Companies that do business in California know that it is a magnet for class action litigation. The California Consumer Privacy Act ("CCPA"), a new privacy law that applies to data collected about California residents, will provide even more incentive to plaintiff’s attorneys to bring suit in California.
The CCPA was enacted in early 2018 as a political compromise to stave off a poorly drafted ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”). To help address that confusion, BCLP is publishing a multi-part series to address the most frequently asked litigation-related questions concerning the CCPA. BCLP is also working with clients to assess – and mitigate – litigation risks for when the CCPA goes into effect by putting in place the policies, procedures, and protocols needed to comply with the Act.
Q. Does the CCPA permit national class actions, or only state actions?
The CCPA applies only to information about a “consumer” – a term which is defined within the statute as including only “a natural person who is a California resident.”1 As a result, Plaintiffs’ lawyers pursuing class actions under the Act will be forced to narrow their actions to individuals residing in California, rather than out-of-state residents or legal entities affected by a data breach.
In comparison, the European GDPR is often misunderstood as only applying to data about European Union “citizens.” In reality the scope of the GDPR varies based, in part, on which of two jurisdictional “hooks” apply to a company.
The first jurisdictional hook is found within Article 3(1) which purports to apply the GDPR to the processing of personal data in the context of activities of any “establishment” of a controller or processor in the European Union. If the GDPR is triggered because a company is established in the European Union an argument could be made that the GDPR is intended to apply to the processing of data relating to all data subjects – regardless of whether they are citizens or residents of the European Union, the United States, or of another country. Such an interpretation would align with the European Commission’s statement that companies should respect the principles within the GDPR “whatever the nationality or residence” of a data subject.2
The second jurisdictional hook is found within Article 3(2) which purports to apply the GDPR to companies that are “not established in the Union” if they offer goods or services or monitor the behavior of “data subjects who are in the Union.” The term “data subjects who are in the Union” refers to individuals that are physically present in the European Union regardless of their citizenship, nationality, or long-term residence. As a result, it theoretically could apply to United States citizens studying in Europe, vacationing in Europe, or temporarily travelling through Europe.
The CCPA’s reach is, by definition, not as broad, providing some relief to companies facing a data breach with a national impact.