Companies that do business in California know that it is a magnet for class action litigation. The California Consumer Privacy Act ("CCPA"), a new privacy law that applies to data collected about California residents, will give plaintiffs’ attorneys even more incentive to bring suit in California.
The CCPA was enacted in early 2018 as a political compromise to stave off a poorly drafted ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”). To help address that confusion, BCLP is publishing a multi-part series to address the most frequently asked litigation-related questions concerning the CCPA. BCLP is also working with clients to assess – and mitigate – litigation risks for when the CCPA goes into effect by putting in place the policies, procedures, and protocols needed to comply with the Act.
Q. Does the CCPA allow an individual whose IP address is compromised through a data breach to recover statutory damages?
Section 1798.150(a)(1) allows “[a]ny consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure” to recover statutory damages and other nonmonetary relief if they can show the access, exfiltration, theft, or disclosure resulted from the “business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information….”1
Elsewhere in the Act, “personal information” is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”2 While the Act provides a list of examples of personal information – which explicitly includes “Internet Protocol Address” – it qualifies the examples by stating that they fall within the definition of personal information only if they identify, relate to, describe, are “capable of being associated with,” or “could be reasonably linked” with a particular person.3
While the Act generally includes IP addresses within the definition of “personal information,” the statutory damages provision relies upon the much narrower definition of “personal information” set forth in Civil Code section 1798.81.5(d)(1)(A). That section states:
(1) “Personal information” means either of the following:
(A) An individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
(i) Social security number.
(ii) Driver’s license number or California identification card number.
(iii) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(iv) Medical information.
(v) Health insurance information.4
Thus, although the CCPA may generally regulate the privacy of consumers’ IP addresses, the statutory damages provision appears to expressly exclude a cause of action based on unauthorized access, exfiltration, theft, or disclosure of an IP address.