Bryan Cave Leighton Paisner Retail Blog

Retail Law


Main Content

California Adopts New Prop. 65 Warning Regulations

California’s Office of Environmental Health Hazard Assessment (OEHHA) has adopted new Proposition 65 warning regulations.  The new regulations will take effect in two years, on August 30, 2018.  In the interim, businesses may choose to comply with either the current or new regulations.

Prop. 65 prohibits businesses from knowingly and intentionally exposing California consumers to a chemical known to the state of California to cause cancer or reproductive harm without first providing a “clear and reasonable warning.”  As we reported on a draft of the regulations in April 2016, the new regulations substantially change what constitutes a clear and reasonable warning.

Products with label warnings manufactured prior to the effective date of the new regulations would continue to receive protection from liability. Parties to existing settlement agreements or court-approved consent judgments also can continue to provide warnings that comply with those agreements or orders.

Regulations Seek to Reduce Burden on Retailers

The new regulations seek to put the primary responsibility for providing warnings on product manufacturers or suppliers, who must either label their products with any required warnings or provide notice and warning materials to retailers. The manufacturer or supplier must specifically identify the product requiring a warning, provide all necessary warning materials, receive written or electronic confirmation of receipt from the retailer’s authorized agent, and renew the notice every six months for the first year and annually thereafter.  The manufacturer or other supplier of a product must notify a retailer within 90 days if a new

Online Seller Wins Dismissal of RICO Claims in Counterfeiting Action by Fashion Retailers

A New York federal court recently held that defendant Alibaba Group Holding Ltd. (“Alibaba”), which is notorious for allegedly enabling the sale of counterfeit products, did not violate federal racketeering law by selling allegedly counterfeit products on its e-commerce venues.

Alibaba owns and operates the popular shopping sites,, and, and generated $248 billion in gross merchandise volume in 2014 – more than Amazon and eBay combined. Luxury fashion retailers, including Gucci and Yves Saint Laurent, filed suit against Alibabi and seven other corporate entities that had roles in online platforms through which Chinese merchants could connect with consumers worldwide.

The lawsuit alleges that fourteen Chinese merchants, also named as defendants, sold counterfeit products bearing plaintiffs’ marks in the Alibaba marketplaces. It further alleges that the Alibaba defendants provided the online marketing, data collection, payment processing, financing, and shipping services necessary to sell the products, even though they knew or should have known that the merchant defendants were selling counterfeit goods.

On August 4, 2016, the U.S. District Court for the Southern District of New York granted the Alibaba defendants’ motion to dismiss two claims asserted against them under the Racketeer Influenced and Corrupt Organizations Act, 18 U.S.C. §1961 et seq. (“RICO”).

Plaintiffs’ first RICO claim was a substantive RICO claim brought pursuant to Section 1962(c), which makes it “unlawful for any person employed by or associated with any enterprise engaged in…interstate or foreign commerce, to conduct or participate, directly or indirectly, in the conduct of such enterprise’s

Receipt With Credit Card Data Constitutes Sufficient Injury for Class Action to Proceed

A recent federal court ruling allows a class action lawsuit to proceed against luxury fashion retailer Jimmy Choo for violating the Fair and Accurate Credit Transactions Act of 2003 (FACTA).  This ruling, which will likely be appealed, has important implications for other consumer class action lawsuits against retailers.

Jimmy Choo was accused of violating FACTA by printing credit card expiration dates on customer receipts in Wood v. J Choo USA, Inc., S.D. Fla. Case No. 15-cv-81487.  Jimmy Choo argued that the plaintiff had no standing to sue because she was not damaged when the retailer printed her credit card expiration date on her receipt. The court disagreed, holding that the consumer was sufficiently damaged to maintain the action as soon as soon as the receipt was printed.

Companies facing lawsuits alleging FACTA violations should be aware that although the U.S. Supreme Court held in Spokeo Inc. v. Robins, 136 S. Ct. 1540 (2016), that a plaintiff must show that an injury was both “concrete and particularized” and cannot rely on a procedural violation to allege injury in fact, there are instances where an injury may exist solely by virtue of a breach of a statutory prohibition.

Judge Beth Bloom of the U.S. District Court for the Southern District of Florida said that in certain circumstances—such as in this case involving Jimmy Choo—“the violation of a procedural right granted by statute” is sufficient to constitute injury for purposes of standing.

