California Judge Dismisses CCPA Claim in Absence of Alleged Security Breach

On February 2, 2021, a California magistrate judge dismissed claims against a defendant tech company based on alleged violations of the California Consumer Privacy Act (CCPA) because the plaintiff admittedly failed to allege a security breach. The case involves allegations that the defendant purportedly used an internal program to monitor and collect sensitive personal data from smartphone users when these users accessed apps owned by other companies. The personal data allegedly collected includes when and how often these apps are used and the amount of time a user spends on the apps. The plaintiff raised CCPA, unfair competition law (UCL), and breach of contract claims, alleging that the defendant's privacy policy allegedly does not adequately disclose its practices or seek consent to monitor, collect, or use smartphone users' personal data while using other companies' apps. Based on these allegations, the plaintiff filed a class action complaint on August 5, 2020, and the defendant responded with a motion to dismiss on September 30, 2020. Last week, the judge dismissed the CCPA claim and partially dismissed the UCL claim to the extent it was based on an alleged CCPA violation because a security breach was not alleged in the case. The CCPA confers a private right of action under Section 1798.150(a) if a business fails to maintain reasonable security procedures and practices and there is a security breach. The law specifically states, in relevant part, "[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law." Cal. Civ. Code § 1798.150(c). Although the statute expressly precludes filing a lawsuit based on a CCPA violation not related to a security breach, it is anticipated that plaintiffs may attempt to circumvent this requirement by alleging the underlying CCPA violation under the UCL instead. Notably, the judge in this case rejected plaintiff's attempt to do so, which casts doubt regarding the viability of this approach. A link to the ruling is available here. Click here to learn more about recently filed cases under the CCPA.