Bryan Cave Leighton Paisner Retail Blog

Retail Law

Other Posts

Main Content

California Prop. 65 Regulation Exempts Certain Coffee Chemicals From Cancer Warning; Stay in Coffee Case Lifted

June 26, 2019

Categories

California’s Office of Environmental Health Hazard Assessment (“OEHHA”) has finalized a highly anticipated Proposition 65 regulation relating to coffee. The regulation, California Code of Regulations Section 25704, takes effect October 1, 2019. Section 25704 provides: “Exposures to chemicals in coffee, listed on or before March 15, 2019 as known to the state to cause cancer, that are created by and inherent in the processes of roasting coffee beans or brewing coffee do not pose a significant risk of cancer.”

As we previously reported, OEHHA issued a notice of proposed rulemaking concerning the regulation in June 2018. The Office of Administrative Law approved adoption of the regulation on June 3, 2019, and OEHHA issued a Final Statement of Reasons on June 7.

OEHHA’s Final Statement of Reasons concludes that “the weight of the evidence from the very large number of studies in the scientific literature does not support an association between the complex mixture of chemicals that is coffee and a significant risk of cancer. … Therefore, providing warnings for such exposures would not be ‘clear and reasonable’ or consistent with the purpose of Proposition 65.”

The regulation’s immediate impact, however, is still uncertain pending further proceedings anticipated in a highly publicized Prop. 65 case against coffee roasters and retailers. Prior to the proposed regulation, in Council for Education and Research on Toxics v. Starbucks Corp., Los Angeles Superior Court Judge Elihu Berle had found that defendants failed to demonstrate that coffee does not pose a significant risk

Domino’s Petitions Supreme Court for Review of Unfavorable Website Accessibility Decision

Domino’s Pizza LLC has submitted a petition asking the U.S. Supreme Court to review and reverse a decision from the Ninth Circuit Court of Appeals that allowed a website accessibility case to proceed against Domino’s. The question presented to the Supreme Court by Domino’s is“[w]hether Title III of the ADA requires a website or mobile application that offers goods or services to the public to satisfy discrete accessibility requirements with respect to individuals with disabilities.” Domino’s Pizza LLC v. Guillermo Robles, Petition for a Writ of Certiorari, at 2.

As we previously reported, in June 2019, the Ninth Circuit held in Robles v. Domino’s Pizza, LLC, that the ADA applies to the Domino’s website and mobile application, rejecting the due process and primary jurisdiction arguments that had led the district court to stay the action.

Title III of the ADA applies to “physical places of public accommodation.”   42 U.S.C. § 12182(a).  Circuit Courts are split over whether the ADA thus applies to websites, with some courts holding that it applies to all websites that offer goods and services to the public, and other courts holding that it only applies to websites with a nexus to a physical location open to the public.

In its Domino’s decision, the Ninth Circuit  continued to follow the rule it had established in prior cases – that a public accommodation under Title III must be or have a connection to a physical location – “reinforcing the existing circuit split.”  (Petition at 16.)  Domino’s urges the

Nevada Beats California to the Punch — New Privacy Requirements To Take Effect in October

June 13, 2019

Categories

On May 29, 2019, Nevada adopted Senate Bill No. 220 emulating portions of the California Consumer Protection Act (“CCPA”) with respect to permitting individuals to opt out of the sale of their personal information.  While Nevada may be the second state to pass legislation on the sale of personal information, its bill will be the first to go into force.  SB 220 goes into effect October 1, 2019, before the CCPA’s current compliance deadline of January 1, 2020.

The net result is that companies that thought they had until the end of the year (or until the California Attorney General could bring an enforcement action in July of 2020) to fully comply with the opt-out-of-sale portion of the CCPA, may need to address the issue now in order to meet Nevada’s October deadline.

While the Nevada law does not expressly require notice to individuals of this right in the privacy policy like the CCPA, it does require companies establish a “designated address” to receive requests from individuals not to sell their personal information. The “designated address” is an email address, toll-free phone number, or internet website. The bottom line: companies should review their practices concerning the sale of personal information and consider revising  their privacy policies before October to comply with the new Nevada law.