FACTA prohibits businesses from printing more than the

FDA Releases Final Rule Allowing Voluntary Risk Reviews of Food Additives to Continue

The Food and Drug Administration (FDA) says its final rule allowing outside groups to evaluate food additive risks will streamline its “Generally Recognized as Safe” (GRAS) reviews.

The agency recently released its GRAS final rule for its food additive program, switching reviews from a more formal but slower “petition-based” process to a voluntary “notification” process.  For retailers with private label food products, that means that they or their vendors can continue to convene their own expert panels to review the safety of many food additives, and provide notice of their findings to the FDA.

Under the federal Food, Drug and Cosmetic Act (FD&C Act), any substance that is intentionally added to food is a food additive that is subject to premarket review and approval by FDA, unless the substance is generally recognized, among qualified experts, as having been adequately shown to be safe under the conditions of its intended use, or unless the use of the substance is otherwise excepted from the definition of a food additive.

The use of a food substance may be GRAS either through scientific procedures or, for a substance used in food before 1958, through experience based on common use in food, which requires a substantial history of consumption for food use by a significant number of consumers.

Rule adopts pilot voluntary notification program.

The FDA’s rule implements as final a pilot notification program under which food makers can convene their own expert panels to prepare GRAS reviews and provide notice to the

New Federal Law Will Require Disclosure of GMO Content in Food

A new federal law will require food makers to disclose when foods contain genetically modified ingredients.

The law, which was recently signed by President Obama, will require such food products to be labeled with text, a symbol, or an electronic code readable by smartphone indicating the presence of GMOs. Small businesses will also have the option to label food products with a telephone number or Internet website directing customers to additional information.

The U.S. Department of Agriculture (USDA) has two years to draft regulations concerning which products require such disclosure, and additional details concerning what food makers must do to comply. After the regulations are finalized, food makers will have at least another year before the law takes effect.

Law preempts state and local GMO labeling laws.

The federal law preempts a similar Vermont law, Act 120, that took effect in July, as well as any other state or local GMO disclosure laws. The Vermont Attorney General’s office has announced it will suspend enforcement of Act 120.

Critics of the federal law, including Vermont’s congressional delegation, argued that it falls short compared with Vermont’s tougher labeling law requiring all foods with GMO ingredients to be labeled “produced with genetic engineering.”

Supporters of the federal law, including many in the food industry, say it avoids a state-by-state patchwork of laws in favor of a national disclosure solution.

Law will be federally enforced, but may fuel private lawsuits.

The law will be administered and enforced by the federal government, through the USDA.

FAA Regulations Clear Way for Delivery Drones

August 9, 2016


FAA Regulations Clear Way for Delivery Drones

August 9, 2016

Authored by: BCLP and Flora Sarder

The Federal Aviation Administration (FAA) has finalized its regulations concerning operational drones, allowing retailers to start using drone delivery systems.

In making drones available for retail delivery use, the FAA has carved out a space for drones to operate without becoming an “air carrier” under federal law regulating air transportation.

As a result, drones can now be used to deliver cargo in the mainland United States, except in Washington D.C., or any U.S. territory if the cargo weighs less than a total of 55 pounds, the flight is conducted from the remote pilot’s visual line of sight, the drones fly a maximum speed of 100 mph, and gain a maximum of 400 feet.

The much anticipated drone regulations bode well for retailers and manufacturers making their way into the drone delivery space.  Just a couple of months ago, Switzerland’s postal service began testing out drone deliveries with Matternet, a company dedicated to creating and mastering drone delivery systems.

In the United States, Amazon has eagerly been preparing for favorable regulations to allow room for Amazon PrimeAir, a delivery system designed to get to customers in 30 minutes or less.

Drones must be flown by remote pilots during daylight hours

Before retailers can start operating delivery drones, the new FAA regulations require that there must be a remote pilot who holds a remote pilot certificate and conducts a pre-flight check before each flight.  The drone must remain in the pilot’s visual line of sight so that it can be readily seen without

New Colorado Laws Grant Employees Access to Personnel Files, Right to Pregnancy Accommodations

The Colorado General Assembly ended the 2016 session by passing significant employment legislation. In June 2016, Colorado Governor John Hickenlooper signed into law House Bill 16-1432, granting employees access to personnel files upon request, and House Bill 16-1438 expanding protections for pregnant employees. All Colorado employers should familiarize themselves with these new laws and update related policies before they take effect.


House Bill 16-1432 grants current and former employees the right to access their personnel files upon request. When the Act takes effect, likely on January 1, 2017, the provisions will be found at C.R.S. § 8-2-129.


