Although the California Consumer Privacy Act (CCPA) specifically precludes private lawsuits except for those resulting from certain data breaches, that has not stopped at least one plaintiff from bringing a putative class action based on an alleged CCPA violation.
A proposed class action was filed on February 27, 2020, in the Southern District of California against Clearview AI (Burke v. Clearview AI, Inc., S.D. Cal., No. 3:20-cv-00370-BAS-MSB). The complaint alleges that Clearview’s facial recognition technology – which scrapes, without notice or consent, social media websites for images of consumers’ faces – violates, among other laws, both the CCPA and the Illinois Biometric Information Privacy Act (BIPA). According to the complaint, Clearview’s facial recognition software uses the billions of scraped images in its database to generate a type of biometric information, known as a “faceprint,” to match a face to other personally identifiable information; it then sells access to the faceprint database to law enforcement agencies and private companies. The complaint charges that Clearview improperly collected personal information without properly notifying consumers.
The Clearview app was profiled recently in The New York Times for offering a groundbreaking solution to identifying individuals. Within the app, the user uploads a picture of a person and is then able to see “public” images of the person, along with links to where those photos appeared. According to the profile, over 600 different law enforcement agencies have started to use the app to help identify criminals and solve crimes, and the company has also licensed its technology to companies for security purposes. While these uses may lead one to believe that the app has an altruistic purpose, it is important to see how it could also be used for less laudatory purposes, for example, to identify an attractive woman in the grocery store or to help determine who is boarding a flight – to learn that person’s home may be unoccupied.
While this lawsuit was only recently filed and Clearview has not yet responded formally, the company’s CEO, Hoan Ton-That, has publicly stated that the company has a First Amendment right to scrape these images since they are “publicly available,” and therefore the scraping is not a privacy violation. While the theory has not yet been tested on a privacy basis, the argument could turn on whether the images found online are actually “public information,” which could be an uphill battle for the company since the images were scraped from social media platforms, giving rise to an interesting consideration as to whether these images are protected speech. Even in the event this activity is deemed to be protected by the First Amendment, it would seem that privacy laws may prevent Clearview’s next action, which, according to the complaint, was creating a database of “faceprints” based on the images and combining it with other personally identifiable information that the company finds online, and profiting by selling access to that database.
The complaint in Burke alleges violations of CCPA and BIPA. Under the CCPA, which went into effect on January 1, 2020, a business must inform consumers “at or before the point of collection” about the categories of personal information – including biometric information – collected and the purposes for which it will be used, and may not collect additional categories or use the personal information already collected for additional purposes without providing consumers with notice. Under BIPA, which has been around since 2008, a company may not collect a consumer’s biometric identifier (which includes face geometry) unless it has first informed the consumer about the collection, purpose, and use of the identifier and has received written consent from the consumer. It will be interesting to see how Clearview defends the “collection” of the images via its scraping.
While BIPA provides a private right of action for any person aggrieved by a violation of the statute, the CCPA limits its private right of action to breaches of unencrypted personal information; notice, collection, and use violations may only be enforced by the California attorney general. Due to that enforcement provision, the complaint frames CCPA violations as violations of California’s Unfair Competition Law (UCL) (Cal. Bus. & Prof. Code sections 17200 et seq.), which prohibits business practices that violate other laws.
Although the CCPA limits private rights of action to data breaches, it is unsurprising that creative attorneys are trying to use the UCL as a backdoor to assert CCPA violations. The language of the CCPA attempted to avoid this, as section 1798.150(c) includes the statement that “Nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law.” See Cal. Civ. Code section 1798.150(c). Further, the current enforcement limitations may act as an absolute bar to relief under current California precedent. See, e.g., Cel-Tech Communications, Inc. v. Los Angeles Cellular Telephone Co., 20 Cal. 4th 163, 182 (1999) (statutes containing “absolute bar” to relief may not be recast as UCL violations). For now, however, these provisions are untested. Until clear precedent confirms that the UCL also precludes a CCPA-based private right of action, businesses that are not properly disclosing, collecting, or using personal information as required by the CCPA should be aware that expensive and disruptive private litigation is a possibility. Moreover, the California attorney general has advocated for a CCPA amendment permitting a more expansive private right of action, and the legislature may eventually permit such suits as well.
Practical tips for businesses
While this may be an early CCPA class action effort, it joins hundreds of BIPA lawsuits that have already been or are currently being litigated. The following practical guidance will help businesses stay on the right side of both CCPA and BIPA.
- Understand your data – Know what information you collect and whether any of the information constitutes personal information under applicable laws. Be wary of how you collect the information, including whether your collection may violate another company’s rules. Understand how you use the information you collect, especially if your business uses any sensitive consumer data, like biometric identifiers, as certain laws may limit your use.
- Provide disclosures – Ensure your business is aware of and in compliance with any and all disclosure requirements. Both the CCPA and BIPA demand clear disclosures to consumers at the point of collection that explain what personal information will be collected and how such personal information will be used. In the CCPA’s case, businesses must also disclose the categories of third parties to whom the information is disclosed or sold. BIPA has a wholesale prohibition on the sale of a person’s biometric personal information and only allows disclosure to another party with consent from the subject of the information.
- Obtain consent where required – Some laws, like BIPA, require consent for the collection and use of personal information. Especially when dealing with sensitive personal information, such as biometric identifiers or children’s information, it is important to understand and obtain appropriate consent.