The California Consumer Privacy Act (CCPA) has been in effect only since January 1, but it has already been cited in a lawsuit, apparently for the first time. On February 3, plaintiffs filed a class action complaint in the US District Court for the Northern District of California against retailer Hanna Andersson, LLC and Salesforce.com, Inc., over a data breach suffered by Hanna Andersson. The complaint makes only passing reference to the CCPA and does not rely on it as the basis for a claim, because the breach happened in 2019, before the CCPA took effect. Still, the citation is worth noting, since the CCPA provides for statutory damages where a company’s failure to implement reasonable security practices results in a data breach. The CCPA thus promises to make data breaches much more costly for victim companies. Retailers and other companies should look at the citation of the CCPA in Barnes v. Hanna Andersson, LLC as a shot across the bow, and be sure that their data security practices are up to snuff.
The complaint in Barnes states simply that Hanna Andersson customers’ injuries “may include…deprivation of rights they possess under the California Unfair Competition Law (Cal. Bus. & Prof. Code § 17200) and California Consumer Privacy Act (Cal. Civ. Code § 1798.100, et seq.).” It also later says that plaintiffs “reserve the right to amend th[e] Complaint as of right to seek damages and relief under Cal. Civ. Code § 1798.100, et seq.” It is not clear how the plaintiffs might attempt to apply the CCPA to actions that took place before the statute’s effective date. But never underestimate the creativity of plaintiffs’ lawyers.