Federal District Court Dismisses Walmart Data Breach Class Action

Written by: Brett Lawrence, Esq.

On March 5, 2021, the Federal District Court for the Northern District of California granted Walmart’s motion to dismiss the plaintiff’s class action lawsuit for exposed customer personal data. This was one of the first major lawsuits alleging violations under the California Consumer Privacy Act (“CCPA”). We previously discussed this case’s factual background last August.

The Court’s ruling highlighted three reasons why the plaintiff’s complaint failed as a matter of law:

1. Must Allege Date When the Breach Actually Occurred

Plaintiff’s complaint failed to allege when Walmart actually suffered the data breach. The Court ruled that to bring a claim for violating CCPA, the plaintiff should have alleged that Walmart’s CCPA violation, which caused the data breach, occurred on or after the date CCPA went into effect, January 1, 2020. Absent this allegation, the Court concluded the plaintiff’s CCPA claim was not viable. It was not sufficient that plaintiff alleged that his personal information was still available on the dark web.

2. Types of Personal Information Must be Alleged with More Specificity

The Court further ruled that plaintiff’s CCPA claim failed because he did not sufficiently allege disclosure of personal information. CCPA defines “personal information” as a person’s full name plus an additional factor, such as the person’s social security or financial account numbers. Plaintiff’s complaint only alleged disclosure of “financial account information, credit card information,” and other personal information of Walmart customers. The Court concluded that the plaintiff did not allege disclosure of actual financial account or credit card numbers, as required by CCPA. The Court refused to assume that the plaintiff’s allegation included disclosure of numbers.

3. Claimed Damages Cannot be Too Speculative

The Court dismissed the plaintiff’s remaining claims—negligence, breach of contract, etc.—because he failed to sufficiently allege Walmart’s breach actually caused him injury. The plaintiff’s claimed injuries included loss of value to his personal information, increased risk of identity theft, and mitigation expenses. The Court concluded that these types of harms were insufficient to support his theory of damages. The Court reasoned that plaintiff did not explain how the value of his personal information diminished and that future harms and mitigation expenses were too conclusory.