CCPA Update: The first wave of lawsuits is well underway in California

At Helpy, we have been anxious to see how enforcement and legal action surrounding the new California Consumer Protection Act (otherwise known as the CCPA) would play out.

It has now been more than six months since the CCPA went into law, and almost a month since the California Attorney General was to commence enforcement actions.

If you remember, the CCPA allows for class-action lawsuits against companies that violate customers’ privacy rights and features a relatively broad definition of what constitutes private information.

As of July 1, 2020, the California Attorney General’s office can also bring enforcement actions and fines against companies that are in violation of the law.

A business can be sued for failing to abide by CCPA data security stipulations itself, or for engaging a third-party vendor that fails to adequately comply with the CCPA. The important takeaway here is that your business can be targeted simply for using a vendor that does not comply with the CCPA.

So what kind of lawsuits have there been?

No surprise here: it didn’t take long for the first legal action to take place, in early February. It came in the form of a class-action suit against both Salesforce and one of their customers, children’s apparel retailer Hanna Andersson. The complaint focuses on Hanna Andersson’s failure to use adequate security measures to protect customer data, in breach of the CCPA. The basis for this assertion is that HA’s vendor, Salesforce, was infected with malware that allowed hackers to obtain customer data.

The alleged data theft occurred before the CCPA was officially in law, possibly sparing the two defendants the worst of the permitted penalties.  This suit is now heading towards settlement but illustrates how both the provider (Salesforce) and their customer (Hanna Andersson) can be targeted at the same time.

Another early suit was filed against Sunshine Behavioral Health Group when a data breach exposed around 3500 patient records.  No word on how the breach occurred, but a customer discovered it when a credit card was fraudulently opened in their name.

Think about that for a moment… it is bad enough when our customers discover bugs.  But how bad would it be for your customer to discover a security flaw by having their identity stolen?

Several other lawsuits are also underway, including against TikTok, Zoom, Houseparty, and database broker ZoomInfo. The suit against TikTok is focused on the mishandling of a minor’s data, while the Zoom and Houseparty suits focus more on the handling of customers’ personal data. The ZoomInfo suit alleges that ZI is unlawfully collecting consumer data without permission.

Walmart is one of the latest companies to be hit with a lawsuit after a number of their customers’ records appeared for sale on the dark web.

Should you care about the CCPA?

The CCPA is America’s answer to the GDPR and gives consumers broad new data protection rights. Unlike the GDPR, it allows for class-action lawsuits against companies in addition to fines brought by the California Attorney General’s office. The CCPA is like the GDPR, but with real teeth!

The CCPA applies to any company in the world that collects data on California residents and meets one of the following three thresholds:

  1. Has annual gross revenues of at least $25 million
  2. Collects or processes personal information of at least 50,000 California residents in a year
  3. Earns at least 50% of its annual revenue by selling California residents’ data

This means if you have 50,000 website visitors from California in a single year, you would be subject to the CCPA, regardless of where your business is located.

How much is the penalty?

Under the CCPA, a penalty of $100 to $750 is allowed, per consumer, per incident.  That means if you suffer a breach, you could be sued by your entire customer base in a class action.  Likewise, your customers could sue you because you are using a third-party platform that does not adequately protect your data.  This was illustrated by the first example above.

Suppose you have 10,000 customers. At the maximum of $750 per consumer, this could put you on the hook for a $7.5 million penalty. Ouch!

If the sheer cost of the penalty does not sink your business, the negative PR and associated consequences certainly could. Consumers and businesses have demonstrated a strong preference for avoiding businesses that they don’t trust to safeguard their data.