pdf

CCPA Case Tracker

July 1, 2020

The California Consumer Privacy Act (CCPA) imposes significant obligations on companies with respect to the personal information of California residents. The CCPA took effect on January 1, 2020, with enforcement beginning on July 1, 2020. Enforcement is expected to be vigorous, with the California Attorney General making several public statements that his office will actively enforce the law. In addition, civil litigants have already filed class actions seeking statutory damages under the CCPA for security breaches. With information about the most significant lawsuits filed under the CCPA, our case tracker can help you stay abreast of litigation and regulatory developments.


Atkinson et al v. Minted, Inc., No. 3:20-cv-03869 (N.D. Cal.)

Date Filed: June 11, 2020

Cause of Action / Trigger of Claim

Suit against Minted.com arising out of an April 2020 data breach that resulted in the exfiltration of 73.2 million records that included passwords, names, email addresses, and other information. Complaint alleges a violation of § 1798.150 by defendant’s failure to prevent the unauthorized access and exfiltration, theft, or disclosure of class members’ non-encrypted PII.

Claims for Relief

Plaintiffs and class members seek injunctive or other equitable relief to ensure the defendant safeguards customers’ PII in the future. Plaintiffs will also seek statutory damages if the defendant “cannot cure the data breach within 30 days.”

Status

Pleadings


Alma Fidela Cercas et al v. Ambry Genetics Corp., No. 8:20-cv-00791 (C.D. Cal.)

Date Filed: April 27, 2020

Cause of Action / Trigger of Claim

Suit against a clinical genomic diagnostic company arising out of a January 2020 data breach that resulted in the exposure and exfiltration of sensitive personal and medical information of more than 232,200 patients. Defendant began notifying effected patients in April 2020.

Claims for Relief

Plaintiffs seek injunctive relief, and under § 1798.150(b)'s written notice to defendant provision, plaintiffs state “If Defendant fails to respond to Plaintiff’s notice letter or agree to rectify the violations detailed above, Plaintiff also will seek actual, punitive, and statutory damages, restitution, attorneys’ fees and costs, and any other relief the Court deems proper as a result of Defendant’s CCPA violations.” 

Plaintiffs claim defendant violated § 1798.150(a)'s prohibition of unauthorized access and exfiltration, theft, or disclosure of PII.

Plaintiffs also bring various claims for violations of California Confidentiality of Medical Information Act, California Medical Records Act, California UCL, negligence, and unjust enrichment.

Status

Pleadings


In Re: Zoom Video Communications, Inc. Privacy Litigation, No. 5:20cv2155 (N.D. Cal.)

Date Filed: April 24, 2020

Cause of Action / Trigger of Claim

Claims arise out of a Vice Media report detailing unauthorized sharing and data vulnerabilities of Zoom. The claims specifically allege that Zoom collected personal data in the form of unique advertiser identifier data and shared that data with third party operators such as Facebook and LinkedIn without notifying consumers or giving them the right to opt out.

Buxbaum v. Zoom also tries to characterize the sharing of information as a data breach or “exfiltration” under §1798.150 alleging: “[b]y allowing user names and passwords to be exfiltrated, Zoom violated the CCPA.”

Under 798.100(b), Plaintiffs gave written notice of alleged violations forcing Zoom to “cure” the alleged violations within 30 days.

Plaintiffs claim that the Defendant violated:

  • § 1798.100(b): Failure to provide adequate notice
  • § 1798.150(a) and § 1798.120(b): Sharing information with a third party without notifying or giving individuals a right to opt out
  • § 1798.150: Data breach or exfiltration violation

Plaintiffs also bring various claims for violations of UCL and CLRA and for negligence, invasion of privacy, and unjust enrichment.

Claims for Relief

  • Injunctive Relief
  • Declaratory Relief
  • Attorneys Fees

Status

Pleadings


Sweeney v. Life On Air, et al., No. 20cv742 (S.D. Cal.)

