CCPA Case Tracker

The California Consumer Privacy Act (CCPA) imposes significant obligations on companies with respect to the personal information of California residents. The CCPA took effect on January 1, 2020, with enforcement beginning on July 1, 2020. Enforcement is expected to be vigorous, with the California Attorney General making several public statements that his office will actively enforce the law. In addition, civil litigants have already filed class actions seeking statutory damages under the CCPA for security breaches. With information about the most significant lawsuits filed under the CCPA, our case tracker can help you stay abreast of litigation and regulatory developments.

McCoy v. Alphabet, Inc. et al., No. 5:20-cv-05427 (N.D. Cal.)

Date Filed: August 5, 2020

Cause of Action / Trigger of Claim

Proposed class action against Alphabet Inc. and Google LLC alleging that the companies monitored and collected personal data of Android users without obtaining consent. The personal data allegedly monitored and collected includes the duration of time spent on non-Google apps, and how frequently those apps are opened and used.

Complaint alleges a violation of § 1798.100(b) because the Defendant’s failed to disclose that they collected data related to “non-Google apps, including the duration of time spent on non-Google apples and the frequency that non-Google apps are opened.”

On February 2, 2021, the court dismissed Plaintiff’s CCPA claims, holding that the law does not provide a private right of action outside of the data breach context. The court highlighted that the Plaintiff’s had not plead a data security incident and had further conceded during arguments that the CCPA claims should be dismissed because no data breach occurred. In a plain reading of the statute, the order states that the CCPA “confers a private right of action for violations of section [Cal. Civ. Code § 1798.150](a), which is related to personal information security breaches. Further, it explicitly states that ‘[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.’ Cal. Civ. Code § 1798.150(c).”

This is the first case to decide that there is no general private right of action under CCPA, although it remains to be seen if this interpretation will be adopted in other cases.

Claims for Relief

The CCPA claim sought injunctive relief and statutory damages.

Status

Dismissed (no private right of action on February 2, 2021)

Atkinson et al v. Minted, Inc., No. 3:20-cv-03869 (N.D. Cal.)

Date Filed: June 11, 2020

Cause of Action / Trigger of Claim

Suit against Minted.com arising out of an April 2020 data breach that resulted in the exfiltration of 73.2 million records that included passwords, names, email addresses, and other information. Complaint alleges a violation of § 1798.150 by defendant’s failure to prevent the unauthorized access and exfiltration, theft, or disclosure of class members’ non-encrypted PII.

Claims for Relief

Plaintiffs and class members seek injunctive or other equitable relief to ensure the defendant safeguards customers’ PII in the future. Plaintiffs will also seek statutory damages if the defendant “cannot cure the data breach within 30 days.”

Status

Pleadings

Alma Fidela Cercas et al v. Ambry Genetics Corp., No. 8:20-cv-00791 (C.D. Cal.)

Date Filed: April 27, 2020

Cause of Action / Trigger of Claim

Suit against a clinical genomic diagnostic company arising out of a January 2020 data breach that resulted in the exposure and exfiltration of sensitive personal and medical information of more than 232,200 patients. Defendant began notifying effected patients in April 2020.

Claims for Relief

Plaintiffs seek injunctive relief, and under § 1798.150(b)'s written notice to defendant provision, plaintiffs state “If Defendant fails to respond to Plaintiff’s notice letter or agree to rectify the violations detailed above, Plaintiff also will seek actual, punitive, and statutory damages, restitution, attorneys’ fees and costs, and any other relief the Court deems proper as a result of Defendant’s CCPA violations.” 

Plaintiffs claim defendant violated § 1798.150(a)'s prohibition of unauthorized access and exfiltration, theft, or disclosure of PII.

Plaintiffs also bring various claims for violations of California Confidentiality of Medical Information Act, California Medical Records Act, California UCL, negligence, and unjust enrichment.

Status

Pleadings

In Re: Zoom Video Communications, Inc. Privacy Litigation, No. 5:20cv2155 (N.D. Cal.)

