Approximately one month after taking effect, the California Consumer Privacy Act (“CCPA”) popped up—albeit in a limited fashion—in consumer litigation.
At the beginning of February, online retailer Hanna Andersson and Salesforce.com were hit with a class action lawsuit stemming from a reported data breach spanning approximately three months in the fall of 2019. The information compromised in the breach is said to include customer names, billing and shipping addresses, credit card numbers, CVV codes, and card expiration dates. In letters sent to customers in January, Hanna Andersson stated that the breach was a result of undetected malware that has since be remedied.
The complaint seeks damages for the defendants’ alleged negligence and violation of California’s Unfair Competition Law (UCL) on grounds that they failed to secure personal information and violated California’s data breach notification statute. The complaint further states that the defendants infringed the plaintiffs’ CCPA rights; however, it does not include formal CCPA allegations. Instead, the plaintiffs reserved the right to amend the complaint in the future to seek CCPA damages. This may be due to the CCPA’s “right to cure” provision or the fact that the breach occurred prior to the CCPA’s January 1, 2020 effective date.
Even if the plaintiffs in this lawsuit cannot recover CCPA damages for a security incident that predates the law’s effective date, the complaint illustrates the increased risk of data breaches in 2020 and beyond. Instead of relying primarily on negligence and UCL claims, as was typical previously, plaintiffs will now seek the statutory damages provided by the CCPA. Although the law requires plaintiffs to provide businesses with notice and an opportunity to cure, it will be difficult to cure the harm or potential harm caused by a data breach. The result will likely be a flood of litigation mirroring what we’ve seen in connection with other laws that provide private rights of action with statutory damages, such as the Telephone Consumer Protection Act, Fair Debt Collection Practices Act, and California Penal Code § 632 (governing call recording practices).
If nothing else, the lawsuit should serve as a wakeup call to business that, in addition to imposing groundbreaking privacy restrictions, the CCPA has significantly increased the risk associated with data breaches. Businesses should continue to invest time and resources to improve their data security protocols.
* Tanner Lawrence contributed to this post.
Michele is the Managing Partner at M&S and former Chief of the Ohio Attorney General’s Consumer Protection Section. Bringing more than two decades of experience in the consumer protection arena, she advises highly regulated businesses on a wide range of telemarketing, privacy, and other consumer protection matters.