CCPA Data Breach Lawsuit Against Walmart Fails–Gardiner v. Walmart

April 24, 2021 · by Venkat Balasubramani · in E-Commerce, Licensing/Contracts, Privacy/Security

This is a data breach lawsuit against Walmart in which plaintiff (on his own behalf and on behalf of a putative class) asserts that his data is being currently sold on the dark web. Plaintiff asserted the typical claims, but also one under the California Consumer Privacy Act. The judge dismisses the lawsuit saying the claims are inadequately pled. While the court gives plaintiff a chance to cure the deficiencies, it gives a signal that the court will closely scrutinize any amended pleading.

The CCPA Claim Fails: The court says the CCPA is not retroactive. In order to be actionable, Walmart’s violation of its duty to implement and maintain reasonable security procedures and practices must have occurred after January 1, 2020. Plaintiff relied on the fact that his data is currently being circulated on the dark web, but the court says this allegation doesn’t say anything about when the breach occurred.

The CCPA claim also fails because plaintiff failed to allege disclosure of any personal information. The court works through the definition carefully, focusing on credit or debit-card related information. The plaintiff’s allegations are sparse in this regard. He tries to point to the fact that in order to complete a transaction, plaintiff would have had to enter the expiration date plus the three digit code. He also argues that the fact that his information is being sold on the dark web means that it would be the type of information someone could use to cause financial harm. This speculation on the plaintiff’s part is insufficient.

Lack of Injury to Support the Remaining Claims: Plaintiff also asserted the usual claims for negligence, breach of contract, and under the UCL. The court says the lack of cognizable injury undermines all of those claims. The court notes that whether plaintiff has alleged sufficient injury to support the claims under state law is different from the question of whether plaintiff has adequately satisfied Article III standing. The court walks through each theory of injury:

Loss of value of PII: While the Ninth Circuit has recognized that loss of value of PII may establish injury, the plaintiff’s allegations here are too vague. While the court does not focus on it, the fact that plaintiff can cancel his credit card may also distinguish the alleged injury here from the injury in the cases where plaintiffs have successfully advanced the theory of loss of value to their PII. In those cases, plaintiffs make an argument that the plaintiff may exploit their own PII (such as browsing history or internet behavior or profile information), which is not plausible here.

Risk of future harm: The allegations regarding risk of future harm are similarly too vague for the court’s liking. The court notes it’s unclear from the complaint whether plaintiff has cancelled his credit cards, but admonishes plaintiff that to the extent he amends his complaint to clarify whether or not he has cancelled his credit cards, he should be wary of Rule 11.

Out-of-pocket expenses: Again, the plaintiff’s allegations are too vague regarding any out-of-pocket expenses for monitoring services.

Benefit of the bargain: Finally, the court looks at the benefit-of-the-bargain theory. Under this theory, if a portion of the money paid by the plaintiff is attributable to data security practices, then in the event of a data breach, the plaintiff will not have received their benefit of the bargain. The only problem is that plaintiff cannot allege that any portion of the amount paid to Walmart for a typical online purchase was attributable to data security.

Other bases for Dismissal: Notwithstanding the lack of damages, the court also says several of the claims have other problems.

The UCL claim: A UCL claim provides for “restitution and injunctive relief” and not damages. This means that it’s an equitable claim that is subject to the federal court rules applicable to equitable claims. The plaintiff must demonstrate the absence of an adequate legal remedy, and plaintiff cannot do that here. Second, the court says plaintiff lacks standing under the UCL. He has to have lost “money or property,” and the PII in question does not constitute “money or property.” Finally, the court says there is no predicate violation.

Negligence claim: The negligence claim is barred by the economic loss doctrine. Purely economic loss is only available in certain types of cases. Plaintiff alleged there was a “special relationship” with Walmart, but the court is not persuaded.

Limitation of liability clause: The court says the limitation of liability clause in Walmart’s online terms may well quash plaintiff’s claims, given that the clause specifically applies to data loss or compromise. It was unclear which set of online terms Plaintiff agreed to (if at all), but all of the iterations of the Walmart’s terms of service have the same limitation of liability clause. Plaintiff argued that the clause was unconscionable. Again, the court is not persuaded, although it gives plaintiff an opportunity to allege facts regarding procedural or substantive unconscionability.

[Walmart moved to strike the class allegations on the basis that plaintiff did not agree to arbitrate his claims, unlike the class members who he seeks to represent. The court says this issue should be revisited when and if plaintiff files a motion to certify.]

This is obviously a ruling of interest because it involves a claim under the CCPA. The CCPA permits

“[a]ny consumer whose nonencrypted and nonredacted personal information […] is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action” [to recover damages or injunctive relief].

Cal. Civ. Code § 1798.150(a)(1). The court says the statute is not retroactive, and this creates challenges for this particular plaintiff (and likely others). It’s tough to know whether plaintiff’s lackluster pleading accounts for dismissal of the CCPA claim, or whether the court’s scrutiny of the CCPA allegations will be a real hurdle to plaintiffs.

Another item of note is how the “loss of value to the PII” argument fared. The court cites to other cases where the loss of PII is credited by the court as an element of damages (often in the standing context), but the plaintiff is unlikely to be able to rely on that argument here.

Finally, two points warrant mention regarding a plaintiff’s possible breach of contract claim against Walmart: (1) it is going to be tough for plaintiff to argue that he paid Walmart any money specifically for data security, and (2) the court signals that the limitation of liability clause could be a formidable hurdle.

Case citation: Gardiner v. Walmart, Inc., 2021 U.S. Dist. LEXIS 75079 (N.D. Cal. Mar. 5, 2021) [pdf]

9th Circuit Affirms Rejection of Data Breach Claims Against Gap — Ruiz v. Gap

The [Non]enforceability of Privacy Promises–Pinero v. Jackson Hewitt

Acxiom Not Liable for Security Breach

When Does a Privacy Policy Breach Support a Breach of Contract Claim? In re JetBlue

Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit — Krottner v. Starbucks

In Hannaford Data Breach Case, First Circuit Says Card Replacement and ID Theft Insurance are Reasonable Mitigation Damages and Compensable–Anderson v. Hannaford Bros

Facebook Defeats Lawsuit Over Tracking Logged-Out Users–In re Facebook Internet Tracking

On Remand, Ninth Circuit Says Robins Satisfied Article III Standing

“Manufactured” TCPA Suit Fails For Lack of Standing

Seventh Circuit: Data Breach Victims Have Standing Based on Future Harm

Android and Pandora Privacy Rulings Accept Low Hurdle for Standing