Although Senate Bill No. 220 incorporates the CCPA’s concept of permitting consumers to object to the sale of their information, it does not adopt any other concepts from the CCPA.  In addition, it avoids many of the drafting

New York District Court Addresses Mootness Argument in Website Accessibility Case

As businesses continue to face lawsuits and demand letters alleging that their websites are inaccessible to blind and deaf patrons in violation of the Americans with Disabilities Act (“ADA”), courts across the country continue to weigh in on the issue.  On Tuesday, June 4, 2019, the United States District Court for the Southern District of New York issued a decision in Diaz v. The Kroger Co. – holding that the Court lacked both subject matter and personal jurisdiction over the case because the complaint had been rendered moot by modifications defendant made to the website and because the defendant did not sell goods or services in New York.  Diaz v. The Kroger Co., Case No. 18-cv-07953, Opinion and Order [Dkt. No. 35]. 

In Diaz, the plaintiff, a visually-impaired and legally blind individual who resides in the Bronx, New York, alleged that the website of defendant Kroger, a supermarket chain with its principal place of business in Cincinnati, Ohio, denied equal access to blind customers.  Kroger moved to dismiss the complaint on two grounds:  (1) for lack of subject matter jurisdiction because it remedied the barriers to access to its website, and (2) for lack of personal jurisdiction because it does not conduct business in New York.  The Court granted Kroger’s motion to dismiss on both grounds.

In granting Kroger’s motion to dismiss for lack of subject matter jurisdiction, the Court noted that the facts of the case were different from other cases where courts found, “on the facts of those

APIs Have Broad Applications, From E-Commerce to Payroll Management

June 3, 2019

Categories

This post is the second in a two-part series concerning emerging uses and considerations involving application programming interfaces, or “APIs.”    

Most retailers and other large and mid-size businesses, and even some small businesses, utilize public APIs:

  • Businesses who vet their employees against a government database may be doing so through an API.
  • Businesses that rely on vendors to provide data or electronic services (such as HR and payroll management) may be receiving them through APIs.
  • Businesses that maintain databases associated with their website or applications, likely communicate with that database through an API.
  • Businesses that provide electronic data or electronic services are likely doing so through an API.  When the API license is presented as a take-it-or-leave-it agreement, the terms are often written to protect the provider from any liability for an offering from which the provider derives no direct financial benefit.

Still, regardless as to whether the license is free, prospective business licensees need to consider at least the following:

  • The use of most public APIs is contingent upon the user’s agreeing to the distributor’s contractual requirements. APIs made available for free may be provided pursuant to “licenses” or may alternatively be provided pursuant to a “terms of use” that sets forth the conditions under which use is permitted. Under either approach, if the user refuses to accept the terms, then use is barred. APIs made available for a fee may also be styled as a “terms of use” but commonly have “license” or “service”

Retailers Should Consider Whether Behavioral Advertising Is Sale of Information Under CCPA

May 17, 2019

Categories

The California Consumer Privacy Act (“CCPA”) was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff’s friendly ballot initiative.  Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing here a multi-part series that discusses the questions most frequently asked by retailers concerning the CCPA

Q. If a website participates in behavioral advertising, does the CCPA require that it disclose that it is “selling” consumers’ information?

The California CCPA requires that a business that “sells” personal information disclose within its privacy policy a “list of the categories of personal information it has sold about consumers in the preceding 12 months.”  CCPA, § 1798.130(A)(5)(C)(i).  The CCPA broadly defines the term “sell” as including the act of “disclosing” or “making available” personal information “for monetary or other valuable consideration.”  CCPA Section 1798.140(t)(1).  “Personal information” is also defined broadly as including any information that “could reasonably be linked, directly or indirectly, with a particular consumer or household” such as, in certain instances, IP addresses, unique online identifiers, browsing history, search history and “information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.”  CCPA, Section 1798.140(o)(1)(A), (F).

Many companies – particularly online retailers – participate

Retailers Should Consider Potential Rewards and Risks of Using APIs

May 14, 2019

Categories

Application programming interfaces, or “APIs,” have become a critical part of ecommerce, and retailers are increasingly finding new and creative ways to use APIs to enhance their offerings and their business.  For example, Kroger deploys an API with information about its groceries, locations, coupons, and loyalty programs.  BestBuy similarly offers APIs to third parties, including one for recommended purchases.  LensCrafters, Williams-Sonoma, and other retailers have further deployed APIs to expand consumer access to their information.  Still, many other retailers are connecting to PayPal and other fintech companies to provide multiple secure checkout options.

This post is the first in a two-part series concerning emerging uses and considerations involving APIs.

The provision of public APIs has exploded in recent years amid ecommerce. More than 60 percent of eBay listings are added via API.  At least 50 percent of Salesforce transactions are via APIs.  Ecommerce service companies Shopify ($25B) and Twilio ($15B) have exploded to multibillion dollar market valuations, in part, through providing APIs to retailers.

