Ever since the California Consumer Privacy Act (“CCPA”) took effect on January 1, 2020, litigants have been looking forward to guidance regarding the limits of data breach claims. Now some of the questions are starting to be answered. The March 5, 2021 decision in Gardiner v. Walmart, Inc.1 provides some much-needed direction as to the specificity required to state a CCPA claim, and the types of damages that are recoverable for data breaches in California.
Factual and Procedural Background Relating To Initial Complaint
Lavarious Gardiner filed a putative class action against Walmart, Inc. on July 10, 2020 regarding a purported data breach. Gardiner alleged that unauthorized individuals accessed his personal identifying information (“PII”) on Walmart’s website. Although Walmart never disclosed the alleged breach (and maintains that no breach occurred), Gardiner claims that he discovered his PII on the “dark web” and was advised by “hackers” that the information came from his Walmart account. Gardiner also claimed that he detected several vulnerabilities on Walmart’s website using cybersecurity scan software.
Gardiner asserted statutory claims against Walmart, including violation of the CCPA2 and violation of California’s Unfair Competition Law (the “UCL”).3 In addition, Gardiner asserted common law claims such as negligence and breach of contract.
In response, Walmart filed a motion to dismiss that was granted on March 5, 2021, albeit with leave to amend. The ruling addresses several notable matters of first impression. Although Gardiner has since amended his complaint in an attempt to address deficiencies identified by the Court, Walmart filed a motion to dismiss the amended complaint. A ruling on Walmart’s motion to dismiss the amended complaint will likely help provide additional direction for litigants.4
The Complaint Must State When The Alleged Breach Occurred
A threshold issue raised by Walmart was whether Gardiner sufficiently stated a CCPA claim despite failing to allege when the purported breach occurred. Gardiner argued that it is enough that his PII is still being sold on the dark web – regardless of when the breach occurred.
Importantly, the Court agreed with Walmart that a plaintiff must allege when the breach occurred. The Court clarified that, for purposes of a CCPA claim, the relevant conduct is the actual data breach resulting from a “failure to implement and maintain reasonable security procedures and practices.” Accordingly, the Court found that Gardiner must allege that the purported breach occurred on or after January 1, 2020 (the effective date of the CCPA), and failure to do so warrants dismissal.
Gardiner attempts to salvage his CCPA claim in his amended complaint, though it is unclear whether he will be successful. In the most recent motion to dismiss, Walmart points out that Gardiner claims his PII was listed for sale on the dark web in 2019, which was supported by evidence submitted by Gardiner’s own expert.5 Gardiner claims that this was a scrivener’s error, but does not cite to any evidence to support this assertion, other than the inference that some of the credit card data was purportedly stolen after January 1, 2020, based on the cards’ expiration dates.6
Because the CCPA cannot be applied retroactively,7 the date when the alleged underlying breach occurred is particularly important. Of course, even if there was no dispute that the breach occurred after the effective date of the CCPA, January 1, 2020, the timing of the breach is relevant in order to put the defendant on notice of the plaintiff’s claims and to allow for some initial analysis of the merits of the lawsuit.
Given the limited case law interpreting the CCPA, the specific finding in the decision on the first motion to dismiss, and how the Court addresses the arguments in the second motion to dismiss, may have a significant impact on future cases. In particular, it is likely to filter out some CCPA claims by requiring plaintiffs to specifically allege when the breach occurred.
The Complaint Must Sufficiently Allege Disclosure Of PII
Walmart also argued that Gardiner’s complaint did not sufficiently allege disclosure of actionable PII under the CCPA,8 necessitating dismissal. Specifically, Gardiner did not claim that the 3-digit passcode to his credit card was disclosed in the purported breach.
Gardiner countered that the three-digit passcode should be “read into” his claim because he generally alleged disclosure of his “Walmart account, and all of its data.” Gardiner argued that the inference was obvious because his account information would be useless to third parties without the access code.
The Court disagreed that it should assume that Gardiner’s account information and passcode were both disclosed in the purported breach, noting that while the “Court will draw reasonable inferences in Plaintiff’s favor [on a motion to dismiss], it cannot read missing allegations in the complaint.” Thus, this finding clarifies that a plaintiff must also sufficiently allege the type of PII that was disclosed in order to state a claim under the CCPA.
In the amended complaint, Gardiner admits that the PIN and/or CVV numbers associated with his credit cards were not listed on the dark web marketplace.9 Nonetheless, he suggests that the sellers of the purported PII only need to show potential buyers that they possess the relevant information needed to use the debit or credit cards; they do not need to list all of the information.10 If the Court agrees with Walmart that this claim is merely a “string of speculation,”11 it may become more difficult for plaintiffs to allege that their PII was disclosed unless they have explicit confirmation of that disclosure.
