First-Ever CCPA Cause of Action Filed in a Federal Court, but Is This Class Claim Short-Lived?

Although it may not seem like it, there are privacy-related issues to discuss beyond COVID-19.   Before the state of emergency, we saw the first complaint under the California Consumer Privacy Act (CCPA) filed in a California federal court.  This action, styled as Fuentes v. Sunshine Behavioral Health Group, LLC, Case No. 8:20-cv-00487 (C.D. Cal. March 10, 2020), arose from a data breach, which allegedly exposed highly sensitive personal and medical information of thousands of patients of Sunshine Behavioral Health Group (“Sunshine”).  We have been closely tracking all CCPA-related developments, so we expected a lawsuit of this type to be filed by March or sooner.  What is surprising is that this is the only known CCPA class action to date.  And, as discussed below, this particular claim may not survive for long, though more cases will surely follow.  

Last month, we reported here on the first-of-its-kind California class action, Barnes v. Hanna Andersson, LLC, which relied on the CCPA to form a basis for a claim under another California statute, Unfair Competition Law (“UCL”).  The Barnes matter, however, did not expressly assert a CCPA cause of action but merely cited its violations.  This means that Fuentes, which affirmatively pleads a direct claim for violation of the CCPA, is the first class action to directly allege an actual cause of action for violations of the CCPA.  


The Fuentes complaint was filed on March 10th by Hector Fuentes, a Pennsylvania resident, who was briefly a patient of Sunshine.  The complaint alleges that his personal and medical information was collected and stored on Sunshine’s computer systems.  As alleged, Sunshine operates drug and alcohol rehabilitation facilities in California, Colorado, and Texas.  According to the facts in the complaint, Sunshine reportedly learned that it was experiencing a data breach, which may have begun in 2017, and which was continuously exposing highly personal and medical information (including credit card numbers, Social Security numbers, insurance policy numbers, medical information, and other information).  The data was viewable online, searchable and was reportedly ultimately exfiltrated.  Despite allegedly learning of this breach on September 4, 2019, Sunshine did not notify any affected individuals until January of 2020.

Damages and Standing

The key issues in most privacy class actions have typically centered on damages and standing.  Unlike some other laws, CCPA does provide for statutory damages of $100 to $750 per violation.  Even in cases involving a smaller number of data-breach victims, penalties can still be lucrative enough, notwithstanding the smaller class size.  

Mr. Fuentes’s complaint was safe-proofed to include many typical types of theoretical and concrete harms that could befall a victim of a data breach.  For example, Mr. Fuentes pleads an increased risk and fear of identity theft, a fraudulent attempt to open a credit card in his name, unauthorized paid magazine subscriptions he received after the breach, and over 10 hours of his personal time spent on post-remedial measures.  

Standing is the reason behind these allegations.  Without asserting concrete and particularized damages, a class action complaint is more vulnerable to attacks on standing grounds.  A class representative must typically plead an actual injury, as opposed to theoretical damages.  The CCPA, however, expressly provides for set statutory damages if no actual damages exist (or if actual damages are low).

Plaintiff’s Claims

The 47-page complaint stems from a data breach, which allegedly occurred in 2017 and was discovered in 2019.  It resulted in the exposure of medical and personal information of approximately 3,500 California patients of Sunshine.  In addition to the CCPA cause of action, it pleads a myriad of other causes of action including (1) negligence and negligence per se, (2) multiple contract- and unjust enrichment-type claims, (3) violations of the UCL, (4) violations of the California Consumer Records Act, (5) violations of California’s Confidentiality of Medical Information Act (“CMIA”), (6) violations of Pennsylvania’s Unfair Trade Practices Act (for the “Pennsylvania Sub-Class”), and (7) injunctive relief.  

The CCPA cause of action is neither remarkably long, nor very detailed.  In just five short paragraphs, Mr. Fuentes pleaded this claim as an alternative to the CMIA and on behalf of the “California Sub-Class.”  He asserted that Sunshine allowed “the nonencrypted and nonredacted Personal and Medical Information of Plaintiff and Class members to [be subject to] unauthorized access and exfiltration, theft, or disclosure,” breaching “its duty to implement and maintain reasonable security procedures and practices.”  Mr. Fuentes also pleaded his own compliance with the notice-and-cure provisions, which is a pre-filing requirement to a CCPA class action.  See Compl. ¶¶ 211-213.  On behalf of the California Sub-Class, he then requested injunctive relief, damages, and fees.

Will This Claim Survive?

Despite being the first, we do not see this CCPA class claim being long-lasting, for many reasons.  First and foremost, Mr. Fuentes is currently the only named plaintiff, and he is not a California resident.  While some commentators and law firms have already written about the Fuentes complaint, no one seems to have picked up on the critical fact that this particular CCPA claim is a three-legged stool, with one missing leg.  There are three potentially fatal defects with respect to (1) standing, (2) notice, and (3) timeliness. 

Most fundamentally, the CCPA does not protect non-California residents.  As such, Mr. Fuentes, who admittedly resides in Pennsylvania, arguably has no standing to even bring this claim.  While he undoubtedly will be urgently attempting to obtain pre-certification discovery of the class list, California courts do not routinely sanction such fishing expeditions.  Indeed, the Ninth Circuit recently spoke against this very practice.  See In re Williams-Sonoma, Inc., 947 F3d 540, 540 (9th Cir 2020) (citing Oppenheimer Fund, Inc. v. Sanders, 437 U.S. 340, 350-53 (1978)) (noting that the U.S. Supreme Court “has determined that seeking discovery of the name of a class member . . . is not relevant within the meaning of” Rule 26(b)(1)).  

Additionally, even if Mr. Fuentes successfully tracks down California residents to join him in this lawsuit, the CCPA claim still fails because Sunshine did not receive the required timely notice and an opportunity to cure from those residents before this lawsuit was filed.  A strong argument exists, moreover, that Mr. Fuentes’s notice (even if it fully complied with all the pre-filing requirements) does not constitute proper notice because of his non-resident status. The notice provided by Plaintiff was arguably defective insofar as he himself did not suffer a violation of the CCPA, and no cure is or was ever feasible as to him under the CCPA.  And now that the complaint is already filed, it is likely too late for any later-added named plaintiffs to provide their own notice to Sunshine because the notice must be given before the case is filed.    

Finally, there is a strong argument that the CCPA should not apply retroactively to breaches that occurred before the CCPA’s effective date of January 1, 2020, regardless of the fact that this was reported after January 1, 2020.    

As such, we do not see this class action lawsuit as a trend-setter for future cases.  We anticipate that it will either be promptly settled or quickly dismissed with respect to the CCPA cause of action, and without the court having to adjudicate any of the complexities or ambiguities of the CCPA.  We will continue to actively monitor other cases and filings, which may be better candidates for raising hotly debated and unresolved CCPA issues.  

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.