Bryan Cave Leighton Paisner Retail Blog

Retail Law


EU’s General Data Protection Regulation Takes Effect in May — Are You Compliant?

February 22, 2018

The European Union’s General Data Protection Regulation (“GDPR”), arguably the most comprehensive – and complex – data privacy regulation in the world, goes into force on May 25, 2018. As retailers and other companies prepare, there continues to be a great deal of confusion regarding the requirements of the GDPR.

To help address that confusion, we are publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.

Data Privacy and Security: A Practical Guide for In-House Counsel

January 26, 2018

Partner David Zetoony published the 2018 edition of his handbook, Data Privacy and Security: A Practical Guide for In-House Counsel, on January 25 – Data Privacy Day. The guide provides an overview of laws relevant to a variety of data-related topics, statistics that illustrate data privacy and security issues, and a breakdown of these data-related issues.

Members of Bryan Cave’s Data Privacy and Security Team contributed to the publication. The 2017 guidebook was downloaded by more than 6,000 in-house attorneys. “We are extremely proud of the fact that it has become a desk reference for in-house attorneys worldwide,” Zetoony wrote.

Retailers Should Be Aware of Data Privacy Concerns With Bring Your Own Device Policies

Many retailers permit their employees to use personal mobile devices, such as smartphones and tablets, to access company-specific information, such as email, under a Bring Your Own Device (“BYOD”) policy. BYOD policies can be popular for employees that want to use hand-picked devices and for retailers that want to avoid the cost of providing, and maintaining, company-owned devices. Nonetheless, the use of company data on non-company devices implicates both security and privacy considerations.

A reported 40 percent of companies offer BYOD to all employees, according to a survey by Crowd Research Partners. Security concerns, data leakage, and malware were all listed as top concerns of retailers in allowing BYOD.

Consider the following when deciding upon a BYOD policy:

Is the scope of your control over employees’ mobile devices consistent with your company’s interest?  Retailers should consider why they have an interest in knowing about their employees’ mobile devices; that interest should be the basis from which a BYOD policy should emerge. If the company simply wants to allow an employee to access work email on a mobile device, then the policies and restrictions should proceed with that focus.

To what extent and for what purpose does your company monitor employees’ use of mobile devices? Many servers create logs showing when an employee’s device accessed the organization server using certain authentication credentials. As security measures such logs are often appropriate. To the extent that a retailer wants to monitor more substantive actions by an employee on a mobile device, such monitoring

Beware of Making Unsubstantiated Anti-Aging Claims

Manufacturers, distributors, and retailers often tout the anti-aging effects of certain cosmetics and nutritional supplements. Of course, the term “anti-aging” is not intended to literally mean that a product prevents aging. To the contrary, it is understood by both the industry and consumers as describing a product that is designed to mitigate, mask, or soften certain cosmetic indicators that come with age. These typically include wrinkles, discoloration, greying of the hair, or a loss of skin firmness.

Anti-aging litigation has proven popular with the plaintiffs’ bar. In the past five years, there have been at least 31 class action complaints filed alleging deceptive advertising of anti-aging products, and at least 10 enforcement actions brought by the Federal Trade Commission (FTC).

Often such putative class actions allege that advertising which touts a product’s anti-aging properties is deceptive and misleading to consumers. Typically, complaints over anti-aging claims lack affirmative evidence that a cosmetic product fails to produce the advertised effect. Rather, plaintiffs attempt to challenge the sufficiency of the advertiser’s substantiation for an anti-aging claim or, more recently, attempt to characterize an anti-aging product as an unregistered “drug,” for which FDA approval should have been obtained.

Marketers of cosmetic products should consider the following when reviewing their anti-aging claims, and their potential exposure to litigation:

  • Structure Claims to Focus on Consumer’s Perception.  Most cosmetic products are designed to conceal, mask, or mitigate the visual effects of aging, not to reverse the aging process itself. Consider drafting advertising language to make clear

“Made in USA” Claims Can Be Considered Deceptive Unless Substantiated

Although every product (unless excepted) that is imported into the United States must be marked with its country of origin pursuant to Section 304 of the Tariff Act of 1930, most products manufactured domestically are not required to list the United States as the country of origin. However, if manufacturers or retailers do choose to market their products as “Made in the USA,” these claims must be substantiated, or risk being considered deceptive under federal or state law.

On the federal level, the Federal Trade Commission has issued guidelines and considers representations that a product is “Made in the USA” to be deceptive, unless (1) “all or virtually all” of a product’s components are of U.S. origin, and (2) “all or virtually all” processing takes place in the United States.  Furthermore, the FTC considers phrases such as “Produced in the USA,” “Built in the USA,” or “Manufactured in the USA,” as conveying a near-identical meaning to “Made in the USA,” and applies the same standard.

