By: Linda L. Goodman
The California Consumer Privacy Act (“CCPA”) went into effect on January 1, 2020, with no private right of action – the only person who could bring suit was a government enforcement agency. In other words, the only risk for non-compliance was a 30-day cure notice and potential enforcement action by an underfunded Attorney General’s office. That is, until you have a data breach… and then all bets are off, as the data breach will give rise to a private right of action for CCPA statutory penalties.
Over 100 class actions referencing the CCPA have been filed to date, though very few have attained a court-approved settlement or court-approved penalty assessment. The Northern District of California is about to change that. This month, the trial court granted preliminary approval in a data breach class action involving 4.1 million potential class members, in Atkinson, et al v. Minted, Inc., Case No. 3:20-cv-03869 (N.D. Cal.). The settlement called for a five million dollar settlement fund, but not the $750.00 per violation (which would have resulted in a penalty of over $3,000,000,000). The case is based on a group of hackers that breached San Francisco-based Minted, Inc. (“Minted”) (as well as eleven other companies) and then attempted to sell that personal information (“PI”). In total, 4.1 million consumers were purportedly impacted by the breach.
In June 2020, class plaintiffs filed a class action against Minted, alleging causes of action under the CCPA, negligence, and Business & Professions Code section 17200 (unfair competition law). The class plaintiffs complied with the CCPA pre-filing requirement and provided the statutorily required notice of the breach and an opportunity to cure. When they did not receive a response to their notice, the plaintiffs amended their complaint to seek statutory penalties and non-monetary relief for statutory damages of up to $750 per violation for the data breach that allegedly resulted from Minted’s failure to implement reasonable security procedures and Minted’s failure to take corrective action after their notice. Less than a year after the lawsuit was filed, the parties reached a settlement, which is now pending final court approval.
Though the settlement does not include an amount anywhere near the potential statutory range of the maximum allowable CCPA damages, it does include damaging non-monetary relief to the class members. In addition to monetary damages of five million dollars, it requires Minted to implement certain mandatory data security measures, to undergo two cybersecurity audits annually, and to offer credit monitoring and personal identity restoration services.
The good news is that the settlement amount and additional injunctive relief are similar to those in similar data breach claims – namely a nominal cash payment of $43 per person, as well as two years of credit monitoring services, valued at approximately $10 per month per person. As one of the first of many anticipated data breach settlements involving the CCPA, the class settlement structure, if approved, will set a precedent for the parameters of CCPA class settlements going forward. The concern is having your data security program and protocol dictated to you. But the available demand for the $750 CCPA penalty was not invoked. So, at least for now, everyone can still breathe easily – but should be looking to secure their data, and documenting that effort!
______________________________________________________________________
This article is a publication of The Goodman Law Firm and is intended to provide information on recent legal developments. This article does not create an attorney-client relationship, nor should it be construed as legal advice or an opinion on specific situations. This may constitute “Attorney Advertising” under the Rules of Professional Conduct and under the law of other jurisdictions.
Linda L. Goodman is an attorney specializing in internet compliance and privacy law. With years of experience helping businesses navigate complex legal landscapes, Linda contributes expert insights on compliance issues in the digital space. To learn more about her services and insights, visit her law firm website at The Goodman Law Firm.
© 2021 TGLF, A.P.C.