Bryan Cave Leighton Paisner Retail Blog


What Questions Are In-House Counsel Asking Most About the GDPR?

The European Union’s General Data Protection Regulation (“GDPR”) is the most comprehensive – and complex – data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.

To help address that confusion, our firm’s Data Privacy and Security team has published a multi-part series discussing the questions most frequently asked about the GDPR.  You can find a link to each of the top 10 questions and answers (in the order of popularity) below:

  • Does the GDPR data breach notification provision cover the same type of data as United States data breach notification provisions?
  • What Does It Mean To Be “Established” In The EU?
  • Is a Service Provider’s Privacy Shield Certification Good Enough?
  • Are the Standard Contractual Clauses Enough?
  • Are Work

    Retailers Should Ensure Compliance With CAN-SPAM Act and State Laws

    Email is an important marketing tool for many retailers, who need to be aware of the legal requirements regarding sending email to customers and potential customers.

    Since its enactment in 2003, the Controlling the Assault of Non-Solicited Pornography and Marketing (“CAN-SPAM”) Act has attempted to curb the number of unwanted emails and impose some rules on a largely unregulated frontier.  In addition, at least thirty-seven states have laws regulating unsolicited electronic mail advertising. A state-by-state summary is available by clicking here.

    When followed, the CAN-SPAM Act’s restrictions give email recipients some control over their inboxes and also maintain fairness in how emails present themselves.  All businesses, retailers included, can face penalties of up to $16,000 per violation for failure to follow the CAN-SPAM Act.

    As a practical matter, many retailers use vendors for their email marketing and other email services, and those vendors often assist the retailers in complying

    EU’s General Data Protection Regulation Takes Effect in May — Are You Compliant?

    February 22, 2018


    The European Union’s General Data Protection Regulation (“GDPR”), arguably the most comprehensive – and complex – data privacy regulation in the world, goes into force on May 25, 2018. As retailers and other companies prepare, there continues to be a great deal of confusion regarding the requirements of the GDPR.


    Data Privacy and Security: A Practical Guide for In-House Counsel

    January 26, 2018


    Partner David Zetoony published the 2018 edition of his handbook, Data Privacy and Security: A Practical Guide for In-House Counsel, on January 25 – Data Privacy Day. The guide provides an overview of laws relevant to a variety of data matters topics, statistics that illustrate data privacy and security issues, and a breakdown of these data-related issues.


    Retailers Should Be Aware of Data Privacy Concerns With Bring Your Own Device Policies

    Many retailers permit their employees to use personal mobile devices, such as smartphones and tablets, to access company-specific information, such as email, under a Bring Your Own Device (“BYOD”) policy. BYOD policies can be popular for employees that want to use hand-picked devices and for retailers that want to avoid the cost of providing, and maintaining, company-owned devices. Nonetheless, the use of company data on non-company devices implicates both security and privacy considerations.

    A reported 40 percent of companies offer BYOD to all employees, according to a survey by Crowd Research Partners.  Security concerns, data leakage, and malware were all listed as top concerns of retailers in allowing BYOD.

    Consider the following when deciding upon a BYOD policy:

    Is the scope of your control over employees’ mobile devices consistent with your company’s interest?  Retailers should consider why they have an interest in knowing about their employees’ mobile devices; that

    Beware of Making Unsubstantiated Anti-Aging Claims

    Manufacturers, distributors, and retailers often tout the anti-aging effects of certain cosmetics and nutritional supplements. Of course, the term “anti-aging” is not intended to literally mean that a product prevents aging. To the contrary, it is understood by both the industry and consumers as describing a product that is designed to mitigate, mask, or soften certain cosmetic indicators that come with age. These typically include wrinkles, discoloration, greying of the hair, or a loss of skin firmness.

    Anti-aging litigation has proven popular with the plaintiffs’ bar. In the past five years, there have been at least 31 class action complaints filed alleging deceptive advertising of anti-aging products, and at least 10 enforcement actions brought by the Federal Trade Commission (FTC).

