In a first-of-its-kind ruling interpreting the CCPA, a federal judge concluded that a business was subject to the CCPA because the complaint allegations satisfied the "for profit" requirement of this California privacy law. In Blackbaud Inc. Customer Data Security Breach Litigation, No. 3:20-mn-02972 (D.S.C. Aug. 12, 2021), the judge concluded that Defendant Blackbaud Inc. was bound by the CCPA, despite its assertion that it did not qualify as a "business."
The court found it especially notable that Blackbaud (1) was registered as a data broker in California under a law that used the same definition of "business" as the CCPA and (2) used consumers' data to improve and test its services.
The court also allowed at least one named plaintiff to assert a claim under the the California Confidentiality of Medical Information Act (CMIA), while dismissing the same claim by three other plaintiffs because they hadn't "plausibly alleged that 'information relating to [their] medical history, mental or physical condition, or treatment' was disclosed during the ransomware attack."
This decision is important for two reasons. It signals that courts are interpreting the CCPA language broadly, with the aim towards consumer protection. It also sets a clear threshold for the CMIA claims, indicating that more than the bare-minimum allegations must be pleaded to survive a motion to dismiss.