Date Filed: April 24, 2020

Cause of Action / Trigger of Claim

Claims arise out of a Vice Media report detailing unauthorized sharing and data vulnerabilities of Zoom. The claims specifically allege that Zoom collected personal data in the form of unique advertiser identifier data and shared that data with third party operators such as Facebook and LinkedIn without notifying consumers or giving them the right to opt out.

Buxbaum v. Zoom also tries to characterize the sharing of information as a data breach or “exfiltration” under §1798.150 alleging: “[b]y allowing user names and passwords to be exfiltrated, Zoom violated the CCPA.”

Under 798.100(b), Plaintiffs gave written notice of alleged violations forcing Zoom to “cure” the alleged violations within 30 days.

Plaintiffs claim that the Defendant violated:

• § 1798.100(b): Failure to provide adequate notice
• § 1798.150(a) and § 1798.120(b): Sharing information with a third party without notifying or giving individuals a right to opt out
• § 1798.150: Data breach or exfiltration violation

Plaintiffs also bring various claims for violations of UCL and CLRA and for negligence, invasion of privacy, and unjust enrichment.

Claims for Relief

• Injunctive Relief
• Declaratory Relief
• Attorneys Fees

Status

Pleadings

Sweeney v. Life On Air, et al., No. 20cv742 (S.D. Cal.)

Date Filed: April 17, 2020

Cause of Action / Trigger of Claim

Claim against Houseparty, a video chat and social media app, alleges that the company shared PII (including personal identifiers, IP addresses, time zone details, phone carrier, device information, and unique advertiser identifier (“IDFA”)) with Facebook and other third parties without notifying users or giving them the option to opt out. Similar to the operative facts in the Zoom cases, the complaint focuses on the use of Facebook’s software development kits (“SDKs”).

Plaintiff claims that the defendant violated:

• 1798.100(b): Failure to provide adequate notice of collection, use or sale of PII
• 1798.120(b): Sharing information with a third party without notifying or giving individuals a right to opt out
• 1798.135(a)(1): Failure to provide a clear and conspicuous “do not sell my personal information” link on webpage
• 1798.135(a)(B)(6): Failure to keep PII private

Claims for Relief

Plaintiffs seek injunctive relief in the form of an order enjoining Defendant from continuing to violate CCPA and actual damages.

Status

Pleadings

Rahman v. Marriott International, No. 20-cv-00654 (C.D. Cal.)

Date Filed: April 3, 2020

Cause of Action / Trigger of Claim

Cal. Civ. Code § 1798.150(a)(1)

The CCPA provides consumers with the right to institute a civil action where the consumers’ “nonencrypted and nonredacted personal information” was the subject of “an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”

This action arises out of a cybersecurity breach affecting 5.2 million consumers. Marriott announced the data breach on March 31, 2020 and sent e-mails to affected customers.

Claims for Relief

• injunctive relief
• enjoining Marriott from continuing to violate the CCPA
• requiring Marriott to employ adequate security practices consistent with law and industry standards to protect class members’ personal information
• requiring Marriott to complete its investigation
• issuing an amended statement to the public and affected guests that is not evasive and contains no equivocations (e.g., phrases such as “may have,” the investigation is “ongoing,” “no reason to believe,” etc.) and to instead confirm and confess, with certainty, what categories of data were stolen and accessed without class members’ authorization, how the data breach occurred, and what specifically occurred to cause the breach

Status

Pleadings

Fuentes v. Sunshine Behavioral Health Group, No. 8:20-cv-00487 (C.D. Cal.)

Date Filed: March 10, 2020

Cause of Action / Trigger of Claim

Sensitive PII including medical information of patients of a drug and alcohol rehabilitation center was searchable, findable, viewable, and downloadable by anyone with access to an internet search engine. The breach occurred for a period of almost 30 months from March 2017 to September 2019, and the company put up a public notice in January 2020.

CCPA is mentioned towards the end of the pleadings as Count X action (over less than a page, so it seems that it is not a significant part of this lawsuit).

