The CCPA and Belaire Notices: Civil Discovery in California’s New Privacy Era

The California Consumer Privacy Act (CCPA) provides California consumers with opt-out privacy rights, but how do those requirements interact with the rights of plaintiffs seeking civil discovery of would-be class members? A recent Central District of California decision grappled with that question, providing guidance that other courts might follow. In particular, the court held that the CCPA does not expand existing opt-out protections for would-be class members, and declined to take an expansive reading of what constitutes a “sale” under the CCPA.

Belaire Opt-Out Notices

Courts have long sought to strike a balance between a plaintiff’s right to identify potential class members and the privacy rights of those would-be class members under the California Constitution. Over a decade ago, California courts introduced the Belaire notice procedure with the decisions in Pioneer Electronics (USA) v. Superior Court, 40 Cal. 4th 360, 371 (2007), and Belaire-West Landscape v. Superior Court, 149 Cal.App.4th 554 (2007). The Pioneer Electronics and Belaire cases (and their progeny) held that individuals should be given the opportunity to “opt-out” of having their names, addresses, and telephone numbers disclosed to the named plaintiff of putative class action claims involving both defective products and employment claims.

Because would-be plaintiff’s substantive privacy rights are implicated, federal courts have subsequently held that, absent an agreement between the parties, Belaire notices are only required when “special privacy concerns” exist or particularly sensitive personal information such as medical or financial information is sought.¹ Courts have held that protective orders sufficiently protect the lesser privacy interests of would-be class members and thus can be sufficient to permit the release of their contact information to class counsel.²

The CCPA’s Impact on Belaire Notices and Protective Orders

The CCPA’s heightened privacy standards provide California consumers with notice and consent protections that ensure individuals have the right to opt-out of the “sale” of their personal information.³ The CCPA broadly defines both “sale” and “personal information.” A "sale" is the "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration." Personal information is defined as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”⁴ The law details 11 categories of information—including real name, postal address, and email address—that qualify as personal information if linked to a particular consumer or household. Consumers under the age of 16 are protected by a higher requirement that their information can be shared only if they (or their parent if they are under 13) opt-in to the transfer of their personal information.⁵

Thus, if a Belaire notice is not provided, putative class members arguably are not given the opportunity to opt-out as the CCPA requires, at least for the “sale” of the personal information. And some would-be class members may have already exercised their opt-out rights to prevent businesses from sharing their information with third parties before their contact details are sought in class discovery. Since courts usually do not require Belaire notices for contact information alone, potential class members might potentially have their personal information, as defined by the CCPA, disclosed to a third party despite requesting that the data-holding defendant not “sell” that information.

The Kaupelis Order

These competing issues were addressed in Kaupelis v. Harbor Freight Tools USA, Inc., a putative class action case where plaintiffs alleged that the defendant sold defective chainsaws.⁶  Plaintiffs moved to compel documents and interrogatory responses related to consumers who complained about the alleged defect. Defendant responded that the CCPA precluded the discovery sought because of the law’s prohibition on the sale of personal information without proper notice and consent procedures. Further, defendant argued that the CCPA expanded the California Constitution’s right to privacy in such a way as to expand the use of Belaire notices.

The court rejected defendant’s arguments and ruled that two separate provisions of the CCPA—Cal. Civ. Code § 1798.145(a)(1) and Cal. Civ. Code § 1798.1960—explicitly allow a business to comply with federal law, including the Federal Rules of Civil Procedure, notwithstanding the protections of the CCPA. The court also interpreted the CCPA’s focus on the “sale” of personal information as intended to apply to business purposes, rendering those provisions inapplicable to the disclosure of personal information in response to a civil discovery request. While the order did highlight that the Belaire line of cases has long recognized the need for privacy protections during class discovery, the court deemed those needs—at least in regard to contact information of would-be class members—to be sufficiently addressed through the use of protective orders.

While the Kaupelis court is the first to grapple with the balance between class action litigants’ right to discovery and individuals’ privacy rights as enshrined by the CCPA, it certainly will not be the last. Companies can help manage privacy and cybersecurity liability by ensuring that the information they share with plaintiffs is limited in scope and only done pursuant to an appropriate protective order.