Subject to certain exceptions, the California Consumer Privacy Act (CCPA) provides a private right of action to “[a]ny consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information ….” This provision raises many questions, including what constitutes “reasonable security procedures and practices” and how those “reasonable security procedures and practices” differ based on the information involved. But just as important, if not more important, is what the consumer must show to establish “access and exfiltration, theft, or disclosure.”
How these terms will be interpreted by the courts likely will dictate how cases filed under the CCPA will be litigated. For example, a similar California statute – the Confidentiality of Medical Information Act (CMIA) – requires that the plaintiff establish that his information was “released” before he is eligible to receive statutory damages. Initially, plaintiffs took the position that “released” meant any loss of control of information. But ultimately, California courts interpreted “released” to mean a breach of the confidential nature of the information, not just loss of possession of the information. This interpretation allowed defendants to successfully argue that even if information was, in fact, stolen, the plaintiff had still not alleged a viable cause of action under the CMIA because he could not establish that his information was actually viewed.
Struggles over similarly vague language in the CCPA will undoubtedly impact early CCPA litigation. As an initial matter, because “access” and “exfiltration, theft, or disclosure” are separated by an “and” in the CCPA, it is clear that a plaintiff must always demonstrate access. Additionally, because “exfiltration,” “theft” and “disclosure” are separated by an “or,” plaintiffs will argue that they need only show one of the three. If that is correct, a plaintiff bringing suit under the CCPA’s private-right-of-action provision must demonstrate two things: (1) access to and (2) exfiltration, theft or disclosure of his or her personal information.
The meanings of “access,” “exfiltration,” “theft” and “disclosure” under the CCPA will be hotly contested. The CCPA does not currently define any of these terms, so courts interpreting them might initially look to their ordinary or dictionary definitions. Merriam-Webster, for example, defines access, exfiltrate, theft and disclose as follows:
- Access: to get at; to be able to use, enter, or get near (something); to open or load (a computer file, an Internet site, etc.).
- Exfiltrate: to steal (sensitive data) from a computer (as with a flash drive).
- Theft: the act of stealing; an unlawful taking (as by embezzlement or burglary) of property.
- Disclose: to make known or public; to expose to view.
Although these definitions seem relatively straightforward, the fact that they overlap makes interpreting them more complicated. Generally, courts interpreting a statute operate under the assumption that the legislature purposefully included each word, and therefore they try to avoid interpreting a statute in a manner that makes certain words superfluous. For example, if a court were to utilize the definitions above, it arguably could read either “exfiltration” or “theft” out of the statute because they mean the same thing. The same is true with “access” and “disclose” because an argument could be made that “to get at” and “to make known” mean the same thing.
With no courts having yet interpreted the CCPA, how these terms will be interpreted by any individual judge in the first instance is anyone’s guess. But it is a near certainty that courts initially will differentiate the terms based on context.
For example, “exfiltrate” is a term that can be used in connection with electronic records, whereas “theft” can be used in connection with both paper records and equipment on which electronic records are stored. Thus, a court may find that the California legislature intended “exfiltrate” to apply to electronic records and “theft” to apply to everything else (i.e., paper records, computers or hard drives containing personal information). Such an interpretation could be one way to give a distinct meaning to each word, depending on the circumstances of the case.
When comparing “access” and “disclosure,” a court may look to the party doing the action. For example, the unauthorized party may be the party doing the “accessing” while the business does the “disclosing.” Under this one possible interpretation, a plaintiff claiming that a business “disclosed” his or her information would have to establish (1) that the business actively disclosed the information and (2) that the unauthorized party was capable of viewing it.
This interpretation would also provide distinct definitions to “exfiltration,” “theft” and “disclosure.” For example, “exfiltration” could mean an unauthorized third party obtained electronic records under certain circumstances. “Theft” could mean an unauthorized third party obtained paper records (or equipment containing personal information). And “disclosure” could mean the business affirmatively provided the information to an unauthorized third party.
Again, how these terms will ultimately be interpreted by the courts based on the circumstances of each case is unknown. But the above interpretations provide a few possible ways that courts could interpret the private-right-of-action provision without reading out of the provision any of the words the California legislature included in it.
The only thing that is certain is that the language of the CCPA will be subject to significant litigation in the coming months and years, just like the language of other California laws, such as the CMIA.