A California federal district court recently granted in part the dismissal of certain federal and state privacy claims, including a California Consumer Privacy Act (“CCPA”) claim, in Hayden v. The Retail Equation, Inc., No. 8:20-cv-01203 (C.D. Cal.). Plaintiffs in Hayden alleged that twelve retailers unlawfully shared customer data with a computer software firm, The Retail Equation (“TRE”), which in turn created “customer risk scores” to identify potentially fraudulent customer returns. This customer risk score was alleged to include information about the customers’ purchase histories, information gleaned from social media, as well as personal information, including name, government identification card or passport information, address, sex, race, and date of birth. TRE and the retailers sought dismissal of: (1) the Fair Credit Reporting Act (“FCRA”) claim; (2) the CCPA claim; (3) the California invasion of privacy claim; (4) the Unfair Competition Law (“UCL”) claim; and (5) unjust enrichment claim. The Court dismissed all but the invasion of privacy claim.
First, as to the FCRA claim, the court held that the alleged activities did not meet the statutory definition of a “consumer report” under the FCRA. Specifically, the court highlighted that the customer risk score does not bear on plaintiffs’ eligibility for credit, and the retailers are not issuing any credit to the plaintiffs by deferring any payment or debt. The court reached this conclusion despite the fact that TRE describes itself as “consumer reporting agency” producing “consumer reports.”
Second, the court dismissed the CCPA claim. The Court held that disclosure of customers’ non-anonymized data was not the result of a failure to implement and maintain reasonable security measures, which would be actionable under the CCPA, but was rather a business decision to combat retail fraud. In sum, the court found the CCPA inapplicable because plaintiffs did not allege that the retailers violated their duties as they relate to security procedures and practices, and, for the non-California plaintiffs, that the CCPA was only actionable as to California residents.
Third, the court declined to dismiss the invasion of privacy claim. First, the court found that plaintiffs properly alleged a reasonable expectation of privacy. Distinguishing it from routine commercial behavior, the court pointed to data collected from social media, and highlighted that this information is thereafter combined with transactional data to create individual profiles. Second, the court concluded that the plaintiffs had properly alleged that the data collection was highly offensive, where plaintiffs had argued that risk score penalizes a consumer’s association or relationship with certain individuals based on the inclusion of social media information, and that, in any event, the resolution of this determination was better resolved beyond the pleading stage.
Lastly, the court dismissed the UCL and unjust enrichment claims because there is an adequate remedy at law in light of the court’s ruling as to the invasion of privacy claim.