Bryan Cave Leighton Paisner Retail Blog

Retailers Should Consider Whether Behavioral Advertising Is Sale of Information Under CCPA

The California Consumer Privacy Act (“CCPA”) was enacted in early 2018 as a political compromise to stave off a poorly drafted and plaintiff-friendly ballot initiative.  Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing here a multi-part series that discusses the questions most frequently asked by retailers concerning the CCPA.

Q. If a website participates in behavioral advertising, does the CCPA require that it disclose that it is “selling” consumers’ information?

The California CCPA requires that a business that “sells” personal information disclose within its privacy policy a “list of the categories of personal information it has sold about

Retailers Should Consider Impact of California Consumer Privacy Act on Employee Data

Retailers and other employers with operations in California should be aware of the potential application of the California Consumer Privacy Act (“CCPA”) to data collected about California employees.  Although the CCPA refers to “consumers,” as currently drafted the CCPA’s definition of a “consumer” also will apply to California-based employees.

As we previously reported, the CCPA grants consumers various rights with regard to their personal information held by businesses.  This is part of a multi-part series addressing frequently asked questions concerning the CCPA.

Which employers will have to comply with the CCPA?

Employers with employees in California will need to comply with the CCPA if their business falls into one of the following three categories:

  • Their business buys, sells, or shares the “personal information” of 50,000 “consumers” or “devices”;
  • Their business has gross revenue greater than $25 million; or
  • Their business derives 50% or more of its annual revenue from sharing

    Avoiding the California Consumer Privacy Act Litigation Tsunami: What Does it Mean to “Do Business” in California?

    Companies that do business in California know that it is a magnet for class action litigation.  The California Consumer Privacy Act (“CCPA”), a new privacy law that applies to data collected about California residents, will provide even more incentive to plaintiff’s attorneys to bring suit in California.

    The CCPA was enacted in early 2018 as a political compromise to stave off a poorly drafted ballot initiative.  Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).  To help address that confusion, BCLP is publishing a multi-part series to address the most frequently asked litigation-related questions concerning the CCPA.  BCLP is also working with clients to assess – and mitigate – litigation risks for when the CCPA goes

    California Passes Amendments to Consumer Privacy Act

    California Governor Brown recently signed into law SB 1121, which amends the California Consumer Privacy Act of 2018 to provide much-needed relief to retailers and other businesses that collect consumer information. The amendments take effect immediately.

    The California Retailers Association (CRA) worked successfully with other business leaders as part of the Privacy Coalition to secure passage and signature of SB 1121, and will continue to work on a more comprehensive clean-up bill in 2019.

    As we previously reported, the Act grants consumers various rights with regard to their personal information held by businesses, including:

    • The right to request that a business provide it with specific information the business has collected about them, including categories of information sold, and third parties to whom information is sold.
    • The right to request deletion of personal information the business has collected about the consumer. The business must comply unless one

    What Questions Are In-House Counsel Asking Most About the GDPR?

    The European Union’s General Data Protection Regulation (“GDPR”) is the most comprehensive – and complex – data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.

    To help address that confusion, our firm’s Data Privacy and Security team has published a multi-part series discussing the questions most frequently asked about the GDPR.  You can find a link to each of the top 10 questions and answers (in the order of popularity) below:

  • Does the GDPR data breach notification provision cover the same type of data as United States data breach notification provisions?
  • What Does It Mean To Be “Established” In The EU?
  • Is a Service Provider’s Privacy Shield Certification Good Enough?
  • Are the Standard Contractual Clauses Enough?
  • Are Work

    Retailers Should Ensure Compliance With CAN-SPAM Act and State Laws

    Email is an important marketing tool for many retailers, who need to be aware of the legal requirements regarding sending email to customers and potential customers.