Plaintiff’s Damages Arising From A Data Breach Must Not Be Speculative
Walmart argued that Gardiner’s alternative claims (negligence, violation of the UCL, and breach of contract) must fail because he cannot allege a cognizable injury. Walmart emphasized that Gardiner did not allege that he incurred any fraudulent charges or suffered any identity theft. In addition, Walmart contended that mitigation efforts (such as cancelling the account and purchasing credit monitoring services) are not recoverable damages. Similarly, Walmart noted that major credit card issuers have a “zero-fraud-liability” policy, eliminating the risk of imminent future harm.
The Court agreed with Walmart that Gardiner failed to allege any actionable harm because his claim of future harm was too speculative and there was nothing to suggest that expenses for credit monitoring services were reasonable or necessary.
The Court also dismissed Gardiner’s contract and UCL claims that were based on a benefit of the bargain theory.12 In particular, Gardiner alleged that Walmart’s privacy policy constituted an express contract regarding the security measures utilized to protect a customer’s personal information. Notably, though, Gardiner did not allege that the cost of data security was included in the cost of the goods he purchased or that he was required to agree/accept terms of the privacy policy before engaging in a purchase. Consequently, the Court found that Gardiner failed to establish that he had paid consideration for the data security services in Walmart’s privacy policy, and his claims based upon a benefit of the bargain theory due to a purported violation thereof were legally insufficient.
The Court did not reach the issue of whether the closure of the relevant account was fatal to Gardiner’s claims. However, if the Court later finds that canceling a compromised account forecloses future injury, it may have a dramatic effect on the ability of plaintiffs to claim damages for a data breach. After all, that is usually one of the first steps recommended to protect a person’s credit in the event of a breach.
Disclaimers Of Liability May Provide Additional Protection For Companies
The Court also addressed the impact of disclaimers in Walmart’s privacy policy. For instance, Walmart argued that Gardiner’s contract-based claims were barred by its Terms of Use because it included a warranty disclaimer and limitation of liability for data breaches. Gardiner countered that these provisions are unconscionable and should not be enforced because he was not given an opportunity to negotiate or reject the terms.
The Court disagreed with Gardiner and instead found that the relevant limitation of liability included clear language and was emphasized with capitalization - thus sufficiently putting consumers on notice of its contents. As a result, the Court found that Gardiner’s contract claims were barred by Walmart’s Terms of Use.13
While a company cannot simply disclaim statutory liability (including under the CCPA) in its terms of use, the Court’s ruling on this issue demonstrates how clear disclaimers can protect against derivative privacy claims following a data breach.
Conclusion
The Gardiner v. Walmart decision provides valuable insight as to the parameters of CCPA claims, and other causes of action that are related thereto. The district court largely rejected Gardiner’s expansive view of the CCPA and his vague allegations regarding the purported data breach.
Additionally, the anticipated decision on the motion to dismiss the amended complaint is likely to provide further guidance on how specific a complaint will need to be in order to survive a motion to dismiss. We will continue to monitor the proceedings in this matter and provide future updates regarding other important decisions relating to CCPA claims.
1 Case No. 20-cv-04618-JSW (N.D. Cal.).
2 Cal. Civ. Code § 1798.150, et seq.
3 Cal. Bus. & Prof. Code § 17200, et seq.
4 Gardiner filed the amended complaint on March 26, 2021, and Walmart responded with its motion to dismiss on April 23, 2021. See ECF Nos. 44 and 48. The motion to dismiss the amended complaint is now fully briefed and awaiting oral argument and a decision. See ECF Nos. 49 and 50.
5 See First Amended Complaint, ECF No. 44, ¶ 17. See also, Motion to Dismiss Plaintiff’s First Amended Complaint, p. 3.
6 See Plaintiff’s Opposition to Defendant’s Motion to Dismiss First Amended Complaint, ECF No. 49, pp. 1-2.
7 McClung v. Emp’t Dev. Dep’t, 34 Cal. 4th 467, 475 (2004) (“Generally, statutes operate prospectively only.”).
8 CCPA only provides for a private right of action for disclosure of account information if it is accompanied with the required security code, access code, or password that would permit access to the account.
9 See First Amended Complaint, ECF No. 44, ¶ 19.
10 See First Amended Compl., ECF No. 44, ¶ 17.
11 See Walmart’s Motion to Dismiss Plaintiff’s First Amended Complaint, ECF No. 47, p. 5.
12 Gardiner alleged that he suffered a monetary injury because “he did not receive the benefit of his bargain with Defendants, through which he agreed to pay for goods with the understanding that his payment information would be protected by Defendants.” (Compl. ¶¶ 94 and 118.)
13 The Motion to Dismiss the Amended Complaint, and Gardiner’s objection thereto, are substantively the same as those in the initial motion to dismiss.