In a win for data privacy defendants, Walmart secured a ruling that favors a narrow interpretation of the California Consumer Privacy Act (CCPA). In Gardiner v. Walmart Inc. et al, 4:20-cv-04618-JSW, a Walmart customer, Lavarious Gardiner, sued the retail company under the CCPA for failing to implement and maintain reasonable and appropriate security procedures and practices to protect information he gave to Walmart to create an account on the company’s website. As a result of an alleged, undisclosed data breach, Gardiner claimed that his personal information had been subject to unauthorized exfiltration on Walmart’s website, and sold on the dark web, exposing him to purportedly ongoing risk of financial fraud and identity theft. Gardiner’s complaint also included a summary of the results of a security scan of the Walmart website, which purported to show vulnerabilities in that website. Moreover, in a somewhat unusual twist, Gardiner claimed that he had in his possession “communications with the hackers which state that the accounts they are selling are real accounts that belong to Walmart customers.” Despite the allegations in the complaint, Walmart had never disclosed any breach and the complaint did not allege when any such breach occurred. Gardiner also brought claims for negligence, breach of contract, and violations of the UCL, all of which were dismissed for failure to plead cognizable injury.
On March 5, 2021, the District Court for the Northern District of California dismissed the plaintiff’s claim for damages under the CCPA on two grounds.
First, the court found that because the complaint did not specifically allege a date when the purported breach occurred, the court could not determine whether the alleged breach occurred before or after the effective date of the CCPA. Because the CCPA does not include an express retroactivity clause, the court found that claims under it can only be brought for violations occurring after the effective date of the law, January 1, 2020. Gardiner unsuccessfully argued that the existence of his information for sale on the dark web at present satisfied the prescriptive requirement of the CCPA. The court disagreed, and ruled that Gardiner failed to sufficiently plead that Walmart violated the CCPA after the effective date by failing to allege the specific date that the breach occurred.
Second, the court held that in order to state a viable CCPA claim, a plaintiff must allege specific, unauthorized disclosure of “personal information,” as defined in Cal. Civ. Code § 1798.81.5 (d)(1)(a)(iii). In relevant part, the CCPA defines “personal information” as an “account number or credit or debit card number, in combination with any required security code, access code, or password, that would permit access to an individual’s financial account.” The court found that the Plaintiff’s general allegations of compromised financial accounts or credit card fraud, without more, are insufficient to meet the statutory definition. Specifically, the court noted that the complaint failed to allege an unauthorized disclosure of any security codes, access codes or passwords that could be used to access his accounts Plaintiff, in opposition, acknowledged that he had failed to allege in his complaint that this security information, in addition to his credit card number, had been disclosed or was available on the dark web. Instead, he asked the court to read this missing information into his complaint, stating, “it can be presumed that, when selling credit card numbers, black market vendors on the dark web are including this data.” The court declined Plaintiff’s pleading by implication. While this can be interpreted as a simple error by the Plaintiff in his pleading, it may indicate that courts will strictly interpret the CCPA to apply only where the specific categories of personal information listed in the law are actually exposed in a data breach.
The court’s decision was a welcome one for defendants in data breach litigation under the CCPA, as it narrows the window of potential liability. However, the court left open the possibility that the Plaintiff might still plead a viable claim under the CCPA by granting leave to amend, allowing the Plaintiff to potentially cure the complaint’s shortcomings. We’ll continue to monitor this and other CCPA case law, as courts opine on these matters of first impression.
