September 25, 2020

Volume X, Number 269

September 25, 2020

Subscribe to Latest Legal News and Analysis

September 24, 2020

Subscribe to Latest Legal News and Analysis

September 23, 2020

Subscribe to Latest Legal News and Analysis

Multiple Retailers Sued Under CCPA for Sharing Data Used to Identify Fraudulent Returns

Earlier this year, The Retail Equation, a loss prevention service provider, and Sephora were hit with a class action lawsuit in which the plaintiff claimed Sephora improperly shared consumer data with The Retail Equation without consumers’ knowledge or consent. The plaintiff claimed The Retail Equation did so to generate risk scores that allegedly were “used as a pretext to advise Sephora that attempted product returns and exchanges are fraudulent and abusive.”

On August 3, 2020, the plaintiff, now joined by others, amended her complaint to cast an even wider net. The amended complaint now asserts claims against 12 additional retailers based on their alleged use of The Retail Equation’s services to identify fraudulent returns. As against the retailer defendants, the plaintiffs assert claims for invasion of privacy, violations of California’s unfair competition law, unjust enrichment, and, most notable, violations of the California Consumer Privacy Act (“CCPA”).

It is questionable whether the CCPA, which provides for statutory damages of no less than $100 and up to $750 per violation, even applies. The CCPA’s private right of action is limited to situations where personal information is “subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices” (Cal. Civ. Code § 1798.150). The plaintiffs’ claims, however, concern the voluntary transfer of data to a third-party service provider. Contrary to a data breach, a voluntary transfer arguably does not involve any alleged “violation of the duty to implement and maintain reasonable security procedures and practices.” We note this same theory has been asserted against Zoom based on its alleged sharing of data with Facebook. Zoom’s response to the complaint in that action, In Re: Zoom Video Communications, Inc. Privacy Litigation, N.D. Cal. Case No. 5:20-cv-02155-LHK, is due on September 14, 2020.

Copyright © 2020, Hunton Andrews Kurth LLP. All Rights Reserved.National Law Review, Volume X, Number 226

TRENDING LEGAL ANALYSIS


About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...

212 309 1223 direct