Federal Court Holds Defendant’s Purported Compliance With The CCPA is Not a Shield for Other Privacy Claims
In a significant ruling, the Northern District of California recently denied in part a defendant’s motion to dismiss a complaint alleging violations of various consumer privacy statutes. It found that an affirmative defense of compliance with one privacy statute, the California Consumer Privacy Act (“CCPA”), did not shield defendant from liability for alleged violations of other state laws.
First, the facts. In Brooks v. Thomson Reuters Corp., No. 21-cv-01418-EMC, 2021 U.S. Dist. LEXIS 154093 (N.D. Cal. Aug. 16, 2021), Plaintiffs alleged that defendant Thomson Reuters aggregated publically-available information about millions of individuals, in addition to pulling information from third-party brokers, to create “dossiers” that it sells through an online platform called CLEAR. Plaintiffs were two individuals who claimed that defendant was selling their personal information through CLEAR without their consent; one plaintiff also claimed that his CLEAR profile included inaccurate information. Plaintiffs alleged violations of the California common law right of publicity, the California Unfair Competition Law (“UCL”), and brought claims for unjust enrichment and injunctive relief.
After removing the action to state court, defendant filed the motion to dismiss. One of its primary defenses was that its conduct was not “unfair” under the UCL because such conduct was permitted under the CCPA, which provides that a consumer has an opt-out right to “direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information.” As defendant interpreted this language, it was permitted to sell plaintiffs’ information so long as it provided plaintiffs a mechanism to opt out of the sale.
The Court disagreed, pointing to the statutory intent of the CCPA, which provided that the law was not intended to curtail other privacy statutes and should be interpreted to allow the greatest privacy protections possible. Following this reading, the Court observed that the fact that defendant provided an opt-out mechanism did not necessarily mean that its conduct was fair. It also observed that there was a question of fact as to whether CLEAR’s opt-out mechanism was “reasonably accessible” and “clear and conspicuous” to consumers in the manner required by the CCPA, based on the allegations in the Complaint.
On this basis, the Court proceeded to consider plaintiffs’ UCL claim, and found that plaintiffs had sufficiently stated a claim under the UCL. It also allowed plaintiffs’ remaining claims to survive defendant’s motion to dismiss.
Readers should take note that—while creative—simply claiming compliance with one privacy statute may not serve as a shield against other consumer privacy claims. Also noteworthy is the Court’s broad interpretation of the privacy laws at issue to allow for the greatest possible consumer protections.