California Attorney General (AG) released third draft of proposed CCPA regulationsRecent putative consumer class action cases filed against Ring and Zoom raise allegations under the California Consumer Privacy Act (“CCPA”) and are likely to be the first battlegrounds over the CCPA’s potential hostility to consumer arbitration clauses. The continued applicability of arbitration agreements is likely to be a significant (and hard-fought) issue with far-reaching implications for consumer litigation under, and involving, the CCPA. This post reviews recent precedent concerning prior attempts by California to bar arbitration or otherwise ignore federal preemption in the context of privacy statutes in an effort to predict how the courts will navigate the CCPA’s attempted restriction on arbitration.

CCPA On Arbitration

The CCPA provides consumers with a private right of action when they are affected by a data breach of certain types of personal information. Cal. Civ. Code § 1798.150. The law permits recovery of statutory damages between $100 to $750 per consumer, per incident, and explicitly envisions actions proceeding on an individual or class-wide basis. Id. at (b). In addition to monetary damages, private consumers may seek injunctive relief under the CCPA. 1798.150(a)(1)(B). These statutory damages and right to collective action make the CCPA a ripe target for consumer class actions. That is further bolstered by the CCPA’s apparent limitation of parties’ ability to contract around public class actions. Specifically, the CCPA directs that:

Any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer’s rights under this title, including, but not limited to, any right to a remedy or means of enforcement, shall be deemed contrary to public policy and shall be void and unenforceable.

Section 1798.192 (emphasis added). Thus, the CCPA would not permit a company to force an individual arbitration based on a consumer contract where a class-wide CCPA claim is asserted. But is that enforceable?

California’s History of Trying to Limit Arbitration

California’s history of seeking to limit parties’ rights to compel arbitration has, for years, been at the center of the dispute over the strength and reach of the Federal Arbitration Act, 9 U.S.C. § 1 et seq. (“FAA”). The landmark case on this issue is AT&T Mobility LLC v. Concepcion, 563 U.S. 333 (2011). In Concepcion, the United States Supreme Court addressed a clash between the FAA and California’s declaration that arbitration waivers were unconscionable and, thus, unenforceable. The FAA won. Based on the FAA, the Court found California could not reject arbitration agreements, even if such clauses required consumers to arbitrate individually.

In the ensuing decade, the Court has re-confirmed the Concepcion decision against subsequent challenges, including from California. Of particular relevance, in 2015, the Court confirmed that class action waiver clauses in consumer agreements are enforceable, even in the face of contrary California state law. DirecTV, Inc. v. Imburgia, 577 U.S. __, 136 S.Ct. 463, 468, 193 L.Ed.2d 365 (2015). The Court also confirmed that arbitration agreements with a class action waiver remain valid, even where consumers are presented with the practical hurdle that a plaintiff’s costs of individually arbitrating might far exceed the potential individual recovery available. American Express Co. v. Italian Colors Restaurant, 570 U.S. 228 (2013).

In 2017, the California Supreme Court held that arbitration clauses that left individual consumers without the ability to obtain public injunctive relief were unenforceable. McGill v. Citibank, N.A., 2 Cal. 5th 945 (2017). Currently pending before the United States Supreme Court is a petition for a writ of certiorari on the question of whether California’s public-policy rule conditioning the enforceability of arbitration agreements on acquiescence to public-injunction proceedings is preempted by the FAA.” AT&T Mobility LLC v. McArdle, No. 19-1078.

Privacy Laws Cannot Overcome Federal Preemption

Given the unique nature of the privacy protections of the CCPA and lack of parallel federal privacy protections, it is instructive to see how courts have approached preemption of prior California privacy statutes. In 2012, California’s Attorney General brought suit against Delta Airlines alleging that the lack of a clearly-disclosed privacy policy in the Fly Delta” app violated the California Online Privacy Protection Act (CalOPPA), Cal. Bus. & Prof. Code §§ 22575-22579. Delta challenged the state’s ability to bring consumer protection claims against commercial airlines given the federal Airline Deregulation Act of 1978, Pub. L. 95-504, 49 U.S.C. § 1371, et seq. The court dismissed, finding that the federal statute preempted the statutory requirements of CalOPPA. State of California v. Delta Air Lines, Inc., Case No. CGC-12-526741 (Cal. Sup. Ct. May 9, 2013). The decision was affirmed by the California Court of Appeals. Case No. A139238, 2016 WL 3001805 (Cal. Ct. App. May 25, 2016).


Recent precedent supports the continuing viability of arbitration clauses, including as part of consumer contracts that waive class actions. It further confirms that California’s attempts to circumvent federal law, including in the privacy space, are likely to be struck down based on preemption. Thus, all signs point towards the continued ability of companies to compel arbitration, including individual arbitration, over CCPA claims.

That said, it remains to be seen how far the California courts (federal or state) might permit or force litigants to proceed before that likely outcome is reached. Thus, despite potential contract terms that include an otherwise valid arbitration clause and class action waiver, CCPA defendants such as Ring and Zoom may need to engage in multiple rounds of motion practice and appeals before getting clarity on the forum in which their cases will even be heard.

Another consideration: until there is a decision that the CCPA is preempted by the FAA, the CCPA litigation occurring now may be the only cases to provide clarification as to some of the vague provisions of the CCPA (evident by the inconsistent interpretations and compliance applications in the marketplace). Once CCPA claims are addressed mainly through arbitration, guidance will be left to the California Attorney General’s Office and the more limited number of cases initiated by that Office.

If you have privacy, cyber, or related litigation questions, our team of compliance and litigation specialists would be happy to speak with you. More information about Kelley Drye’s Privacy and Information Security Litigation team can be found here.

Ad Law Access Podcast