Privacy & Information Security Law Blog

At this point, most companies doing business in California are aware of the California Consumer Privacy Act (“CCPA”), and most have been bracing for the eventual onslaught of class action litigation to follow its passage. On February 3, 2020, a class action lawsuit was filed that expressly references the CCPA—Barnes v. Hanna Andersson, LLC, et al., N.D. Cal. Case No. 3:20-cv-00812. Filed in the wake of retailer Hanna Andersson’s announcement of a data breach that allegedly compromised, among other things, customer payment card data, the plaintiff expressly claims a “deprivation of rights” under the CCPA based on the alleged “fail[ure] to maintain reasonable security procedures and practices appropriate to the nature of” personally identifiable information maintained by the defendants. Notably, the plaintiff does not bring a direct claim under the CCPA. She does, however, expressly “reserve the right to amend this Complaint as of right” to seek relief under the CCPA at a later time. Assuming the plaintiff does so, she might face retroactivity hurdles, given the data breach allegedly “occurred from September 16, 2019 to November 11, 2019,” and the CCPA is not expressly retroactive. Weinberg v. Valeant Pharm. Int’l, 2017 WL 6543822, at *7 (C.D. Cal. Aug. 10, 2017) (“California statutes apply prospectively unless the Legislature expressly indicates otherwise.”)