Privacy & Information Security Law Blog

Earlier this year, The Retail Equation, a loss prevention service provider, and Sephora were hit with a class action lawsuit in which the plaintiff claimed Sephora improperly shared consumer data with The Retail Equation without consumers’ knowledge or consent. The plaintiff claimed The Retail Equation did so to generate risk scores that allegedly were “used as a pretext to advise Sephora that attempted product returns and exchanges are fraudulent and abusive.”

On August 3, 2020, the plaintiff, now joined by others, amended her complaint to cast an even wider net. The amended complaint now asserts claims against 12 additional retailers based on their alleged use of The Retail Equation’s services to identify fraudulent returns. As against the retailer defendants, the plaintiffs assert claims for invasion of privacy, violations of California’s unfair competition law, unjust enrichment, and, most notable, violations of the California Consumer Privacy Act (“CCPA”).

It is questionable whether the CCPA, which provides for statutory damages of no less than $100 and up to $750 per violation, even applies. The CCPA’s private right of action is limited to situations where personal information is “subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices” (Cal. Civ. Code § 1798.150). The plaintiffs’ claims, however, concern the voluntary transfer of data to a third-party service provider. Contrary to a data breach, a voluntary transfer arguably does not involve any alleged “violation of the duty to implement and maintain reasonable security procedures and practices.” We note this same theory has been asserted against Zoom based on its alleged sharing of data with Facebook. Zoom’s response to the complaint in that action, In Re: Zoom Video Communications, Inc. Privacy Litigation, N.D. Cal. Case No. 5:20-cv-02155-LHK, is due on September 14, 2020.