The standards for “Made in the USA” claims may vary from state to state.  Under California law, for example, such labeling claims are allowed only “if all of the articles, units, or parts of the merchandise obtained from outside the United States constitute not more than 5 percent of the final wholesale value of the manufactured product.” Such labels are also allowed if the manufacturer makes a showing that it cannot produce or obtain a certain article, unit or part within the United States

Monitoring Employees’ Email and Internet Use Raises Legal Considerations

March 3, 2017

Retailers should be aware that federal laws prohibit the interception of another’s electronic communications, but these same laws have multiple exceptions that generally allow employers to monitor employees’ email and internet use on employer-owned equipment or networks.

As a result, under federal law, when retail employees use an organization’s telephone or computer system, monitoring their communications is broadly permissible, though there may be exceptions once the personal nature of a communication is determined. For example, under the National Labor Relations Act, employers cannot electronically spy on certain types of concerted activity by employees about the terms and conditions of employment.

Although monitoring is broadly permitted under federal law, some states, including Connecticut and Delaware, require that employers notify employees that they may be monitored. Even in states that do not require notice, employers often choose to provide notice since employees who know they are being monitored are less likely to misuse corporate systems. It is good practice for a retailer to have employees sign a consent or acknowledgment that monitoring may occur and to inform them that personal calls may not be made from particular telephones.

Employers may also monitor what an employee posts to social media. However, under some state laws employers cannot request that an employee provide his or her username and password to a social-media account in order for the employer to see content that was not published publicly. In 2016, sixteen states introduced or passed legislation prohibiting employers from requesting such information. This would include, for

Disclose and Follow Standards for Collection and Sharing of Customers’ Online Behavioral Data

January 31, 2017

Many retailers engage in behavioral advertising, which refers to the use of information to predict the types of products or services of greatest interest to a particular consumer. Online behavioral advertising takes two forms. “First party” behavioral advertising refers to situations in which a website uses information that it obtains when interacting with a visitor. “Third party” behavioral advertising refers to situations in which a company permits others to place tracking cookies on the computers of people who visit the site, so that those individuals can be monitored across a behavioral advertising network.

Two self-regulatory associations – the Network Advertising Initiative (“NAI”) and the Digital Advertising Alliance (“DAA”) – have created standards for companies engaged in third-party online behavioral advertising.  They recommend clear, meaningful and prominent disclosure on a retailer’s website that describes its data collection, transfer and use practices.  With respect to third-party behavioral advertising, they recommend describing the types of data that are collected, explaining the purpose for which it is collected or will be transferred to third parties, and providing a prominent opt-out mechanism by which customers can opt out from being tracked.

In addition to the self-regulatory effort, California’s Online Privacy Protection Act went into effect on January 1, 2014, and could be interpreted as requiring retailers and other businesses to notify consumers in their website privacy policies if they permit third party behavioral advertising. The following provides a snapshot of information concerning behavioral advertising.

What to think about when evaluating your organization’s online behavioral advertising

Reduce Potential Liability for Data Security Breaches by Negotiating Coverage in Payment Processing Agreements

January 13, 2017

Credit cards are the primary form of payment received by most retailers. In order to process a credit card, a retailer must enter into an agreement with a bank and a payment processor. Payment processing agreements often have significant impacts on a retailer’s financial liability in the event of a data breach. In many cases, the contractual liabilities that flow from a payment processing agreement surpass all other financial liabilities that arise from a data breach, including the cost to investigate an incident, defend litigation, and defend a regulatory investigation.

The following checklist describes common data-security-related provisions to look for within most payment processing agreements:

  • Incorporation of Payment Brand Rules. Most payment processing agreements incorporate by reference the rules, regulations, and guidelines of the payment brands (American Express, Discover, MasterCard, and/or Visa). When negotiating a payment processing agreement, it is important to determine whether the obligation to abide by the payment brand rules is unilateral (i.e., is imposed only upon the merchant) or reciprocal (i.e., is imposed upon the merchant, the acquiring bank, and the payment processor).
  • Incorporation of the Payment Card Industry Data Security Standard. Many payment processing agreements reference the PCI DSS and require that a merchant be, and remain, in full compliance with the requirements of the PCI DSS. When negotiating a payment processing agreement it is important to determine whether you are, or are not, currently in compliance with the PCI DSS, and whether the obligation to comply with the PCI DSS is unilateral
What to Look for When Buying Cyber Insurance

October 27, 2016

Authored by: BCLP and David Zetoony

Most retailers know they need insurance to cover risks to their property such as fire or theft, or their risk of liability if someone is injured in the workplace. As numerous high-profile breaches demonstrate, retailers also need to carry coverage for data breaches. While many insurance companies offer cyber insurance, not all policies are created equal.

