On January 12, 2021, the federal District Court for the Central District of California dismissed a data breach lawsuit—including a claim filed under the California Consumer Privacy Act (“CCPA”)—against Marriott International, Inc. The holding, which dismissed the claims for lack of standing, will likely play a role in a number of CCPA cases that have motions to dismiss pending.
The case stems from a cybersecurity breach announced by Marriott on March 31, 2020, in which two employees of a Marriott franchise in Russia allegedly accessed some personal information without authorization. The class action was filed asserting claims for negligence, breach of express and implied contract, violation of California’s Unfair Competition Law, and violation of the CCPA. However, at the time the class action was filed, Marriott’s investigation was still ongoing.
Marriott’s investigation concluded that the only personal information that had been accessed was the class members’ names, addresses, phone numbers, email addresses, genders, birth dates, and loyalty account numbers—it did not involve sensitive personal information such as social security numbers, credit card information, or passwords/access credentials. Marriott moved to dismiss for lack of Article III standing, and the District Court granted the motion.
The District Court engaged in a fairly standard Article III standing analysis, starting with whether there was injury-in-fact. The Court relied on established precedent that, for there to be a credible risk of injury sufficient for standing, the data at issue must have a certain level of sensitivity. Because the investigation revealed that the data at issue was not sensitive in nature, the Court held that the plaintiffs could not establish standing.
The four-page opinion did not specifically address the CCPA claim. If it had, the Court likely could have dismissed that claim on separate grounds, as the data that had been accessed without authorization did not fall into the subset of information subject to the CCPA’s private right of action. However, the Marriott case demonstrates that even if plaintiffs could successfully argue that the CCPA is ambiguous with respect to the scope of its private right of action, they would still face standing challenges for data breaches involving non-sensitive personal information. As there are numerous CCPA cases with motions to dismiss pending, we expect to see additional case law emerging on this front.