When the California Consumer Privacy Act 2018 (“CCPA”) went into effect on January 1, 2020, it brought with it the potential for a wave of class action lawsuits from California consumers whose personal identifiable information is compromised in data breaches.
While the California Attorney General’s enforcement of the CCPA began only recently (July 1), the private right of action has been available since January 1. Now, nine months into the CCPA, a handful of cases have been filed, some of which directly allege CCPA violations under the private right of action, some that merely cite to the CCPA, and some that cite to the CCPA to support allegation of violations of another law.
The first CCPA case filed this year was Barnes v. Hanna Andersson, LLC, Case No. 20-cv-00812 (N.D. Cal. Feb. 3, 2020) now known as In re Hanna Andersson and Salesforce.com Data Breach Litigation. Plaintiffs amended their complaint in March, related actions were consolidated on May 5, and plaintiffs field a consolidated amended class action complaint on June 3. Plaintiffs allege negligence; declaratory relief; and violations of the California Unfair Competition Law (“UCL”), Business and Professions Code § 17200. The plaintiffs also claim that Salesforce, a cloud-based software company, and Hanna Andersson, a children’s clothing company, failed to protect their data, provide adequate cybersecurity warnings, and safeguard their platforms. This case was filed just weeks after hackers “scraped” customers’ names, addresses, and credit card information from the company’s website and put it up for sale on the dark web. Salesforce was allegedly responsible for hosting the data. Salesforce says it was “infected with malware” making it susceptible to breach. In the initial version of their complaint, the Barnes plaintiffs predicated their UCL § 17200 causes of action, in part, on alleged violations of the CCPA. The consolidated complaint adds a CCPA cause of action seeking statutory damages, as well as claims for negligence, violation of the CA unfair competition law, and violation of the Virginia Personal Information Breach Notification Act. Plaintiffs bring this lawsuit on behalf of (1) a nationwide class and (2) a California Class, and (3) a Virginia class. They seek injunctive and declaratory relief, free credit monitoring, statutory damages, punitive damages, disgorgement and restitution, and attorneys’ fees and costs. As the first case filed, the privacy bar watched Barnes closely; hoping it would clarify perceived ambiguities in the CCPA as written. But we may not be so lucky. On July 1, Judge Chen granted the parties stipulated request to stay the case for 60 days pending settlement of the action. On August 17 Judge Chen granted the parties stipulated request for an additional 30 days stay pending settlement.
Fuentes v. Sunshine Behavioral Health Group, LLC, Case No. 8:20-cv-00487 (C.D. Cal. Mar. 10, 2020) was also filed in March. This action arose from a data breach that allegedly exposed highly sensitive personal and medical information of thousands of defendants’ patients. The Fuentes complaint was filed by Hector Fuentes, a Pennsylvania resident. Sunshine operates drug and alcohol rehabilitation facilities in California, Colorado, and Texas. Sunshine reportedly learned that it had experienced a data breach that started as far back as 2017 and was continuously exposing highly personal and medical information (including credit card numbers, Social Security numbers, insurance policy numbers, and medical information) to unauthorized third parties, who ultimately exfiltrated that data. Despite allegedly learning of this breach on September 4, 2019, Sunshine did not notify any affected individuals until January of 2020.
In addition to seeking statutory damages under the CCPA, Mr. Fuentes pleads actual damages including increased risk and fear of identity theft, a fraudulent attempt to open a credit card in his name, unauthorized paid magazine subscriptions he received after the breach, and over 10 hours of his personal time spent on post-remedial measures. In addition to the CCPA cause of action, it pleads myriad other causes of action including (1) negligence and negligence per se, (2) multiple contract- and unjust enrichment-type claims, (3) violations of the UCL, (4) violations of the California Consumer Records Act, (5) violations California’s Confidentiality of Medical Information Act (“CMIA”), (6) violations of Pennsylvania’s Unfair Trade Practices Act (for the “Pennsylvania Sub-Class”), and (7) injunctive relief.
The key issue in this case will be whether the CCPA offers protection to non-California residents, since Mr. Fuentes admittedly resides in Pennsylvania, and therefore arguably lacks standing to bring this claim. As a result, another likely issue here will be whether plaintiffs are able to obtain pre-certification discovery of the defendants’ list of class members who were subjected to the breach. Defendants will also likely argue that Mr. Fuentes did not serve proper notice to cure under the CCPA, and that the CCPA should not apply retroactively to breaches that occurred before the CCPA’s effective date of January 1, 2020. On July 13, Defendants filed a Motion to Compel Arbitration, or in the alternative, dismiss the Complaint. This may be the first case to test whether CCPA’s invalidation of mandatory arbitration clauses will survive, or whether the Federal Arbitration Act will preempt.
On April 3, plaintiff Arifur Rahman filed Rahman v. Marriott International, Inc., Case No. 8:20-cv-00654 (C.D. Cal., Apr. 3, 2020), a putative class action on behalf of California residents against Marriott for a data breach that was announced on March 31, 2020. Plaintiff alleged violation of the CCPA and California’s Unfair Competition Law, as well as breach of contract and implied contract, negligence, and unjust enrichment. The breach at issue allegedly involved 5 million customer records and included names, addresses, phone numbers, and email addresses. On June 29 Plaintiffs filed an amended complaint adding statutory damages under CCPA, motion to dismiss briefing is ongoing.
