And So It Begins: First CCPA Lawsuit Filed in California

A first reported class action litigation alleging a violation of the California Consumer Privacy Act was filed in a California federal court on February 3, 2020.  The lawsuit, Barnes vs. Hanna Andersson, LLC, 3:20-cv-00812 (N.D.Cal.) against retailer Hanna Andersson and its contractor, an online CRM platform Salesforce, alleges negligence and failure to maintain adequate security procedures and practices leading to a data breach.  The breach was caused by a malware that allegedly scraped Hanna customers’ unencrypted and unredacted credit card information from the Salesforce eCommerce platform.

The Complaint alleges that plaintiffs suffered injuries as a result, among others, “deprivation of rights they possess under [the CCPA].”

The CCPA provides for consumer lawsuits with statutory damages of between $100 and $750 per consumer per incident, or actual damages, whichever is greater.  These lawsuits may be brought if “nonencrypted or nonredacted personal information” is subject to “an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information …” Cal. Civ. Code § 1798.150(a)(1).

In assessing statutory damages, the law suggests courts consider, among other things, the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant’s misconduct, and the defendant’s assets, liabilities, and net worth.

Notably, the Hanna lawsuit does not allege a direct claim under the CCPA (although it explicitly reserves a right to do so at some point).  The CCPA requires that before a Section 1798.150 claim for statutory damages is filed in court, a consumer must provide a 30-day cure notice to a defendant business.  It is possible that the complaint will be amended with a direct CCPA claim once the cure period passes.

However, the Complaint already asserts claims for violations of California’s Unfair Competition Law which might serve as a vehicle for raising indirect claims under the CCPA, even in cases which do not involve data breaches.  Whether class action plaintiffs are permitted to pursue such indirect CCPA claims will certainly be litigated in the near future.

In the meantime, companies that are subject to the CCPA but are still vacillating about compliance should take notice.  Take action towards compliance today so as not to be on the receiving end of the enforcement action or litigation tomorrow.

Ask Clarip today how we can solve your biggest compliance pain points, Call Clarip at 1-888-252-5653