A federal court in California recently dismissed a lawsuit brought under the California Consumer Privacy Act (CCPA) against Walmart, concluding that the CCPA did not apply retroactively and that the plaintiff had failed to specify the date of the alleged violation giving rise to his claim. The case—Gardiner v. Walmart Inc.—represents a meaningful hurdle for potential CCPA plaintiffs whose claims are either undated or predate the CCPA’s effective date.

In Gardiner, a consumer filed a putative class action against Walmart in the U.S. District Court for the Northern District of California, arguing that the alleged failure of Walmart’s data security practices violated the CCPA (along with other state laws). Specifically, the plaintiff alleged that at some unspecified point prior to the filing of his complaint, personal identifying information (PII) that he provided to Walmart when creating an account on the company’s website had been unlawfully accessed in connection with a data breach affecting the site and was sold on the dark web. Walmart filed a motion to dismiss in response, arguing among other things that the plaintiff’s lack of specificity with respect to the date of the breach was fatal to his CCPA claim because the statute applied only to breaches that occurred on or after January 1, 2020, the date when the CCPA went into effect.

The court agreed with Walmart’s position. Noting that the CCPA does not contain an express retroactivity provision, the court held that although the plaintiff alleged in his complaint that his PII was currently circulating on the dark web, his failure to allege the particular date of the breach of Walmart’s website doomed his CCPA claim. The court proceeded to dismiss the plaintiff’s remaining claims on other grounds.

As a practical matter, the decision in Gardiner may not have a significant impact on the particular plaintiff in that case, given that the court granted him leave to amend his complaint to cure the deficiencies in his allegations. More broadly, however, Gardiner will likely make it harder for CCPA plaintiffs to survive motions to dismiss because information concerning exactly when a data breach took place is not often available to plaintiffs prior to discovery.