April 14, 2021

Volume XI, Number 104

Advertisement

April 14, 2021

Subscribe to Latest Legal News and Analysis

April 13, 2021

Subscribe to Latest Legal News and Analysis

April 12, 2021

Subscribe to Latest Legal News and Analysis

Multiple Retailers Sued Under CCPA for Sharing Data Used to Identify Fraudulent Returns

Earlier this year, The Retail Equation, a loss prevention service provider, and Sephora were hit with a class action lawsuit in which the plaintiff claimed Sephora improperly shared consumer data with The Retail Equation without consumers’ knowledge or consent. The plaintiff claimed The Retail Equation did so to generate risk scores that allegedly were “used as a pretext to advise Sephora that attempted product returns and exchanges are fraudulent and abusive.”

On August 3, 2020, the plaintiff, now joined by others, amended her complaint to cast an even wider net. The amended complaint now asserts claims against 12 additional retailers based on their alleged use of The Retail Equation’s services to identify fraudulent returns. As against the retailer defendants, the plaintiffs assert claims for invasion of privacy, violations of California’s unfair competition law, unjust enrichment, and, most notable, violations of the California Consumer Privacy Act (“CCPA”).

It is questionable whether the CCPA, which provides for statutory damages of no less than $100 and up to $750 per violation, even applies. The CCPA’s private right of action is limited to situations where personal information is “subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices” (Cal. Civ. Code § 1798.150). The plaintiffs’ claims, however, concern the voluntary transfer of data to a third-party service provider. Contrary to a data breach, a voluntary transfer arguably does not involve any alleged “violation of the duty to implement and maintain reasonable security procedures and practices.” We note this same theory has been asserted against Zoom based on its alleged sharing of data with Facebook. Zoom’s response to the complaint in that action, In Re: Zoom Video Communications, Inc. Privacy Litigation, N.D. Cal. Case No. 5:20-cv-02155-LHK, is due on September 14, 2020.

Advertisement
Copyright © 2021, Hunton Andrews Kurth LLP. All Rights Reserved.National Law Review, Volume X, Number 226
Advertisement
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...

212 309 1223 direct
Advertisement
Advertisement