Walmart latest hit with CCPA-related lawsuit

A San Francisco man alleges in a class-action lawsuit filed with the U.S. Northern District of California on July 10 that the retail giant was hacked and the personal information—including his credit card—that he gave to the company is being sold on the dark web. The man, Lavarious Gardiner, says hundreds of other Walmart customers have similarly seen their Walmart data appear on the dark web, where criminals and fraudsters sell and trade it. Gardiner says he has been forced “to purchase a credit and personal identity monitoring service to alert him to potential misappropriation of his identity and to combat risk of further identity theft.”

Under the CCPA, companies can be hit with a penalty of up to $750 “per consumer per incident” with regard to data breaches. Walmart contends it was not hacked and that it is not the source of the data on the dark web.

“Protecting our customers’ data is a top priority and something we take very seriously. We dispute the plaintiff’s allegations that the failure of our systems played any role in the public disclosure of his personally identifiable information (PII),” said a Walmart spokesman in an e-mail. “We intend to defend the company against the claims and will respond as appropriate with the court.”

The CCPA has been in effect since Jan. 1, with a look-back provision to Jan. 1, 2019. Enforcement, however, began July 1, with no public actions yet taken under the law. With the CCPA, California is the only state that allows consumers to file such lawsuits against companies. Most consumers have to depend on their state attorney general’s office to pursue action against companies when an alleged data breach occurs.

Several other companies have been sued for alleged violations of the CCPA, under similar circumstances.

Minted, an online stationery and craft retailer, was sued by two customers in June in the U.S. Northern District of California. The customers alleged their personal information was stolen and sold on the dark web. Minted says the data breach occurred in May 2020 and that it notified its customers a week later. The lawsuit contends the credit card information of five million Minted customers was exposed in the breach.

“The Walmart suit is certainly the most high-profile in what is almost certain to be a wave of privacy right action suits to come,” said Dan Clarke, president of IntraEdge, a compliance software vendor. “If what [the plaintiffs] have alleged is accurate, Walmart and Minted would be at the forefront of suits clearly in the scope of CCPA’s private right of action and associated potential statutory damages.”

Another CCPA-related lawsuit was filed in March against Sunshine Behavioral Health Group, a chain of drug and alcohol addiction clinics headquartered in San Juan Capistrano, Calif. The lawsuit, filed in the U.S. Central District of California in March, alleged Sunshine Behavioral Health suffered a data breach that exposed 3,500 client records. The lawsuit contends one of those client records belong to a Pennsylvanian who says he has spent hours working to protect his PII after someone tried to open a fraudulent credit card with the stolen information.

“This is a defining time for the CCPA, when precedents will be set and case law will start to be established,” said Stephen Cavey, co-founder of Ground Labs, a vendor that develops data management and regulatory compliance technology. “Many businesses won’t act to be compliant for something like this until absolutely pushed. The wait-and-see approach is a dangerous strategy to follow.”

Based on public statements by California Attorney General Xavier Becerra, some experts have guessed the AG’s office will prioritize protecting children’s privacy as it enforces the CCPA, as well as shining a light on the way digital marketers and data analysts store, use, and sell the data they collect.

Several other CCPA-related lawsuits have also been filed, including against TikTok, filed on behalf of a minor, that alleged the Chinese company mishandled the data of the minor; and Zoom and Houseparty, in which consumers alleged the companies mishandled their personal information.

A lawsuit filed by data broker Bombora alleged its competitor, ZoomInfo, violated the CCPA by how it collected and sold the data of its customers.

This month, a lawsuit against online retailer Hanna Andersson and Salesforce that cited potential violations of the CCPA in a data breach moved toward settlement, with terms expected to be finalized by the end of August.