This new law provides current and former employees access to their personnel files and allows current employees to obtain a copy of their personnel files.

Defining “Personnel Files”

The Act defines personnel files as “the personnel records of an employee, in the manner maintained by the employer and using reasonable efforts by the employer to collect, that are used or have been used to determine the employee’s qualifications for employment, promotion, additional compensation, or employment termination or other disciplinary action.”  H.B. 16-1432, § 2.

The Act excludes the following documents from the definition of personnel files:

  • Documents required by state or federal law to be kept in separate files;
  • Confidential reports from previous employers;
  • Documents relating to active criminal or regulatory investigations;
  • Documents relating to active disciplinary investigations by the employer; and
  • Documents or records that identify an individual who made a confidential accusation about the employee requesting access to the files.

Personal Care Product Companies Targeted for “All-Natural” Claims

July 18, 2016


The Federal Trade Commission (“FTC”) has approved four final consent orders against companies that allegedly misrepresented their personal care products as “All-Natural” or “100% Natural.”

In the past several years, numerous private lawsuits have been filed by consumers, particularly in California, alleging that food products labeled and advertised as “natural” violate false advertising laws. The FTC orders demonstrate that other products may be at risk for such claims as well.

The FTC has authority for enforcing the Federal Trade Commission Act, which broadly prohibits “unfair or deceptive acts or practices.” The FTC views labels and ads as deceptive if there is a material misrepresentation or omission that is likely to mislead consumers and affect their choices regarding a product.

The FTC complaints allege the following companies made deceptive all-natural claims in labeling and advertising a variety of personal care products, ranging from sunscreen to shampoo: Trans-India Products, Inc., doing business as ShiKai; Erickson Marketing Group, doing business as Rocky Mountain Sunscreen; ABS Consumer Products, LLC, doing business as EDEN BodyWorks; and Beyond Coastal. The complaints allege that the products were labeled and advertised as being “Natural,” but contain synthetic ingredients such as phenoxyethanol, dimethicone, and polyethylene.

A complaint against a fifth company, California Naturel, Inc., just entered litigation. The FTC complaint alleges that the company labeled and advertised a sunscreen as “all natural” when it contains dimethicone.

The orders prohibit the companies from misrepresenting that a product is all-natural or 100% natural. In addition, they cannot misstate the extent to

Does Your Organization Collect Geo-Location Information?

July 14, 2016


Smartphones, smartphone apps, websites, and other connected devices (e.g.,“wearables”) increasingly request that consumers provide their geo-location information.  Geo-location information can refer to general information about a consumer’s location, such as his or her city, state, zip code, or precise information that pinpoints the consumer’s location to within a few feet, such as his or her GPS coordinates.

Organizations request geo-location information for a variety of reasons.  For example, many apps – such as transportation or delivery services – require geo-location in order to provide services that are requested by the consumer.  Other apps – such as mapping programs, coupon programs, or weather programs – require geo-location information in order to provide consumers with useful information.  Because such information has become intertwined, in many cases, with products and services, some organizations require the user to “Accept” or ‘“Agree”’ to the collection of geo-location information as a condition to using a device, application, or website.

Although there is currently no federal statute that expressly regulates the use, collection, or sharing of geo-location data, the FTC has taken the position that precise geo-location information is a form of “sensitive” personal information and has suggested that a failure to reasonably secure such information, or a failure to adequately disclose the collection or sharing of such information, may violate the FTCA’s general prohibition against unfair or deceptive practices.1  In addition, Congress and state legislatures have considered several proposals that would expressly regulate the data.

What to consider if your organization collects geo-location information:

  • What is the
  • California Proposition 65 Notices Allege BPA in Receipts, Water Cooler Jugs

    July 11, 2016


    Since the Prop. 65 warning requirement for bisphenol-A (BPA) took effect on May 11, 2016, two 60-day notices have been served alleging harmful exposure to the chemical without providing a warning. Those notices, both served by the Center for Environmental Health (CEH) on June 27, 2016, allege the presence of BPA in receipt paper and polycarbonate plastic water containers used for water coolers.

    The receipt paper notices were served against Del Taco and Grewal Superfoods Inc., and the water jug notice was served against Home Depot and DS Services of America, Inc.

