Privacy Alert: Let the CCPA Class Action Lawsuits Commence


The first post-California Consumer Privacy Act (CCPA) data breach class action was filed on February 3 in the Northern District of California. See Barnes v. Hanna Andersson, LLC, N.D. Cal., Case No. 20-cv-00812.[1]

The Barnes complaint does not yet expressly state a cause of action under the CCPA, instead relying upon violations of the California Unfair Competition Law. Given the nature of the allegations, however, an amendment to include a CCPA claim is anticipated.

Under the CCPA, a plaintiff need not show any actual harm caused by a data breach and can seek statutory damages of up to $750 per incident per victim in the event of a data breach. In Barnes, it is alleged that there are 10,000 California victims of a data breach that occurred in the fall of 2019.

The Barnes plaintiffs claim that defendants put at risk the personally identifiable information (PII) that children’s clothing retailer Hanna Andersson maintained on Salesforce software, and that neither company maintained “reasonable security procedures and practices appropriate to the nature of the information to protect their customers’ valuable PII.”

A data breach under the CCPA is any unauthorized access, theft or disclosure of a consumer’s nonencrypted and nonredacted personal information that is the result of a business’s failure to implement and maintain reasonable security procedures and practices.

The CCPA became effective on January 1, 2020, and enforcement by the California Attorney General is expected in July 2020. In response, many businesses have been data mapping to find what personal information they collect on California residents and for what purposes, revising their website privacy policies, reviewing vendor agreements, creating new procedures to respond to consumer requests for access to or deletion of data, purchasing cybersecurity insurance and other activities necessary to comply with the CCPA.

These private rights of action — and potential class action lawsuits enabled by this right — are scary. They apply only to data breaches, not privacy complaints. We will continue to monitor this California data breach case, as well as others soon expected under the CCPA.

In the meantime, this case serves as another strong incentive to implement and maintain reasonable data security as a defense against such claims.

Reach out to Michael Cohen or the Global Privacy, Cybersecurity & Data Protection Group for more information on CCPA. For more information on class actions, reach out to Brian Fries or the Class Action Team.

[1] See the Complaint here: