The CCPA and Belaire Notices: Civil Discovery in California’s New Privacy Era

The California Consumer Privacy Act (CCPA) provides California consumers with opt-out privacy rights, but how do those requirements interact with the rights of plaintiffs seeking civil discovery of would-be class members? A recent Central District of California decision grappled with that question, providing guidance that other courts might follow. In particular, the court held that the CCPA does not expand existing opt-out protections for would-be class members, and declined to take an expansive reading of what constitutes a “sale” under the CCPA.

Belaire Opt-Out Notices

Courts have long sought to strike a balance between a plaintiff’s right to identify potential class members and the privacy rights of those would-be class members under the California Constitution. Over a decade ago, California courts introduced the Belaire notice procedure with the decisions in Pioneer Electronics (USA) v. Superior Court, 40 Cal. 4th 360, 371 (2007), and Belaire-West Landscape v. Superior Court, 149 Cal.App.4th 554 (2007). The Pioneer Electronics and Belaire cases (and their progeny) held that individuals should be given the opportunity to “opt-out” of having their names, addresses, and telephone numbers disclosed to the named plaintiff of putative class action claims involving both defective products and employment claims.

Because would-be plaintiff’s substantive privacy rights are implicated, federal courts have subsequently held that, absent an agreement between the parties, Belaire notices are only required when “special privacy concerns” exist or particularly sensitive personal information such as medical or financial information is sought. 1 Courts have held that protective orders sufficiently protect the lesser privacy interests of would-be class members and thus can be sufficient to permit the release of their contact information to class counsel. 2

The CCPA’s Impact on Belaire Notices and Protective Orders

The CCPA’s heightened privacy standards provide California consumers with notice and consent protections that ensure individuals have the right to opt-out of the “sale” of their personal information. 3 The CCPA broadly defines both “sale” and “personal information.” A "sale" is the "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration ." Personal information is defined as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” 4 The law details 11 categories of information—including real name, postal address, and email address—that qualify as personal information if linked to a particular consumer or household. Consumers under the age of 16 are protected by a higher requirement that their information can be shared only if they (or their parent if they are under 13) opt-in to the transfer of their personal information. 5

Thus, if a Belaire notice is not provided, putative class members arguably are not given the opportunity to opt-out as the CCPA requires, at least for the “sale” of the personal information. And some would-be class members may have already exercised their opt-out rights to prevent businesses from sharing their information with third parties before their contact details are sought in class discovery. Since courts usually do not require Belaire notices for contact information alone, potential class members might potentially have their personal information, as defined by the CCPA, disclosed to a third party despite requesting that the data-holding defendant not “sell” that information.

The Kaupelis Order

These competing issues were addressed in Kaupelis v. Harbor Freight Tools USA, Inc., a putative class action case where plaintiffs alleged that the defendant sold defective chainsaws. 6 Plaintiffs moved to compel documents and interrogatory responses related to consumers who complained about the alleged defect. Defendant responded that the CCPA precluded the discovery sought because of the law’s prohibition on the sale of personal information without proper notice and consent procedures. Further, defendant argued that the CCPA expanded the California Constitution’s right to privacy in such a way as to expand the use of Belaire notices.

The court rejected defendant’s arguments and ruled that two separate provisions of the CCPA—Cal. Civ. Code § 1798.145(a)(1) and Cal. Civ. Code § 1798.1960—explicitly allow a business to comply with federal law, including the Federal Rules of Civil Procedure, notwithstanding the protections of the CCPA. The court also interpreted the CCPA’s focus on the “sale” of personal information as intended to apply to business purposes, rendering those provisions inapplicable to the disclosure of personal information in response to a civil discovery request. While the order did highlight that the Belaire line of cases has long recognized the need for privacy protections during class discovery, the court deemed those needs—at least in regard to contact information of would-be class members—to be sufficiently addressed through the use of protective orders.

While the Kaupelis court is the first to grapple with the balance between class action litigants’ right to discovery and individuals’ privacy rights as enshrined by the CCPA, it certainly will not be the last. Companies can help manage privacy and cybersecurity liability by ensuring that the information they share with plaintiffs is limited in scope and only done pursuant to an appropriate protective order.

1 Austin v. Foodliner, Inc., 2018 WL 1168694, at *2 (N.D. Cal. Mar. 6, 2018).
2 Salazar v. McDonald’s Corp., 2016 WL 736213, at *5 (N.D. Cal. Feb. 25, 2016).
3 Cal. Civ. Code §§ 1798.10(t)(1) and 1798.120(a). Emphasis added.
4 Id. § 1798.140(o)(1).
5 Id. § 1798.120(c).
6 8:19-cv-01203-JVS-DFM, Dkt, No. 158 (C.D. Cal Jan. 22, 2021)

This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Tod Cohen, an O’Melveny partner licensed to practice law in the District of Columbia, Randall W. Edwards, an O’Melveny partner licensed to practice law in California, Scott W. Pink, an O’Melveny special counsel licensed to practice law in California and Illinois, John Dermody, an O’Melveny counsel licensed to practice law in California and the District of Columbia, and Ben Seelig, an O’Melveny associate licensed to practice law in California contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.

© 2021 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.