49ers Case May Hint at Defensive Playbook for CCPA Data Breach Class Actions
Among litigators, one of the best-known features of the California Consumer Protection Act (“CCPA”) is the statutory damages provision, under which damages for California consumers whose data was obtained in ransomware attacks and other incidents can range from $150 to $750 per individual. Given the size of many data incidents, which can involve information belonging to tens of thousands or hundreds of thousands of consumers, the statutory damages can quickly reach high numbers. As a result, businesses that experience a data breach that impacts California consumers are routinely sued in proposed class actions brought under the CCPA.
For businesses looking for a way to fend off these sorts of class actions seeking statutory CCPA damages, the CCPA’s notice and cure provision provides one of the few apparent offramps. Under this provision, set forth in California Civil Code Section 1798.150(b), a consumer planning to file a suit seeking statutory damages must give the defendant business 30 days’ advance written notice. If the plaintiff does not notify the alleged violator before filing, the action may be subject to dismissal. Under the statute, in the “event a cure is possible,” a business may cure within 30 days, and provide the plaintiff a written notice of the cure and a guarantee that no other violation will occur.
In the years since the CCPA took effect in 2020, however, there has been only limited caselaw discussing this notice-and-cure provision, and very little caselaw from courts in California.
That changed slightly this summer when, in a decision issued on August 15, 2024, in a proposed class action filed against the San Francisco 49ers over a data incident, U.S. District Judge James Donato of the Northern District of California provided some guidance about how the CCPA notice and cure “offramp” provision would work.
Judge Donato’s Motion to Dismiss ruling, in In Re San Francisco 49ers Data Breach Litigation, Case No. 3:22-cv-051, came in consolidated proposed class actions brought by individuals who allege they are employees of other NFL teams and/or franchises who provided their personal information to the 49ers. The litigation arises from a February 2022 data incident that reportedly compromised information the team held in its database for nearly 21,000 individuals. The plaintiffs, who allege they received data breach notices the team sent out after it was the victim of a ransomware attack in 2022, claimed they were injured by (among other things) spending time researching the incident, reviewing financial accounts and other information, and experiencing diminished value of their personal information.
After Judge Donato denied a motion for preliminary approval of a proposed settlement in July 2023, the case moved forward this year to the motion to dismiss phase, during which the 49ers argued, among other things, that the plaintiffs had failed to comply properly with the CCPA’s notice-and-cure provision. Specifically, the 49ers argued that one of the named plaintiffs had filed his complaint the same day that he had mailed a letter to the 49ers alleging a breach of the CCPA, and that another named plaintiff had filed her complaint just four days after sending her letter to the 49ers. The team also argued that Plaintiffs’ notices failed to perfect a CCPA claim because the notices did not comply with the CCPA’s requirement that they “identify[ ] the specific provisions of [the CCPA] the consumer alleges have been or are being violated.” Cal. Civ. Code § 1798.150(b).
In response to these arguments, Judge Donato allowed the proposed class’s CCPA claims to go forward, but questioned whether plaintiffs could recover statutory damages under the CCPA based on the timing of the notice-and-cure letters. He went on to note that in light of the untimely CCPA notice-and-cure letters, “[w]hether plaintiffs may recover statutory damages under the CCPA remains in question. The CCPA requires a 30-day notice-and-cure procedure prior to initiating an action.” Order re Mot. to Dismiss (Dkt. No. 58), In re San Francisco 49ers Data Breach Litig., Case 3:22-cv-05138-JD, at 5 (Aug. 15, 2024). Judge Donato also noted that Plaintiffs did not address this issue, and directed the parties to confer on an agreement with respect to the date of mailing and whether that forecloses statutory damages.
Judge Donato’s decision also addressed other common questions that arise in proposed class actions of this type: he questioned, for example, whether the plaintiffs’ UCL claim was appropriately brought, given the 49ers’ contention that the relevant conduct happened outside California, noting the 49ers may “challenge it on summary judgment.” Order re Mot. to Dismiss (Dkt. No. 58), In re San Francisco 49ers Data Breach Litig., Case 3:22-cv-05138-JD, at 5 (Aug. 15, 2024). Judge Donato also dismissed the Plaintiffs’ Georgia Unfair and Deceptive Trade Practices Claim, although he gave the plaintiffs leave to amend; he reasoned that the complaint failed to allege which of the 49ers’ practices were purportedly deceptive. Judge Donato also dismissed the Plaintiffs’ negligence per se claim, reasoning that it is not a standalone claim.
As it happens, less than two months after Judge Donato’s ruling on the Motion to Dismiss, the parties filed a notice indicating they held additional settlement discussions after the ruling and that a renewed settlement had been reached. It appears unlikely, therefore, that Judge Donato will issue further guidance on the issue of the notice-and-cure or the other claims he discussed in his ruling.
Given the sheer volume of CCPA class actions, it may not be long before another court issues additional guidance about this potential CCPA offramp. In the meantime, businesses facing potential CCPA liability from data incidents would do well to keep in mind Judge Donato’s decision in the 49ers matter. Data incident plaintiffs may be in a rush to be “first to file,” but this rush could cause issues for their CCPA claims.