Well, as Ron Burgundy would say, “that escalated quickly”! We’re only a few months into implementation of the California Consumer Privacy Act (CCPA) – and only a little over a month since enforcement began – and we’re already starting to see CCPA-related class action lawsuits filed.
According to Legaltech News® (CCPA Class Action Suits Focusing on Third-Party Cookies, Reasonable Security Measures, written by Dan Clark), there have “only” been 63 CCPA-related class action lawsuits filed since January, Dominique Shelton Leipzig, a partner at Perkins Coie in Los Angeles, said in an interview Monday. She said many of the cases are tangentially related to the CCPA and that “only” 14 cases allege direct violations of the CCPA.
“Only”? Seems like a lot to me already.
Anyway, since going into effect in January, the CCPA only provides a private right of action for consumers relating to access to sensitive personal information during a data breach. If a court finds in the plaintiffs’ favor, a company can be liable for $100 to $750 per violation of the statute. That, of course, could encourage class action suits on behalf of those consumers, so maybe that’s why she said “only”.
Even though the CCPA has been in effect since January, there is still no clarity on how judges will rule in some of the class action lawsuits over third-party cookies collecting data and what constitutes a reasonable effort to protect personally identifiable information. “There is the question of whether third-party advertising cookies on a website constitute a sale under the statute,” Shelton Leipzig said.
Companies allowing a user to sign on using another web service such as Twitter or Facebook (and there are certainly a lot of those) and give a third-party access to user information will be determined by the courts.
One suit that addresses this issue is Johnston v. Zoom Video Communications in the U.S. District Court for the Northern District of California. Plaintiff Robert Cullen claims that had he known Zoom was allowing Facebook to have that information, he, and the proposed class, would have chosen another service. While a spokesperson for Zoom didn’t respond to request for comment this week, Zoom CEO Eric Yuan wrote in a blog post shortly before the suit was filed in March that Zoom “decided to remove the Facebook SDK in our iOS client and have reconfigured the feature so that users will still be able to log in with Facebook via their browser”.
Of course one issue to be expected that in-house counsel will need to pay attention to is how courts determine what it means to reasonably protect consumer data from a data breach.
One of the most recent CCPA cases filed in July, Gardiner v. Walmart in the U.S. District Court for the Northern District of California, claims that Walmart’s systems were faulty which allowed for a data breach and for hackers to take personal information of the proposed class.
“Under the CCPA, there are comments about reasonable security measures and no one really knows what that looks like,” Kyle Janecek, an associate at Newmeyer & Dillion in Newport Beach, California, said. “The best you can do currently is making those measures work right for the company.”
“Protecting our customers’ data is a top priority and something we take very seriously. We dispute the plaintiff’s allegations that the failure of our systems played any role in the public disclosure of his personally identifiable information,” a Walmart spokesperson said when asked for comment on the case.
Come to think of it, considering the various potential avenues to unexpected access to personal data, maybe that hasn’t escalated so quickly and “only” is the right term to reference the current number of class action lawsuits. Expect a lot more.
Speaking of CCPA, on Tuesday, August 18th, Onna will conduct the webinar Establishing Data Retention Policies That Comply with CCPA & GDPR at 2pm ET (1pm CT, 11am PT). In this presentation, join Onna and experts from Carnival Cruise Corporation & Ally as they dive into the challenges compliance regulations have created, data policy best practices, and how to proactively create an effective data retention policy that prepares you for GDPR, CCPA and future regulations to come. Might help keep your organization off the list of potential future class-action defendants.
So, what do you think? Did you think there would be more CCPA related class actions filed by this point? Or are your surprised that we’ve already had so many? Please share any comments you might have or if you’d like to know more about a particular topic.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.