And So It Begins: The First CCPA Class Action
Client Alert | 2 min read | 03.20.20
California businesses have been nervously waiting for the first class action asserting a violation of California’s now-infamous California Consumer Privacy Act (CCPA). The wait is now over.
The CCPA, a consumer privacy law that Crowell & Moring has analyzed and written about at lengthprovides California consumers with a private right of action when their “nonencrypted and nonredacted personal information” is “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures.” Cal. Civ. Code § 1798.150(a). The CCPA’s private right of action allows plaintiffs to collect statutory damages—per breach, which can quickly add up—without proof of actual damage from the unauthorized access. The law broadly applies to any for-profit business doing business in California that collects, shares, or sells California consumers’ personal data, and: (1) has annual gross revenues in excess of $25 million; (2) possesses the personal information of 50,000 or more consumers, households, or devices; or (3) earns more than half of its annual revenue from selling consumers’ personal information.
On March 9, 2020, plaintiffs in a putative data-breach class action filed an amended complaint against Hanna Andersson and Salesforce, its e-commerce platform, alleging a claim for violation of the CCPA. The amended complaint alleges hackers scraped personally identifiable information (PII) from Andersson’s and Salesforce’s platform from September 16, 2019, to November 11, 2019, and used that information to steal the customers’ identities and make fraudulent purchases. According to the amended complaint, neither Andersson nor Salesforce uncovered this breach; instead, law enforcement agents notified both of the breach on December 5, 2019. The amended complaint further alleges that Andersson failed to protect consumers’ data because it did not have an executive in charge of cybersecurity, based on the fact that, after the malware was discovered and removed from the platform, Andersson posted a job opening for a “Director of Cyber Security,” who would be “responsible for safeguarding all systems end points and network infrastructure from all forms of intrusion.” The putative class plaintiffs seek between $100 and $750 for each California resident affected by the alleged breach, along with injunctive relief and attorneys’ fees and costs.
The amended complaint presents a host of novel issues that courts will grapple with as the CCPA makes its way through the judiciary, including:
- Whether a class action can be based on a data breach that occurred before the CCPA went into effect;
- Whether the failure of a businesses to have a cybersecurity lead at the time of the alleged breach is relevant to a liability finding;
- How courts will interpret what is “reasonable” in safeguarding PII; and
- How will courts interpret the “cure” requirement under CCPA to mitigate liability.
This suit is an important test case for how courts will interpret the CCPA for both the plaintiff’s bar and for businesses. Crowell & Moring will continue monitoring and providing updates to this case, as well as to Attorney General Xavier Becerra’s continued modifications to the proposed regulations implementing the CCPA.
Other Crowell & Moring CCPA alerts can be found here
Contacts
Insights
Client Alert | 4 min read | 08.07.25
On July 25, 2025, the Eleventh Circuit Court of Appeals issued its decision in United States ex. rel. Sedona Partners LLC v. Able Moving & Storage Inc. et al., holding that a district court cannot ignore new factual allegations included in an amended complaint filed by a False Claims Act qui tam relator based on the fact that those additional facts were learned in discovery, even while a motion to dismiss for failure to comply with the heightened pleading standard under Federal Rule of Civil Procedure 9(b) is pending. Under Rule 9(b), allegations of fraud typically must include factual support showing the who, what, where, why, and how of the fraud to survive a defendant’s motion to dismiss. And while that standard has not changed, Sedona gives room for a relator to file first and seek out discovery in order to amend an otherwise deficient complaint and survive a motion to dismiss, at least in the Eleventh Circuit. Importantly, however, the Eleventh Circuit clarified that a district court retains the discretion to dismiss a relator’s complaint before or after discovery has begun, meaning that district courts are not required to permit discovery at the pleading stage. Nevertheless, the Sedona decision is an about-face from precedent in the Eleventh Circuit, and many other circuits, where, historically, facts learned during discovery could not be used to circumvent Rule 9(b) by bolstering a relator’s factual allegations while a motion to dismiss was pending. While the long-term effects of the decision remain to be seen, in the short term the decision may encourage relators to engage in early discovery in hopes of learning facts that they can use to survive otherwise meritorious motions to dismiss.
Client Alert | 4 min read | 08.06.25
FinCEN Delays Implementation Date and Reopens AML/CFT Rule for Investment Advisers
Client Alert | 4 min read | 08.06.25
Series of Major Data Breaches Targeting the Insurance Industry
Client Alert | 11 min read | 08.06.25