    Often such putative class actions allege that advertising which touts a product’s anti-aging properties is deceptive and misleading to consumers. Typically, complaints over anti-aging claims lack affirmative evidence that a

    “Made in USA” Claims Can Be Considered Deceptive Unless Substantiated

    Although every product (unless excepted) that is imported into the United States must be marked with its country of origin pursuant to Section 304 of the Tariff Act of 1930, most products manufactured domestically are not required to list the United States as the country of origin. However, if manufacturers or retailers do choose to market their products as “Made in the USA,” these claims must be substantiated, or risk being considered deceptive under federal or state law.

    On the federal level, the Federal Trade Commission has issued guidelines and considers representations that a product is “Made in the USA” to be deceptive, unless (1) “all or virtually all” of a product’s components are of U.S. origin, and (2) “all or virtually all” processing takes place in the United States.  Furthermore, the FTC considers phrases such as “Produced in the USA,” “Built in the USA,” or “Manufactured in

    Monitoring Employees’ Email and Internet Use Raises Legal Considerations

    Retailers should be aware that federal laws prohibit the interception of another’s electronic communications, but these same laws have multiple exceptions that generally allow employers to monitor employees’ email and internet use on employer-owned equipment or networks.

    As a result, under federal law, when retail employees use an organization’s telephone or computer system, monitoring their communications is broadly permissible, though there may be exceptions once the personal nature of a communication is determined. For example, under the National Labor Relations Act, employers cannot electronically spy on certain types of concerted activity by employees about the terms and conditions of employment.

    Although monitoring is broadly permitted under federal law, some states, including Connecticut and Delaware, require that employers notify employees that they may be monitored. Even in states that do not require notice, employers often choose to provide notice since employees who know they are being monitored are less likely to

    Disclose and Follow Standards for Collection and Sharing of Customers’ Online Behavioral Data

    January 31, 2017


    Many retailers engage in behavioral advertising, which refers to the use of information to predict the types of products or services of greatest interest to a particular consumer. Online behavioral advertising takes two forms. “First party” behavioral advertising refers to situations in which a website uses information that it obtains when interacting with a visitor. “Third party” behavioral advertising refers to situations in which a company permits others to place tracking cookies on the computers of people who visit the site, so that those individuals can be monitored across a behavioral advertising network.

    Two self-regulatory associations – the Network Advertising Initiative (“NAI”) and the Digital Advertising Alliance (“DAA”) – have created standards for companies engaged in third-party online behavioral advertising.  They recommend clear, meaningful and prominent disclosure on a retailer’s website that describes its data collection, transfer and use practices.  With respect to third-party behavioral advertising, they recommend

    Reduce Potential Liability for Data Security Breaches by Negotiating Coverage in Payment Processing Agreements

    January 13, 2017


    Credit cards are the primary form of payment received by most retailers. In order to process a credit card, a retailer must enter into an agreement with a bank and a payment processor. Payment processing agreements often have significant impacts on a retailer’s financial liability in the event of a data breach. In many cases, the contractual liabilities that flow from a payment processing agreement surpass all other financial liabilities that arise from a data breach, including the cost to investigate an incident, defend litigation, and defend a regulatory investigation.

    The following checklist describes common data security related provisions to look for within most payment processing agreements:

  • Incorporation of Payment Brand Rules. Most payment processing agreements incorporate by reference the rules, regulations, and guidelines of the payment brands (American Express, Discover, MasterCard, and/or Visa). When negotiating a payment processing agreement, it is important to determine whether the obligation to abide

    What to Look for When Buying Cyber Insurance

    October 27, 2016


    Authored by: Bryan Cave and David Zetoony

    Most retailers know they need insurance to cover risks to their property such as fire or theft, or their risk of liability if someone is injured in the workplace.  As numerous high-profile breaches demonstrate, retailers also need to carry coverage for data breaches.  While many insurance companies offer cyber insurance, not all policies are created equal.

    Why is buying cyber insurance difficult?