Defendant violated CCPA by subjecting the nonencrypted and nonredacted Personal and Medical Information of Plaintiff and Class members to unauthorized access and exfiltration, theft, or disclosure as a result of Defendant’s violation of its duty to implement and maintain reasonable security procedures and practices appropriate to the nature and protection of that information. Cal. Civ. Code § 1798.150(a).

Claims for Relief

• Injunctive relief
• Plaintiff seeks injunctive relief in the form of an order enjoining Defendant from continuing to violate the CCPA. If Defendant fails to respond to Plaintiff’s notice letter or agree to rectify the violations detailed above, Plaintiff also will seek actual, punitive, and statutory damages, restitution, attorneys’ fees and costs, and any other relief the Court deems proper as a result of Defendant’s CCPA violations.

Status

Pleadings

In Re Ring Litigation, No. 2:19-cv-10899 (C.D. Cal.)

Date Filed: February 18, 2020

Cause of Action / Trigger of Claim

Ring is a provider of smart security devices, notably a video surveillance doorbell. Ring disclosed PII of users with unauthorized third parties. PII included names, private IP addresses, mobile network carriers, persistent identifiers, and sensor data on devices of customers.

CCPA is mentioned at the very end of the pleadings as the final (8th) cause of action (over less than a page, so it seems that it is not a significant part of this lawsuit).

Plaintiff claims that the defendant violated:

• Cal. Civ. Civil Code § 1798.100(b): Use of PIIA without providing notice.
• Cal. Civ. Civil Code § 1798.120(b): Failure to provide notice to consumers regarding their right to opt-out.

Claims for Relief

• Injunctive relief
• On behalf of Class members, Plaintiff seeks injunctive relief in the form of an order enjoining Defendant from continuing to violate the CCPA. If Defendant fails to respond to Plaintiff’s notice letter or agree to rectify the violations detailed above, Plaintiff will seek actual, punitive, and statutory damages, restitution, attorneys’ fees and costs, and any other relief the Court deems proper as a result of Defendant’s CCPA violations

Summary of the Claim

• Ring devices used third-party trackers and disclosed a plethora of user PIIs with four analytics and marketing companies. Ring devices did not follow industry standards and did not require even basic measures like dual factor authentication to use its devices.
• Reasonable expectation of privacy was violated by failure of adequate security and disclosure of private and personal information to unauthorized third parties without consent.
• PII shared zone, device model, language preference, and unique identifiers in addition to sensor data exposing Plaintiffs to risk.
• Ring was negligent and breached its duty of care by ignoring consumer complaints as well as implied contracts of privacy with consumers.
• Ring’s video doorbell was not a product fit for merchantability as they were not secure and could easily be accessed by third parties.
• Ring received unjust enrichment by selling its products to the consumers.
• Ring violated CCPA by collecting PII without providing notice to consumers and by not proving consumers with an option to opt-out.

Status

Pleadings

In Re: Hanna Andersson and Salesforce.com Data Breach Litigation, No. 20-cv-00812 (N.D. Cal.)

Date Filed: February 3, 2020

Cause of Action / Trigger of Claim

Personally Identifiable Information (PII) of customers of Hanna Andersson was scraped through a ‘malware’ on Salesforce’s cloud-based platform used by the company. Stolen PII included customers’ names, addresses, credit card numbers, credit card expiration dates, and CVV codes.

Law enforcement found unauthorized information on the dark web and informed Hanna Andersson of the breach that occurred from September 16, 2019 to November 11, 2019.

Claims for Relief

Plaintiff’s claim violation of California’s Unfair Competition Law and seek the following reliefs:

• Class Action Certification
• Enjoin Defendants from engaging in inadequate protection of Plaintiff’s PII
• Defendants provide funds for Credit Monitoring of all class members
• Compensatory, statutory, and punitive damages
• Equitable relief and restitution of revenues retained by Defendants as a result of wrongful acts
• Legal fees and costs of Plaintiffs

The CCPA is only mentioned incidentally:

“… (iv) deprivation of rights they possess under the California Unfair Competition Law (Cal. Bus. & Prof. Code § 17200) and California Consumer Privacy Act (Cal. Civ. Code § 1798.100, et seq.);” …

“Whether Defendants violated California’s California Consumer Privacy Act by failing to maintain reasonable security procedures and practices appropriate to the nature of the PII.”

