In one of the first substantive decisions handed down since the California Consumer Privacy Act (“CCPA”) came into effect, the District Court for the Northern District of California held in Gardiner v. Walmart, Case No. 20-cv-04618-JSW (March 5, 2021) that the limited private right of action for the unauthorized disclosure of unencrypted personal information does not apply to conduct occurring prior to the statute’s January 1, 2020 effective date.

In Gardiner, plaintiff alleged personal information that he and other users of Walmart’s website provided in creating an online account, including credit card information, was accessed by hackers as a result of an undisclosed data breach and had been posted on the Dark Web. The District Court dismissed plaintiff’s CCPA claim, finding that plaintiff’s failure to allege the date of the alleged hacking and access of his data required dismissal because he could not show that it had occurred after the statute’s effective date, citing Civ. Code § 3 (“[n]o part of [this Code] is retroactive, unless expressly so declared.”) and People v. Brown, 54 Cal. 4th 314, 319-20 (2012) (“in the absence of an express retroactivity provision, a statute will not be applied retroactively unless it is very clear from extrinsic sources that the Legislature must have intended a retroactive application.”). In so holding, the court also implicitly affirmed that in order to state a claim under the CCPA, a plaintiff must allege a data breach under §1798.150, rather than a violation of other CCPA provisions. See p. 4 (n order to have a viable claim against Walmart for a violation of the CCPA, Plaintiff must allege that Walmart’s “violation of the duty to implement and maintain reasonable security procedures and practices” that led to the breach occurred on or after January 1, 2020. See Cal. Civ. Code § 1798.150(a)(1).

The court further held that plaintiff’s CCPA claim must also be dismissed because, although plaintiff alleged the theft of full names, financial account and credit card information, he failed to allege that hackers obtained the security code or pin necessary to access such accounts.  The court declined to infer that such information must have been accessed by virtue of the information having purportedly been offered for sale on the Dark Web.

In addition to dismissing plaintiffs’ CCPA claims, the court also dismissed his claims for negligence, breach of contract, and under the Unfair Competition Law, finding that plaintiff failed to allege sufficient injury.  Although plaintiff alleged that he had a credible risk of identity theft, and had purchased a credit monitoring service, the court held that whether plaintiff’s mitigation efforts constitute a sufficient injury to support his claims rises and falls with his allegation regarding a credible threat of identify theft.  Because plaintiff failed to allege that the necessary codes were obtained to access his accounts, he failed to allege a credible threat of future harm and could not rely on his mitigation efforts.

Finally, the court dismissed his claims under the UCL on the grounds that he had failed to allege that he lacked an adequate remedy at law, relying on the Ninth Circuit’s recent decision in Sonner v. Premier Nutrition Corp., 971 F.3d 834, 844 (9th Cir. 2020).

Although the absence of an express retroactivity provision in the CCPA should have put the question of retroactivity to rest, numerous complaints have been brought based upon purported violations which occurred, in whole or in part, prior to the Act’s effective date.  The Gardiner decision should help to put those claims to rest.

For more information regarding how the courts are interpreting the CCPA and how it may impact your business, please contact Dan Rockey or another member of our Data Privacy and Security Team.