Gardiner v. Walmart provided some guidance as to the specificity required to state a claim under the California Consumer Privacy Act (CCPA) and the types of damages that may be recoverable for breaches of California consumer data. On July 10, 2020, Lavarious Gardiner filed a proposed class action against Walmart, alleging that unauthorized individuals accessed his personal information through Walmart’s website. Although Walmart never disclosed the alleged breach or provided any formal notification to consumers (and maintains that no breach occurred), Gardiner claimed that he discovered his personal information on the dark web and was told by hackers that the information came from his Walmart online account. He also claims that by using cybersecurity scan software he discovered many vulnerabilities on Walmart’s website.

Gardiner claimed Walmart violated the CCPA and California’s Unfair Competition Law. In response, Walmart filed a motion to dismiss, which was granted on March 5, 2021 (of note – with leave to amend). While Gardiner has now amended his complaint, the court’s ruling on Walmart’s motion to dismiss addresses some important points related to data breach class actions, including:

  • The complaint MUST state when the alleged breach occurred. Gardiner had only alleged that his information was on the dark web, not when the breach actually occurred. The court also stated that for purposes of a CCPA claim, the relevant conduct is the actual data breach resulting from a “failure to implement and maintain reasonable security procedures and practices.” This means that the breach must have occurred on or after January 1, 2020, the effective date of the CCPA.
  • The complaint must sufficiently allege disclosure of personal information. Gardiner had only alleged that his credit card number was disclosed, but had not alleged that his 3-digit access code was affected.
  • Plaintiff’s damages arising from a data breach MUST not be speculative; this is common across courts that dismiss class action data breach suits. Here, Gardiner had not alleged that he incurred any fraudulent charges or suffered any identity theft or other harm.

The court also dismissed Gardiner’s unfair competition claims that were based on a benefit of the bargain theory.

The court also addressed the disclaimers in Walmart’s privacy policy. Walmart argued that Gardiner’s contract-based claims were barred by its website Terms of Use, which included a warranty disclaimer and limitation of liability for data breaches. The court said that the limitation of liability was clear and emphasized with capitalization, which put Gardiner on notice of its contents. This is an important part of the decision for ANY company with an online presence: a company’s website Privacy Policy and Terms of Use could be the final line of defense.

Gardiner has since amended his complaint. Whether the amendments will avoid another motion to dismiss is unknown. Still, this decision provides valuable insight for claims made under the CCPA and important lessons about website Privacy Policies and Terms of Use.


Federal Court Finds the California Consumer Privacy Act (CCPA) Does Not Apply Retroactively, Dismissing Claims Against Walmart Stemming from an Alleged Data Breach | Data Privacy + Cybersecurity Insider














If you live within a one and a half-mile radius of the east side of the Walmart store in El Paso, Texas in a single-family home, within a one-mile radius of the North Las Vegas Walmart store in a single-family home, or within a one-mile radius of the Cheektowaga, New York Walmart store, then you are eligible to take part in the COVID-19 testing delivery-by-drone pilot program. It works like this: A drone drops off a testing kit with a self-administered nasal swab; the patient then ships the sample to Quest Diagnostics using a pre-paid shipping envelope. The results are provided to the patient online.

With the rising number of COVID-19 cases in these areas, the hope is to provide more testing and accessibility.

This program is available only while the supplies last. It is offered Monday through Saturday from 9:30 a.m. to 4:30 p.m. and Sunday from 10 a.m. to 4:30 p.m. This is yet another example of drones potentially increasing efficiency and improving accessibility for health care.

Walmart announced that it will begin experimenting with self-driving cars in a pilot program with General Motors-backed Cruise (a tech start-up with electric, self-driving cars) to deliver groceries and other products to neighborhoods in Phoenix, Arizona. The program will launch in 2021. The fleet of cars will use electricity from renewable resources to curb carbon emissions from the operation.

Customers will be able to place an order from their local store and have the products delivered contact-free by one of Cruise’s self-driving cars. The goal is to save customers time and money while also experimenting with technology that will help the environment.

While the pandemic has halted lots of autonomous vehicle companies’ plans to launch all sorts of services across many different cities in the U.S., the need for contact-free delivery, including prescription deliveries, has led many companies like Cruise to use the technology to fill that need.