BREAKING NEWS: Court Holds CCPA Not Retroactive and Plaintiff Cannot Rely on “Connect the Dots” CCPA Data Breach Theory
CPW has been tracking for some time the Lavarious Gardiner v. Walmart Inc. et al. case. In a massive win for Walmart (and defendants in data privacy litigation), on Friday the Court adopted Walmart’s narrow interpretation of the California Consumer Privacy Act (“CCPA”) and dismissed Plaintiff’s non-cognizable CCPA claim. Because this case involves issues of first impression regarding the scope of the CCPA, it is sure to impact other litigations. For the scoop on this decision, read on below.
Some background. Recall that back in July 2020, Plaintiff filed a class action complaint against Walmart alleging that Walmart suffered a data breach, albeit one which was never disclosed. As “evidence” of the breach, Plaintiff asserted that the personal information associated with his Walmart account had been discovered on the dark web and presented the results of security scans performed on Walmart’s website, which allegedly showed certain vulnerabilities. In other words, Plaintiff filed suit on the inference that Walmart’s systems had been breached, which Walmart denied.
Plaintiff’s Complaint included a claim under CCPA, in addition to other California privacy and consumer protection statutes. [Note: For more on Walmart’s Motion to Dismiss in the litigation check out here and here]. This brings us to the Court’s ruling on Walmart’s Motion to Dismiss. According to the Court (and in agreement with Walmart), Plaintiff’s CCPA claim had to be dismissed for two independent reasons.
First, Plaintiff’s failure to allege when the breach purportedly occurred was fatal to the Complaint. Recall that the CCPA provides that “[a]ny consumer whose nonencrypted and nonredacted personal information […] is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action” to recover damages or injunctive relief. Cal. Civ. Code § 1798.150(a)(1). The CCPA went into effect on January 1, 2020, and it does not contain an express retroactivity provision. Moreover, under well-settled California law, in the absence of an express retroactivity provision, a statute will usually not be applied retroactively.
As such, the Court held that the CCPA does not apply retroactively, and therefore the alleged breach involving Walmart was only actionable under the CCPA if it occurred after January 1, 2020. However, on this specific issue, the Complaint was silent. Although Plaintiff alleged his personally identifiable information (“PII”) was presently for sale on the dark web and argued that this allegation in itself sufficed for purposes of pleading a CCPA claim, the Court disagreed: “Absent allegations establishing that Walmart’s alleged violation of the CCPA occurred after it went into effect, Plaintiff’s CCPA claim is not viable.”
Second, the Court also held that Plaintiff’s CCPA claim failed for the additional reason that Plaintiff did not sufficiently allege disclosure of his personal information as defined in the CCPA. Recall that the CCPA provides that “personal information” means:
(A) An individual’s first name or first initial and the individual’s last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
(i) Social security number.
(ii) Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.
(iii) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account […]
(B) A username or email address in combination with a password or security question and answer that would permit access to an online account.
Cal. Civ. Code § 1798.81.5. Why does this matter? Well in the Complaint Plaintiff merely alleged that that the purported breach compromised the full names, financial account information, credit card information, and other PII of Walmart customers. The Court found this allegation insufficient, noting that “[a]lthough in the Complaint Plaintiff generally refers to financial information and credit card fraud, he does not allege the disclosure of a credit or debit card or account number, and the required security or access code to access the account.” (emphasis added). Accordingly Plaintiff’s allegations, without more, did not suffice to plead a disclosure of “personal information” as defined in the CCPA.
Well, what about the OTHER claims pled in the Complaint-surely one of them had to move past the pleadings stage, right? Well, actually no. Walmart had moved to dismiss Plaintiff’s remaining claims for negligence, contract, and violations of California Unfair Competition Law (“UCL”) for failure to allege any cognizable injury. The Court accepted Walmart’s arguments on this front.
Similar to the allegations raised in other data breach litigations, Plaintiff alleged that he and the proposed class suffered economic damages and actual harm in the form of: (1) the improper disclosure of their PII; (2) future risk of potential fraud and identity theft; (3) Walmart’s nonexistent notification of the data breach; (4) ascertainable losses in the form of out-of-pocket expenses and value of time spent mitigating the data breach’s effect; (5) losses in the form of deprivation of value of their PII; and (6) overpayments for the goods purchased from Walmart. Not impressed by these alleged “injuries”? Neither was the Court, which found “Plaintiff’s vague and conclusory allegations regarding his purported injuries are insufficient to establish the damages element required for his breach of contract, negligence, and UCL claims.”
Walmart may have won this particular battle, but this data privacy litigation is not over yet. The Court gave Plaintiff the opportunity to cure the deficiencies in the Complaint by granting leave to amend. Whether Plaintiff is able ultimately to state a claim under the CCPA remains to be seen. Stay tuned.