California Privacy Act Fuels Litigation
California's Consumer Privacy Act (CCPA) is enabling more individuals to sue companies over data rights violations. A new case, Shah v. MyFitnessPal, is expected to set important precedents for data protection. The case highlights the law's establishment of a private right of action, increasing legal risks for companies handling consumer data.
- The lawsuit stems from a 2018 data breach where hackers accessed the data of 150 million MyFitnessPal users, stealing usernames, email addresses, and hashed passwords.
- The CCPA's private right of action is limited to data breaches resulting from a company's failure to maintain reasonable security; it does not cover all violations of the privacy act.
- Under the law, consumers can sue for statutory damages between $100 and $750 per consumer, per incident, or their actual monetary damages, whichever is greater.
- Before filing a lawsuit for statutory damages, consumers must provide the business with a 30-day written notice and an opportunity to "cure" the violation.
- The California Privacy Rights Act (CPRA), which amended the CCPA, expanded the private right of action to include the theft of an email address combined with a password or security question.
- The CPRA also established the California Privacy Protection Agency (CPPA), a new body dedicated to interpreting and enforcing the state's privacy laws.
- In the MyFitnessPal breach, some of the compromised passwords were protected with the weaker SHA-1 hashing algorithm, which was known to be flawed for years.
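The last point is the one a security engineer can act on directly: a legacy store still holding plain SHA-1 password hashes is the kind of condition that undercuts a "reasonable security" defense. The example below is added here and is not code from the article or from MyFitnessPal; it assumes a hypothetical credential record format (`scheme`, `salt`, `hash` fields) and an assumed PBKDF2 iteration count. It verifies a login against a legacy unsalted SHA-1 record, transparently rehashes the password with salted PBKDF2-HMAC-SHA256 on success (the standard "upgrade on next login" migration), and reports how many records still carry the weak scheme so the remaining exposure can be tracked.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Assumed work factor; tune to the deployment's hardware and login latency budget.
PBKDF2_ITERATIONS = 210_000

# Constructed sample record in the weak legacy form: unsalted SHA-1 of the password,
# the scheme the article says protected some of the breached MyFitnessPal passwords.
LEGACY_USER: Dict = {
    "username": "alice",
    "scheme": "sha1",
    "hash": hashlib.sha1(b"correct horse battery").hexdigest(),
}


def hash_pbkdf2(password: bytes, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> Dict:
    """Return the fields for a salted PBKDF2-HMAC-SHA256 record."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return {
        "scheme": "pbkdf2_sha256",
        "iterations": iterations,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_and_upgrade(record: Dict, password: bytes) -> Tuple[bool, Dict]:
    """Check a password against a record.

    Returns (ok, record). When a legacy SHA-1 record verifies, the returned
    record is a new one rehashed under PBKDF2 so the caller can persist it;
    otherwise the original record is returned unchanged.
    """
    scheme = record["scheme"]
    if scheme == "sha1":
        candidate = hashlib.sha1(password).hexdigest()
        # Constant-time comparison even for the legacy path.
        if not hmac.compare_digest(candidate, record["hash"]):
            return False, record
        upgraded = dict(record)
        upgraded.pop("iterations", None)
        upgraded.update(hash_pbkdf2(password))
        return True, upgraded
    if scheme == "pbkdf2_sha256":
        digest = hashlib.pbkdf2_hmac(
            "sha256", password, bytes.fromhex(record["salt"]), record["iterations"]
        )
        return hmac.compare_digest(digest.hex(), record["hash"]), record
    raise ValueError(f"unknown password scheme: {scheme}")


def audit_schemes(records: List[Dict]) -> Dict[str, int]:
    """Count records per hashing scheme; the 'sha1' bucket is the open exposure."""
    counts: Dict[str, int] = {}
    for rec in records:
        counts[rec["scheme"]] = counts.get(rec["scheme"], 0) + 1
    return counts


if __name__ == "__main__":
    ok, rec = verify_and_upgrade(LEGACY_USER, b"correct horse battery")
    print("login ok:", ok, "| scheme now:", rec["scheme"])
    print("audit before:", audit_schemes([LEGACY_USER]))
    print("audit after:", audit_schemes([rec]))
```

The upgrade-on-login pattern only retires hashes for users who actually sign in; records that never verify again stay in the weak form, which is why the audit count matters and why dormant legacy hashes are often force-reset or wrapped (legacy hash fed into the slow KDF) rather than left in place.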