Privacy Alert: Let the CCPA Class Action Lawsuits Commence

Lathrop GPM

Lathrop GPM

The first post-California Consumer Privacy Act (CCPA) data breach class action was filed on February 3 in the Northern District of California. See Barnes v. Hanna Andersson, LLC , N.D. Cal., Case No. 20-cv-00812.[1]

The Barnes complaint does not yet expressly state a cause of action under the CCPA, instead relying upon violations of the California Unfair Competition Law. Given the nature of the allegations, however, an amendment to include a CCPA claim is anticipated.

Under the CCPA, a plaintiff not need show any actual harm caused by a data breach and can seek statutory damages of up to $750 per incident per victim in the event of a data breach. In Barnes, it is alleged that there are 10,000 California victims of data breach that occurred in the fall of 2019.  

The Barnes plaintiffs claim that defendants put at risk the personally identifiable information (PII) that children’s clothing retailer Hanna Andersson maintained on Salesforce software, and that neither company maintained “reasonable security procedures and practices appropriate to the nature of the information to protect their customers’ valuable PII.”

A data breach under the CCPA is any unauthorized access, theft or disclosure of a consumer’s nonencrypted and nonredacted personal information that is the result of a business failure to implement and maintain reasonable security procedures and practices.

The CCPA became effective on January 1, 2020, and enforcement by the California Attorney General is expected in July 2020. In response, many businesses have been data mapping to find what personal information they collect on California residents and for what purposes, revising their website privacy policies, reviewing vendor agreements, creating new procedures to respond to consumer requests for access to or deletion of data, purchasing cybersecurity insurance and other activities necessary to comply with the CCPA.

These private rights of action — and potential class action lawsuits enabled by this right — are scary. They apply only to data breaches, not privacy complaints. We will continue to monitor this California data breach case, as well as others soon expected under the CCPA.

In the meantime, this case serves as another strong incentive to implement and maintain reasonable data security as a defense against such claims.

[1] See the Complaint here:

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Lathrop GPM | Attorney Advertising

Written by:

Lathrop GPM

Lathrop GPM on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.