Many companies, such as online retailers and social media websites, participate in “behavioral advertising.” To participate in the network, the company places code on its website that permits a third party (the behavioral advertising network) to either (1) place tracking technology (e.g., a cookie) on the computer of people who visit the website, or (2) receive information that the visitor’s computer transmits to the website that the visitor intends to visit. The third party behavioral advertising network then collects and aggregates the information in order to monitor a consumer (or at least the consumer’s computer) across all of the websites that participate in the network and to build a profile from which the behavioral advertising provider can discern characteristics about the consumer to help deliver targeted advertising.
To assert a UCL claim, a private plaintiff needs to have suffered injury in fact and ... lost money or property as a result of the unfair competition. A plaintiff's ‘personal information’ does not constitute property under the UCL.
Here, Plaintiffs do not allege that they lost money as a result of Defendant's conduct. Instead, Plaintiffs allege that Defendant unlawfully shared their ‘personally identifiable information’ with third-party advertisers. (Complaint ¶¶ 1–3.) However, personal information does not constitute property for purposes of a UCL claim.
Plaintiffs do not allege that they paid fees for Defendant's services. Instead, they allege that they used Defendant's services ‘free of charge.’ (Complaint ¶ 12.) Because Plaintiffs allege that they received Defendant's services for free, as a matter of law, Plaintiffs cannot state a UCL claim under their own allegations.1
The Court dismissed the CLRA claim for similar reasons – finding Plaintiffs did not qualify as “consumers” under that statute because they did not “‘purchase or lease any goods or services,’” but instead, received Facebook’s services for free.2
In contrast to the Facebook case, courts in California have upheld UCL and CLRA claims alleging that plaintiffs did not consent to the sharing of their data with advertisers where the plaintiffs alleged (i) they paid for the goods or services used, and (ii) would have paid less for them had they known their information was being shared.
Thus, before the CCPA, a plaintiff (or group of plaintiffs) could allege state law claims related to behavioral advertising, if they alleged the defendant failed to disclose or otherwise deceived the plaintiff(s) into believing their information would not be shared, and the plaintiff suffered some monetary harm in connection with the purchase of a good or service.
While the definition of “sale” under the CCPA contains an exception for situations in which information is shared with a service provider, the exception may not apply to behavioral advertising networks. Specifically, the service provider exception requires that three conditions be present: First, the transfer of information to the service provider must be “necessary” for the website’s business purpose.6 While the facilitation of targeted advertising may be desirable, it is questionable whether a court would view targeted advertising as a necessity. Second, the transfer of the information to the service provider must be disclosed to consumers. Many websites arguably meet this requirement by disclosing their participation in behavioral advertising networks within their privacy policies. Third, the agreement with a service provider must “prohibit” the service provider “from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract with the business.”7 As behavioral advertising networks typically retain the information that they obtain from websites within their network, and use that information for the benefit of themselves a plaintiff’s attorney is likely to argue that the contracts in-place between websites and advertising networks are insufficient to convert the advertising network into a “service provider.”
In order to mitigate the risk that permitting behavioral advertising networks to deploy cookies on a website will be interpreted as a “sale” of information, a website has two main options:
If the company fails to request consent or adequately disclose the sale of information, plaintiffs may seek to pursue causes of action against the company under the CCPA. However, the CCPA itself provides a private right of action only in the narrow circumstance of a data breach. Section 1798.150 provides for statutory damages where a “consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure.” It does not provide for statutory damages for a company’s failure to disclose that it shares a consumer’s information with a third-party advertiser.
Moreover, the statutory damages section expressly states: “Nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law.” In other words, while the CCPA provides stricter requirements on companies to disclose that they are disseminating user’s information to third-parties, it does not itself appear to create a cause of action for failure to satisfy these requirements under the “unlawfulness” prong of the UCL or any other state law.10
Nevertheless, the CCPA makes clear that it does not “relieve any party from any duties or obligations imposed under other law or the United States or California Constitution.”11 Thus, the case law under the UCL and CLRA that pre-dates the CCPA remains good law.
The CCPA merely imposes additional restrictions on companies’ privacy policies, while not relieving companies of any liability under the UCL or CLRA for failure to adequately implement such policies. To the extent that a class of plaintiffs can allege actual monetary harm (as a result of, for example, overpayment of a good or a service), then they would continue to be able to bring UCL and CLRA causes of actions against companies that fail to properly disclose the transmission of consumers’ information to third-parties for advertisement purposes. This is all the more reason for companies to either (i) request consent of a user before transmitting his or her information to advertisers; or (ii) disclose the transmittal as a “sale” of information and provide the opportunity to opt out.
Proposed Legislation Amending The CCPA. While the CCPA itself merely leaves existing law intact, and does not itself create a private right of action for disseminating consumers’ information to third-parties, proposed legislation may change this. State Senate Bill 561, backed by California Attorney General Xavier Becerra, expands the CCPA’s private right of action to all of the CCPA’s privacy protections – including those concerning sale of information to third-party advertisers. If passed, the amended CCPA would create a new statutory basis for plaintiffs to sue for the unauthorized dissemination of their personal information to advertisers.
Conclusion. In sum, the CCPA, as enacted, provides additional restrictions on companies that use behavioral advertising, but does not provide a separate private action for plaintiffs to sue for violation of these restrictions. The CCPA also does not do away with current law under the UCL and CLRA, which permits claims concerning behavioral advertising, if the defendant failed to disclose or otherwise deceived the plaintiff(s) into believing their information would not be shared, and the plaintiff suffered some monetary harm in connection with the purchase of a good or service. If passed, a proposed amendment to the CCPA, backed by the California Attorney General, would markedly change this landscape – providing an additional statutory basis to sue for violation of the CCPA’s regulations concerning sale of information to third-parties.
1. In re Facebook Privacy Litig., 791 F. Supp. 2d 705, 714–15 (N.D. Cal. 2011), aff'd, 572 F. App'x 494 (9th Cir. 2014) (citations and internal quotation marks omitted).
2. Id. at 717.
3. CCPA, § 1798.130(A)(5)(C)(i).
4. CCPA Section 1798.140(t)(1).
5. CCPA, Section 1798.140(o)(1)(A), (F).
6. CCPA, Section 1798.t)(2)(C).
7. CCPA, Section 1798.140(t)(2)(C)(ii), (v).
8. CCPA, Section 1798.140(t)(2)(A).
9. CCPA, Section 1798.135(a)(1).