When the California Consumer Privacy Act (CCPA) took effect on January 1, 2020, no one knew how long it would take for the regulation to impact businesses. We now have a concrete answer: almost immediately. Within weeks, plaintiffs filed a data breach class action lawsuit against Salesforce and Hanna Andersson, LLC, that includes allegations of CCPA violations.
The eventual result of this legal action is anyone’s guess, but the nature of the lawsuit is significant by itself. Simply put: CCPA compliance needs to be a top business priority because it’s clearly at the forefront of the minds of consumers – and their lawyers.
Let’s look at the lawsuit, its relationship to the regulation, and what it means for your business.
Data breaches, the dark web, and potential damages
The legal activity stems from a data breach that affected Hanna Andersson customers. As the National Law Review says:
“Hackers ‘scraped’ the retailer’s customers’ names, addresses, and credit card information from Hanna Andersson’s website. Salesforce was allegedly responsible for hosting this data on its e-commerce platform, which was ‘infected with malware’ and, as a result, became susceptible to the breach.”
The hackers then sold their ill-gotten data on the dark web. Residents of every state in the US – including some 10,000 California customers – were exposed to a higher risk of identity theft and payment card fraud.
In the class action, the plaintiffs are seeking relief from a host of damages. The CCPA allows statutory damages of between $100 and $750 per consumer per incident (or actual damages, if greater), so with roughly 10,000 affected California consumers the defendants could face a minimum of $1,000,000 in statutory damages on the CCPA claim alone.
The connection to CCPA
The regulation explicitly defines the term personal information to mean “Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The term also covers associated data such as IP addresses, electronic network activity information such as browsing and search history, and other identifiers that may trace back to an individual or household.
In their lawsuit, the plaintiffs argue the defendants failed to implement and maintain the reasonable security procedures and practices the regulation requires, and stored this personal data in an unsecured electronic environment.
They also argue the defendants didn’t disclose the breach in a timely and accurate manner. Note that the notification timing requirements come from California’s separate data breach notification statute rather than from the CCPA itself, which is one reason the complaint pairs its CCPA claim with other causes of action.
How these allegations will hold up in court is impossible to guess. Unlike the European Union’s General Data Protection Regulation (GDPR), which was finalized in 2016 and had a two-year ramp-up before enforcement, many aspects of the CCPA – including the Attorney General’s implementing regulations, which were still unfinished on the effective date – were unclear even after the law took effect.
In addition, there are unanswered questions about the case facts and how they relate to the CCPA. For instance, the private right of action only covers California consumers’ “non-encrypted and non-redacted personal information . . . subject to an unauthorized access.”
If Salesforce encrypted the stored data, does the allegation still stand? Encryption at rest offers no protection against malware that captures card details as customers type them into a checkout page, so the answer will likely turn on where in the data flow the information was taken.
As another example, the CCPA requires a consumer to give the business 30 days’ written notice before suing for statutory damages, and bars the claim if the business cures the violation within that window and confirms the cure in writing. So the plaintiffs may not recover statutory damages if the defendants can show they cured the violation in time, although what counts as a “cure” once personal information has already been exfiltrated is far from settled.
The CCPA impact on your business
Even with a two-year preparation period, fewer than 50% of surveyed businesses said they had taken action to implement a compliance plan on the eve of GDPR enforcement. Surveys of businesses just before CCPA enforcement showed even worse results.
If anything, this lawsuit should be the punch that wakes up your CCPA compliance strategy. At a high level, the regulation aims to improve accountability of those collecting, selling, or sharing personal information and increase transparency of such activities.
Does your business have the robust internal processes and designated roles to meet this challenge?
To clearly show customers, California consumers, and regulators that your business is CCPA compliant, you need to build systemic controls into your IT infrastructure that reduce the risk of violation.
Beyond the security and notification requirements at issue in the lawsuit, these measures should include solutions for:
- Tracking every purpose for which personal information is processed
- Ensuring that all individuals receive appropriate disclosure for each data-processing use case
- Providing the right to opt out of personal information sales
- Obtaining opt-in consent before selling the personal information of consumers under 16 (from a parent or guardian for children under 13)
- Offering consumers the ability to access their personal data and delete their information
Yet compliance isn’t the full story.
Along with addressing CCPA requirements, these solutions will help your business achieve the higher goal of building customer trust. And in a digital economy where a single poor experience can make a customer switch to a competitor, trusted engagements are a necessity.
Time is of the essence. The CCPA has arrived on the scene as a data protection force. The key question that faces your business is: Are you ready to thrive in this evolving data privacy and protection landscape?