Federal Court Dismisses CCPA Claim Against Marriot International, Inc. For Lack of Standing

Scott Humphreys, Mudasar Khan, Gregory Szewczyk, Philip Yannella
Ballard Spahr LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Ballard Spahr LLP

On January 12, 2021, the federal District Court for the Central District of California dismissed a data breach law suit—including a claim filed under the California Consumer Privacy Act (“CCPA”)—against Marriott International, Inc.  The holding, which dismissed the claims for lack of standing, will likely play a role in a number of CCPA cases that have motions to dismiss pending.

The case stems from a cybersecurity breach announced by Marriott on March 31, 2020, in which two employees of a Marriott franchise in Russia allegedly accessed some personal information without authorization.  The class action was filed asserting claims for negligence, breach of express and implied contract, violation of California’s Unfair Competition Law, and violation of the CCPA.  However, at the time the class action was filed, Marriott’s investigation was still ongoing.

Marriott’s investigation concluded that the only personal information that had been accessed was the class members’ names, addresses, phone numbers, email addresses, genders, birth dates, and loyalty account numbers—it did not involve sensitive personal information such as social security numbers, credit card information, or passwords/access credentials.  Marriott moved to dismiss for lack of Article III standing, and the District Court granted the motion.

The District Court engaged in a fairly standard Article III standing analysis, starting with whether there was injury-in-fact.  The Court relied on established precedent that, for there to be a credible risk of injury sufficient for standing, the data at issue must have a certain level of sensitivity.  Because the investigation revealed that the data at issue was not sensitive in nature, the Court held that the plaintiffs could not establish standing.

The four-page opinion did not specifically address the CCPA claim.  If it had, it likely could have dismissed that claim on separate grounds at the data that had been accessed without authorization did not fall into the subset of information subject to the CCPA’s private right of action.  However, the Marriott case demonstrates that even if plaintiffs could successfully argue that the CCPA is ambiguous with respect to the scope of its private right of action, they would still face standing challenges for data breaches involving non-sensitive personal information.  As there are numerous CCPA cases with motions to dismiss pending, we expect to see additional case law emerging on this front.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising

Written by:

Ballard Spahr LLP
Ballard Spahr LLP
Contact
more
less

Ballard Spahr LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide