The only certainties in life used to be death and taxes. In 2020, it would be safe to add California Consumer Privacy Act (CCPA) class actions to that “distinguished” list. On February 3, Barnes v. Hanna Andersson, LLC, N.D. Cal., Case No. 20-cv-00812, was filed in the Northern District of California, setting in motion the certainty that CCPA class actions are on their way, if not already here.* Filed on behalf of all California residents, the Barnes complaint alleges that between September and November 2019, clothing retailer Hanna Andersson and Salesforce, its online payment services provider, failed to properly safeguard the personally identifiably information (PII) of its customers after hackers stole customers' private information and posted it to the dark web for sale.

What You Need to Know

  • Under the CCPA, a data breach is any unauthorized access, theft or disclosure of a consumer’s non-encrypted and non-redacted personal information that results from a company’s failure to implement and maintain “reasonable” security procedures and practices. Here, the complaint alleges that the defendants failed to maintain reasonable security procedures and practices in order to protect the consumers' PII.
  • Although the CCPA is largely viewed as new law related to California consumers’ privacy rights (and placement of subsequent obligations to companies doing business in California), the CCPA includes potentially draconian damages for a data breach permitted by unreasonable cybersecurity. Under the new law, an individual need not show any actual harm caused by a data breach, yet he/she may seek statutory fines of up to $750 per incident per individual in the event of a breach. Plaintiffs estimate that at least 10,000 California residents could have been affected by this breach, thereby exposing defendants to up to $7.5 million dollars in damages if proven true.
  • There exists a duty to monitor and ensure that third party organizations are properly safeguarding a company’s data. During the course of the investigation into the breach, it was discovered that the Salesforce ecommerce platform was infected with malware which allowed the hackers to steal consumers' PII from Hanna Andersson’s website.
  • The CCPA went into effect on January 1, 2020, yet enforcement by the California Attorney General is not allowed until July 2020. However, no such delay is required for private litigation under the data breach portion of the CCPA. Interestingly, although the complaint alleges that the data breach occurred in 2019, the court could choose to apply the CCPA but that is still yet to be determined.

While Barnes may be the first class action lawsuit to mention violation of the CCPA, it certainly will not be the last. In fact, numerous class actions lawsuits have been filed in the new year which either mention the CCPA or utilize CCPA-like language to style particular claims. As such, it is evident that the Plaintiffs’ bar sees the CCPA as a potential for extensive class action litigation. Expect to see an ongoing deluge of class action litigation in California under the data breach portions of the CCPA. In addition, although the Barnes’ plaintiffs may not be able to invoke the CCPA due to the data breach occurring in 2019 (before the CCPA took affect), Barnes serves as a stark reminder that implementing and maintaining reasonable data security is vital to defend a business against CCPA claims. Newmeyer Dillion can assist companies analyze their cyber risk profile, and provide access to experienced forensic teams which can ensure reasonable security exists in your organization.

*While Barnes does not yet expressly state a cause of action under the CCPA, relying upon violations of the California Unfair Competition Law in its place, we anticipate that an amendment will soon be filed to include a CCPA claim.