Although the California Consumer Privacy Act (“CCPA”) went into effect on January 1, 2020 and over 100 class actions referencing the CCPA have been filed to date, very few class actions have actually made their way to court approval. That is about to change.
Last week, Judge Chhabria of the Northern District of California granted preliminary approval in a data breach class action involving 4.1 million potential class members, styled as Atkinson et al v. Minted, Inc., Case No. 3:20-cv-03869 (N.D. Cal.). The $5 million non-reversionary settlement fund will be paid to consumers whose personal information was exfiltrated by a hacking group known as ShinyHunters, as reported here. In or around May 2020, ShinyHunters reportedly exfiltrated the consumer information from San Francisco-based Minted, Inc. (“Minted”) (along with 11 other companies) and then tried to sell that personal identifying information (“PII”) on the dark web. In total, approximately 73 million consumers were affected by the breach, spread out over the 11 companies. Of those 73 million, nearly 4.1 million were consumers of Minted, who were purportedly impacted by the breach.
On June 11, 2020, shortly after the breach, putative class plaintiffs filed a putative class action against Minted, alleging causes of action under the CCPA, negligence, and California’s unfair competition law, Business & Professions Code section 17200, as we previously reported here. What made this class action stand out is that the putative class plaintiffs partially complied with the CCPA pre-filing requirement and reportedly provided the statutorily required notice of the breach and an opportunity to cure to Minted. When they did not receive a response to their notice, the plaintiffs amended their complaint to seek statutory penalties and non-monetary relief.
The CCPA gives consumers a private right of action and provides statutory damages of up to $750 per violation for data breaches that allegedly result from a company’s failure to implement reasonable security procedures. Less than a year after this lawsuit was filed, the parties reached a settlement, which is now pending final court approval, with the preliminary approval having been granted on May 14, 2021.
Though the settlement did not end up anywhere near the potential statutory range of the maximum allowable CCPA damages, it includes valuable non-monetary components available to the class members and injunctive relief. In addition to the non-revisionary $5 million settlement fund, the proposed settlement requires Minted to implement certain mandatory data security measures, to conduct two cybersecurity audits, and to offer credit monitoring and personal identity restoration services to affected U.S. residents. These additional forms of relief are not uncommon in data breach class actions. In the motion for approval, the Parties estimate that they expect participating class members to receive an estimated cash payment of $43 per person, as well as two years of credit monitoring services, valued at approximately $10 per month per person.
As one of the first of many anticipated data breach settlements involving the CCPA, the structure provided in the Minted settlement may end up setting helpful guidance and parameters for CCPA class settlements going forward. Companies can take solace in the court’s finding that the settlement amount was reasonable, notwithstanding the available $750 CCPA penalty. As more data breach settlements trickle in, we will continue to report on future CCPA settlements of interest.