A federal judge in California dismissed a lawsuit alleging a data breach at Walmart was a violation of the California Consumer Privacy Act (CCPA), noting the plaintiff failed to prove a breach occurred.
The lawsuit, Gardiner v. Walmart, filed in July 2020 in the U.S. Northern District of California, alleged a data breach of customer credit card information led to plaintiff Lavarious Gardiner’s personally identifiable information (PII) being sold on the dark web.
In a 14-page ruling issued July 28, U.S. District Judge Jeffrey White said the case failed to prove there was a data breach at Walmart; and even if there was, Gardiner’s initial complaint offered proof his PII was available on the dark web in 2019, before the CCPA took effect.
The judge had previously dismissed the lawsuit because Gardiner alleged he saw his PII for sale on the dark web in 2019. In his amended complaint, Gardiner said he was mistaken and that he saw his PII on the dark web in 2020. The amended complaint made several other “drafting error” claims in an attempt to realign the breach timeline to better fit with the CCPA’s enactment date of Jan. 1, 2020.
The judge found the revised allegations in the amended complaint “not credible” and dismissed the case with prejudice. It cannot be refiled.
“Plaintiff’s attempt to amend his complaint through his opposition by casting the allegation as a drafting error and attaching a self-serving declaration is improper,” White wrote in his ruling.
The ruling sets precedent that CCPA-related lawsuits alleging breaches that occurred before Jan. 1, 2020, will likely be tossed. Amending the complaint to have the claim fall within an updated timeline won’t work either.
Walmart said it was pleased with the ruling in a statement.
“As we have said, we are not aware of our data security measures being compromised, and we disputed the plaintiff’s allegations that the failure of our systems played any role in the public disclosure of his personally identifiable information,” a spokesperson said.
Walmart could have been subject to a fine of $750 per breach, as well as other penalties granted by the court, had evidence been found of a credible breach that occurred after Jan. 1, 2020.
The CCPA has a look-back provision to Jan. 1, 2019, but it only applies to companies’ handling of PII and not to consumers’ ability to file lawsuits alleging harm from data breaches.
California Attorney General Rob Bonta recently announced the state has made “great progress” in CCPA enforcement despite having issued no fines since the law took effect.
California is the only state in the country where consumers can file lawsuits in federal court alleging harm from the release of their PII through a data breach. All other consumers must depend on their state attorney general to make allegations and file lawsuits on their behalf.
Two states that recently passed data protection legislation—Virginia and Colorado—did not include private right of action in the final version of their laws. And whether to include private right of action has proved to be a stumbling block for similar legislation in other states, including Florida, Oklahoma, and Washington.
According to a lawsuit tracker from law firm Perkins Coie, more than 140 CCPA-related cases have been filed since the law took effect. About 50 involve claims a firm did not do enough to prevent a data breach; others cite consumer privacy rights, a claim that is not expressly allowed by the CCPA but has not stopped customers from filing suit. Elsewhere, the CCPA has been cited as a predicate for other causes of action, like a violation of the state’s Unfair Competition Law, Perkins Coie noted.