Details of the OpenAI Lawsuit: The Plaintiffs' Fail to Plead a Violation of the CCPA

MEMORANDUM OF POINTS AND AUTHORITIES

IV. ARGUMENT

C. Plaintiffs’ Claims Fail for Reasons Specific to Each Claim.

7. Plaintiffs Fail to Adequately Plead A Violation of the CCPA.

Plaintiffs’ claim under the CCPA suffers from numerous pleading defects. Plaintiffs lack statutory standing, and they failed to provide the required written notice to the OpenAI Entities prior to filing this complaint. Even if Plaintiffs satisfied these threshold requirements, the CCPA’s limited private right of action does not cover the alleged conduct.

To the extent any of these allegations are actionable, Plaintiffs also failed to allege facts showing that the OpenAI Entities disclosed personal information protected by the CCPA.

As an initial matter, the named Plaintiffs cannot satisfy the statutory requirements for a CCPA claim. Out-of-state plaintiffs lack standing to assert a claim under the CCPA. Cal. Civ. Code § 1798.140(i) (defining “consumer” under the CCPA as “a natural person who is a California resident”); see Hayden v. Retail Equation, Inc., No. SACV2001203DOCDFM, 2022 WL 2254461, at *5 (C.D. Cal. May 4, 2022) (concluding that “CCPA claims brought by out-ofstate Plaintiffs [] fail because the CCPA does not apply to non-California residents”). Here, Doe 3 and Doe 4 are not California residents. (See Compl. ¶¶ 19-20.)

Moreover, Plaintiffs failed to comply with the requirement to provide the OpenAI Entities with written notice of the alleged CCPA violations prior to filing the complaint. Section 1798.150(b) states that “prior to initiating any action” under the CCPA, the customer must provide “written notice identifying the specific provisions [that] have been or are being violated.” Cal. Civ. Code § 1798.150(b). No OpenAI Entity received such notice, and the complaint does not allege otherwise.

The CCPA claim also should be dismissed because it provides only a limited private right of action: a consumer must allege that their “nonencrypted and nonredacted personal information” was “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of a business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” Cal. Civ. Code § 1798.150(a)(1).

No cause of action exists for “violations of any other section of [the CCPA].” Cal. Civ. Code § 1798.150(c). It is well-settled that “a statute creates a private right of action only if the statutory language or legislative history affirmatively indicates such an intent.” Lil’ Man In the Boat, Inc. v. City and Cnty. of San Francisco, No. C17-CV-00904-JST, 2018 WL 4207260, at *3 (N.D. Cal. Sept. 4, 2018) (cleaned up).

The OpenAI Entities’ alleged failures to provide (i) an opt-out notice, (ii) a clear and conspicuous opt-out link, (iii) a right to deletion, and (iv) a right to access personal information, are not actionable because the CCPA unambiguously reserved enforcement of these provisions to the California Privacy Protection Agency. See Cal. Civ. Code § 1798.155(a).

Finally, Plaintiffs’ vague and conclusory allegations regarding the OpenAI Entities’ security practices fail to state a claim under the CCPA. “[P]lausibility pleading standards are especially important in cases like this, where the Defendant faces the ‘potentially enormous expense of discovery’ if the Court denies [a] motion to dismiss.” Razuki v. Caliber Home Loans, Inc., No. 17cv1718-LAB (WVG), 2018 WL 6018361, at *2 (S.D. Cal. Nov. 15, 2018) (dismissing data breach claims).

In the absence of allegations that show the OpenAI Entities’ security procedures and practices were deficient, Plaintiffs cannot state a CCPA claim. See Maag v. U.S. Bank Nat’l Ass’n, No. 21-cv-00031-H-LL, 2021 WL 5605278, at *2 (S.D. Cal. Apr. 8, 2021) (dismissing CCPA claim where plaintiff made unsupported allegations that “his PII was compromised because Defendant did not ‘implement and maintain security procedures and practices’ [and] ‘failed to effectively monitor its systems for security vulnerabilities’”); Anderson v. Kimpton Hotel & Rest. Grp., LLC, No. 19-CV-01860-MMC, 2019 WL 3753308, at *3-4 (N.D. Cal. Aug. 8, 2019) (dismissing complaint that was “devoid of facts” regarding the “inadequate securities measures” that purportedly caused plaintiff’s alleged injury).

Here, Plaintiffs merely assert that the OpenAI Entities violated the CCPA by “collecting, maintaining, and controlling their customers’ sensitive personal information” and “engineering, designing, maintaining, and controlling systems that exposed their customers’ sensitive personal information” without specifying what type of “sensitive personal information” had been collected or exposed. (Compl. ¶ 233.)

Plaintiffs further allege that the OpenAI Entities were “aware of Copilot’s propensity for revealing PII” and acted to “alter[] Copilot to force it to provide mock PII.” (Id. ¶ 234.) But these allegations do not state a claim under the CCPA’s narrow private right of action. Nowhere in the complaint do Plaintiffs allege that any OpenAI Entity was “subject to an unauthorized access and exfiltration, theft, or disclosure” (b) “as a result of [their] violation of the duty to implement and maintain reasonable and appropriate security procedures and practices.” Cal. Civ. Code § 1798.150(a).

Nor do plaintiffs provide any factual support for their allegation that any PII (much less their own PII) had been “exposed” or “reveal[ed].” (Comp. ¶¶ 233-34.) Plaintiffs’ CCPA claim has nothing to do with a data breach or unauthorized access to defendants’ network—the crux of what this statute was designed to protect.