Why is buying cyber insurance difficult?

  • There is little standardization among competing policies; as a result, it is hard to comparison shop.
  • Policies’ exclusions often swallow coverage; as a result, assessing the value of a policy is difficult unless you have extensive experience with the types of liabilities that arise following data breaches.
  • Policies often cover security but not privacy risks.

Items to review when shopping for cyber insurance:

  • Do the sub-limits on coverage match the corresponding risks?
  • Does the policy include sub-retentions (sub-deductibles) that are unlikely to be reached?
  • Do exclusions prevent payment for the largest risks, e.g., charges that arise following a credit card breach, common theories alleged in class actions, etc.?
  • Is voluntary notification of affected consumers covered?
  • Will credit monitoring for affected consumers be covered?
  • Who does the insurer have on panel for legal representation, forensic investigations and/or crisis management?
How to Respond to Civil Subpoenas and Document Requests That Ask For Personal Information

September 28, 2016

Litigants in a civil dispute often use subpoenas, subpoenas duces tecum, and discovery requests to obtain personal information about individuals who may not be present in the litigation. A request for documents and information that include personal information about third parties may conflict with legal obligations imposed upon an organization not to produce information.

For example, if an organization promises within its privacy policy that it will never share personal information with a “third party,” and does not include an exception for requests made in civil litigation or through judicial process, a consumer could argue that by producing information pursuant to a subpoena or discovery request an organization has violated its privacy policy and committed an unfair or deceptive practice in violation of federal or state law.

Does Your Organization Collect Geo-Location Information?

July 14, 2016

Smartphones, smartphone apps, websites, and other connected devices (e.g., “wearables”) increasingly request that consumers provide their geo-location information. Geo-location information can refer to general information about a consumer’s location, such as his or her city, state, zip code, or precise information that pinpoints the consumer’s location to within a few feet, such as his or her GPS coordinates.

Organizations request geo-location information for a variety of reasons. For example, many apps – such as transportation or delivery services – require geo-location in order to provide services that are requested by the consumer. Other apps – such as mapping programs, coupon programs, or weather programs – require geo-location information in order to provide consumers with useful information. Because such information has become intertwined, in many cases, with products and services, some organizations require the user to “Accept” or “Agree” to the collection of geo-location information as a condition to using a device, application, or website.

Although there is currently no federal statute that expressly regulates the use, collection, or sharing of geo-location data, the FTC has taken the position that precise geo-location information is a form of “sensitive” personal information and has suggested that a failure to reasonably secure such information, or a failure to adequately disclose the collection or sharing of such information, may violate the FTCA’s general prohibition against unfair or deceptive practices. In addition, Congress and state legislatures have considered several proposals that would expressly regulate the data.

What to consider if your organization collects geo-location information:

  • What is the
What to Consider When Drafting or Reviewing a Privacy Policy

June 20, 2016

Although financial institutions, health care providers, and websites directed to children are required to create consumer privacy policies under federal law, other types of websites are not. In 2003, California became the first state to impose a general requirement that most websites post a privacy policy. Under the California Online Privacy Protection Act (“CalOPPA”), all websites that collect personal information about state residents must post an online privacy policy if the information is collected for the purpose of providing goods or services for personal, family, or household purposes. Since the passage of the CalOPPA, most websites that collect information – whether or not they are directed at California residents or are otherwise subject to the CalOPPA – have chosen to post an online privacy policy.

What to think about when drafting or reviewing a privacy policy:

  • Is your organization subject to a federal law that requires that a privacy policy take a particular form, or include particular information?
  • Does the privacy policy describe the main ways in which your organization collects information?
  • Does the privacy policy describe the ways in which your organization shares information with third parties?
  • Does the privacy policy discuss data security? If so, is the level of security indicated appropriate?
  • Would the privacy policy interfere with a possible merger, acquisition, or sale of your organization’s assets?
  • Would the privacy policy interfere with future ways in which your organization may want to monetize data?
  • Does the privacy policy use terms that might be misunderstood
How to Pass Data Between Retailers to Facilitate Transactions

June 9, 2016

Online retailers often learn information about a consumer that may be used to help identify other products, services, or companies that may be of interest to the consumer. For example, if a consumer purchases an airplane ticket to Washington, D.C., the consumer may want information about hotels, popular restaurants, or amenities at the airport.

