The Private Lawsuits Have Started Around CCPA

The California Consumer Protection Act (CCPA) went into effect in January, 2020, and now the private lawsuits are starting.

Jun 15, 2020
By David Harris

The private lawsuits have started around CCPA, individuals can now sue without actual harm. The California Consumer Protection Act (CCPA) went into effect in January, 2020. The private lawsuits are starting now. So far, the several that have been filed alleging a violation of CCPA demonstrate that no company is really safe from lawsuits. The CCPA allows for actual as well as statutory damages, meaning that under the statutory damages clause, individuals can sue and recover damages without showing actual harm. This is a juicy incentive for plaintiff lawyers. Ring, Zoom and Salesforce are a couple cases already filed under CCPA that you should be aware of.

In re: Ring, a class action lawsuit against the smart home video doorbell and security camera manufacturer. Although there is no specific reference to a specific data breach, the complaint asserts that CCPA was violated by the improper compilation and use of personally identifiable information. Ring’s improper procedures including failure to provide notice or the notice and opportunity to opt out of the sale to third parties is one of the claims. This case hinges on Ring’s deficient security measure of personal information and Ring’s failure of notice of the right to opt out of the sale of this information to third parties.

Cullen v. Zoom addresses Zoom’s alleged failure to protect personal data and the improper disclosure of this information to third parties. One of the third parties is Facebook. “Zoom released a new version of the app on March 27, according to the complaint, saying it would no longer send information to Facebook. But plaintiffs say the company neither blocked prior versions of the app, nor assured users that information already collected has been deleted.

The proposed class includes "all persons and businesses in the United States" whose personal information was collected or disclosed to a third party "upon installation or opening" of the Zoom app” Law 360 3/30/2020.

The third case, Barnes v. Hanna Andersson LLC and Salesforce.com Inc. was the first case filed. It shows that CCPA makes smaller breaches more attractive as class action lawsuits. This case alleges that Hanna Andersson was breached, resulting in the loss of personal information. This included credit card as well as other information. This case is significant since the plaintiffs additionally named Salesforce.com in the lawsuit. This personal information was sold on the dark web.

The statutory damages allow for big exposure even when there is not any actual damage to the plaintiff. Think about the math: if there are 10,000 plaintiffs, the possible remedy could range from $1 to $7.5 million dollars; 100,000 plaintiffs could result in $10 million to $75 million exposure to a business. To any business, so potentially your business. Ask yourself these questions; “What is our exposure?” and “What can we do now to minimize it?”

About the author: David Harris has more than two decades of experience as a financial-market executive. He was head of emerging technology at the London Stock Exchange Group before co-founding Manetu. He previously served as Chairman and CEO of the National Stock Exchange and CEO of the CBOE Stock Exchange.