A U.S. federal court has sided with StockX in connection with the proposed class action lawsuits filed against it in 2019 for allegedly failing to safeguard customers’ information and then failing to inform those same consumers after 6.8 million records were hacked from its website, and “instead, tried to hide the fact by telling users to reset their passwords under the guise of ‘system updates.’” The data breach was subsequently revealed by TechCrunch, prompting a number of individuals to file privacy-centric suits against it in courts across the U.S. for “intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable data-security measures to ensure its systems were protected, take steps to prevent and stop the breach from happening, monitor and detect the breach on a timely basis, and disclose to customers the fact that it did not have adequate security systems and practices to safeguard [their] data.”
On the heels of a handful of individual class action lawsuits being combined before a federal district court in Michigan, U.S. District Judge Victoria Roberts granted Detroit-based StockX’s motion to dismiss the consolidated class action and compel arbitration in December 2020 on the basis that the parties are subject to StockX’s terms of service, which “always included an arbitration agreement, a delegation provision, a class action waiver, and instructions for how to opt out of the arbitration agreement.”
However, before the matter could make its way to arbitration, the plaintiffs, two of whom are minors, appealed to the U.S. Court of Appeals for the Sixth Circuit, arguing that the lower court erred in dismissing the case, as there is an issue of fact as to whether four of the plaintiffs accepted StockX’s terms of service. The plaintiffs further claimed that the defenses of infancy and unconscionability render the company’s terms of service, including the arbitration agreement and the delegation provision (i.e., a provision that states that an arbitrator will decide whether the dispute is fit for arbitration), invalid and unenforceable.
Beyond that, the plaintiffs also asserted that regardless of their ages, the arbitration agreement, including the delegation provision, is invalid because it is a “contract of adhesion,” “comprised of boilerplate language, drafted by StockX,” and “lacks the essential element of mutuality,” among other things. In short: the plaintiffs argued that an enforceable agreement does not exist between them and StockX, thereby, making arbitration an improper forum.
The Sixth Circuit’s Decision
In its decision dated December 2, a panel of judges for the Sixth Circuit declined to rule on any of the plaintiffs’ arguments about the validity or enforceability of StockX’s terms. Writing for the court, Judge Ralph Guy stated, “[W]e conclude that a contract exists and that the delegation provision itself” – which states that “the arbitrator . . . shall have exclusive authority to resolve any dispute arising out of or relating to the interpretation, applicability, enforceability or formation of [the arbitration] agreement to arbitrate, any part of it, or of [StockX’s] terms [of service] including, . . . any claim that all or any part of [the arbitration] agreement or the terms is void or voidable” – is valid.
“Such language alone is clear and unmistakable evidence requiring that an arbitrator shall decide the ‘applicability, enforceability,’ or validity of both the arbitration provision and the entire contract,” according to Judge Guy, holding that as a result, “the arbitrator must decide in the first instance whether the defenses of infancy and unconscionability allow plaintiffs to avoid arbitrating the merits of their claims.”
As for the plaintiffs’ challenge of the delegation clause, itself, the court held that they have failed to show that “‘the basis of [their] challenge [is] directed specifically’ to the ‘delegation provision,” as they “have simply recycled the same arguments that pertain to the enforceability of the agreement as a whole.” As a result, the majority determined that the plaintiffs’ challenge to the validity or enforceability of the delegation clause under the infancy defense “is for an arbitrator to decide.” (Judge Karen Nelson Moore dissented, arguing that “a minor who has disaffirmed a contract is not subject to the contract’s delegation provision, [as] arbitration is simply a matter of contract between the parties.”)
With this in mind, the Sixth Circuit upheld the lower court’s decision to dismiss the case and compel arbitration.
The win for StockX is the latest in a sting of cases that “strictly enforce delegation provisions,” according to Squire Patton Boggs LLP’s Ellen Phillips, who points to Swiger v. Rosette, in which a plaintiff sought to avoid arbitration in a case over an allegedly “predatory loan” contract that contained a delegation clause, but “was unable to do so when she failed to mention, let alone challenge, her contract’s delegation clause.” In March, the Sixth Circuit sided with the defendant, holding that “because Swiger’s arbitration agreement includes an unchallenged provision delegating [the] question [of whether the parties must arbitrate their dispute over the loan] to an arbitrator, the district court exceeded its authority when it undertook that task and found the agreement unenforceable.”
“If one wants a court to determine whether an arbitration agreement is enforceable, they must check if there is a delegation clause, and, if so, specifically challenge it,” Phillips states. “Otherwise, they will be left arbitrating whether they should be arbitrating.”
Esquer v. StockX
While the consolidated case will now move to arbitration, one of the cases filed against StockX in connection with the breach was previously determined to not be subject to dismissal on the basis of arbitration. In an order dated June 15, Eastern District of Michigan Judge Victoria Roberts determined that “because application of Michigan law would be contrary to fundamental California policy and California has a materially greater interest in Esquer’s claims than Michigan, StockX’s choice of law clause is unenforceable, [and] the Court will not compel arbitration of Esquer’s claims against StockX.”
In the complaint that she first filed before the U.S. District Court for the Northern District of California in September 2019, Esquer accused StockX of running afoul of California’s Consumer Records Act and Unfair Competition Law by “fail[ing] to secure and safeguard its customers’ private information, including the names, shipping addresses, email addresses, and passwords of those who created accounts on the StockX website.” Esquer argued that StockX “knew, or should have known, that its data security measures were inadequate,” particularly since the data breach “followed prominent breaches involving other e-commerce websites such as shein.com, panerabread.com, adidas.com, orbitz.com, macys.com, bloomingsdales.com, and zappos.com.”
StockX, which revealed that it surpassed 6.5 million lifetime buyers and 1 million lifetime sellers in the first half of 2021, has been building out its initially sneaker-focused offerings since its founding in 2016 and expanding internationally. In the wake of its latest funding round, a Series E-1 round that closed in April 2021, the company boasts a valuation of $3.8 billion.
The case is In Re: StockX Customer Data Security Breach Litigation, No. 21-1089 (6th Cir.).