May 21, 2022

Volume XII, Number 141

Advertisement
Advertisement

May 20, 2022

Subscribe to Latest Legal News and Analysis

May 19, 2022

Subscribe to Latest Legal News and Analysis

May 18, 2022

Subscribe to Latest Legal News and Analysis

Multiple Retailers Sued Under CCPA for Sharing Data Used to Identify Fraudulent Returns

Earlier this year, The Retail Equation, a loss prevention service provider, and Sephora were hit with a class action lawsuit in which the plaintiff claimed Sephora improperly shared consumer data with The Retail Equation without consumers’ knowledge or consent. The plaintiff claimed The Retail Equation did so to generate risk scores that allegedly were “used as a pretext to advise Sephora that attempted product returns and exchanges are fraudulent and abusive.”

On August 3, 2020, the plaintiff, now joined by others, amended her complaint to cast an even wider net. The amended complaint now asserts claims against 12 additional retailers based on their alleged use of The Retail Equation’s services to identify fraudulent returns. As against the retailer defendants, the plaintiffs assert claims for invasion of privacy, violations of California’s unfair competition law, unjust enrichment, and, most notable, violations of the California Consumer Privacy Act (“CCPA”).

It is questionable whether the CCPA, which provides for statutory damages of no less than $100 and up to $750 per violation, even applies. The CCPA’s private right of action is limited to situations where personal information is “subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices” (Cal. Civ. Code § 1798.150). The plaintiffs’ claims, however, concern the voluntary transfer of data to a third-party service provider. Contrary to a data breach, a voluntary transfer arguably does not involve any alleged “violation of the duty to implement and maintain reasonable security procedures and practices.” We note this same theory has been asserted against Zoom based on its alleged sharing of data with Facebook. Zoom’s response to the complaint in that action, In Re: Zoom Video Communications, Inc. Privacy Litigation, N.D. Cal. Case No. 5:20-cv-02155-LHK, is due on September 14, 2020.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.National Law Review, Volume X, Number 226
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...

212 309 1223 direct
Advertisement
Advertisement
Advertisement