Lopez v. Tandem Diabetes Care, Inc., Case No., 3:20-cv-00723-LAB-LL (S.D. Cal. Apr. 16, 2020) was also filed in April.This case arose from a breach of confidential medical information by a national medical device manufacturer. Plaintiff’s claims included violations of the CCPA, California Confidentiality of Medical Information Act, violation of the California consumer records act, violation of the California Unfair Competition Law, unjust enrichment, breach of implied covenant of good faith and fair dealing, breach of implied contract, breach of contract, and negligence and negligence per se. Plaintiff sought injunctive and declaratory relief in addition to monetary damages. Plaintiff also alleged that it would amend the complaint in 30 days if defendant failed to cure the violations. The plaintiff in this case was a Texas resident, which again raised the issue CCPA’s extra-territorial application, and it did not define a separate class of California residents. Unfortunately, privacy onlookers will not get to see how this case unfolds; it was voluntarily dismissed on May 22.
The Consolidated Ambry Genetics Cases, Case No. 8:20-cv-00791 (C.D. Cal.)are a series of four putative consumer class action cases filed against Ambry Genetics, a company that provides genetic testing services, following a data breach in January 2020. Plaintiffs allege that the breach resulted in unauthorized access to customer PII and Protected Health Information (PHI0, and that Ambry failed to report the breach to the government until March 2020 or to customers until April 2020. On June 16, Chief Judge Cormac J. Carney consolidated these cases under the caption Cercas v. Ambry Genetics Corp., Case No. 8:20-cv-00791. While the complaint in the lead case Cercas does not allege a CCPA cause of action, the remaining three complaints – Brodsky v. Ambry Genetics, Case No. 8:20-cv-00811 (C.D. Cal.); Pascoe v. Ambry Genetics, Case No. 8:20-cv-00838 (C.D. Cal.); and McMurphy v. Ambry, Case No. 8:20-cv-00904 (C.D. Cal.) – do allege violations of the CCPA, either directly or as a predicate to claims under the UCL.
In late May, plaintiffs filed Gupta v. Aeries Software, Inc., Case No. 8:20-cv-00995-FMO-ADS (C.D. Cal., May 28, 2020) on behalf of a class of consumers whose data was breached against defendant Aeries Software, Inc., maker of the Aeries School Information System, a student data management software. Plaintiffs allege that Aeries did not adequately safeguard the personally identifiable information of thousands of vulnerable students, resulting in unauthorized third parties accessing that data. In this case plaintiffs allege numerous causes of action, including intrusion upon seclusion, negligence, breach of confidence, violation of the California Unfair Competition Law, and violation of the CCPA. This case alleges an ongoing breach that Defendant was aware of “no later than January 2020.” Since it is unclear whether any part of this breach occurred after the CCPA’s effective date of January 1, 2020, it will be interesting to see whether the plaintiff’s CCPA claim can survive. Motion to dismiss briefing is ongoing.
On May 20,California minor G.R. filed a putative class action G.R. v. TikTok, Case No. 2:20-cv-04537 (C.D. Cal.) against video social networking application provider TikTok and parent company ByteDance, Inc. Plaintiff alleges that TikTok scans every video uploaded to the application for faces, extracts biometric identifiers of each face, and uses the data to create and store a template of each face without disclosing this process to its users. TikTok then allegedly disseminates the biometric identifiers to third parties without requisite notice. Plaintiff seeks to represent a class composed of “[a]ll minor persons who registered for or used the TikTok app from at least May 14, 2017 to the present.” Plaintiff alleges that California law applies to all class members based on TikTok’s California-based U.S. headquarters. Plaintiff asserts claims for violations of the CCPA based on the defendants’ failure to provide required notice to users about the application’s collection and use of their data and of their right to opt out. Plaintiff does not allege that she provided Defendants with the requisite notice and opportunity to cure under the CCPA. The CCPA cause of action in this case does not appear to be based on a data breach involving the relevant CCPA definition of PII, making it an interesting test of the limits of the private right of action. Like other cases we have seen and reviewed here, Plaintiff also alleges violation of the CCPA as a predicate for its UCL claim. On July 10, the Court entered an Order to Stay the Proceedings pending the later of (i) a ruling by the Judicial Panel on Multidistrict Litigation on a motion to transfer this action and (ii) the parties’ August 13 mediation.
Finally, in June MoginRubin LLP (where the author of this article is employed), filed Atkinson v. Minted, Inc., Case No. 3:20-cv-03869-JSC (N.D. Cal., Jun. 11, 2020), a class action complaint on behalf of consumers nationwide against online stationary giant Minted. This case arose from a series of data breaches perpetrated in May 2020 by a hacking group using the pseudonym “Shiny Hunters.” The “hunters” were able to infiltrate approximately a dozen companies, steal users’ data, and put it up for sale on the dark web. It has been reported that 5 million Minted consumer records were compromised in the breach. Plaintiffs allege negligence and breach of contract, as well as claims for relief under the CCPA and violation of California’s Unfair Competition Law on behalf of California consumers only. Plaintiffs filed an amended complaint seeking statutory damages under the CCPA once the 30-day cure period expired on July 27, and responsive pleadings are expected in late September.