Without APIs, a third-party developer could theoretically create a bot to visit these retailers’ websites and “scrape” key information, but such an approach is less effective than an API. First, through an API, the provider controls what third parties access, while “scraping” raises copyright risks. See, e.g., Ticketmaster L.L.C. v. RMG Technologies, Inc., 507 F. Supp. 2d 1096 (C.D. Cal. 2007) (granting injunctive relief on grounds that defendant infringed copyright and terms of use through automated screen-scraping of Ticketmaster’s site in order to facilitate

New California Law Requires Collection of Sales Tax From Third-Party Online Retailers

April 26, 2019

Categories

Under a new California law signed by Governor Gavin Newsom on Thursday, out-of-state online retailers that make more than $500,000 from California sales must collect sales tax from their California customers.

Although the largest online retailers already collect California sales tax, smaller retailers that sell through the sites have not paid state taxes until recently.  The new law clarifies that online sales platforms must collect tax for products sold on their websites even if they come from so-called third-party retailers, but provides an exemption for out-of-state retailers that make less than $500,000 from California sales.

As we previously reported, the U.S. Supreme Court held in South Dakota v. Wayfair that states can tax purchases from out-of-state sellers.  After that ruling, numerous states, including California, took steps to begin collecting sales tax from out-of-state retailers.

On April 1, California started requiring out-of-state retailers to register with the state and begin charging customers sales tax.  That policy applied to retailers making more than 200 transactions or $100,000 in California sales. Worried that would harm small businesses, state lawmakers fast-tracked a bill to raise the cap to $500,000, and Governor Newsom signed it into law Thursday.

The new law, AB147, also codifies California’s new policies for larger online retailers, which state lawmakers argued had an unfair advantage over in-state businesses who already had to tax California customers.

“This new law will close this major loophole by mandating that all online retailers collect and remit all the state and local sales taxes due

CPSC Notifies Consumer Product Manufacturers of Possible Data Breach of Safety Information

A number of retailers and manufacturers have recently received notices from the U.S. Consumer Product Safety Commission concerning a possible data breach. The CPSC’s letter advises recipients of an unauthorized release of confidential information that did not go through the procedures of 15 U.S.C. § 2055, also known as “Section 6(b)” of the Consumer Product Safety Act (CPSA).

Section 6(b) is intended to encourage candor between the CPSC and regulated companies, by assuring that sensitive information will be handled under procedures intended to ensure the accuracy and fairness of any disclosure.  Section 6(b) restricts the CPSC’s public disclosure of manufacturer and product specific information, and applies to information from which the public can readily determine the identity of a manufacturer.

The breach appears to concern a mass inadvertent disclosure of nonpublic manufacturer and product specific information.  It appears the information could have been released months ago, but the CPSC only recently discovered the issue.  Based on the type of information retained by the CPSC, the disclosed information likely involves safety incidents specific to manufacturers and private labelers of consumer products.

The letter from the CPSC’s Office of General Counsel states:  “[W]e recently discovered that nonpublic information identifying your company by name along with product model name and/or model number was released in error to the public without following the procedures in 15 U.S.C. § 2055.”

The CPSC also has sent a letter to recipients of the disclosed information, demanding that they return the information, or destroy it and certify destruction.  The

Labor Department Proposes Changes to Minimum Salary for Overtime Exemptions

March 14, 2019

Categories

The United States Department of Labor has issued a notice of proposed rulemaking that would change the minimum salary levels necessary for an employee to be properly classified as exempt from the overtime compensation requirements of the Fair Labor Standards Act.  Under the proposed rule, the minimum salary for most exemptions would rise from $455 per week ($23,660 annualized) to $679 per week ($35,308 annualized).  The minimum annual compensation for the “highly compensated employee” exemption would rise from $100,000 to $147,414.

For employees in the executive, administrative and professional exemptions, the proposed rule would permit nondiscretionary bonuses and incentive payments (including commissions) to satisfy up to ten percent (10%) of the required minimum salary.  In addition, provided that the employee has received at least ninety percent (90%) of the required minimum compensation in each payroll week for 52 weeks, the employer would be permitted to make a single “catch-up” payment within one pay period after the end of the 52-week period, in order to bring the employee’s compensation to the required level.

For “highly compensated employees,” the proposed rule would require that ten percent (10%) of the minimum annual compensation be paid in the form of a weekly salary, but the remainder could be paid in the form of nondiscretionary bonuses and incentive payments.  In addition, the rule would also permit a “catch-up” payment as described above.

