Home Civil Law CCPA Data Breach Lawsuit Against Walmart Fails-Gardiner v. Walmart – Technology &...

CCPA Data Breach Lawsuit Against Walmart Fails-Gardiner v. Walmart – Technology & Marketing Law Blog


This is a knowledge breach lawsuit in opposition to Walmart through which plaintiff (on his own behalf and on behalf of a putative class) asserts that his information is being presently bought on the darkish Internet. Plaintiff asserted the everyday claims, but additionally one under the California Consumer Privacy Act. The choose dismisses the lawsuit saying the claims are inadequately pled. While the courtroom provides plaintiff an opportunity to treatment the deficiencies, it provides a sign that the courtroom will intently scrutinize any amended pleading.

The CCPA Claim Fails: The courtroom says the CCPA isn’t retroactive. In order to be actionable, Walmart’s violation of its responsibility to implement and preserve affordable safety procedures and practices will need to have occurred after January 1, 2020. Plaintiff relied on the truth that his information is presently being circulated on the darkish Internet, however the courtroom says this allegation doesn’t say something about when the breach occurred.

The CCPA declare additionally fails as a result of plaintiff didn’t allege disclosure of any private data. The courtroom works by the definition rigorously, specializing in credit score or debit-card related data. The plaintiff’s allegations are sparse on this regard. He tries to level to the truth that with the intention to full a transaction, plaintiff would have needed to enter the expiration date plus the three digit code. He additionally argues that the truth that his data is being bought on the darkish Internet implies that it could be the kind of data somebody might use to trigger monetary hurt. This hypothesis on the plaintiff’s half is inadequate.

Lack of Injury to Support the Remaining Claims: Plaintiff additionally asserted the standard claims for negligence, breach of contract, and under the UCL. The courtroom says the shortage of cognizable damage undermines all of these claims. The courtroom notes that whether or not plaintiff has alleged enough damage to assist the claims under state regulation is completely different from the query of whether or not plaintiff has adequately happy Article III standing. The courtroom walks by every concept of damage:

Loss of worth of PII: While the Ninth Circuit has acknowledged that lack of worth of PII could set up damage, the plaintiff’s allegations listed below are too imprecise. While the courtroom doesn’t give attention to it, the truth that plaintiff can cancel his bank card may additionally distinguish the alleged damage right here from the damage within the instances what place plaintiffs have efficiently higher level the idea of lack of worth to their PII. In these instances, plaintiffs make an argument that the plaintiff could exploit their very own PII (equivalent to looking historical past or internet habits or profile data), which isn’t believable right here.

Risk of future hurt: The allegations concerning danger of future hurt are equally too imprecise for the courtroom’s liking. The courtroom notes it’s unclear from the criticism whether or not plaintiff has cancelled his bank cards, however admonishes plaintiff that to the extent he amends his criticism to make clear whether or not or not he has cancelled his bank cards, he ought to be cautious of Rule 11.

Out-of-pocket bills: Again, the plaintiff’s allegations are too imprecise concerning any out-of-pocket bills for monitoring providers.

Benefit of the cut price: Finally, the courtroom seems to be on the benefit-of-the-bargain concept. Under this concept, if a portion of the cash paid by the plaintiff is attributable to information safety practices, then within the occasion of a knowledge breach, the plaintiff is not going to have obtained their good thing about the cut price. The solely drawback is that plaintiff can not allege that any portion of the quantity paid to Walmart for a typical on-line buy was attributable to information safety.

Other bases for Dismissal: Notwithstanding the shortage of damages, the courtroom additionally says a number of of the claims produce other issues.

The UCL declare: A UCL declare offers for “restitution and injunctive relief” and never damages. This implies that it’s an equitable declare that’s topic to the federal courtroom guidelines relevant to equitable claims. The plaintiff should display the absence of an ample authorized treatment, and plaintiff can not try this right here. Second, the courtroom says plaintiff lacks standing under the UCL. He has to have misplaced “money or property,” and the PII in query doesn’t represent “money or property.” Finally, the courtroom says there isn’t any predicate violation.

