And So It Begins: The First CCPA Class Action
Client Alert | 2 min read | 03.20.20
California businesses have been nervously waiting for the first class action asserting a violation of California’s now-infamous California Consumer Privacy Act (CCPA). The wait is now over.
The CCPA, a consumer privacy law that Crowell & Moring has analyzed and written about at length, provides California consumers with a private right of action when their “nonencrypted and nonredacted personal information” is “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures.” Cal. Civ. Code § 1798.150(a). The CCPA’s private right of action allows plaintiffs to collect statutory damages—per breach, which can quickly add up—without proof of actual damage from the unauthorized access. The law broadly applies to any for-profit business doing business in California that collects, shares, or sells California consumers’ personal data, and: (1) has annual gross revenues in excess of $25 million; (2) possesses the personal information of 50,000 or more consumers, households, or devices; or (3) earns more than half of its annual revenue from selling consumers’ personal information.
On March 9, 2020, plaintiffs in a putative data-breach class action filed an amended complaint against Hanna Andersson and Salesforce, its e-commerce platform, alleging a claim for violation of the CCPA. The amended complaint alleges hackers scraped personally identifiable information (PII) from Andersson’s and Salesforce’s platform from September 16, 2019, to November 11, 2019, and used that information to steal the customers’ identities and make fraudulent purchases. According to the amended complaint, neither Andersson nor Salesforce uncovered this breach; instead, law enforcement agents notified both of the breach on December 5, 2019. The amended complaint further alleges that Andersson failed to protect consumers’ data because it did not have an executive in charge of cybersecurity, based on the fact that, after the malware was discovered and removed from the platform, Andersson posted a job opening for a “Director of Cyber Security,” who would be “responsible for safeguarding all systems end points and network infrastructure from all forms of intrusion.” The putative class plaintiffs seek between $100 and $750 for each California resident affected by the alleged breach, along with injunctive relief and attorneys’ fees and costs.
The amended complaint presents a host of novel issues that courts will grapple with as the CCPA makes its way through the judiciary, including:
- Whether a class action can be based on a data breach that occurred before the CCPA went into effect;
- Whether the failure of a business to have a cybersecurity lead at the time of the alleged breach is relevant to a liability finding;
- How courts will interpret what is “reasonable” in safeguarding PII; and
- How courts will interpret the “cure” requirement under the CCPA to mitigate liability.
This suit is an important test case for how courts will interpret the CCPA, both for the plaintiffs’ bar and for businesses. Crowell & Moring will continue monitoring and providing updates on this case, as well as on Attorney General Xavier Becerra’s continued modifications to the proposed regulations implementing the CCPA.