Summary of the Claim

Hanna Andersson (retailer of high-end children’s apparel) and Salesforce (provider of e-cloud based services) both failed to:

1. adequately safeguard PII of users
2. warn users of inadequate information security practices and
3. effectively monitor their platforms for security vulnerabilities and incidents.

Defendants’ conduct amounts to negligence and violates several California statutes.

At least 10,000 California residents and multitudes nationwide were affected by the breach.

Some of this information is still being sold on the dark web and poses a lifetime risk of identity theft to users of Hanna Andersson.

Status

Pleadings

Shadi Hayden v. The Retail Equation, Inc., et al, No. 8:20-CV-01203 (C.D. Cal.)

Date Filed: July 7, 2020

Cause of Action / Trigger of Claim

Claim against Sephora USA, Inc., and The Retail Equation, Inc., alleging the sharing of consumer data collected for a consumer report and “risk score” used to advise Sephora whether attempted product returns and exchanges are fraudulent. Complaint alleges that Sephora shared PII, specifically customers’ name, date of birth, race, sex, photograph, street address, and zip code with the Retail Equation to create the reports and “risk scores” without their knowledge or consent. Complaint alleges Defendants unlawfully invaded Plaintiff’s and Class Members’ right to privacy under sections 1798.100(b), 1798.110(c), and 1798.115(c) of the CCPA.

Claims for Relief

Plaintiff seeks an order that Defendants are permanently enjoined from their improper conduct and practices as alleged, a judgment awarding appropriate monetary relief, and costs associated with the action, including attorneys’ fees and expenses.

Status

Pleadings

Flores-Mendez et al v. Zoosk, Inc., No. 3:20-cv-4929 (N.D. Cal.)

Date Filed: July 22, 2020

Cause of Action / Trigger of Claim

Claim against Zoosk, Inc., an online data company, arising out of a May 2020 data breach in which 30 million user records were subject to unauthorized access. The customer information disclosed in the data breach included a combination of individuals’ names, email addresses, dates of birth, demographical information, gender, and password information.

Complaint alleges a violation of § 1798.150 by Defendant’s failure to prevent the unauthorized access and exfiltration, theft or disclosure of Class Members’ PII.

Claims for Relief

Plaintiff and Class Members seek declaratory, injunctive, and other equitable relief necessary to protect their PII, including, but not limited to, an order compelling Defendants to adopt reasonable security procedures and practices to safeguard customers’ PII and prevent future data breaches.

Status

Pleadings

P. et al v. Shutterfly, Inc., No. 4:20-cv-04960-KAW (N.D. Cal.)

Date Filed: July 23, 2020

Cause of Action / Trigger of Claim

Claim against Shutterfly, Inc., arising out Shutterfly’s use of facial recognition technology to extract biometric identifiers associated with minors’ faces from user-uploaded photographs. The complaint further alleges that Shutterfly subsequently stored said biometric information of users and non-users in its database.

Complaint alleges a violation of § 1798.100(b) by Defendant’s failure to disclose the personal information of minors it collects and not giving consumers the right to decide whether their personal information is collected or have their information deleted.

Complaint also alleges a violation of § 1798.150 by equating the disclosure of minors’ nonencrypted and nonredacted personal information to other companies as a data breach.

Claims for Relief

Plaintiff seeks an order declaring that Defendant’s conduct violates the CCPA and requiring Shutterfly to cease alleged unlawful activities, in addition to an award of damages.

Status

Pleadings

Brekhus et al v. Google LLC and Alphabet Inc., No. 5:20-cv-05488 (N.D. Cal.)

Date Filed: August 7, 2020

Cause of Action / Trigger of Claim

Complaint against Google and Alphabet arising out of allegedly false representations by Google to consumers that it would not record or process conversations or other audio picked up by voice-activated hardware devices unless users say a specific activation phrase. Plaintiff and Class Members allege that information picked up through these devices included recordings of communications and activities inside users’ homes.

