Defendant Seeks to Limit CCPA’s Private Right of Action and Force Massive Class Action into Binding Arbitration
CPW has previously covered how companies are increasingly turning to consumer arbitration agreements to limit litigation exposure. While an arbitration agreement does not allow a defendant to avoid a lawsuit outright, it does provide an escape mechanism from the public scrutiny and cost of litigation. Issues concerning application of arbitration agreements continue to come up in privacy class actions, with litigations brought under the California Consumer Privacy Act (“CCPA”) presenting unique considerations. A recent CCPA class action may answer some open questions—read on below. Shadi Hayden v. Retail Equation et al., No. 20-cv-01203 (C.D. Cal. July 07, 2020).
First, some background. The CCPA went into effect on January 1, 2020. The CCPA applies to any “business” that “does business in California,” regardless of whether the business has a physical presence in California, and regulates the means and purposes of the processing of “personal information.” Similar to the European Union’s General Data Privacy Regulation’s definition, the CCPA defines “personal information” to include “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Cal. Civ. Code § 1798.140(o).
The CCPA provides for a private right of action and has been used as a hook for several class action lawsuits. However, many questions concerning application of the CCPA in litigation remain unresolved (although at least one court has held the CCPA does not limit the scope of discovery). For instance, courts have not yet ruled on the scope of the CCPA’s private right of action provision, which allows consumers to bring suits when their personal data “is subject to an unauthorized access and exfiltration, theft, or disclosure” by businesses that fail “to implement and maintain reasonable security procedures and practices. Cal. Civ. Code § 1798.150.
Now, let’s take a look at the TJ Maxx litigation. In July 2020, a California consumer filed a class action lawsuit in the District Court for the Central District of California alleging that T.J. Maxx unlawfully shared customer data with a computer software firm without informing consumers or obtaining their consent, as required by the CCPA. Shadi Hayden v. Retail Equation et al., No. 20-cv-01203 (C.D. Cal. July 07, 2020). T.J. Maxx is one of twelve retail companies involved in the class action litigation because it uses “Retail Equation,” which collects customer data to create “risk scores” to identify potentially fraudulent customer returns. This allegedly includes T.J. Maxx collecting data on what a customer buys, the locations where a customer buys and exchanges merchandise, and what form of payment a consumer uses. The complaint alleged this practice violated the CCPA, among other privacy and consumer protection laws.
In November 2020 T.J. Maxx moved to dismiss the lawsuit and compel arbitration. In its motion to dismiss, T.J. Maxx argued that Plaintiff’s claims misconstrued the narrow private right of action provision in the CCPA. Specifically, T.J. Maxx argued that the CCPA’s private suit provision is only applicable when businesses suffer cyber-attacks or other breaches that expose sensitive customer data, but is inapplicable in this case because T.J. Maxx voluntarily gave customer data to Retail Equation. Additionally, T.J. Maxx filed a motion to compel arbitration, which was based on a provision in T.J Maxx’s terms of service that customers purportedly agree to while online shopping.
A hearing has been scheduled on the motions pending before the court for March 19, 2021. Stay tuned to find out how the court rules on the scope of the CCPA’s private right of action and whether Plaintiffs must arbitrate their claims.