Date Filed: April 17, 2020

Cause of Action / Trigger of Claim

Claim against Houseparty, a video chat and social media app, alleges that the company shared PII (including personal identifiers, IP addresses, time zone details, phone carrier, device information, and unique advertiser identifier (“IDFA”)) with Facebook and other third parties without notifying users or giving them the option to opt out. Similar to the operative facts in the Zoom cases, the complaint focuses on the use of Facebook’s software development kits (“SDKs”).

Plaintiff claims that the defendant violated:

  • 1798.100(b): Failure to provide adequate notice of collection, use or sale of PII
  • 1798.120(b): Sharing information with a third party without notifying or giving individuals a right to opt out
  • 1798.135(a)(1): Failure to provide a clear and conspicuous “do not sell my personal information” link on webpage
  • 1798.135(a)(B)(6): Failure to keep PII private

Claims for Relief

Plaintiffs seek injunctive relief in the form of an order enjoining Defendant from continuing to violate CCPA and actual damages.

Status

Pleadings


Rahman v. Marriott International, No. 20-cv-00654 (C.D. Cal.)

Date Filed: April 3, 2020

Cause of Action / Trigger of Claim

Cal. Civ. Code § 1798.150(a)(1)

The CCPA provides consumers with the right to institute a civil action where the consumers’ “nonencrypted and nonredacted personal information” was the subject of “an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”

This action arises out of a cybersecurity breach affecting 5.2 million consumers. Marriott announced the data breach on March 31, 2020 and sent e-mails to affected customers.

Claims for Relief

  • injunctive relief
  • enjoining Marriott from continuing to violate the CCPA
  • requiring Marriott to employ adequate security practices consistent with law and industry standards to protect class members’ personal information
  • requiring Marriott to complete its investigation
  • issuing an amended statement to the public and affected guests that is not evasive and contains no equivocations (e.g., phrases such as “may have,” the investigation is “ongoing,” “no reason to believe,” etc.) and to instead confirm and confess, with certainty, what categories of data were stolen and accessed without class members’ authorization, how the data breach occurred, and what specifically occurred to cause the breach

Status

Pleadings


Fuentes v. Sunshine Behavioral Health Group, No. 8:20-cv-00487 (C.D. Cal.)

Date Filed: March 10, 2020

Cause of Action / Trigger of Claim

Sensitive PII including medical information of patients of a drug and alcohol rehabilitation center was searchable, findable, viewable, and downloadable by anyone with access to an internet search engine. The breach occurred for a period of almost 30 months from March 2017 to September 2019, and the company put up a public notice in January 2020.

CCPA is mentioned towards the end of the pleadings as Count X action (over less than a page, so it seems that it is not a significant part of this lawsuit).

Defendant violated CCPA by subjecting the nonencrypted and nonredacted Personal and Medical Information of Plaintiff and Class members to unauthorized access and exfiltration, theft, or disclosure as a result of Defendant’s violation of its duty to implement and maintain reasonable security procedures and practices appropriate to the nature and protection of that information. Cal. Civ. Code § 1798.150(a).

Claims for Relief

  • Injunctive relief
  • Plaintiff seeks injunctive relief in the form of an order enjoining Defendant from continuing to violate the CCPA. If Defendant fails to respond to Plaintiff’s notice letter or agree to rectify the violations detailed above, Plaintiff also will seek actual, punitive, and statutory damages, restitution, attorneys’ fees and costs, and any other relief the Court deems proper as a result of Defendant’s CCPA violations.

Status

Pleadings


In Re Ring Litigation, No. 2:19-cv-10899 (C.D. Cal.)

Date Filed: February 18, 2020

Cause of Action / Trigger of Claim

Ring is a provider of smart security devices, notably a video surveillance doorbell. Ring disclosed PII of users with unauthorized third parties. PII included names, private IP addresses, mobile network carriers, persistent identifiers, and sensor data on devices of customers.

CCPA is mentioned at the very end of the pleadings as the final (8th) cause of action (over less than a page, so it seems that it is not a significant part of this lawsuit).

Plaintiff claims that the defendant violated:

  • Cal. Civ. Civil Code § 1798.100(b): Use of PIIA without providing notice.
  • Cal. Civ. Civil Code § 1798.120(b): Failure to provide notice to consumers regarding their right to opt-out.

