
Class-action case against Ring may test CCPA’s private right of action

Elizabeth Casale, Luke Sosnicki | February 24, 2020

On February 18, 2020, a putative class of consumers who purchased Ring’s video-surveillance cameras filed a class-action complaint against the company in federal court in the Central District of California. The named plaintiff, a resident of Seattle, alleges (among other things) that his right to privacy was violated because Ring’s “wholly inadequate security measures” have put him at an increased risk of “unauthorized third-party access” to his personal information.

Many of the allegations mirror those made in lawsuits previously filed against Ring in the same court in late December 2019 and early January 2020. But unlike the prior lawsuits, the more recent complaint pleads a cause of action under the new California Consumer Privacy Act (CCPA). The complaint alleges that plaintiffs were entitled to a CCPA notice informing them what information Ring was collecting and how it would be used—a notice that Ring allegedly failed to provide. For this alleged omission, the complaint seeks injunctive relief, as well as “actual, punitive, and statutory” damages under the CCPA.

In addition to certain arguments often raised as defenses in data-privacy cases (including Article III standing), the case may lead to what could be the first judicial interpretation of the CCPA’s private right of action.

If the case does get to an adjudication on the plaintiff’s CCPA claim, two key issues may be litigated for the first time.

First, the CCPA’s private right of action is currently limited to data breaches. Specifically, only a consumer whose unencrypted information is “subject to an unauthorized access and exfiltration, theft, or disclosure” may sue. Other alleged violations of the CCPA, including the requirement to provide proper notices, are enforceable by California’s Attorney General, but not by private litigants. The complaint as drafted does not explain why a failure to provide a proper notice would be privately actionable under the CCPA.

Second, Ring may well seek to compel arbitration based on its terms of use. If it does so, another issue that is likely to be litigated is the following provision in the CCPA, which the plaintiff may argue on its face invalidates arbitration provisions as to CCPA claims:

Any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer’s rights under this title, including, but not limited to, any right to a remedy or means of enforcement, shall be deemed contrary to public policy and shall be void and unenforceable.

If Ring elects to pursue arbitration, the plaintiff may argue that the applicable arbitration agreement cannot apply to any claims made under the CCPA.

But it is unclear whether the provision itself passes muster under the Federal Arbitration Act (FAA) and established U.S. Supreme Court precedent. Indeed, in a recent decision, Judge Kimberly Mueller of the Eastern District of California entered a preliminary injunction relating to another California statute, AB 51, which sought to ban employers from mandating arbitration agreements as a condition of employment. Judge Mueller held (among other things) that the plaintiffs had carried their burden of showing that the FAA likely preempts AB 51, which is state law, because AB 51 places arbitration agreements on unequal footing with other contracts and because AB 51 interferes with the FAA’s goal of promoting arbitration as a means to resolve disputes. A similar challenge to the CCPA’s anti-arbitration provision may be forthcoming, with possibly similar results.

Given the novel issues involved, all entities subject to the CCPA may want to watch this case closely.

Luke Sosnicki is a Los Angeles partner in Thompson Coburn’s Business Litigation group who has written and spoken extensively about the California Consumer Privacy Act (CCPA). Jim Shreve is the chair of Thompson Coburn's Cybersecurity group. Libby Casale is an associate in Thompson Coburn’s Business Litigation group and holds CIPP/US certification.

The Supreme Court of Illinois does not recognize certifications of specialties in the practice of law, and the CIPP/US certificate is not a requirement to practice law in Illinois.