A lawsuit filed on Monday, February 3, 2020, against online retailer Hanna Andersson and its e-commerce platform Salesforce is the first class-action lawsuit to cite the new California Consumer Privacy Act (CCPA) since it took effect on January 1.
The class-action lawsuit was filed by plaintiff and California resident Bernadette Barnes, who alleges that Salesforce and Hanna Andersson failed to protect user data, safeguard platforms or provide cybersecurity warnings after hackers infected Hanna Andersson’s e-commerce platform with malware that compromised customers’ names and credit card information.
Barnes claims that this violated state laws including the California Consumer Privacy Act.
What is the CCPA?
The California Consumer Privacy Act came into effect on January 1, 2020, and is designed to give permanent residents of California more consumer protection when it comes to misuse of their personal data.
The CCPA gives Californian consumers the right to know which personal information is being collected and how it’s being used, the right to delete personal information held by businesses, the right to opt out of the reselling of their personal information, and the right to non-discrimination in price and service when they exercise their right to privacy under these regulations.
While the CCPA took effect as of January 1, 2020, and California residents can start making requests on this date, the California Attorney General's Office will not start enforcing the CCPA until July 1, 2020.
What happened with the Barnes v. Hanna Andersson case?
Since the Barnes v. Hanna Andersson class-action lawsuit was filed over a data breach that allegedly occurred before the CCPA came into effect on January 1, the case will not test the CCPA's legal limits.
Despite this, it’s still important for companies to closely follow this suit, as well as others that mention CCPA, as the statute makes it significantly easier for consumers in California to seek damages than under typical state consumer-protection laws.
How can businesses prepare for more CCPA-related cases?
So, what can businesses with Californian customers learn from this first CCPA-related case? Troutman Sanders attorneys, as published in Bloomberg Law, have listed five tips that will help businesses prepare for future CCPA lawsuits:
1 - The CCPA does not define which rights can be claimed in a lawsuit
In the Barnes v. Hanna Andersson class-action lawsuit, Barnes claimed that she and the putative class members were deprived of their rights under the CCPA. The CCPA does not afford consumers rights in the data breach context; instead, it allows consumers to recover statutory damages for a breach if certain steps are followed.
In this case, it’s unclear what “rights” the plaintiff has been deprived of.
2 - The CCPA does not create a duty to maintain “reasonable security procedures”
In the lawsuit, Barnes claims that the defendants violated the CCPA by failing to maintain “reasonable security procedures”, which is a common class issue. However, the CCPA imposes no obligation on businesses to maintain reasonable security procedures.
In fact, the CCPA only states that, under certain circumstances, consumers may be entitled to statutory damages in the event of a data breach.
3 - The CCPA has a cure provision
The CCPA has a “cure provision”, which may provide businesses with an out if a consumer brings an action for statutory damages in the event of a data breach.
Prior to bringing the action, the consumer must provide the business with 30 days' written notice, identifying the specific violation. This gives the business time to “cure” the violations and provide the consumer with a written statement indicating that it has done so. If the cure is successful, statutory damages are not available.
4 - CCPA statutory damages for data breaches do not apply to service providers
The CCPA draws a clear distinction between businesses and service providers, with service providers generally processing personal information on behalf of a business. Only “businesses” that fail to implement reasonable security procedures may be held liable for statutory damages - not service providers.
5 - If your business “owns, licenses or maintains” personal information you must maintain reasonable security procedures
California law only requires businesses that own, license or maintain personal information to maintain reasonable security procedures. That means if your business does not do any of these, you are arguably under no obligation to maintain reasonable security procedures and therefore not liable for CCPA statutory damages.
Are you looking for more tips that will ensure your business is compliant with the California Consumer Privacy Act? Get in touch with Enzuzo today. Our team of privacy experts will be happy to answer any questions you have.