Negligence declare: The negligence declare is barred by the financial loss doctrine. Purely financial loss is simply accessible in sure sorts of instances. Plaintiff alleged there was a “special relationship” with Walmart, however the courtroom isn’t persuaded.

Limitation of legal responsibility clause: The courtroom says the limitation of legal responsibility clause in Walmart’s on-line phrases could well quash plaintiff’s claims, provided that the clause particularly applies to information loss or compromise. It was unclear which set of on-line phrases Plaintiff agreed to (if in any respect), however the entire iterations of the Walmart’s phrases of service have the identical limitation of legal responsibility clause. Plaintiff argued that the clause was unconscionable. Again, the courtroom isn’t persuaded, though it provides plaintiff a possibility to allege details concerning procedural or substantive unconscionability.

[Walmart moved to strike the class allegations on the basis that plaintiff did not agree to arbitrate his claims, unlike the class members who he seeks to represent. The court says this issue should be revisited when and if plaintiff files a motion to certify.]


This is clearly a ruling of interest as a result of it entails a declare under the CCPA. The CCPA permits

“[a]ny consumer whose nonencrypted and nonredacted personal information […] is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action” [to recover damages or injunctive relief].

Cal. Civ. Code § 1798.150(a)(1). The courtroom says the statute isn’t retroactive, and this creates challenges for this specific plaintiff (and certain others). It’s robust to know whether or not plaintiff’s lackluster pleading accounts for dismissal of the CCPA declare, or whether or not the courtroom’s scrutiny of the CCPA allegations might be an actual hurdle to plaintiffs.

Another merchandise of observe is how the “loss of value to the PII” argument fared. The courtroom cites to different instances what place the lack of PII is credited by the courtroom as a component of damages (usually within the standing context), however the plaintiff is unlikely to have the ability to depend on that argument right here.

Finally, two points warrant point out concerning a plaintiff’s potential breach of contract declare in opposition to Walmart: (1) it’s going to be robust for plaintiff to argue that he paid Walmart any cash particularly for information safety, and (2) the courtroom indicators that the limitation of legal responsibility clause might be a formidable hurdle.

Case quotation: Gardiner v. Walmart, Inc., 2021 U.S. Dist. LEXIS 75079 (N.D. Cal. Mar. 5, 2021) [pdf]

Related posts:

Data Breach Plaintiff Doesn’t Have Standing in the Absence of Fraud or Identity Theft–Tsao v. Captiva

9th Circuit Affirms Rejection of Data Breach Claims Against Gap — Ruiz v. Gap

The [Non]enforceability of Privacy Promises–Pinero v. Jackson Hewitt

Acxiom Not Liable for Security Breach

When Does a Privacy Policy Breach Support a Breach of Contract Claim? In re JetBlue

Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit — Krottner v. Starbucks

In Hannaford Data Breach Case, First Circuit Says Card Replacement and ID Theft Insurance are Reasonable Mitigation Damages and Compensable–Anderson v. Hannaford Bros

Facebook Defeats Lawsuit Over Tracking Logged-Out Users–In re Facebook Internet Tracking

On Remand, Ninth Circuit Says Robins Satisfied Article III Standing

“Manufactured” TCPA Suit Fails For Lack of Standing

Seventh Circuit: Data Breach Victims Have Standing Based on Future Harm

Android and Pandora Privacy Rulings Accept Low Hurdle for Standing

9th Circuit Says Plaintiff Had Standing to Sue Spokeo for Fair Credit Reporting Violations

Court Says Plaintiff Lacks Standing to Pursue Failure-to-Purge Claim Under the VPPA – Sterk v. Best Buy

First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing–Katz v Pershing

Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data — Reilly v. Ceridian

LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds–Low v. LinkedIn


Please enter your comment!
Please enter your name here