In a first-of-its-kind ruling interpreting the CCPA, a federal judge concluded that a business was subject to the CCPA because the complaint allegations satisfied the "for profit" requirement of this California privacy law. In Blackbaud Inc. Customer Data Security Breach Litigation, No. 3:20-mn-02972 (D.S.C. Aug. 12, 2021), the judge concluded that Defendant Blackbaud Inc. was bound by the CCPA, despite its assertion that it did not qualify as a "business."
The court found it especially notable that Blackbaud (1) was registered as a data broker in California under a law that used the same definition of "business" as the CCPA and (2) used consumers' data to improve and test its services.
The court also allowed at least one named plaintiff to assert a claim under the the California Confidentiality of Medical Information Act (CMIA), while dismissing the same claim by three other plaintiffs because they hadn't "plausibly alleged that 'information relating to [their] medical history, mental or physical condition, or treatment' was disclosed during the ransomware attack."
This decision is important for two reasons. It signals that courts are interpreting the CCPA language broadly, with the aim towards consumer protection. It also sets a clear threshold for the CMIA claims, indicating that more than the bare-minimum allegations must be pleaded to survive a motion to dismiss.
In finding that the plaintiffs had adequately alleged that Blackbaud fell under this definition, Judge Childs pointed to their assertions that Blackbaud uses consumers' personal data to provide, develop, improve and test its services; that the cloud computing provider develops software solutions to process the personal information belonging to its clients' customers; that it has annual gross revenues of more than $25 million; and that it's registered as a data broker in California under a law that "explicitly employs the same definition of 'business' as the CCPA."