    BPA is listed under Prop. 65 as a chemical known to cause harm to the female reproductive system. OEHHA recently adopted a safe harbor exposure level for BPA, for dermal exposure from solid materials, of 3 micrograms per day. Exposure below this level does not require a warning. The safe harbor level would apply to BPA in receipt paper.   It would not necessarily apply to exposure through ingestion of any BPA that may leach into water, food or beverages.

    OEHHA has adopted an emergency regulation authorizing temporary point-of-sale warnings for exposure to BPA from canned and bottled food and beverages, since BPA is widely used in the epoxy linings of such products. That regulation is expected to remain in effect for more than a year in order to allow manufacturers time to find and implement alternatives to BPA.

    The FDA Dishes Out Food Label Changes

    The current food label will soon be no more. After two decades, the Food and Drug Administration (FDA) just finalized the new Nutrition Facts label for packaged foods. Making it easier for consumers to make better informed food choices, the FDA announced that the changes are based a combination of public input, updated scientific information, new nutrition and public health research, and more recent dietary recommendations from expert groups.

    Highlights of the changes include:

    The Refreshed Label 

    • While the label’s appearance will generally remain the same, to highlight certain information the new label includes changes such as increasing the type size for “Calories,” “Servings per Container,” and the “Serving Size” declaration, and bolding the number of calories and the “Serving Size” declaration to highlight this information.
    • In addition to percent Daily Value of vitamin D, calcium, iron and potassium, manufacturers must declare the actual amount. For other vitamins and minerals, manufacturers can voluntarily declare the gram amount.
    • To better explain the meaning of Daily Value, the footnote is being changed to read: “*The % Daily Value tells you how much a nutrient in a serving of food contributes to a daily diet. 2,000 calories a day is used for general nutrition advice.”

    New Nutrition Science Information 

    • “Added sugars,” in grams and as percent Daily Value, will be included on the label.
    • The FDA updated the list of nutrients required or permitted to be declared and now requires that vitamin D and potassium are included on the label.

    The Top Three Privacy Takeaways of the New Delaware Online Privacy and Protection Act

    June 27, 2016


    Delaware’s New Privacy Policy Requirements

    Effective January 1, 2016, Delaware became the second state in the U.S., joining California, to require operators of commercial websites that collect personally identifiable information to post online privacy policies. The Delaware Online Privacy and Protection Act (DOPPA) applies to anyone who operates a “commercial internet website, online or cloud computing service, online application, or mobile application.”

    Before this Delaware law was passed, California was the only state to have enacted a law requiring operators to post a privacy policy.  See Cal. Bus. & Prof. Code §§ 22575-11579. As a result, most privacy policies were developed according to the California requirements. California’s law applies to an operator of a commercial website or online service. On October 30, 2012, the California Attorney General announced in a press release that it considers mobile apps to be a form of “online service,” thus making California’s privacy policy requirements applicable to mobile apps. Delaware’s law codifies the understanding that privacy policy laws apply to mobile apps. Given that 40% of top selling mobile apps still do not have a privacy policy, Delaware’s new law could provide the needed certainty to many companies. Companies should review their privacy policies to ensure they meet Delaware’s new requirements.

    Top Three Differences between California and Delaware Privacy Policy Laws

  • Persons protected: a.California: Protects “consumers,” defined as any individual who seeks or acquires, by purchase or lease, any goods, services, money, or credit for personal, family, or household purposes. b. Delaware: Protects “users,”
  • California May Collect Certain Information from Businesses to Support Its New Proposition 65 Website

    June 23, 2016


    California’s Office of Environmental Health Hazard Assessment (OEHHA) has launched a website,, intended to provide both businesses and consumers with information regarding the requirements for Proposition 65 warnings.

    The website provides information regarding listed chemicals, including when they were listed, the basis for listing, and whether they are listed as a carcinogen or as causing reproductive harm.  The website also identifies products and places that require a specific Prop. 65 warning under the new regulations being considered by OEHHA, such as alcoholic beverages, furniture products, amusement parks, and dental offices.  It provides the current language for the current Prop. 65 warning for those products as well as the newly proposed language.  It also provides information about the types of listed chemicals likely to be found in those products, the likely routes and levels of exposure, and ways to reduce that exposure.

    In order to develop information for the website, OEHHA can request information from businesses concerning the Prop. 65 warnings they provide.  See 27 CCR 25205.  Within 90 days of receiving such a request, businesses must provide information concerning the manufacturer of a product, the type and concentration level of a listed chemical for which a warning is being provided, where the chemical is found within the product, the anticipated routes and level of exposure, and other relevant information.

