Walmart Litigation offers steerage on knowledge breach class actions beneath the CCPA | Robinson + Cole Privateness + Safety Insider
Gardiner v. Walmart provided some guidance on the specificity required to make a claim under the California Consumer Privacy Act (CCPA) and the types of damages that may be recoverable for California consumer data violations. On July 10, 2020, Lavarious Gardiner filed a class action lawsuit against Walmart alleging that unauthorized individuals accessed his personal information through the Walmart website. Although Walmart never disclosed the alleged violation or gave consumers a formal notification (and claims no violation occurred), Gardiner alleged that he discovered his personal information on the dark internet and was informed by hackers that the information was from his Walmart online account came from. He also claims that he used the cybersecurity scanning software to discover many security flaws on the Walmart website.
Gardiner alleged Walmart violated the CCPA and the California Unfair Competition Act. In response, Walmart filed an application for dismissal, which was approved on March 5, 2021 (with notice – with permission to change). While Gardiner has now changed his complaint, the court’s decision on Walmart’s motion to dismiss addresses a number of key issues related to data breach class actions, including:
- Compliance MUST indicate when the alleged violation occurred. Gardiner had only claimed that his information was on the dark internet, not when the violation actually occurred. The court also found that for the purposes of a CCPA claim, the relevant behavior is the actual data breach resulting from a “failure to implement and maintain adequate security procedures and practices”. This means that the breach must have occurred on or after January 1, 2020, the effective date of the CCPA.
- The complaint must sufficiently claim disclosure of personal data. Gardiner only claimed that his credit card number was disclosed, but did not claim that his three-digit access code was compromised.
- The damage suffered by the plaintiff due to a data breach must not be speculative. This is common in courts dismissing class action lawsuits for data breaches. Here Gardiner did not claim he had fraudulently charged or suffered identity theft or other harm.
The court also dismissed Gardiner’s claims of unfair competition based on an advantage of the bargain theory.