Shortly after the California Consumer Privacy Act (“CCPA”) began enforcement on July 1, a California resident filed a class-action lawsuit that Walmart was hacked and the personal information, including his and other credit card data provided to the company is being sold on the dark web. He and other plaintiffs in the case claim they have been forced to purchase credit and personal identity monitoring services to protect against further identity theft. Walmart claims that it was not hacked and that it is not the source of the data on the dark web.
The CCPA provides for a penalty of up to $750 per consumer, per incident in the event of a data breach. This makes the CCPA unique, as California is the only state that allows consumers to file such lawsuits against companies (in other states and countries consumers do not have a “private right of action”, governmental regulatory agencies have the exclusive jurisdiction to pursue action against companies when an alleged data breach occurs).
As we’ve reported before, several other companies have been sued for alleged violations of the CCPA, such as Minted and Plaid. However, Walmart is the most high-profile CCPA lawsuit to date, and will likely raise consumer awareness on the topic of data privacy rights. Given that Walmart is the world’s largest retailer, the potential penalties it faces in this case could be catastrophic.
Given some of the ambiguities in the law, these lawsuits will start to establish the case law effecting CCPA enforcement. Those businesses taking a wait-and-see approach are exposing themselves to financial risk due to the significant financial penalties for noncompliance.
Key Takeaway:..