The Minted Complaint: Another Case Brought Under the CCPA’s Private Right of Action
Well before the California Attorney General’s power to enforce the California Consumer Privacy Act (CCPA) commenced on July 1, 2020, as we have recently reported, private plaintiffs had already jumped into the fray, suing companies like Zoom and Houseparty for alleged violations of the CCPA. We noted that if one of these private lawsuits were to survive a motion to dismiss, it could lead to a substantial increase in class action litigation under the CCPA. Another putative class action under the CCPA that was filed on June 11, 2020 against Minted, Inc.—the popular online stationery, art, and home décor company—joins the growing list of private CCPA lawsuits and adds another wrinkle to this new area of law.
In our previous coverage, we explained that the Zoom and Houseparty claims did not arise out of a data breach committed by an unauthorized third party and relied on aspects of the CCPA outside of the private right of action—including provisions that, according to the statute, can only be enforced by the California Attorney General’s office. Unlike the Zoom and Houseparty cases, the Minted case does arise out of a data breach that Minted suffered in May 2020, in which hackers allegedly accessed and exfiltrated customers’ names, email addresses, and “hashed” or “salted” passwords, and also purportedly obtained “telephone number[s], billing address[es], and shipping address(es)” for certain users. Also, the claims in the Minted complaint appear to track the CCPA’s private right of action provision.
The complaint in the Minted case alleges that hackers were able to acquire customers’ account information and then tried to sell that information on the dark web, as a result of Minted’s alleged failure to implement “reasonable security measures”, or properly encrypt and protect its users’ personal information. The complaint alleges a violation of the CCPA, among other claims.
With respect to the CCPA, the complaint alleges a violation of Section 1798.150(a)(1), which provides a private right of action to consumers whose personal information “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.” Where a company’s failure to implement such measures results in a data breach, the victims can seek statutory damages, ranging from $100 to $750 per violation.
Before the plaintiffs in the Minted case can recover statutory damages, however, they will have to overcome several hurdles under the statute.
First, the plaintiffs do not allege specific failures by Minted to implement “reasonable” security measures. Rather, they claim that “[i]f Minted had implemented reasonable data security systems and procedures . . . , then it likely could have prevented hackers from infiltrating its systems and accessing its customers’ [personal information].” The plaintiffs also fault Minted for its alleged delay in discovering the hack—the hack occurred on May 6, but was not discovered until May 15 according to the complaint. Essentially, the plaintiffs point to the success of the hack as evidence that Minted failed to implement reasonable security measures. The CCPA does not define the term “reasonable security measures,” so it will be up to courts to decide the meaning of the term and whether such conclusory allegations concerning the inadequacy of Minted’s conduct are sufficient to survive a motion to dismiss.
Second, it is unclear whether the data that the plaintiffs claim was stolen is the kind of “personal information” that gives rise to a private right of action under the CCPA. In contrast to the definition of “personal information” applicable to the rest of the CCPA—which is much more expansive—the definition of “personal information” in the private right of action provision is limited to a smaller subset of data. The Minted complaint attempts to position the data that was allegedly breached, such as email addresses and account passwords, as meeting this limited definition. However, the drafters of the CCPA’s private right of action provision specifically enumerated the categories of data that must be disclosed before an individual can sue under the CCPA, and the list does not include email addresses or online account passwords. It remains to be seen whether the court will be persuaded to permit the plaintiffs’ claim to proceed even though the data allegedly subject to the hack does not fit within the statutory definition.
Finally, the CCPA requires plaintiffs to notify potential defendants of any violations prior to filing suit and allows 30 days to “cure” the violation and avoid the statutory damages. Like the Zoom complaint, the Minted complaint does not seek damages under the CCPA explicitly, but instead states that it is providing the requisite notice with the intent to amend in 30 days if Minted does not cure its violation. Notably, the plaintiffs allege repeatedly that it is not possible to cure the damage inflicted by this data breach. However, neither the CCPA nor its regulations define what it means to “cure” a data breach, making this another issue that the courts will likely need to resolve. Although more than 30 days have passed since the Minted plaintiffs filed their complaint, no amended complaint has been filed as of the publication of this post.
We will continue to cover class action lawsuits brought under the CCPA as they are filed and move through the courts. We will also be on the lookout for enforcement actions taken by the California Attorney General’s office and report them here.