Federal Court Finds the California Consumer Privacy Act (CCPA) Does Not Apply Retroactively, Dismissing Claims Against Walmart Stemming from an Alleged Data Breach
A federal District Court in California recently dismissed a lawsuit against Walmart that arose from an alleged data breach. (Gardiner v. Walmart, Inc., 20-cv-04618-JSW (N.D. Cal., March 5, 2021). Among other things, the court determined that California’s Consumer Privacy Act (CCPA) does not apply retroactively, dismissing the CCPA claim because the plaintiff had not specified the date of the alleged breach.
According to the allegations of the complaint, the plaintiff had provided certain personal identifying information (PII) to Walmart, including credit card information, when he created an online account. Plaintiff claimed that Walmart has been targeted numerous times by individuals who have hacked its website and its customers’ computers, and that the hackers posted stolen account information—including his—on the dark web. As a result, plaintiff asserted that he and others faced an imminent threat of identity theft and fraud, had to spend time and resources to mitigate the effects of the data breach, and suffered economic damages. The complaint alleged violations of the CCPA and also California’s Unfair Competition Law, along with common law claims such as negligence and breach of contract.
Walmart, which disputed that there was any breach of its network, moved to dismiss the complaint. The court granted the motion. As to the CCPA claim, the court concluded that CCPA only applies to breaches occurring on or after January 1, 2020, and does not apply retroactively. Plaintiff therefore had to allege that Walmart’s purported violation of its duty to implement reasonable security procedures to prevent the breach occurred on or after that date. Because plaintiff did not allege a specific date of the alleged breach, he did not have a viable CCPA claim. The court held that the CCPA claim also failed because the complaint did not sufficiently allege disclosure of plaintiff’s PII, such as disclosure of his credit card number and security code.
In addition, the court dismissed all of plaintiff’s remaining claims for negligence, contract, and unfair competition on the grounds that plaintiff had failed to plead a cognizable injury. In doing so, the court found that, without factual allegations identifying what PII was stolen, plaintiff’s bare assertion that his PII had economic value was insufficient to support his claims. The court also determined, among other things, that conclusory allegations of an increased risk of identity theft were insufficient to establish injury. The decision may not end the litigation, however, as the court granted plaintiff leave to amend his complaint to cure the identified deficiencies. It remains to be seen if he will do so.