Coronavirus outbreak does not halt CCPA enforcement

The coronavirus outbreak has not stopped public and private enforcement of the California Consumer Privacy Act (CCPA).

Per an administrative order, the federal court hearing the Hanna Andersson/Salesforce CCPA litigation (Hanna Andersson click here to learn more) remains open for filings despite the coronavirus outbreak. Motions are being resolved on the papers and arguments are being held by telephone.

Recently, in Hanna Andersson, the plaintiff amended her putative class action complaint to include a CCPA cause of action, expressly asserting that the clothing retailer and online sales platform violated the CCPA’s data security provisions by failing to implement and maintain reasonable security procedures, resulting in a 2019 data breach. The complaint previously merely referenced the CCPA as the underlying unlawful act supporting a cause of action under California’s Unfair Competition Law (UCL). The amended complaint does not withdraw its original UCL or negligence allegations. Additionally, the amended complaint only renews complex legal issues previously reported on by McDonald Hopkins, specifically:

  • Whether courts will find the CCPA’s cure provisions illusory.
  • Whether businesses are required to cure the CCPA violations, the harm to consumers, or both.
  • How an entity can provide an express written statement that no further violations shall occur.
  • Whether UCL violations can be premised on alleged CCPA violations.

As for the first three, the amended complaint does not attempt to identify how or why the defendants failed to “actually cure” their CCPA violations, or how they could cure a violation that occurred in 2019. Rather, the amended complaint simply repeats the elements of the CCPA statute, in apparent violation of the pleading requirements articulated by the United States Supreme Court in Iqbal/Twombly. Thus, again, it will take time for courts to work through the CCPA’s notice and cure provision.

As for CCPA enforcement, the Attorney General of California has announced that the pandemic will not delay its CCPA enforcement efforts, currently set to begin on July 1, 2020.

At a time when much of the world is busy with stopping a global pandemic, these developments serve as a reminder that regulators and litigants remain steadfast in their commitment to enforce the CCPA—and to collect the steep fines and penalties associated with violating it.

McDonald Hopkins will continue to monitor and report developments on this litigation and Attorney General CCPA enforcement activities. Attorneys from McDonald Hopkins’ Data Privacy and Cybersecurity practice group are available to counsel business organizations on CCPA compliance and litigation.

+