    Since its enactment in 2003, the Controlling the Assault of Non-Solicited Pornography and Marketing (“CAN-SPAM”) Act has attempted to curb the number of unwanted emails and impose some rules on a largely unregulated frontier.  In addition, at least thirty-seven states have laws regulating unsolicited electronic mail advertising. A state-by-state summary is available by clicking here.

    When followed, the CAN-SPAM Act’s restrictions give email recipients some control over their inboxes and also maintain fairness in how emails present themselves.  All businesses, retailers included, can face penalties of up to $16,000 per violation for failure to follow the CAN-SPAM Act.

    As a practical matter, many retailers use vendors for their email marketing and other email services, and those vendors often assist the retailers in complying

    EU’s General Data Protection Regulation Takes Effect in May — Are You Compliant?

    February 22, 2018

    The European Union’s General Data Protection Regulation (“GDPR”), arguably the most comprehensive – and complex – data privacy regulation in the world, goes into force on May 25, 2018. As retailers and other companies prepare, there continues to be a great deal of confusion regarding the requirements of the GDPR.

    Data Privacy and Security: A Practical Guide for In-House Counsel

    January 26, 2018

    Partner David Zetoony published the 2018 edition of his handbook, Data Privacy and Security: A Practical Guide for In-House Counsel, on January 25 – Data Privacy Day. The guide provides an overview of laws relevant to a variety of data matters topics, statistics that illustrate data privacy and security issues, and a breakdown of these data-related issues.

    Retailers Should Be Aware of Data Privacy Concerns With Bring Your Own Device Policies

    Many retailers permit their employees to use personal mobile devices, such as smartphones and tablets, to access company-specific information, such as email, under a Bring Your Own Device (“BYOD”) policy. BYOD policies can be popular for employees that want to use hand-picked devices and for retailers that want to avoid the cost of providing, and maintaining, company-owned devices. Nonetheless, the use of company data on non-company devices implicates both security and privacy considerations.

    A reported 40 percent of companies offer BYOD to all employees, according to a survey by Crowd Research Partners.  Security concerns, data leakage, and malware were all listed as top concerns of retailers in allowing BYOD.

    Consider the following when deciding upon a BYOD policy:

    Is the scope of your control over employees’ mobile devices consistent with your company’s interest?  Retailers should consider why they have an interest in knowing about their employees’ mobile devices; that

    Beware of Making Unsubstantiated Anti-Aging Claims

    Manufacturers, distributors, and retailers often tout the anti-aging effects of certain cosmetics and nutritional supplements. Of course, the term “anti-aging” is not intended to literally mean that a product prevents aging. To the contrary, it is understood by both the industry and consumers as describing a product that is designed to mitigate, mask, or soften certain cosmetic indicators that come with age. These typically include wrinkles, discoloration, greying of the hair, or a loss of skin firmness.

    Anti-aging litigation has proven popular with the plaintiffs’ bar. In the past five years, there have been at least 31 class action complaints filed alleging deceptive advertising of anti-aging products, and at least 10 enforcement actions brought by the Federal Trade Commission (FTC).

    Often such putative class actions allege that advertising which touts a product’s anti-aging properties is deceptive and misleading to consumers. Typically, complaints over anti-aging claims lack affirmative evidence that a

    “Made in USA” Claims Can Be Considered Deceptive Unless Substantiated

    Although every product (unless excepted) that is imported into the United States must be marked with its country of origin pursuant to Section 304 of the Tariff Act of 1930, most products manufactured domestically are not required to list the United States as the country of origin. However, if manufacturers or retailers do choose to market their products as “Made in the USA,” these claims must be substantiated, or risk being considered deceptive under federal or state law.

    On the federal level, the Federal Trade Commission has issued guidelines and considers representations that a product is “Made in the USA” to be deceptive, unless (1) “all or virtually all” of a product’s components are of U.S. origin, and (2) “all or virtually all” processing takes place in the United States.  Furthermore, the FTC considers phrases such as “Produced in the USA,” “Built in the USA,” or “Manufactured in

    Monitoring Employees’ Email and Internet Use Raises Legal Considerations

    Retailers should be aware that federal laws prohibit the interception of another’s electronic communications, but these same laws have multiple exceptions that generally allow employers to monitor employees’ email and internet use on employer-owned equipment or networks.

