The year is off to a litigious start with the help of the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020. The CCPA has spawned a new kind of class action with consumers asserting CCPA violations against businesses ranging from clothing sellers, to most ironically, home security retailers. Undoubtedly, these lawsuits will be closely monitored by companies and lawyers alike to see how far the courts will go, and the legal standard required, to award significant relief to consumers nationwide.
Already, the lawsuits demonstrate that the CCPA is broad in scope, covering businesses in multiple industries, and will be used by a broad range of plaintiffs bringing a variety of legal claims that — regardless of their legitimacy —will force companies to mount a defense. They also underline the importance of privacy audits and implementation of data privacy best practices.
Five Cautionary Examples
The first to strike was California consumer Bernadette Barnes, who filed a class action complaint against Hanna Anderson, LLC and Salesforce.com, Inc. for a widespread data breach that occurred in fall 2019. Barnes’ complaint posits causes of action including negligence, declaratory relief, and violations of California’s Unfair Competition Law and the CCPA arising from Hanna Anderson’s failure to prevent a breach of customers’ personal and payment information and its three-month delay in detecting the data breach. According to the complaint, Hanna Anderson and e-commerce platform supplier Salesforce failed to implement adequate security systems, protocols and practices to protect customer information in violation of California statutes. As a result of system vulnerability, hackers were able to scrape customer names from the website by infecting it with malware and ultimately succeeded in accessing and offering the personal information for sale on the dark web.
Allegations of CCPA violations were brought by an East Coast plaintiff, Pennsylvania resident Hector Fuentes, against Sunshine Behavioral Health Group (Sunshine), an entity that collected Fuentes’ personal and medical information. Following Sunshine’s notification of a data breach, Fuentes alleges that an individual attempted to fraudulently open a credit card in his name. Among other things, Fuentes asserts causes of action for negligence, breach of contract, California’s Unfair Competition Law and the CCPA.
While some recently filed cases include direct claims under the CCPA, others, such as Almeida v. Slickwraps Inc. cite to the CCPA standard as a basis for a negligence claim. Almeida alleges that the company, which sells customer phone and electronic device cases, maintained an electronic feature that allowed anyone to access its entire network including customer information. As a result of this vulnerability, the system was hacked and consumer information was disseminated to third parties. Almeida alleges negligence, intrusion into private affairs, breach of contract and violations of California’s Unfair Competition Law.
In light of the current pandemic, individuals and corporations rely on technology more than ever before to conduct business. Zoom has been a major player in this market and is now a defendant in a CCPA lawsuit filed by users alleging that the company’s inadequate program design and security measures resulted in the unauthorized disclosure of personal information to third parties. Specifically, in Cullen v. Zoom, the plaintiff and potential class members claim that Zoom was sending information to Facebook upon installation and each open and close of the Zoom app. While Zoom responded to the issue by releasing a new version of the Zoom app that no longer transmits the information to Facebook, the plaintiff and class members contend that the damage was done, and that the company violated their privacy rights and California’s consumer protection laws.
Rounding out the five is an interesting case filed by consumers against Ring, LLC, a smart home security company that sells motion-detecting video surveillance cameras and video doorbells. Plaintiffs allege that Ring shares personal consumer information in real time with third parties by failing to require dual factor authentication and maintaining a vulnerable smartphone application. The failure to “secure” the Ring Security devices by implementing “reasonable protocols” to restrict third-party access to customer information is the allegation that resulted in claims of invasion of privacy, negligence, breach of implied warranty of merchantability, California Unfair Competition Law and the CCPA.
So what do these lawsuits mean for businesses? First, the CCPA is a meaningful weapon that will be used against companies that fail to overhaul security compliance to comport with its standards. Second, the CCPA is broad in scope in terms of the types of businesses it covers, the range of potential plaintiffs who may bring a class action and the plethora of legal claims that may be asserted for violations under the CCPA. Third, class actions under the CCPA are not going away and while some of the causes of action asserted in these cases may be dismissed, companies will shoulder the burden of the costs associated with defending against these claims. Finally, the best way to protect your business is to conduct your own audit of privacy protocols to ensure compliance with best practices.