California’s comprehensive privacy law, the California Consumer Privacy Act (CCPA), which took effect on January 1, 2020, has already been cited in numerous lawsuits. Over the next year, employers are likely to see lawsuits testing the waters of the new statute. For now, the first wave of CCPA lawsuits raises several unsettled questions and serves as an important reminder to implement procedures that bring your business into compliance.
The First Case Citing to the CCPA
On February 3, a plaintiff filed a class action against Salesforce.com, Inc. and Hanna Andersson, LLC. The lawsuit alleges that Salesforce, a cloud-based software company, and Hanna Andersson, a children’s apparel retailer, failed to provide adequate security measures to protect consumers’ personal information. The plaintiffs claim Salesforce was infected by malware that caused an increased risk of theft of personal information of consumers who accessed Hanna Andersson’s website between September 16, 2019, and November 11, 2019, before the CCPA took effect.
While no cause of action was explicitly alleged under the CCPA, the plaintiffs base their claim for a violation of California’s Unfair Competition Law (UCL), in part, on allegations that Salesforce and Hanna Andersson have violated the CCPA. Specifically, the complaint claims that the companies used sub-standard security practices and failed to take reasonable measures to safeguard consumers’ personal information in breach of the CCPA. Further, the plaintiffs’ complaint alleges that Hanna Andersson knew that malware infected Salesforce’s e-commerce platform for almost six weeks before Hanna Andersson launched an investigation with the FBI. Most concerningly, the plaintiffs claim they did not receive notice of the security breach until January 15, 2020.
As currently enacted, the CCPA provides consumers with a private right of action if their personal information is stolen or disclosed to an unauthorized person because the business responsible for the information failed to maintain reasonable security measures. In the event of a data breach, consumers can potentially recover between $100 and $750 per consumer per incident or their actual damages, whichever is greater, and they can sue for this on an individual or class basis.
While the plaintiffs’ claim for violation of the CCPA is likely untimely because the data breach occurred before the January 1, 2020 effective date of the law, this case serves as a reminder to make sure your business has implemented reasonable security measures to protect consumers’ personal information in all its forms and wherever it may be stored. This includes employee information. Additionally, you should confirm that any vendors or service providers to which your business discloses consumers’ or employees’ personal information have taken reasonable security measures to protect the data. You should work with privacy counsel to proactively prepare for a data breach by implementing an incident response plan.
In the event of a data breach, you should immediately contact privacy counsel and take corrective action. The best practice for employers in the midst of a data breach is to notify authorities and the affected consumers as soon as possible. If you are an employer covered by the General Data Protection Regulation (GDPR), more restrictive time limits apply when reporting a data breach to the proper authorities. The same is true if the data breach affects individuals in certain other states or territories (such as Connecticut, Florida, New Mexico, Ohio, Puerto Rico, Rhode Island, Tennessee, Vermont, Washington, and Wisconsin), where the law may require notifying the affected individuals and a state agency within a certain number of days after discovering the data breach, ranging from 14 to 90 days.
The First Case Alleging a Violation of the CCPA
Another class action lawsuit was filed on February 18, 2020, against the security and smart home company Ring. The plaintiff, on behalf of a class of consumers who purchased Ring’s security devices, alleges that the company failed to implement adequate security and shared its consumers’ personal information with unauthorized third parties without their consent. The plaintiff further alleges that Ring violated provisions of the CCPA that require businesses to notify consumers of their right to opt out of the sale of their personal information to third parties. This lawsuit is the first to expressly state a cause of action under the CCPA.
The lawsuit highlights several issues that businesses operating in California should pay close attention to as the case proceeds.
- Does the CCPA provide consumers a private right of action to sue a business for failing to provide a notice to consumers?
Under the CCPA, businesses must provide a notice to consumers at or before the collection of consumers’ personal information. On top of that, businesses that sell consumers’ personal information must provide methods for consumers to opt out of the sale of their personal information. The language of the CCPA provides that the Attorney General may file a civil action on behalf of the people of the State of California if a business is in violation of the CCPA, including the sections that require businesses to provide a notice to consumers. The only private right of action that the CCPA permits is for consumers to bring an action if their data is subject to unauthorized disclosure or theft because the business failed to implement reasonable security measures. The plaintiffs in this case do not explain how a failure to provide a proper notice under the CCPA is actionable by consumers when the statute seems to indicate otherwise. If the matter proceeds through litigation, the court will have to decide whether to allow consumers to sue for other violations of the CCPA.
- Does the CCPA invalidate arbitration provisions?
The lawsuit against Ring also presents the potential question of whether the CCPA invalidates arbitration provisions. If Ring seeks to compel the plaintiffs to arbitration based on the terms and conditions that the plaintiffs agreed to when they purchased Ring security products, the plaintiffs will likely ask the court to enforce the section of the CCPA that seems to restrict arbitration agreements from applying to disputes with consumers. Specifically, Civil Code section 1798.192 states:
Any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer’s rights under this title, including, but not limited to, any right to a remedy or means of enforcement, shall be deemed contrary to public policy and shall be void and unenforceable.
If Ring’s arbitration agreement is challenged, the court will have to decide whether this provision is preempted by the Federal Arbitration Act (FAA) and should be struck down.
Recently, a federal judge issued a preliminary injunction against AB 51, a new law that would have prohibited employers from requiring employees to sign mandatory arbitration agreements as a condition of employment. After business groups sought an injunction against enforcement of this law, the court held that AB 51, which was scheduled to take effect on January 1, 2020, is likely preempted by the FAA because AB 51 treats arbitration agreements differently from other contracts and is contrary to the goal of the FAA.
The same analysis may apply in the Ring case if its arbitration clause is challenged based on the provision of the CCPA quoted above. However, it remains to be seen whether Ring will attempt to enforce its arbitration provisions in the first place.
What Does This Mean For Businesses Covered by the CCPA?
What does this mean for your business? If you have decided to take a “wait and see” approach to compliance, now is the time to consult with your privacy counsel and immediately start implementing the requirements of the CCPA.
As a preliminary step, we recommend that your business engage in the process of “data mapping,” also referred to as “data inventory.” Data mapping involves identifying the specific data that your business collects, retains, and shares; where that data is located; who has access to the data; whom that data is shared with; and the business purpose for which the data is used or shared, among other steps. The data map will help your business implement protections for the data and retrieve and/or delete data requested by consumers.
Next, your business should undergo an external security audit by an independent security consulting firm, not by your internal or outsourced IT vendor. A security audit will identify risks and system vulnerabilities, which will in turn indicate the steps your business needs to take to protect personal information. When undergoing a security audit, it is best to work with privacy counsel so that the relevant communications can be protected by the attorney-client privilege.
Finally, we recommend working with privacy counsel to develop a notice to provide to consumers that complies with the requirements of the CCPA. When you start receiving requests from consumers to know, access, or delete their data, your business should have in place a method for verifying the identity of the consumer making the request, tracking the consumer request, and complying with the request in a timely manner.
As the year continues, businesses will undoubtedly see more litigation under the CCPA. We will continue to monitor these lawsuits, as well as those that follow, and provide updates.