Although online retailers often strive to provide recommendations quickly, and to make a consumer’s transition to a third party retailer seamless, the Restore Online Shoppers’ Confidence Act (“ROSCA”) generally prohibits one online merchant from transferring payment information (e.g., a credit card number) to a second online merchant.

Below are some questions to consider when evaluating the data privacy issues involved in passing information between online retailers:

  • Are consumers being presented with third party products or services when they visit a retailer’s website?
  • Are consumers being presented with third party products or services immediately after they visit a retailer’s website?
  • Are such items affirmatively selected by the consumer, or added automatically to the consumer’s shopping cart?
  • If the consumer decides to purchase such items, would they likely think that your organization, or the third party, is processing the transaction?
  • Is the total cost of each third party product clearly and conspicuously disclosed?
  • If the consumer indicates that they wish to buy a third party product or service, can the consumer easily change that decision?
  • Is contact information being transferred from one retailer to another?
  • Is payment information being transferred from one retailer to another?
  • Is the third
Recommendations for Evaluating Your Company’s Use of Social Media

The majority of retailers utilize social media to market their products and services, interact with consumers, and manage their brand identity. Many mobile applications and websites even permit users to sign in with their social media accounts to purchase items or use the applications’ services.

While using third party social media websites has significant advantages for businesses, it also raises distinct privacy concerns. Specifically, the terms of use that apply to social media platforms may give the platform the right to share, use, or collect information concerning your business or your customers. To the extent that the social media platform’s privacy practices are not consistent with the practices of your own company, they may contradict or violate the privacy notice that you provide to the public.

Here is a list of issues to consider when evaluating your company’s use of social media:

  • How would a data breach of social media platforms affect your company? Do you have a plan if your social media account is breached?
  • Does your company share information with an intermediate service provider, such as a social media analytics company, to provide or analyze social media services?
  • Is your internal data or customer personal information protected under your agreements with third parties, including social media platforms?
  • What types of customer personal information are solicited, collected, maintained, or disseminated via your social media platforms (e.g., geo-location)?
  • Do you display information or images of users or other people, including your employees? Did the people in the images give their permission
Data Breach Litigation Report: An Analysis of Federal Class Action Lawsuits Involving Data Security Breaches

Data security breaches – and data security breach litigation – dominated the headlines in 2015 and continue to do so in 2016. While data breach litigation is an important topic for the general public, and remains one of the top concerns of general counsel, CEOs, and boards alike, there remains a great deal of misinformation reported by the media, the legal press, and law firms. At best this is due to a lack of knowledge and understanding concerning data breach litigation; at worst some reports border on sensationalism or fearmongering.

Bryan Cave LLP began its survey of data breach class action litigation four years ago to rectify the information gap and to provide clients, as well as the broader legal, forensic, insurance, and security communities, with reliable and accurate information concerning data breach litigation risk. The 2016 report covers litigation initiated over a 15 month period from the fourth quarter of 2014 through the fourth quarter of 2015. Key findings include:

  • There was a nearly 25% decline in the quantity of cases filed as compared to the 2015 Data Breach Litigation Report.
  • When multiple filings against single defendants are removed, there were only 21 unique defendants during the relevant period, indicating that plaintiffs’ attorneys are filing multiple cases against companies connected to the largest and most publicized breaches, and are not filing cases against the vast majority of other companies that experience data breaches.
  • Approximately 5% of publicly reported data breaches led to class action

Credit Card Data Breaches: Protecting Your Company from the Hidden Surprises

Debit and credit cards are now the primary form of retail payment. Many retailers may not realize, however, that by accepting credit cards, they expose themselves to the risk of a data security breach and significant potential costs and legal liabilities.

Retailers should consider the major sources of direct costs following a data breach. These costs always include the retaining of a PCI (payment card industry) certified forensic investigator as required by the PCI Council. Costs also typically include the retaining of a privileged forensic investigator (often by the retailer’s law firm or general counsel); the hiring of outside counsel; public relations and crisis management; and consumer notification including printing and mailing costs and protection services offered to consumers.

In addition to the direct costs following a data breach, retailers often face three forms of liability from third parties: payment card brand fees; regulatory costs arising from investigations from the FTC, SEC and State Attorneys General, for example; and class action exposure. Contrary to what many retailers believe, retailers are typically not shielded from liability by their card processor or device manufacturers in the event of a payment card data breach. The “fine print” in the contracts for these products or services usually includes a number of provisions that place the liability on the retailer.

Finally, retailers may want to evaluate whether a cyber-insurance policy is needed, and if the policy they are considering provides appropriate coverage, retention and limits in light of the costs detailed above.
