A few weeks ago, we wrote about a recent federal lawsuit filed against Ring that may test certain aspects of the California Consumer Privacy Act’s (CCPA) private right of action. Now, another provision of the CCPA relating to private lawsuits may be tested in a new case filed against facial-recognition company Clearview AI.
On February 27, 2020, a California resident and an Illinois resident filed a punitive class-action against Clearview AI in the United States District Court for the Southern District of California. The complaint alleges that Clearview AI unlawfully “scraped” biometric data – mostly images of individuals – from social media and other websites, and applied facial-recognition software to create databases for sale to law enforcement and the private sector. In doing so, plaintiffs allege Clearview AI violated the policies of the websites from which the images were “scraped,” and also violated the California Consumer Privacy Act (CCPA) and the Illinois Biometric Privacy Act (BIPA).
The complaint does not plead a claim under the CCPA itself. Instead, it defines a “CCPA Class” of California individuals who purportedly “had their California Biometric Information collected and/or used by Clearview AI without prior notice by Clearview and without their consent.”
The complaint further pleads a claim under California’s Unfair Competition Law, Business & Professions Code § 17200 (UCL), citing violations of the CCPA as underlying “unlawful” activity. Specifically, the complaint alleges as the basis for the UCL claim that “Clearview collected [plaintiffs’ and the class’] ‘personal information’ as defined in the CCPA and failed to inform [plaintiffs and the class] of the same at or before the point of collection.”
But it is unclear that the CCPA can be used in such a manner, i.e. as the “unlawful” activity supporting a UCL claim. In fact, the CCPA includes a specific provision, section 1798.150(c), that appears to prohibit exactly that type of use:
(c) The cause of action established by this section shall apply only to violations as defined in subdivision (a) and shall not be based on violations of any other section of this title. Nothing in this title shall be interpreted to serve as the basis for a private right of action under any other law.
If “any other law” is read to include the UCL, then on its face the provision appears to prohibit plaintiffs from using the CCPA as a “borrowed” claim to plead a UCL case.
Of course, the plaintiffs are unlikely to concede the point, making this case another that CCPA-covered entities may want to closely watch.
Luke Sosnicki is a Los Angeles partner in Thompson Coburn’s Business Litigation group who has written and spoken extensively about the California Consumer Privacy Act (CCPA). Jim Shreve is the chair of Thompson Coburn's Cybersecurity group.