and loyalty account numbers without authorization. The complaint asserted a violation of the CCPA, along with five other causes of action.
In its motion responding to the complaint, Marriott argued for dismissal on two independent grounds. First, Marriott argued that plaintiffs had not established standing to sue as required under Article III of the U.S. Constitution, because they had not alleged a concrete injury as a result of the data breach. Second, Marriott argued that, even if plaintiffs had satisfied the standing requirements, they had not alleged facts that, if proven true, would be legally adequate to establish a CCPA violation and their other causes of action.
The court granted Marriott’s motion and dismissed the complaint based solely on the standing grounds. In doing so, the court relied on Ninth Circuit precedent that pre-dates the CCPA, holding that the personal information allegedly compromised in the data breach lacked “the degree of sensitivity required by the Ninth Circuit to establish an injury in fact.” Plaintiffs’ suit failed because, while the data breach undisputedly compromised some categories of personal information, it did not involve the theft of sensitive categories of personal information—such as social security numbers or credit card numbers—necessary to establish an imminent injury, such as the threat of identity theft, to the plaintiff. Because the court found that the plaintiffs lacked standing, it decided it “need not consider Defendant’s Rule 12(b)(6) argument” challenging the sufficiency of the plaintiff’s allegations in each cause of action.
The Marriott case demonstrates how, so far, despite the CCPA’s enactment of a new private right of action and statutory damages, courts in the Ninth Circuit remain a challenging forum for plaintiffs bringing data breach claims under state law due to the constitutional standing requirements unique to federal courts. We’ll be watching to see whether the plaintiffs appeal this ruling and will report on any further developments of interest.