CCPA Lawsuits Are Starting
Numerous complaints have already been filed under the California Consumer Privacy Act (CCPA). In 2020, companies will start seeing more lawsuits as consumers start to test their rights under the new data privacy law.
The First Lawsuit Was Filed on February 3
A plaintiff filed a class action suit against Salesforce.com and Hanna Andersson. The lawsuit alleges that Salesforce and Hanna Andersson, a children’s apparel retailer, failed to provide adequate procedures to protect consumers’ personal information.
The lawsuit claims that Salesforce was infected with malware that put at increased risk the personal information of consumers who accessed Hanna Andersson’s website between September 16 and November 11, 2019, before the CCPA took effect.
While no cause of action was explicitly alleged under the CCPA, the plaintiffs are basing their claim of a violation of California’s Unfair Competition Law (UCL), in part, on allegations that both companies violated the CCPA. Specifically, the lawsuit alleges that Salesforce and Hanna Andersson provided sub-par security practices and failed to take reasonable measures to safeguard consumers’ personal information in breach of the CCPA. The complaint alleges that Hanna Andersson waited six weeks to report to the FBI a data breach that occurred within the Salesforce e-commerce platform. In the lawsuit, the plaintiffs claim they didn’t receive notification of the data breach until January 15, 2020.
Consumer Rights Under CCPA
The CCPA provides consumers with a private right of action if their personal information is stolen or disclosed to an unauthorized person because the business responsible for the information failed to maintain reasonable security measures.
In the event of a data breach, consumers can potentially recover between $100 and $750 per consumer, per incident or their actual damages. They can sue for this on an individual or class basis.
Although the CCPA wasn’t officially the law when this data breach took place, it’s still a good example of why your business should have the proper security protocols in place to protect consumers’ personal information. This also includes employee information. You should also make sure that any third party or service provider you work with has identified and secured any personal data. Make sure you develop a response plan in case of any future data breaches.
The security and smart home company Ring had a class action suit filed against it on February 18. The plaintiff alleges that the company failed to implement adequate security and shared its consumers’ personal information with third parties without their consent. The lawsuit alleges that Ring violated provisions of the CCPA that require businesses to provide a notice to consumers of their right to opt out. This is the first lawsuit of its kind to state a cause of action under the CCPA.
This lawsuit highlights several important things that businesses should pay attention to:
1. Consumers’ right of action to sue a business for failing to provide a notice of opt-out to consumers
Under the CCPA, businesses must provide a notice to consumers at or before the collection of consumers’ personal information. Businesses that sell this data must include methods for consumers to opt out of the sale of their personal information. If this case proceeds through litigation, the court will have to decide whether to allow consumers to sue for other violations under the CCPA. Regardless, your business should have the proper procedures in place to avoid potential lawsuits.
2. Does the CCPA invalidate arbitration provisions?
The lawsuit against Ring presents the potential question of whether the CCPA invalidates arbitration provisions. That is, if Ring seeks to compel arbitration based on the terms and conditions that the plaintiffs agreed to when they purchased Ring security products, the plaintiffs will likely ask the court to enforce the section of the CCPA that seems to restrict arbitration agreements from applying to disputes with consumers. This section states:
Any provision of contract or agreement of any kind that purports to waive or limit in any way a consumer’s rights under this title, including, but not limited to, any right to a remedy or means of enforcement, shall be deemed contrary to public policy and shall be void and unenforceable.
If Ring’s arbitration agreement is challenged, the court will have to decide whether this provision is preempted by the Federal Arbitration Act (FAA) and should be struck down.
What Does This Mean for Your Business?
If you have decided to take the ‘wait and see’ approach to compliance, you need to reconsider. Now is the time to start implementing the requirements of the CCPA.
As a preliminary step, you should engage your business in a process called data mapping or data inventory. This involves identifying the specific data that your business collects, retains, and shares, where that data is located, who has access to it, whom the data is shared with, and the business purpose for which the data is used or shared, among other steps. This will help your business implement protections for the data and retrieve or handle requests by consumers.
Your next step is to undergo a security audit. This will help you identify which areas of your business are most vulnerable to data breaches.