Last week, a federal district court in San Francisco dismissed a claim under the California Consumer Privacy Act (“CCPA”). The plaintiff alleged that Google had collected personal information without complying with the CCPA’s notice and consent requirements. The court held that the CCPA’s private right of action does not extend to these provisions of the law. It appears that this is the first time a court expressly reached this conclusion. The case is McCoy v. Alphabet, No. 20‑cv‑05427 (N.D. Cal. Feb. 2, 2021).
For context, the plaintiff alleged that Google used an internal program called “Android Lockbox” on its Android operating system to monitor and collect data from Android users as they used non-Google apps on their phones. The alleged data collection included when and how often these third-party apps were used and the amount of time users spent on the third-party apps. Based on these allegations, the plaintiff asserted eleven different claims. Among these was a claim that Google violated the CCPA by failing to comply with the law’s requirements related to notice and consent.
The court rejected that claim with a concise and straightforward analysis. The court explained that the CCPA provides a private right of action only for violations “related to personal information security breaches.” And the CCPA expressly provides that no other provision of the statute may “serve as the basis for a private right of action under any other law.” Because there were no allegations of a security breach—a point the plaintiff conceded—the court dismissed the CCPA claim.
The court also dismissed several other of the plaintiff’s claims. For example, it dismissed the plaintiff’s claim of invasion of privacy under the California Constitution and common law. The plaintiff’s allegations did not meet the “high bar” for such claims because the data at issue was anonymized and aggregated. The court also dismissed the plaintiff’s claim under the California wiretap law, the California Invasion of Privacy Act (“CIPA”). It reasoned that the plaintiff failed to allege that the data at issue in the case amounted to the “contents” of a communication—a necessary element of a CIPA claim.