Walmart CCPA Case Kicked for Good by Federal Judge, Case Reaffirms Mere Misappropriation of PI Does Not Establish Compensable Damages
Last week a federal judge dismissed a putative class action alleging that Walmart’s purportedly deficient security practices compromised customers’ personal data in violation of the California Consumer Privacy Act (“CCPA”). This was on the basis that Plaintiff did not credibly allege that the purported disclosure of personal information occurred after the law went into effect last year, among other reasons.
Readers of CPW are well-versed with the background of this case. Back in July 2020, Plaintiff filed a class action complaint against Walmart alleging that Walmart suffered a data breach which was never disclosed. As evidence of the breach, Plaintiff presented claims that the personal information associated with his Walmart account had been discovered on the dark web for sale and presented the results of security scans performed on Walmart’s website, which allegedly showed certain vulnerabilities. In other words, Plaintiff filed suit on the supposition that Walmart’s systems had been breached, which Walmart denies. Plaintiff’s complaint included a claim under the California Consumer Privacy Act (“CCPA”), in addition to other California privacy and consumer protection statutes.
However, as with all things, the details matter. In order for Plaintiff to prevail at this stage in the pleadings, the court had to find that the complaint sufficiently alleged a violation of the CCPA, which went into effect on January 1, 2020. This meant the data incident at issue had to have happened on or after this date. However, the original complaint filed in this alleged that found his personal data up for sale on the dark web in 2019. And when Walmart point out this pleading shortcoming in its motion as a basis for dismissal, Plaintiff filed opposition papers declaring that the actual date was 2020 and Wacategorizing the discrepancy as a “scrivener’s error.”
Assessing the pleadings and the parties’ briefing, the court ruled last Wednesday that the different date now claimed by Plaintiff was not credibly “the result of a typo or misunderstanding.” Nor was additional amendment of the pleadings a viable option for Plaintiff to state a cognizable CCPA claim. This is because federal courts (including ones within the Ninth Circuit, where this case was pending) have held that an amended complaint may only allege other facts consistent with the challenged pleading. Here by contrast, “[w]ere Plaintiff to amend his complaint to allege that the violation occurred on or after January 1, 2020, it would directly contradict the allegation in the FAC that he discovered his PII for sale in 2019.”
Plaintiff’s other claims were also subject to dismissal. The court acknowledged that under limited circumstances, courts within the Ninth Circuit have found that “[d]iminution of value of personal information can be a viable damages theory.” Pruchnicki v. Envision Healthcare Corp., No. 20-15460, 2021 U.S. App. LEXIS 11699 (9th Cir. Apr. 21, 2021). However, in order to prevail on such a theory, “a plaintiff must establish the existence of a market for the personal information and an impairment of the ability to participate in that market.” The “mere misappropriation of personal information’ does not establish compensable damages.” (emphasis added). Instead, a plaintiff must allege that his “personal information actually lost value.”
The court found Plaintiff’s California statutory and common law claims failed to satisfy this standard:
As in Pruchnicki, Plaintiff does not allege that he has been unable to sell, profit from, or monetize his personal information. Instead, he alleges that whether he ever intended to sell his information is irrelevant because it is possible to assign a monetary value to PII using a market approach. Apart from allegations about the value of PII in general, Plaintiff has not alleged that his purportedly stolen personal information—his name, home address, phone number, and the last four digits and expiration dates of two of his debit cards—is less valuable because of the breach. Indeed, Plaintiff’s allegations suggest that his PII may be valueless for reasons unrelated to the alleged breach.
(emphasis in original). As such, the court dismissed Plaintiff’s amended complaint (the original pleading had already been kicked out earlier in the year, but Plaintiff had been given another shot by being granted leave to file an amended pleading).
This case is noteworthy for its narrow application of the CCPA as well as for its damages ruling which builds upon the Ninth Circuit’s decision in Pruchnicki. And for more on data privacy litigations, stay tuned.