Walmart Litigation offers steerage on knowledge breach class actions beneath the CCPA | Robinson + Cole Privateness + Safety Insider

Gardiner v. Walmart provided some guidance on the specificity required to make a claim under the California Consumer Privacy Act (CCPA) and the types of damages that may be recoverable for California consumer data violations. On July 10, 2020, Lavarious Gardiner filed a class action lawsuit against Walmart alleging that unauthorized individuals accessed his personal information through the Walmart website. Although Walmart never disclosed the alleged violation or gave consumers a formal notification (and claims no violation occurred), Gardiner alleged that he discovered his personal information on the dark internet and was informed by hackers that the information was from his Walmart online account came from. He also claims that he used the cybersecurity scanning software to discover many security flaws on the Walmart website.

Gardiner alleged Walmart violated the CCPA and the California Unfair Competition Act. In response, Walmart filed an application for dismissal, which was approved on March 5, 2021 (with notice – with permission to change). While Gardiner has now changed his complaint, the court’s decision on Walmart’s motion to dismiss addresses a number of key issues related to data breach class actions, including:

  • Compliance MUST indicate when the alleged violation occurred. Gardiner had only claimed that his information was on the dark internet, not when the violation actually occurred. The court also found that for the purposes of a CCPA claim, the relevant behavior is the actual data breach resulting from a “failure to implement and maintain adequate security procedures and practices”. This means that the breach must have occurred on or after January 1, 2020, the effective date of the CCPA.
  • The complaint must sufficiently claim disclosure of personal data. Gardiner only claimed that his credit card number was disclosed, but did not claim that his three-digit access code was compromised.
  • The damage suffered by the plaintiff due to a data breach must not be speculative. This is common in courts dismissing class action lawsuits for data breaches. Here Gardiner did not claim he had fraudulently charged or suffered identity theft or other harm.

The court also dismissed Gardiner’s claims of unfair competition based on an advantage of the bargain theory.

The court also addressed the disclaimers in Walmart’s privacy policy .; Walmart argued that Gardiner’s contractual claims were precluded by its website’s terms of use, which included a disclaimer of warranty and limitation of liability for data breach. The court stated that the limitation of liability was clear and capitalized, which made Gardiner aware of its content. This is an important part of choosing ANY online business. A company website’s privacy policy and terms of use could be the last line of defense.

Gardiner has since made his complaint. It is not known whether the changes will avoid another request for rejection. However, this decision provides valuable insight into claims under the CCPA and important insights into the website’s privacy policy and terms of use.

[View source.]

Comments are closed.