    Businesses do not need to conduct any additional tests or analysis in order to respond to OEHHA’s request, and may respond that the requested information is

    What to Consider When Drafting or Reviewing a Privacy Policy

    June 20, 2016


    Although financial institutions, health care providers, and websites directed to children are required to create consumer privacy policies under federal law, other types of websites are not.  In 2003, California became the first state to impose a general requirement that most websites post a privacy policy.  Under the California Online Privacy Protection Act (“CalOPPA”), all websites that collect personal information about state residents must post an online privacy policy if the information is collected for the purpose of providing goods or services for personal, family, or household purposes.  Since the passage of the CalOPPA, most websites that collect information – whether or not they are directed at California residents or are otherwise subject to the CalOPPA – have chosen to post an online privacy policy.

    What to think about when drafting or reviewing a privacy policy:

  • Is your organization subject to a federal law that requires that a privacy policy take a particular form, or include particular information?
  • Does the privacy policy describe the main ways in which your organization collects information?
  • Does the privacy policy describe the ways in which your organization shares information with third parties?
  • Does the privacy policy discuss data security? If so, is the level of security indicated appropriate?
  • Would the privacy policy interfere with a possible merger, acquisition, or sale of your organization’s assets?
  • Would the privacy policy interfere with future ways in which your organization may want to monetize data?
  • Does the privacy policy use terms that might be misunderstood
  • The DOL’s New FMLA Poster – Does It Impact Your FMLA Policy?

    By now, you’re likely aware (and if you’re not, you should be) that, in April, the U.S. Department of Labor (“DOL”) issued a new “Employee Rights Under The Family And Medical Leave Act” poster, to replace the prior poster on this subject.

    The DOL has made clear that the old poster (revised Feb. 2013) is still sufficient – until further notice – to meet the posting requirement under the FMLA regulations. Thus, you’ve probably already given some thought as to whether and when to proceed with updating your posters.

    As you consider this step, however, have you also considered whether the new poster impacts your policy?

    The FMLA regulations provide that, if an FMLA-covered employer has any FMLA-eligible employees, and if the employer has a written policy on the subject of leave/benefits, then the employer must ensure that its policy contains the same information that is in the FMLA poster. (The notice requirements are discussed at pp. 12-13 of the helpful new publication from the DOL, “The Employer’s Guide to The Family and Medical Leave Act”.)

    Accordingly, now is a good time to review your FMLA policy to ensure that it contains all of the information that is in the new poster. Of course, it is to your benefit to include additional provisions in your policy, such as a prohibition on the misuse of FMLA leave. But at a minimum, all of the information that is in the poster must be included.

    Note that “all” means “all”; your policy must include, for example,

    How to Pass Data Between Retailers to Facilitate Transactions

    June 9, 2016


    Online retailers often learn information about a consumer that may be used to help identify other products, services, or companies that may be of interest to the consumer.  For example, if a consumer purchases an airplane ticket to Washington, D.C., the consumer may want information about hotels, popular restaurants, or amenities at the airport.

    Although online retailers often strive to provide recommendations quickly, and to make a consumer’s transition to a third party retailer seamless, the Restore Online Shoppers’ Confidence Act (“ROSCA”) generally prohibits one online merchant from transferring payment information (e.g., a credit card number) to a second online merchant.

    Below are some questions to consider when evaluating the data privacy issues involved in passing information between online retailers:

  • Are consumers being presented with third party products or services when they visit a retailer’s website?
  • Are consumers being presented with third party products or services immediately after they visit a retailer’s website?
  • Are such items affirmatively selected by the consumer, or added automatically to the consumer’s shopping cart?
  • If the consumer decides to purchase such items, would they likely think that your organization, or the third party, is processing the transaction?
  • Is the total cost of each third party product clearly and conspicuously disclosed?
  • If the consumer indicates that they wish to buy a third party product or service, can the consumer easily change that decision?
  • Is contact information being transferred from one retailer to another?
  • Is payment information being transferred from one retailer to another?
  • Is the third
  • The attorneys of Bryan Cave Leighton Paisner make this site available to you only for the educational purposes of imparting general information and a general understanding of the law. This site does not offer specific legal advice. Your use of this site does not create an attorney-client relationship between you and Bryan Cave LLP or any of its attorneys. Do not use this site as a substitute for specific legal advice from a licensed attorney. Much of the information on this site is based upon preliminary discussions in the absence of definitive advice or policy statements and therefore may change as soon as more definitive advice is available. Please review our full disclaimer.