  • There is little standardization among competing policies; as a result, it is hard to comparison shop.
  • Policies’ exclusions often swallow coverage; as a result, assessing the value of a policy is difficult unless you have extensive experience with the types of liabilities that arise following data breaches.
  • Policies often cover security but not privacy risks.

    Items to review when shopping for cyber insurance:

  • Do the sub-limits on coverage match the corresponding risks?
  • Does the policy include sub-retentions (sub-deductibles) that are unlikely to be reached?
  • Does an exclusion prevent payment for the largest risks, e.g., charges

    How to Respond to Civil Subpoenas and Document Requests That Ask For Personal Information

    September 28, 2016


    Litigants in a civil dispute often use subpoenas, subpoenas duces tecum, and discovery requests to obtain personal information about individuals who may not be present in the litigation. A request for documents and information that include personal information about third parties may conflict with legal obligations imposed upon an organization not to produce information.

    For example, if an organization promises within its privacy policy that

    Does Your Organization Collect Geo-Location Information?

    July 14, 2016


    Smartphones, smartphone apps, websites, and other connected devices (e.g., “wearables”) increasingly request that consumers provide their geo-location information. Geo-location information can refer to general information about a consumer’s location, such as his or her city, state, or zip code, or to precise information that pinpoints the consumer’s location to within a few feet, such as his or her GPS coordinates.

    Organizations request geo-location information for a variety of reasons. For example, many apps – such as transportation or delivery services – require geo-location in order to provide services that are requested by the consumer. Other apps – such as mapping programs, coupon programs, or weather programs – require geo-location information in order to provide consumers with useful information. Because such information has become intertwined, in many cases, with products and services, some organizations require the user to “Accept” or “Agree” to the collection of geo-location information as a condition to using a device,

    What to Consider When Drafting or Reviewing a Privacy Policy

    June 20, 2016


    Although financial institutions, health care providers, and websites directed to children are required to create consumer privacy policies under federal law, other types of websites are not.  In 2003, California became the first state to impose a general requirement that most websites post a privacy policy.  Under the California Online Privacy Protection Act (“CalOPPA”), all websites that collect personal information about state residents must post an online privacy policy if the information is collected for the purpose of providing goods or services for personal, family, or household purposes.  Since the passage of the CalOPPA, most websites that collect information – whether or not they are directed at California residents or are otherwise subject to the CalOPPA – have chosen to post an online privacy policy.

    What to think about when drafting or reviewing a privacy policy:

  • Is your organization subject to a federal law that requires that

    How to Pass Data Between Retailers to Facilitate Transactions

    June 9, 2016


    Online retailers often learn information about a consumer that may be used to help identify other products, services, or companies that may be of interest to the consumer.  For example, if a consumer purchases an airplane ticket to Washington, D.C., the consumer may want information about hotels, popular restaurants, or amenities at the airport.

    Although online retailers often strive to provide recommendations quickly, and to make a consumer’s transition to a third party retailer seamless, the Restore Online Shoppers’ Confidence Act (“ROSCA”) generally prohibits one online merchant from transferring payment information (e.g., a credit card number) to a second online merchant.

    Below are some questions to consider when evaluating the data privacy issues involved in passing information between online retailers:

  • Are consumers being presented with third party products or services when they visit a retailer’s website?
  • Are consumers being presented with third party products or services immediately after they visit

    Recommendations for Evaluating Your Company’s Use of Social Media

    The majority of retailers utilize social media to market their products and services, interact with consumers, and manage their brand identity. Many mobile applications and websites even permit users to sign-in with their social media accounts to purchase items or use the applications’ services.

    While using third party social media websites has significant advantages for businesses, it also raises distinct privacy concerns. Specifically, the terms of use that apply to social media platforms may give the platform the right to share, use, or collect information concerning your business or your customers. To the extent that the social media platform’s privacy practices are not consistent with the practices of your own company, they may contradict or violate the privacy notice that you provide to the public.

    Here is a list of issues to consider when evaluating your company’s use of social media:

  • How would a data breach of social media platforms