    As a result, under federal law, when retail employees use an organization’s telephone or computer system, monitoring their communications is broadly permissible, though there may be exceptions once the personal nature of a communication is determined. For example, under the National Labor Relations Act, employers cannot electronically spy on certain types of concerted activity by employees about the terms and conditions of employment.

    Although monitoring is broadly permitted under federal law, some states, including Connecticut and Delaware, require that employers notify employees that they may be monitored. Even in states that do not require notice, employers often choose to provide notice since employees who know they are being monitored are less likely to

    Disclose and Follow Standards for Collection and Sharing of Customers’ Online Behavioral Data

    January 31, 2017

    Many retailers engage in behavioral advertising, which refers to the use of information to predict the types of products or services of greatest interest to a particular consumer. Online behavioral advertising takes two forms. “First party” behavioral advertising refers to situations in which a website uses information that it obtains when interacting with a visitor. “Third party” behavioral advertising refers to situations in which a company permits others to place tracking cookies on the computers of people who visit the site, so that those individuals can be monitored across a behavioral advertising network.

    Two self-regulatory associations – the Network Advertising Initiative (“NAI”) and the Digital Advertising Alliance (“DAA”) – have created standards for companies engaged in third-party online behavioral advertising.  They recommend clear, meaningful and prominent disclosure on a retailer’s website that describes its data collection, transfer and use practices.  With respect to third-party behavioral advertising, they recommend

    Reduce Potential Liability for Data Security Breaches by Negotiating Coverage in Payment Processing Agreements

    January 13, 2017

    Credit cards are the primary form of payment received by most retailers. In order to process a credit card, a retailer must enter into an agreement with a bank and a payment processor. Payment processing agreements often have significant impacts on a retailer’s financial liability in the event of a data breach. In many cases, the contractual liabilities that flow from a payment processing agreement surpass all other financial liabilities that arise from a data breach, including the cost to investigate an incident, defend litigation, and defend a regulatory investigation.

    The following checklist describes common data security related provisions to look for within most payment processing agreements:

  • Incorporation of Payment Brand Rules. Most payment processing agreements incorporate by reference the rules, regulations, and guidelines of the payment brands (American Express, Discover, MasterCard, and/or Visa). When negotiating a payment processing agreement, it is important to determine whether the obligation to abide

    What to Look for When Buying Cyber Insurance

    October 27, 2016

    Authored by: Bryan Cave and David Zetoony

    Most retailers know they need insurance to cover risks to their property such as fire or theft, or their risk of liability if someone is injured in the workplace.  As numerous high-profile breaches demonstrate, retailers also need to carry coverage for data breaches.  While many insurance companies offer cyber insurance, not all policies are created equal.

    Why is buying cyber insurance difficult?

  • There is little standardization among competing policies; as a result, it is hard to comparison shop.
  • Policies’ exclusions often swallow coverage; as a result, assessing the value of a policy is difficult unless you have extensive experience with the types of liabilities that arise following data breaches.
  • Policies often cover security but not privacy risks.
    Items to review when shopping for cyber insurance:

  • Do the sub-limits on coverage match the corresponding risks?
  • Does the policy include sub-retentions (sub-deductibles) that are unlikely to be reached?
  • Does exclusion prevent payment for the largest risks, e.g., charges

    How to Respond to Civil Subpoenas and Document Requests That Ask For Personal Information

    September 28, 2016

    Litigants in a civil dispute often use subpoenas, subpoenas duces tecum, and discovery requests to obtain personal information about individuals who may not be present in the litigation. A request for documents and information that include personal information about third parties may conflict with legal obligations imposed upon an organization not to produce information.

    For example, if an organization promises within its privacy policy that