Avoiding the California Privacy and Security Litigation Tsunami: CCPA FAQ: Can a company be sued under the CCPA for using behavioral advertising?

February 27, 2019

Many companies, such as online retailers and social media websites, participate in “behavioral advertising.”  To participate in the network, the company places code on its website that permits a third party (the behavioral advertising network) to either (1) place tracking technology (e.g., a cookie) on the computer of people who visit the website, or (2) receive information that the visitor’s computer transmits to the website that the visitor intends to visit.  The third party behavioral advertising network then collects and aggregates the information in order to monitor a consumer (or at least the consumer’s computer) across all of the websites that participate in the network and to build a profile from which the behavioral advertising provider can discern characteristics about the consumer to help deliver targeted advertising.

The Law Before The CCPABefore the California CCPA was enacted, a company could be sued for using behavioral advertising if it failed to disclose to the consumer that it was collecting and disseminating the consumer’s information to third-parties, or if its privacy policy otherwise misled the consumer into believing the information was not being shared.  Plaintiffs have pursued such actions under the California Unfair Competition Law (“UCL”) or the California Consumer Legal Remedies Act (“CLRA”).  The biggest hurdle for Plaintiffs in pursuing these actions under the UCL or the CLRA was often establishing a monetary injury as a result of the dissemination of the information, in order to establish standing under either statute.

For example, in In Re Facebook Privacy Litigation, a class of Facebook users brought an action against Facebook for sharing their personal information with third-party advertisers without the users’ knowledge or consent and in violation of Facebook’s own privacy policy.  The Court dismissed both the UCL and CLRA claims with prejudice:

To assert a UCL claim, a private plaintiff needs to have suffered injury in fact and ... lost money or property as a result of the unfair competition. A plaintiff's ‘personal information’ does not constitute property under the UCL.

Here, Plaintiffs do not allege that they lost money as a result of Defendant's conduct. Instead, Plaintiffs allege that Defendant unlawfully shared their ‘personally identifiable information’ with third-party advertisers. (Complaint ¶¶ 1–3.) However, personal information does not constitute property for purposes of a UCL claim.

Plaintiffs do not allege that they paid fees for Defendant's services. Instead, they allege that they used Defendant's services ‘free of charge.’ (Complaint ¶ 12.) Because Plaintiffs allege that they received Defendant's services for free, as a matter of law, Plaintiffs cannot state a UCL claim under their own allegations.1

The Court dismissed the CLRA claim for similar reasons – finding Plaintiffs did not qualify as “consumers” under that statute because they did not “‘purchase[] or lease[] any goods or services,’” but instead, received Facebook’s services for free.2

In contrast to the Facebook case, courts in California have upheld UCL and CLRA claims alleging that plaintiffs did not consent to the sharing of their data with advertisers where the plaintiffs alleged (i) they paid for the goods or services used, and (ii) would have paid less for them had they known their information was being shared. 

Thus, before the CCPA, a plaintiff (or group of plaintiffs) could allege state law claims related to behavioral advertising, if they alleged the defendant failed to disclose or otherwise deceived the plaintiff(s) into believing their information would not be shared, and the plaintiff suffered some monetary harm in connection with the purchase of a good or service.  

The CCPA’s Impact On Lawsuits Concerning Behavioral Advertising. The CCPA requires that a business that “sells” personal information disclose within its privacy policy a “list of the categories of personal information it has sold about consumers in the preceding 12 months."The CCPA broadly defines the term “sell” as including the act of “disclosing” or “making available” personal information “for monetary or other valuable consideration."4  “Personal information” is also defined broadly as including any information that “could reasonably be linked, directly or indirectly, with a particular consumer or household” such as, in certain instances, IP addresses, unique online identifiers, browsing history, search history and “information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.”5

While the definition of “sale” under the CCPA contains an exception for situations in which information is shared with a service provider, the exception may not apply to behavioral advertising networks.  Specifically, the service provider exception requires that three conditions be present: First, the transfer of information to the service provider must be “necessary” for the website’s business purpose.6  While the facilitation of targeted advertising may be desirable, it is questionable whether a court would view targeted advertising as a necessity.  Second, the transfer of the information to the service provider must be disclosed to consumers.  Many websites arguably meet this requirement by disclosing their participation in behavioral advertising networks within their privacy policies.  Third, the agreement with a service provider must “prohibit” the service provider “from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract with the business.”7  As behavioral advertising networks typically retain the information that they obtain from websites within their network, and use that information for the benefit of themselves a plaintiff’s attorney is likely to argue that the contracts in-place between websites and advertising networks are insufficient to convert the advertising network into a “service provider.”

