June 24, 2021

Volume XI, Number 175


June 23, 2021

Subscribe to Latest Legal News and Analysis

June 22, 2021

Subscribe to Latest Legal News and Analysis

June 21, 2021

Subscribe to Latest Legal News and Analysis

CCPA Breach Class Action Settlement About to Get “Minted”

Although the California Consumer Privacy Act (“CCPA”) went into effect on January 1, 2020 and over 100 class actions referencing the CCPA have been filed to date, very few class actions have actually made their way to court approval.  That is about to change.

Last week, Judge Chhabria of the Northern District of California granted preliminary approval in a data breach class action involving 4.1 million potential class members, styled as Atkinson et al v. Minted, Inc., Case No. 3:20-cv-03869 (N.D. Cal.).  The $5 million non-reversionary settlement fund will be paid to consumers whose personal information was exfiltrated by a hacking group known as ShinyHunters, as reported here. In or around May 2020, ShinyHunters reportedly exfiltrated the consumer information from San Francisco-based Minted, Inc. (“Minted”) (along with 11 other companies) and then tried to sell that personal identifying information (“PII”) on the dark web.  In total, approximately 73 million consumers were affected by the breach, spread out over the 11 companies.  Of those 73 million, nearly 4.1 million were consumers of Minted, who were purportedly impacted by the breach. 

On June 11, 2020, shortly after the breach, putative class plaintiffs filed a putative class action against Minted, alleging causes of action under the CCPA, negligence, and California’s unfair competition law, Business & Professions Code section 17200, as we previously reported here. What made this class action stand out is that the putative class plaintiffs partially complied with the CCPA pre-filing requirement and reportedly provided the statutorily required notice of the breach and an opportunity to cure to Minted.  When they did not receive a response to their notice, the plaintiffs amended their complaint to seek statutory penalties and non-monetary relief.

The CCPA gives consumers a private right of action and provides statutory damages of up to $750 per violation for data breaches that allegedly result from a company’s failure to implement reasonable security procedures. Less than a year after this lawsuit was filed, the parties reached a settlement, which is now pending final court approval, with the preliminary approval having been granted on May 14, 2021.

Though the settlement did not end up anywhere near the potential statutory range of the maximum allowable CCPA damages, it includes valuable non-monetary components available to the class members and injunctive relief.  In addition to the non-revisionary $5 million settlement fund, the proposed settlement requires Minted to implement certain mandatory data security measures, to conduct two cybersecurity audits, and to offer credit monitoring and personal identity restoration services to affected U.S. residents.  These additional forms of relief are not uncommon in data breach class actions.  In the motion for approval, the Parties estimate that they expect participating class members to receive an estimated cash payment of $43 per person, as well as two years of credit monitoring services, valued at approximately $10 per month per person.

As one of the first of many anticipated data breach settlements involving the CCPA, the structure provided in the Minted settlement may end up setting helpful guidance and parameters for CCPA class settlements going forward.  Companies can take solace in the court’s finding that the settlement amount was reasonable, notwithstanding the available $750 CCPA penalty.  As more data breach settlements trickle in, we will continue to report on future CCPA settlements of interest.

©1994-2021 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.National Law Review, Volume XI, Number 140



About this Author

Cynthia Larose, Privacy, Security, Attorney, Mintz Levin, Law Firm, electronic transactions lawyer
Member / Chair, Privacy & Cybersecurity Practice

Cynthia is a highly regarded authority in the privacy and security field and a Certified Information Privacy Professional (CIPP). She handles the full range of data security issues for companies of all sizes, from start-ups to major corporations. Cynthia is masterful at conducting privacy audits; crafting procedures to protect data; advising clients on state, federal, and international laws and regulations on information use and data security; helping organizations respond to breaches; and planning data transfers associated with corporate transactions. She is an in-...

Matthew Novian Complex Commercial Litigation Attorney

Matt focuses his practice on complex commercial litigation, including consumer protection matters. He has experience in drafting briefs and letters to opposing parties and in conducting depositions. In addition, Matt maintains an active pro bono practice, in which he counsels clients in matters related to immigration and domestic violence. He was a Law Clerk at Mintz in 2017. 

While attending law school, Matt was a summer associate at a Los Angeles-based law firm, where he worked on matters involving closely held corporations, commercial real estate disputes, and trademark licensing...

Natalie Prescott, Mintz Levin Law Firm, Litigation Attorney
Practice Group Associate

Natalie’s practice focuses on a wide range of litigation matters.

Prior to joining the firm, Natalie worked as the co-founder and trial lawyer for a boutique litigation firm that focuses on state and federal litigation. She also spent many years as a litigation associate at one of the world’s largest law firms, where she received extensive consumer litigation, trial, and appellate experience.

Previously, Natalie served as a judicial law clerk for the Honorable Roger T. Benitez of the United States District Court of the...

858 -314-1534