Complaint alleges a violation of § 1798.100 by failing to inform Plaintiffs that Google would collect categories of personal data beyond those that Google had identified in its Privacy Policy as being subject to collection. Complaint further alleges that Google’s inability to implement and maintain reasonable security procedures and practices violated § 1798.150 since it subjected the Plaintiffs to a scheme whereby Defendants gained unauthorized access to their private information.

Claims for Relief

Plaintiff and Class Members seek an order enjoining Defendants from continuing to violate the CCPA.

Status

Pleadings

Guzman v. RLI Corp, et al., 2:20-cv-08356 (C.D. Cal.)

Date Filed: September 10, 2020

Cause of Action / Trigger of Claim

Proposed class action arising from an alleged data breach of RLI, a federal sureties company that contracts with an immigration bail bond company, when it failed to redact the personal information of respondents’ date of birth, ssn, addresses and names and contact information of family members, including minor children, in PACER filings.

Complaint alleges violations of § 1798.100(b) and § 1798.115(d) for failing to inform the proposed California Sub-Class of the collection of their personal information and sharing access to that personal information with third parties in violation of § 1798.110(c).

Plaintiffs also allege a violation of § 1798.150(a) because the PACER filing failed to prevent nonencrypted and nonredacted personal information from unauthorized disclosure.

Claims for Relief

Plaintiffs seek actual, punitive, and statutory damages, attorneys’ fees and costs, and any other relief the Court deems proper as a result of RLI’s alleged CCPA violations.

Status

Pleadings

Stoffers v. Dave, Inc., et al., 20STCV35381 (L.A. Superior Court)

Date Filed: September 16, 2020

Cause of Action / Trigger of Claim

Proposed class action arising from a July 2020 data breach of users of Dave, an application that monitors bank accounts and notifies users when their expenses are likely to exceed available funds. The hack allegedly accessed personal information, including names, emails, birth dates, physical addresses, phone numbers, and encrypted social security numbers of over seven million individual user records, and then posted the entire database on a hacker forum.

Complaint alleges a violation of § 1798.150(a) for the exfiltration, theft or disclosure of users’ PII. Complaint also alleges violations of § 1798.81.5(c) for failure to require the third party handling the users’ PII to implement and maintain reasonable security procedures and processes.

Claims for Relief

Plaintiffs seek actual damages, injunctive relief, including public injunctive relief, and declaratory relief, and any other relief as deemed appropriate by the court.

Status

Pleadings

Deborah Wesch v. Yoddlee Inc., et al, No. 3:20-cv-06534-AGT (N.D. Cal)

Date Filed: September 17, 2020

Cause of Action / Trigger of Claim

Proposed class action against Yoddlee, a financial data aggregator, alleging that the company used its API to access the Plaintiff’s bank account and sensitive personal data without her knowledge or consent when she used her PayPal account.

Complaint alleges a violation of § 1798.100(b) for failure to give notice that the business was allegedly collecting personal information.

Claims for Relief

The CCPA is not a cause of action, but rather plead as an example of how the Defendant’s alleged “failure to disclose violates several privacy laws.”

Complaint seeks relief for violation of the Stored Communications Act (18 U.S.C. § 2701); the Computer Fraud and Abuse Act (18 U.S.C. § 103); California Unfair Competition Law (Cal. Bus. & Prof. Code § 17200); California’s Comprehensive Data Access and Fraud Act (Cal. Pen. Code § 502); California’s Anti-Phishing Act of 2005 (Cal. Bus. & Prof. Code § 22948.2); Unjust Enrichment, and Common Law Invasion of Privacy.

Status

Pleadings

This material is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Lisa Monaco, an O’Melveny partner licensed to practice law in New York, Melody Drummond Hansen, an O’Melveny partner licensed to practice law in California, the District of Columbia, and Illinois, Randall W. Edwards, an O’Melveny partner licensed to practice law in California, Daniel R. Suvor, an O’Melveny partner licensed to practice law in California, and Scott W. Pink, an O’Melveny special counsel licensed to practice law in California and Illinois, contributed to the content of this material. The views expressed in this material are the views of the authors except as otherwise noted.