In order to mitigate the risk that permitting behavioral advertising networks to deploy cookies on a website will be interpreted as a “sale” of information, a website has two main options:

  • Ask for consent. The CCPA excepts from the definition of “sale” the situation where a “consumer uses or directs the business to intentionally disclose personal information.”8  As a result, if a website deploys a cookie banner, and a consumer agrees or “opts-in” to the use of tracking cookies, the website arguably has not “sold” information to behavioral advertisers.
  • Disclose the sale of information and offer opt-out. If opt-in consent is not obtained, a website could disclose within its privacy policy that it is “selling” information (as that term is defined within the CCPA) to behavioral advertising networks.  Note, however, that if a company sells personal information, the CCPA requires that the company provide a “Do Not Sell My Personal Information” link on its homepage, and honor requests to opt-out from such sales.9

If the company fails to request consent or adequately disclose the sale of information, plaintiffs may seek to pursue causes of action against the company under the CCPA.  However, the CCPA itself provides a private right of action only in the narrow circumstance of a data breach.  Section 1798.150 provides for statutory damages where a “consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to unauthorized access and exfiltration, theft, or disclosure.”  It does not provide for statutory damages for a company’s failure to disclose that it shares a consumer’s information with a third-party advertiser.  

Moreover, the statutory damages section expressly states: “Nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law.” In other words, while the CCPA provides stricter requirements on companies to disclose that they are disseminating user’s information to third-parties, it does not itself appear to create a cause of action for failure to satisfy these requirements under the “unlawfulness” prong of the UCL or any other state law.10 

Nevertheless, the CCPA makes clear that it does not “relieve any party from any duties or obligations imposed under other law or the United States or California Constitution.”11  Thus, the case law under the UCL and CLRA that pre-dates the CCPA remains good law. 

The CCPA merely imposes additional restrictions on companies’ privacy policies, while not relieving companies of any liability under the UCL or CLRA for failure to adequately implement such policies.  To the extent that a class of plaintiffs can allege actual monetary harm (as a result of, for example, overpayment of a good or a service), then they would continue to be able to bring UCL and CLRA causes of actions against companies that fail to properly disclose the transmission of consumers’ information to third-parties for advertisement purposes.  This is all the more reason for companies to either (i) request consent of a user before transmitting his or her information to advertisers; or (ii) disclose the transmittal as a “sale” of information and provide the opportunity to opt out. 

Proposed Legislation Amending The CCPA.  While the CCPA itself merely leaves existing law intact, and does not itself create a private right of action for disseminating consumers’ information to third-parties, proposed legislation may change this.  State Senate Bill 561, backed by California Attorney General Xavier Becerra, expands the CCPA’s private right of action to all of the CCPA’s privacy protections – including those concerning sale of information to third-party advertisers.  If passed, the amended CCPA would create a new statutory basis for plaintiffs to sue for the unauthorized dissemination of their personal information to advertisers.    

Conclusion.  In sum, the CCPA, as enacted, provides additional restrictions on companies that use behavioral advertising, but does not provide a separate private action for plaintiffs to sue for violation of these restrictions.  The CCPA also does not do away with current law under the UCL and CLRA, which permits claims concerning behavioral advertising, if the defendant failed to disclose or otherwise deceived the plaintiff(s) into believing their information would not be shared, and the plaintiff suffered some monetary harm in connection with the purchase of a good or service.  If passed, a proposed amendment to the CCPA, backed by the California Attorney General, would markedly change this landscape – providing an additional statutory basis to sue for violation of the CCPA’s regulations concerning sale of information to third-parties.  


1. In re Facebook Privacy Litig., 791 F. Supp. 2d 705, 714–15 (N.D. Cal. 2011), aff'd, 572 F. App'x 494 (9th Cir. 2014) (citations and internal quotation marks omitted).

2. Id. at 717.

3. CCPA, § 1798.130(A)(5)(C)(i). 

4. CCPA Section 1798.140(t)(1).

5. CCPA, Section 1798.140(o)(1)(A), (F).

6. CCPA, Section 1798.t)(2)(C).

7. CCPA, Section 1798.140(t)(2)(C)(ii), (v).

8. CCPA, Section 1798.140(t)(2)(A). 

9. CCPA, Section 1798.135(a)(1).

10. Id. 

11. Id.