The proposed rule would formally rescind the Obama-era rule proposed in 2016, which was blocked by permanent injunction before it could take effect. 

USDA and FDA to Jointly Regulate Cell-Cultured Food Products

March 11, 2019

Categories

The U.S. Department of Health and Human Services’ Food and Drug Administration (“FDA”) and the U.S. Department of Agriculture’s Food Safety and Inspection Service (“FSIS”) formally agreed on March 7 to share regulatory authority over cell-cultured meat products (“CCM”) derived from livestock or poultry.

As we previously reported, regulatory authority over CCM has been a much contested issue. FSIS purports to have jurisdiction over CCM under the Federal Meat Inspection Act (“FMIA”), while FDA purports to have jurisdiction under the Federal Food, Drug, and Cosmetic Act (“FFDCA”). Instead of battling over jurisdiction, the agencies have decided to collaborate – both will have oversight but at different stages of production. Essentially, FDA will oversee the initial stages of production, while FSIS will take on authority during cell harvesting.

While the details have yet to be refined, the agreement broadly allocates the agencies’ respective roles and responsibilities as follows:

FDA

  • Oversee initial cell collection and the development and maintenance of cell banks
  • Oversee proliferation and differentiation of cells through time of harvest
  • Develop additional requirements for cell bank conditions and processes
  • Conduct inspections of cell banks and take enforcement action if necessary to ensure compliance with FDA’s laws and regulations
  • At harvest, help coordinate transfer of oversight to FSIS and share information with FSIS

FSIS

  • At harvest, help coordinate transfer of oversight from FDA and review information from FDA
  • Require establishments that harvest cells to obtain a grant of inspection
  • Conduct inspections in establishments where cells

Retailers Should Consider Impact of California Consumer Privacy Act on Employee Data

Retailers and other employers with operations in California should be aware of the potential application of the California Consumer Privacy Act (“CCPA”) to data collected about California employees.  Although the CCPA refers to “consumers,” as currently drafted the CCPA’s definition of a “consumer” also will apply to California-based employees.

As we previously reported, the CCPA grants consumers various rights with regard to their personal information held by businesses.  This is part of a multi-part series addressing frequently asked questions concerning the CCPA.

Which employers will have to comply with the CCPA?

Employers with employees in California will need to comply with the CCPA if their business falls into one of the following three categories:

  • Their business buys, sells, or shares the “personal information” of 50,000 “consumers” or “devices”;
  • Their business has gross revenue greater than $25 million; or
  • Their business derives 50% or more of its annual revenue from sharing personal information.
  • What are the key implications of having to comply with the CCPA?

    Employers who have to comply with the CCPA will be subject to the CCPA’s:

  • Expansive definition of “personal information”;
  • New notice requirements for California-based employees, which notices describe the employer’s collection of and use and disclosure of personal information;
  • New data privacy rights for California-based employees, including the right to access, delete, and opt out of the “sale” of personal information;
  • Special rules for the collection and use of personal information of minors;
  • Requirement to implement appropriate and reasonable security practices and procedures;
  • Enforcement provisions, including
  • Avoiding the California Consumer Privacy Act Litigation Tsunami: What Does it Mean to “Do Business” in California?

    February 14, 2019

    Categories

    Companies that do business in California know that it is a magnet for class action litigation.  The California Consumer Privacy Act (“CCPA”), a new privacy law that applies to data collected about California residents, will provide even more incentive to plaintiff’s attorneys to bring suit in California.

    The CCPA was enacted in early 2018 as a political compromise to stave off a poorly drafted ballot initiative.  Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).  To help address that confusion, BCLP is publishing a multi-part series to address the most frequently asked litigation-related questions concerning the CCPA.  BCLP is also working with clients to assess – and mitigate – litigation risks for when the CCPA goes into effect by putting in place the policies, procedures, and protocols needed to comply with the Act.

    Q. What does it mean to “do business” in California?

    The CCPA purports to apply to any for-profit legal entity that “does business in the State of California” and satisfies one of three thresholds:

  • Has annual gross revenue in excess of $25 million.
  • Purchases, receives for commercial purposes, sells, or shares for commercial purposes, personal information of 50,000 or more consumers, or
  • Derives 50% of its annual revenue from selling consumer personal information.1
  • For companies doing substantial business in California, determining whether they must

    Bioengineered Food Disclosure Rules Finalized, Require Disclosure of “Detectable” GMOs

    On December 21, 2018, the U.S. Department of Agriculture’s (USDA) Agricultural Marketing Service (AMS) published its final rule implementing the National Bioengineered Food Disclosure Standard (NBFDS) signed into law by President Obama in 2016.   The NBFDS preempted state and local genetic engineering labeling requirements and charged AMS with developing a national mandatory standard for disclosing the presence of bioengineered (BE) food.  The rule takes effect on February 19, 2019, and implementation will be phased in over the next three years.

