A data-breach putative class action filed against online retailer Hanna Andersson and Salesforce, its e‑commerce platform, is seemingly the first to cite the California Consumer Protection Act (CCPA). While the original complaint didn’t include a cause of action under the CCPA, the parties have stipulated to an amended complaint that does.
Beyond the novelty of a claim made under the CCPA, the amended complaint is interesting in two respects. First, while the original breach took place in 2019—before the CCPA went into effect—the amended complaint avoids that hurdle by alleging that “hackers further disclosed” personal information in 2020. Second, the amended complaint alleges that Hanna Andersson and Salesforce “failed to ‘actually cure’” the violation of 1798.150 within 30 days of an alleged written notice. The amended complaint doesn’t specify what form that notice took, nor exactly when it happened. It will be interesting to see if it becomes an issue in the case. For example, did plaintiff file suit under other causes of action while the CCPA notice period ran its course, knowing that she would amend her complaint after that period to add a claim under the CCPA? This case could be an important first step in judicial clarification of the CCPA.
Plaintiffs are already beginning to test ways to incorporate the CCPA into complaints, even for events that took place before the law’s effective date. Companies can expect those efforts to continue.