Contrast the US litigious approach with the almost softly softly GDPR introduction. CCPA has been in effect for a few weeks and we’re already seeing legal action…:
[…] The Barnes complaint comes in the wake of a recent announcement—only a few weeks earlier—that hackers “scraped” the retailer’s customers’ names, addresses, and credit card information from Hanna Anderson’s website. Salesforce was allegedly responsible for hosting this data on its e-commerce platform, which was “infected with malware” and, as a result, became susceptible to the breach. The hackers then posted this information up for sale on the dark web, leading to identity-theft and other privacy concerns. Plaintiffs also claim that the retailer unreasonably delayed its announcement of the breach; and that the breach affected residents of every state, potentially including over 10,000 California residents. Plaintiffs seek, inter alia, injunctive and declaratory relief, free credit monitoring, statutory damages, punitive damages, disgorgement and restitution, and attorneys’ fees and costs.
In an interesting twist, the Barnes complaint, however, does not allege an express cause of action for a violation of the CCPA. Rather—just as our privacy team has predicted in the Mintz July 2019 webinar—the Barnes plaintiffs predicate their UCL § 17200 causes of action, in part, on alleged violations of the CCPA. This is a creative procedural mechanism that allows plaintiffs to buttress their privacy claims, as well as to rebut any challenges with respect to standing, namely, that they did not suffer an injury-in-fact that is “concrete and particularized”—as required by the U.S. Supreme Court in Spokeo, Inc. v. Robins, 578 U.S. ___ (2016).