Claims for Relief

  • Injunctive relief
  • On behalf of Class members, Plaintiff seeks injunctive relief in the form of an order enjoining Defendant from continuing to violate the CCPA. If Defendant fails to respond to Plaintiff’s notice letter or agree to rectify the violations detailed above, Plaintiff will seek actual, punitive, and statutory damages, restitution, attorneys’ fees and costs, and any other relief the Court deems proper as a result of Defendant’s CCPA violations

Summary of the Claim

  • Ring devices used third-party trackers and disclosed a plethora of user PIIs with four analytics and marketing companies. Ring devices did not follow industry standards and did not require even basic measures like dual factor authentication to use its devices.
  • Reasonable expectation of privacy was violated by failure of adequate security and disclosure of private and personal information to unauthorized third parties without consent.
  • PII shared zone, device model, language preference, and unique identifiers in addition to sensor data exposing Plaintiffs to risk.
  • Ring was negligent and breached its duty of care by ignoring consumer complaints as well as implied contracts of privacy with consumers.
  • Ring’s video doorbell was not a product fit for merchantability as they were not secure and could easily be accessed by third parties.
  • Ring received unjust enrichment by selling its products to the consumers.
  • Ring violated CCPA by collecting PII without providing notice to consumers and by not proving consumers with an option to opt-out.

Status

Pleadings


In Re: Hanna Andersson and Salesforce.com Data Breach Litigation, No. 20-cv-00812 (N.D. Cal.)

Date Filed: February 3, 2020

Cause of Action / Trigger of Claim

Personally Identifiable Information (PII) of customers of Hanna Andersson was scraped through a ‘malware’ on Salesforce’s cloud-based platform used by the company. Stolen PII included customers’ names, addresses, credit card numbers, credit card expiration dates, and CVV codes.

Law enforcement found unauthorized information on the dark web and informed Hanna Andersson of the breach that occurred from September 16, 2019 to November 11, 2019.

Claims for Relief

Plaintiff’s claim violation of California’s Unfair Competition Law and seek the following reliefs:

  • Class Action Certification
  • Enjoin Defendants from engaging in inadequate protection of Plaintiff’s PII
  • Defendants provide funds for Credit Monitoring of all class members
  • Compensatory, statutory, and punitive damages
  • Equitable relief and restitution of revenues retained by Defendants as a result of wrongful acts
  • Legal fees and costs of Plaintiffs

The CCPA is only mentioned incidentally:

“… (iv) deprivation of rights they possess under the California Unfair Competition Law (Cal. Bus. & Prof. Code § 17200) and California Consumer Privacy Act (Cal. Civ. Code § 1798.100, et seq.);” …

“Whether Defendants violated California’s California Consumer Privacy Act by failing to maintain reasonable security procedures and practices appropriate to the nature of the PII.”

Summary of the Claim

Hanna Andersson (retailer of high-end children’s apparel) and Salesforce (provider of e-cloud based services) both failed to:

  1. adequately safeguard PII of users
  2. warn users of inadequate information security practices and
  3. effectively monitor their platforms for security vulnerabilities and incidents.

Defendants’ conduct amounts to negligence and violates several California statutes.

At least 10,000 California residents and multitudes nationwide were affected by the breach.

Some of this information is still being sold on the dark web and poses a lifetime risk of identity theft to users of Hanna Andersson.

Status

Pleadings


This material is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Steve Bunnell, an O’Melveny partner licensed to practice law in the District of Columbia, Lisa Monaco, an O’Melveny partner licensed to practice law in New York, Melody Drummond Hansen, an O’Melveny partner licensed to practice law in California, the District of Columbia, and Illinois, Randall W. Edwards, an O’Melveny partner licensed to practice law in California, Daniel R. Suvor, an O’Melveny partner licensed to practice law in California, and Scott W. Pink, an O’Melveny special counsel licensed to practice law in California and Illinois, contributed to the content of this material. The views expressed in this material are the views of the authors except as otherwise noted.