April 15, 2021

The California Consumer Protection Act (CCPA), which went into effect on January 1, 2020, permits private citizens to sue companies for failing to adequately protect their personal information in addition to imposing regulatory fines connected to the rights of California residents under the CCPA (read more about the CCPA here and here).  As expected, this has lead to dozens of individual and class action lawsuits being filed against companies such as Facebook, Google, and Walmart.

While this private right of action is limited only to data breaches, data theft, or unauthorized distribution of data, derivative claims such as breach of contract and negligence can be added to a lawsuit, increasing a company’s exposure exponentially.

This is exactly what happened when Lavarious Gardiner filed a putative class action against Walmart, Inc. on July 10, 2020.  Gardiner claimed that he discovered his information for sale on the “dark web,” and therefore a data breach must have occurred.  He also claimed that Walmart breached a contract with him and was negligent in allowing his information to be accessed and stolen.

Walmart moved to dismiss Gardiner’s claims, and the court agreed.  The court’s decision provides guidance about the CCPA and the private right of action that the California Attorney General has not.  For example:

  • A private action under the CCPA must allege when a data breach happened, it cannot merely allege that it must have happened.
  • A private action must specifically allege that personal information was disclosed, it cannot merely intimate that since information was available for sale, it was obtained as a result of a breach.
  • Damages must be actual, not speculative.
  • Terms of Use which properly disclaim warranties and limit liability can defeat breach of contract and negligence claims.

The most important ruling is that properly crafted Terms of Use can defeat derivative claims under the CCPA.  While a company may not disclaim liabilities imposed by law (including under the CCPA), the proper wording on a website can limit lawsuits to only a CCPA claim.  This reduces exposure and the costs required to defend against a lawsuit by eliminating derivative claims.

The Team at Renzulli Law Firm is working with clients around the world to ensure continued compliance with the CCPA.  If you have any questions about the CCPA, your company’s Terms of Use, and how to limit your liability, contact John F. Renzulli or Christopher Renzulli.