April 15, 2021
The California Consumer Protection Act (CCPA), which went into effect on January 1, 2020, permits private citizens to sue companies for failing to adequately protect their personal information in addition to imposing regulatory fines connected to the rights of California residents under the CCPA (read more about the CCPA here and here). As expected, this has lead to dozens of individual and class action lawsuits being filed against companies such as Facebook, Google, and Walmart.
While this private right of action is limited only to data breaches, data theft, or unauthorized distribution of data, derivative claims such as breach of contract and negligence can be added to a lawsuit, increasing a company’s exposure exponentially.
This is exactly what happened when Lavarious Gardiner filed a putative class action against Walmart, Inc. on July 10, 2020. Gardiner claimed that he discovered his information for sale on the “dark web,” and therefore a data breach must have occurred. He also claimed that Walmart breached a contract with him and was negligent in allowing his information to be accessed and stolen.
Walmart moved to dismiss Gardiner’s claims, and the court agreed. The court’s decision provides guidance about the CCPA and the private right of action that the California Attorney General has not. For example:
- A private action under the CCPA must allege when a data breach happened, it cannot merely allege that it must have happened.
- A private action must specifically allege that personal information was disclosed, it cannot merely intimate that since information was available for sale, it was obtained as a result of a breach.
- Damages must be actual, not speculative.