Ruling on a motion to dismiss a cause of action for violation of CCPA following a data breach, the Eastern District of Pennsylvania held that plaintiffs failed to plead sufficient facts to show that defendant was a “business” that determined the how and why of processing personal information as opposed to only being a “service provider.” As a “service provider,” the private right of action doesn’t apply.
NCB contends that it cannot be held liable under the CCPA because it is not a “business” as defined by the statute. Instead, it asserts that it is a “service provider.” It argues that a “business” under the CPPA collects consumers’ personal information from consumers, and a “service provider” receives personal information from the business.
The CCPA defines a “business” as a:
sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity … that collects *287 consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and [meets a revenue or customer base threshold].
Cal. Civ. Code § 1798.140(d). In other words, to be deemed a “business” under the CCPA, it must: (1) collect PII and (2) determine why and how the PII should be processed. In re Accellion, Inc. Data Breach Litig.,, ––– F.Supp.3d ––––, ––––, No. 5:21-CV-01155-EJD, 2024 WL 333893, at *10 (N.D. Cal. Jan. 29, 2024).
Noting that the Bank Defendants — not the plaintiffs — provided NCB with the plaintiffs’ PII, NCB contends that it did not “collect” the PII. Without performing that function, it claims that it cannot be deemed a “business” for purposes of bringing a CCPA claim.
Instead of a business, NCB asserts that it is a “service provider.” The CCPA defines a “service provider” as an individual or entity that processes personal information on behalf of a business and that receives from or on behalf of the business a consumer’s personal information for a business purpose pursuant to a written contract, provided that the contract prohibits the [entity] from: .. [s]elling or sharing the personal information … [, r]etaining, using, or disclosing the personal information for any purpose other than for the business purposes specified in the contract, … [or r]etaining, using, or disclosing the information outside of the direct business relationship between the service provider and the business ….”
Cal. Civ. Code § 1798.140(ag)(1).
NCB argues that the distinction between a “business” and a “service provider” is important because consumers are permitted to sue only a “business” for failing to implement and maintain reasonable security procedures, while only the California Attorney General and the California Privacy Protection Agency are authorized to bring an action against “service providers.” NCB’s Br. at 34–35 (citing Karter v. Epiq Sys., Inc., No. SACV2001385CJCKESX, 2021 WL 4353274, at *2 (C.D. Cal. July 16, 2021); Cal. Civ. Code § 1798.155)).
The California plaintiffs claim that NCB qualifies as a “business” under the CPPA. First, they argue that an entity can qualify as both a “business” and a “service provider” under the CCPA. Pls.’ Br. at 28 (citing Blackbaud, Inc., Customer Data Breach Litig. (“Blackbaud”), No. 3:20-MN-02972-JMC, 2021 WL 3568394, at *5 (D.S.C. Aug. 12, 2021) (finding that the defendant was not “insulated from liability under the CCPA” when it qualified as both a “service provider” and a “business” under the CCPA). Thus, even assuming NCB is a “service provider,” they contend that this does not preclude a finding that it is also a “business” under the CPPA.
Second, they argue that NCB meets both requirements of “collecting” PII and determining why and how the PII should be processed to qualify as a “business” under the CPPA. They claim that the “indirect collection of consumers’ PII by way of a third party falls within the definition of ‘collects’ under the CCPA.” Pls.’ Br. at 28. They also contend that NCB, “jointly with” the Bank Defendants, “determined the purposes and means of the processing of consumers’ personal information” because NCB uses the PII to provide its debt collection services to the Bank Defendants. Id.
The Court finds that NCB is a “service provider” under the CPPA. However, the Court agrees with the plaintiffs that a defendant can qualify as both a “business” and a “service provider” under the CCPA. Therefore, NCB is not insulated from liability even though it qualifies as a “service provider.”
The Court also agrees with the plaintiffs that they have adequately plead that NCB meets the first requirement to be deemed a “business” under the CCPA — that it “collected” plaintiffs’ PII. The CCPA defines “collects” as “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means.” Cal. Civ. Code § 1798.140(f). The complaint alleges that NCB “obtained” and “received” the plaintiffs’ PII from the Bank Defendants. Compl. ¶¶ 70–71. Because the statute defines the “collection” of PII to include the defendant’s “obtaining” or “receipt” of the PII “by any means,” the plaintiffs have adequately alleged that NCB “collected” their personal information.
However, the California plaintiffs have not adequately plead that NCB meets the second requirement to be deemed a “business” — that NCB determined why and how their PII should be processed. The CPPA defines “processing” as “any operation or set of operations that are performed on personal information or on sets of personal information ….” Cal. Civ. Code § 1798.140(y). The complaint lacks any allegations about “determinations” that NCB made regarding why and how the plaintiffs’ PII was to be processed. The allegation that NCB used their PII to provide its debt collection services to the Bank Defendants is a far cry from alleging it played any role in determining how to process the plaintiffs’ PII.
The two cases that the plaintiffs cite — Blackbaud and Karter — are distinguishable from the case at bar. In Blackbaud, the defendant allegedly “collect[ed] and stor[ed]” the PII that its customers collected from their clients, who were donors, patients, students, and congregants; “use[d] consumers’ personal data to provide services at customers’ requests, as well as to develop, improve, and test [its] services;” “develop[ed] software solutions to process its customers’ patrons’ personal information;” and “offer[ed] professional and managed services in which its expert consultants provide[d] data conversion, implementation, and customization services for each of its software solutions.” Blackbaud, 2021 WL 3568394, at *5. Thus, the defendant was alleged to have actively interacted with and analyzed the PII data at issue. In Karter, the plaintiffs alleged that the defendant, a class action settlement administrator, worked with its clients to determine how it would use the consumers’ PII to provide class notice and manage claims and opt-outs. Karter, 2021 WL 4353274, at *2. There, the defendant directly participated in determining how the consumers’ PII would be used.
The complaint here, in contrast, lacks any allegations about “determinations” that NCB made regarding why and how the plaintiffs’ PII was to be processed. Therefore, the plaintiffs have not sufficiently alleged that NCB was a “business” under the CCPA, and this claim will be dismissed.
In re NCB Mgmt. Servs., Inc. Data Breach Litig., 748 F. Supp. 3d 262, 286–88 (E.D. Pa. 2024).
