First California Consumer Privacy Act-based class action litigation filed
A California resident has filed a putative class action asserting that a clothing retailer and its e-commerce platform failed to reasonably secure consumer personal information, resulting in a data breach that exposed more than 10,000 California residents’ personal information. This is the first lawsuit filed citing violations of the California Consumer Privacy Act (CCPA), a new law effective as of Jan. 1, 2020, that seeks to enhance the privacy rights of California residents by imposing data security requirements (among other obligations) on certain business organizations and providing a private cause of action (including class actions) when those requirements are not met.1
At first glance, the complaint’s main theory of liability seems to be based on the CCPA. But a closer reading of the complaint reveals that the actual theory of liability revolves around the assertion that violating the CCPA’s data security provisions amounts to negligence and an unfair or unlawful business practice under another statute—the California Unfair Competition Law (UCL). In other words, the plaintiff is asserting UCL causes of action wherein the underlying unlawful or unfair act is the failure to maintain reasonable security procedures and practices prescribed under the CCPA.
In so pleading, the plaintiff may have intended to avoid the CCPA’s prerequisite that a consumer notify a prospective defendant of alleged CCPA violations and allow that party 30 days to cure the violations before filing a lawsuit.2
But this just raises complex issues that courts will have to sort out. For example, a plaintiff asserting CCPA claims will list the parade of horribles that can arise from a data breach and plead that a cure is not possible. Will courts enforce the cure provision or render it illusory? After all, the California Rosenthal Fair Debt Collection Practices Act (RFDCPA) has a similar cure provision, but the United States Court of Appeals for the Ninth Circuit has previously ruled it inapplicable when the cure only prevented future harms.3
Similarly, will courts enforce the notice and cure provision even when the CCPA violation underlies a UCL claim rather than being pled directly? As an analogy, courts have dismissed UCL claims in data breach cases where the underlying statutory violation was not adequately pled.4
Additionally, the statute is not clear as to what is to be cured—the harm or potential harm to the consumer, the alleged failure to maintain reasonable security, or both? Indeed, many are perplexed by how an organization can logistically cure violations of this CCPA provision (consider, for example, how difficult it would be to truly cure a hacker’s unauthorized acquisition of personal information). Do businesses have to fear that representations that they fixed their security measures could be used to imply that they previously did not have adequate security measures? Further, how can a business represent that “no further violations shall occur” when the breach likely arose from a hacker or other malicious attack, a mischievous employee, or simply an accident?
At this juncture, it is unclear whether the court will accept the complaint’s allegations of UCL violations premised on underlying CCPA violations. The court’s forthcoming rulings in this litigation will give future litigants an early, if incomplete, roadmap for navigating CCPA-based litigation.
McDonald Hopkins’ Data Privacy and Cybersecurity Practice Group will continue to monitor this and future CCPA-based litigation and report on key developments.
1. See CCPA § 1798.150(a)(1) (any consumer whose nonencrypted and nonredacted personal information is subject to unauthorized access and exfiltration, theft, or disclosure as a result of a business’ violation of the duty to implement and maintain reasonable security procedures can sue and collect statutory damages between $100 and $750 per consumer per incident or actual damages if greater).
2. See CCPA § 1798.150(b) (“In the event a cure is possible, if within [ ] 30 days the business actually cures the noticed violation and provides the consumer an express written statement that the violations have been cured and that no further violations shall occur, no action for individual statutory damages or class-wide statutory damages may be initiated against the business.”).
3. See Romero v. Dept. Stores Nat. Bank, 725 F. App’x 537 (9th Cir. Feb. 28, 2018) (cure “defense does not apply if the creditor cannot undo the harm to a debtor that its violation has already caused”).
4. Razuki v. Caliber Home Loans, Inc., 2018 WL 6018361, at *1 (S.D. Cal. Nov. 15, 2018) (“[Customer Records Act] claim fails, so it cannot serve as the basis for his UCL claim”); Anderson v. Kimpton Hotel & Rest. Grp., LLC, 2019 WL 3753308, at *5 (N.D. Cal. Aug. 8, 2019) (same).