Back to the Library
With the close of the California state legislative session on Sept. 14, 2019, the final shape of the California Consumer Privacy Act (CCPA)—which is set to take effect on Jan. 1, 2020—came into focus. The most recent amendments included carve-outs for business-to-business contracts and employee records, though both sunset after a year. While the statutory language is settled for now, many questions remain about how it will be enforced. The Attorney General has issued proposed regulations clarifying some of this uncertainty. However, one issue that may be left for future judicial interpretation is the interplay between the CCPA and California’s preexisting consumer protection statutes such as the Unfair Competition Law (UCL) and the Consumer Legal Remedies Act (CLRA). As discussed below, the CCPA contains an explicit prohibition, along with implicit safe harbors, likely to limit certain UCL and/or CLRA claims related to the use or disclosure of information subject to the CCPA.
The CCPA Likely Bars Derivative UCL Claims
The CCPA provides for enforcement by the Attorney General, but §1798.150(a) creates a private right of action for consumers whose personal information “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.” Despite several legislative attempts to broaden the private right of action—which were supported by California’s Attorney general—it is currently limited to “violations as defined in subdivision (a),” precluding CCPA claims related to violations of other statutory provisions. (Notably, the CCPA contains no express provision permitting attorney fees for prosecution of claims under §1798.150, though plaintiffs’ attorneys may argue that such fees should be awarded as “other relief the court deems proper” (§1798.150(a)(1)(C)), or pursuant to the private attorney general attorney fee statute, CCP §1021.5.)
Given the narrow private right of action in the CCPA, consumers may seek an indirect route to CCPA liability under the “unlawful” prong of the UCL, which prohibits business practices that violate another law. However, §1798.150(c) of the CCPA states that “[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.” While California courts have held that the absence of a statutory private right of action does not preclude derivative UCL liability, a plaintiff may not “plead around an absolute bar to relief simply by recasting the cause of action as one for unfair competition.” Cel-Tech Commc’ns v. Los Angeles Cellular Tel. Co., 20 Cal. 4th 163, 182 (1999) (emphasis added). In other words, statutes that explicitly preclude private rights of action cannot be enforced through the UCL. For this reason, courts have rejected UCL “unlawful” claims where, for example, the predicate statute expressly exempted the defendants from liability for the alleged violation at issue, or stated that it was “not intended to create new civil causes of action.” Hobby Indus. Assn. of Am. v. Younger, 101 Cal. App. 3d 358, 370 (1980); LegalForce RAPC Worldwide P.C. v. UpCounsel, No. 18-02573, 2019 WL 160335, at *16 (N.D. Cal. Jan. 10, 2019). The CCPA’s admonition that the statute not be interpreted to “serve as the basis for a private right of action under any other law” is a strong basis on which a court could preclude UCL claims based on the same rationale.
Separate and apart from the statutory bar, consumers may lack standing to seek redress under the UCL for violations of the CCPA. This is because the UCL requires proof that a plaintiff “has lost money or property as a result of the unfair competition” (Cal. Bus. & Prof. Code §17204), and a plaintiff may need to allege something more than, for example, the unlawful collection or sale of her personal information to satisfy this requirement.
The CCPA May Provide ‘Safe Harbor’ Protections Against Other Consumer Protection Claims
Even assuming a bar against UCL “unlawful” claims based on express CCPA violations, consumers may assert UCL or CLRA claims based on allegedly unfair or deceptive conduct related to the collection, sale, or disclosure of personal information when such conduct does not directly violate the CCPA. In those cases, compliance with the CCPA could defeat UCL or CLRA claims that implicate conduct permitted by the CCPA or its implementing regulations, since the California Supreme Court has held that “[w]hen specific legislation provides a ‘safe harbor,’ plaintiffs may not use the general unfair competition law to assault that harbor.” Cel-Tech Commc’ns, 20 Cal. 4th at 182; see also Alvarez v. Chevron, 656 F.3d 925, 934 (9th Cir. 2011) (safe harbor provisions of California regulations prohibited CLRA claim). For example, a UCL or CLRA claim related to a business’ allegedly deceptive sale of consumers’ personal information to third parties may be barred by the business’s provision of a “clear and conspicuous” opt-out link on its Internet homepage in compliance with CCPA §1798.135(a). Additionally, a UCL or CLRA claim related to a business’ practice of charging more to consumers who prohibit that business from selling their personal information may be precluded if the difference is “reasonably related to the value provided to the business by the consumer’s data,” as permitted by CCPA §1798.125.
Thus, while the CCPA imposes new and arguably stringent requirements for businesses handling personal information, compliance with those requirements could provide protection against UCL and CLRA lawsuits regarding the allegedly deceptive treatment of consumers’ personal information.
Reprinted with permission from the November 5 issue of The Recorder. ©  ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved. The original article can be viewed here.