    As we previously reported, the NBDS requires food manufacturers, importers of food labeled for retail sale in the U.S. and some U.S. retailers to disclose foods and ingredients produced from foods that are or may be bioengineered.  The final rule defines “bioengineered food” as any food that “contains genetic material that has been modified through in vitro recombinant deoxyribonucleic acid (DNA) techniques and for which the modification could not otherwise be obtained through conventional breeding or found in nature,” and excludes any genetically modified material that is “not detectable.”  Non-detectable amounts of modified genetic material do not require BE labeling

    Disclosure can be through text, a symbol, electronic or digital link, or text message, as follows:

    • Text: Entities can state “bioengineered food” or “contains a bioengineered food ingredient” for multi-ingredient food.
    • Symbol: Entities can use a variation of the following symbol, which incorporates the word “bioengineered” and can be used in either color or black and white:

    Public Forums Underway in California Consumer Privacy Act Rulemaking

    January 14, 2019

    Categories

    The California Consumer Privacy Act (“CCPA”), was passed last summer as a compromise to avoid a highly restrictive privacy regime slated to appear on the November 2018 ballot in California.  Amidst much controversy and debate, the California Attorney General’s Office is set to draft implementing regulations for the new law.  As part of that process, six public rulemaking workshops have been scheduled for the public to provide comments and voice concerns.  The first  took place on January 8, 2019 in San Francisco and was attended by a cross-section of trade associations and privacy advocacy groups.  Although the public comments covered a variety of topics, a few themes emerged:

    • Industry groups want to more closely align the CCPA’s provisions with other privacy regulations such as the European Union’s General Data Protection Regulation (“GDPR”). Many businesses have already undertaken the Herculean task of coming into compliance with the EU law.  They propose establishing a safe harbor under the CCPA for businesses that are GDPR compliant.
    • Several comments were directed to one of the more controversial provisions of the CCPA – the “right to equal service and price,” which refers to the CCPA’s prohibition against discriminating against consumers who exercise their rights under the CCPA not to provide personal information. This anti-discrimination provision does, however, allow businesses to offer different prices or levels of service if the difference is “reasonably related to the value provided to the consumer by the consumer’s data.”  Several parties commented that the phrase “the value provided to

    California Court Grants Nonsuit in Website Accessibility Trial

    A California court has dismissed a website accessibility case shortly after commencing trial, issuing a sua sponte nonsuit on grounds that the defendant credit union’s website is not subject to the ADA.

    Martinez v. San Diego Credit Union, San Diego Superior Court Case No. 37-2017-00024673, would have been the only known website accessibility lawsuit to go to trial in the state of California. Instead, after commencing trial, the Court ordered the parties to submit trial briefs, inquired whether the parties would object to the Court issuing a sua sponte ruling at the outset of the case, and then granted the nonsuit.  In so ruling, the Court advised the parties that it agreed with the defendant credit union’s position that the complaint failed to state facts sufficient to constitute a cause of action, and that it wished to save plaintiff’s counsel the expense of flying its expert witness from the East Coast.

    Plaintiff had alleged violation of California’s Unruh Act, which incorporates Title III of the Americans with Disabilities Act (“ADA”). Title III provides that:

    “No individual shall be discriminated against on the basis of disability in the full and equal enjoyment of goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation by any person who owns, leases (or leases to), or operates a place of public accommodation.”

    42 U.S.C. § 12182(a). Title III defines the term “public accommodation” by listing twelve specific categories of private businesses that are covered.  42 U.S.C. § 12181(7).

    The implementing regulations

    The attorneys of Bryan Cave Leighton Paisner make this site available to you only for the educational purposes of imparting general information and a general understanding of the law. This site does not offer specific legal advice. Your use of this site does not create an attorney-client relationship between you and Bryan Cave LLP or any of its attorneys. Do not use this site as a substitute for specific legal advice from a licensed attorney. Much of the information on this site is based upon preliminary discussions in the absence of definitive advice or policy statements and therefore may change as soon as more definitive advice is available. Please review our full disclaimer.