This week, a federal court in California largely tossed a case against several retailers and a data analytics company over allegations that the companies illegally shared their consumer transaction data. The court left intact an invasion of privacy claim to go forward. The opinion is available online.

U.S. District Judge David O. Carter of the Central District of California partially granted motions to dismiss the case that were filed by Sephora, Bed Bath & Beyond, CVS, Bath & Body Works, The Gap, Home Depot, the TJX Cos., and data analytics company the Retail Equation Inc. (TRE). As reported by Law 360,

While Judge Carter permanently dismissed claims for unjust enrichment and violation of the Fair Credit Reporting Act, the California Consumer Privacy Act and California’s Unfair Competition Law, he let stand a claim for invasion of privacy against TRE and the retailers. The judge said the plaintiff customers plausibly alleged a reasonable expectation of privacy against the defendants, noting “the wide discrepancy between plaintiffs’ alleged expectations for retail defendants’ use of their data and its actual alleged use.”

Judge Carter wrote that “[t]he court finds dismissing this claim at the pleading stage particularly inappropriate where, as is the case here, defendants are the only party privy to the true extent of the intrusion on plaintiffs’ privacy. Reading the complaint in a light most favorable to plaintiffs, plaintiffs sufficiently allege that TRE and retail defendants’ intrusion into plaintiffs’ privacy was highly offensive.”

Again, turning to Law 360,

In Wednesday’s order, Judge Carter tossed the customers’ California Consumer Privacy Act claims against the retail defendants, finding the CCPA wasn’t yet in effect when some plaintiffs purportedly attempted returns or exchanges. While the customers had argued the stores had a pattern and practice of data sharing, the court said the customers didn’t allege they were continuing to return or exchange merchandise at those retailers ‘such that their data is disclosed to TRE.’

In August 2021, claims against several other retailers were dismissed without prejudice.

As noted in the opinion,

Defendant TRE is a technology company that contracts with retailers to provide its services for detecting retail fraud or criminal activity amongst consumers. Plaintiffs allege Retail Defendants have or continue to be in a contractual relationship with Defendant TRE to utilize such services.  To combat retail fraud or criminal activity, Defendant TRE allegedly provides Retail Defendants individualized risk scores at the retailer’s request when a consumer attempts a product return or exchange. The risk scores are generated by Defendant TRE through analysis of data, referred to as Consumer Commercial Activity Data and Consumer ID Data. The Consumer Commercial Activity Data is collected by retailers and “includes, but is not limited to, each customers’ unique purchase return, and exchange history, i.e., what a consumer buys, when a consumer buys, where a consumer buys, how much a consumer buys, how often a consumer buys, what form of payment a consumer uses, etc.” . The Consumer ID Data is collected by retailers “includes, but is not limited to, all unique identification information contained on or within a consumer’s driver’s license, government-issued ID card, or passport, e.g., the consumer’s name, date of birth, race, sex, photograph, complete street address, and zip code.”  Plaintiffs allege Retail Defendants and Defendant TRE’s data collection efforts also involve “connecting data”— to create a consumer’s individual “risk score,” they use personal and transaction data of people thought to be related or associated with the consumer.  Plaintiffs further allege that TRE also considers “information about other customers in the merchant location during the time of the requested return transaction” to determine a consumer’s risk score.

(citations omitted).

Case: Hayden v. the Retail Equation Inc. et al., U.S.D.C. (C.D. Calif., no. 8:20-cv-01203).