Win for Walmart as District Court Gives Strict Reading to CCPA

Patterson Belknap Webb & Tyler LLP

In a win for data privacy defendants, Walmart secured a ruling that favors a narrow interpretation of the California Consumer Privacy Act (CCPA).  In Gardiner v. Walmart Inc. et al, 4:20-cv-04618-JSW, a Walmart customer, Lavarious Gardiner, sued the retail company under the CCPA for failing to implement and maintain reasonable and appropriate security procedures and practices to protect information he gave to Walmart to create an account on the company’s website. As a result of an alleged, undisclosed data breach, Gardiner claimed that his personal information had been subject to unauthorized exfiltration on Walmart’s website, and sold on the dark web, exposing him to purportedly ongoing risk of financial fraud and identity theft. Gardiner’s complaint also included a summary of the results of a security scan of the Walmart website, which purported to show vulnerabilities in that website.  Moreover, in a somewhat unusual twist, Gardiner claimed that he had in his possession “communications with the hackers which state that the accounts they are selling are real accounts that belong to Walmart customers.”  Despite the allegations in the complaint, Walmart had never disclosed any breach and the complaint did not allege when any such breach occurred. Gardiner also brought claims for negligence, breach of contract, and violations of the UCL, all of which were dismissed for failure to plead cognizable injury.

On March 5, 2021, the District Court for the Northern District of California dismissed the plaintiff’s claim for damages under the CCPA on two grounds.

First, the court found that because the complaint did not specifically allege a date when the purported breach occurred, the court could not determine whether the alleged breach occurred before or after the effective date of the CCPA. Because the CCPA does not include an express retroactivity clause, the court found that claims under it can only be brought for violations occurring after the effective date of the law, January 1, 2020.  Gardiner unsuccessfully argued that the existence of his information for sale on the dark web at present satisfied the prescriptive requirement of the CCPA. The court disagreed, and ruled that Gardiner failed to sufficiently plead that Walmart violated the CCPA after the effective date by failing to allege the specific date that the breach occurred. 

Second, the court held that in order to state a viable CCPA claim, a plaintiff must allege specific, unauthorized disclosure of “personal information,” as defined in Cal. Civ. Code § 1798.81.5 (d)(1)(a)(iii). In relevant part, the CCPA defines “personal information” as an “account number or credit or debit card number, in combination with any required security code, access code, or password, that would permit access to an individual’s financial account.” The court found that the Plaintiff’s general allegations of compromised financial accounts or credit card fraud, without more, are insufficient to meet the statutory definition. Specifically, the court noted that the complaint failed to allege an unauthorized disclosure of any security codes, access codes or passwords that could be used to access his accounts Plaintiff, in opposition, acknowledged that he had failed to allege in his complaint that this security information, in addition to his credit card number, had been disclosed or was available on the dark web.  Instead, he asked the court to read this missing information into his complaint, stating, “it can be presumed that, when selling credit card numbers, black market vendors on the dark web are including this data.” The court declined Plaintiff’s pleading by implication. While this can be interpreted as a simple error by the Plaintiff in his pleading, it may indicate that courts will strictly interpret the CCPA to apply only where the specific categories of personal information listed in the law are actually exposed in a data breach.

The court’s decision was a welcome one for defendants in data breach litigation under the CCPA, as it narrows the window of potential liability. However, the court left open the possibility that the Plaintiff might still plead a viable claim under the CCPA by granting leave to amend, allowing the Plaintiff to potentially cure the complaint’s shortcomings.  We’ll continue to monitor this and other CCPA case law, as courts opine on these matters of first impression. 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Patterson Belknap Webb & Tyler LLP | Attorney Advertising

Written by:

Patterson Belknap Webb & Tyler LLP
Contact
more
less

Patterson Belknap Webb & Tyler LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.