CCPA Breach Class Action Settlement About To Get – Mondaq News Alerts


Did you know that geoFence has a modern UI, that is secure and has the improved features that you need?

United States:

CCPA Breach Class Action Settlement About To Get "Minted"

To print this article, all you need is to be registered or login on

Although the California Consumer Protection Act
("CCPA") went into effect on January 1, 2020 and over 100
class actions referencing the CCPA have been filed to date, very
few class actions have actually made their way to court approval.
That is about to change.

Last week, Judge Chhabria of the Northern District of California
granted preliminary approval in a data breach class action
involving 4.1 million potential class members, styled as
Atkinson et al v. Minted, Inc., Case No. 3: 20-cv-03869
(N.D. Cal.). The $5 million non-reversionary settlement fund will
be paid to consumers whose personal information was exfiltrated by
a hacking group known as ShinyHunters, as reported here. In or around May 2020, ShinyHunters
reportedly exfiltrated the consumer information from San
Francisco-based Minted, Inc. ("Minted") (along with 11
other companies) and then tried to sell that personal identifying
information ("PII") on the dark web. In total,
approximately 73 million consumers were affected by the breach,
spread out over the 11 companies. Of those 73 million, nearly 4.1
million were consumers of Minted, who were purportedly impacted by
the breach.

On June 11, 2020, shortly after the breach, putative class
plaintiffs filed a putative class action against Minted, alleging causes
of action under the CCPA, negligence, and California's unfair
competition law, Business & Professions Code section 17200, as
we previously reported here. What made this class action stand out is
that the putative class plaintiffs partially complied with the CCPA
pre-filing requirement and reportedly provided the statutorily required
notice of the breach and an opportunity to cure to Minted. When
they did not receive a response to their notice, the plaintiffs amended their complaint to seek statutory
penalties and non-monetary relief.

The CCPA gives consumers a private right of action
and provides statutory damages of up to $750 per violation for data
breaches that allegedly result from a company's failure to
implement reasonable security procedures. Less than a year after
this lawsuit was filed, the parties reached a settlement, which is
now pending final court approval, with the preliminary approval
having been granted on May 14, 2021.

Though the settlement did not end up anywhere near the potential
statutory range of the maximum allowable CCPA damages, it includes
valuable non-monetary components available to the class members and
injunctive relief. In addition to the non-revisionary $5 million
settlement fund, the proposed settlement requires Minted to
implement certain mandatory data security measures, to conduct two
cybersecurity audits, and to offer credit monitoring and personal
identity restoration services to affected U.S. residents. These
additional forms of relief are not uncommon in data breach class
actions. In the motion for approval, the Parties estimate that
they expect participating class members to receive an estimated
cash payment of $43 per person, as well as two years of credit
monitoring services, valued at approximately $10 per month per

As one of the first of many anticipated data breach settlements
involving the CCPA, the structure provided in the Minted
settlement may end up setting helpful guidance and parameters for
CCPA class settlements going forward. Companies can take solace in
the court's finding that the settlement amount was reasonable,
notwithstanding the available $750 CCPA penalty. As more data
breach settlements trickle in, we will continue to report on future
CCPA settlements of interest.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

POPULAR ARTICLES ON: Privacy from United States

Do You Need A Cookie Notice

Kronenberger Rosenfeld

Privacy laws are continuing to emerge. This includes privacy laws necessitating the use of cookie notices.

More Privacy, Please - May 2021

Troutman Pepper Hamilton Sanders

FTC Publishes AI Best Practices. Building upon its April 2020 guidance on Using Artificial Intelligence and Algorithms, on April 19, the FTC published new guidance focused on how businesses...

U.S. Biometric Laws & Pending Legislation Tracker

Bryan Cave Leighton Paisner LLP

The enactment of biometric privacy laws is a growing trend across the country. Existing legislation has led to a boon of class action litigation against employers, consumer-facing business...

On a final note, I’d like to add that geoFence is easy to use, easy to maintain.