Bryan Cave Retail Blog

EU’s General Data Protection Regulation Takes Effect in May — Are You Compliant?

February 22, 2018


The European Union’s General Data Protection Regulation (“GDPR”), arguably the most comprehensive – and complex – data privacy regulation in the world, goes into force on May 25, 2018. As retailers and other companies prepare, there continues to be a great deal of confusion regarding the requirements of the GDPR.

Data Privacy and Security: A Practical Guide for In-House Counsel

January 26, 2018


Partner David Zetoony published the 2018 edition of his handbook, Data Privacy and Security: A Practical Guide for In-House Counsel, on January 25 – Data Privacy Day. The guide provides an overview of laws relevant to a variety of data matters topics, statistics that illustrate data privacy and security issues, and a breakdown of these data-related issues.

Retailers Should Be Aware of Data Privacy Concerns With Bring Your Own Device Policies

Many retailers permit their employees to use personal mobile devices, such as smartphones and tablets, to access company-specific information, such as email, under a Bring Your Own Device (“BYOD”) policy. BYOD policies can be popular for employees that want to use hand-picked devices and for retailers that want to avoid the cost of providing, and maintaining, company-owned devices. Nonetheless, the use of company data on non-company devices implicates both security and privacy considerations.

A reported 40 percent of companies offer BYOD to all employees, according to a survey by Crowd Research Partners. Security concerns, data leakage, and malware were all listed as top concerns of retailers in allowing BYOD.

Consider the following when deciding upon a BYOD policy:

  • Is the scope of your control over employees’ mobile devices consistent with your company’s interest? Retailers should consider why they have an interest in knowing about their employees’ mobile devices; that

Beware of Making Unsubstantiated Anti-Aging Claims

Manufacturers, distributors, and retailers often tout the anti-aging effects of certain cosmetics and nutritional supplements. Of course, the term “anti-aging” is not intended to literally mean that a product prevents aging. To the contrary, it is understood by both the industry and consumers as describing a product that is designed to mitigate, mask, or soften certain cosmetic indicators that come with age. These typically include wrinkles, discoloration, greying of the hair, or a loss of skin firmness.

Anti-aging litigation has proven popular with the plaintiffs’ bar. In the past five years, there have been at least 31 class action complaints filed alleging deceptive advertising of anti-aging products, and at least 10 enforcement actions brought by the Federal Trade Commission (FTC).

Often such putative class actions allege that advertising which touts a product’s anti-aging properties is deceptive and misleading to consumers. Typically, complaints over anti-aging claims lack affirmative evidence that a

“Made in USA” Claims Can Be Considered Deceptive Unless Substantiated

Although every product (unless excepted) that is imported into the United States must be marked with its country of origin pursuant to Section 304 of the Tariff Act of 1930, most products manufactured domestically are not required to list the United States as the country of origin. However, if manufacturers or retailers do choose to market their products as “Made in the USA,” these claims must be substantiated, or risk being considered deceptive under federal or state law.

On the federal level, the Federal Trade Commission has issued guidelines and considers representations that a product is “Made in the USA” to be deceptive, unless (1) “all or virtually all” of a product’s components are of U.S. origin, and (2) “all or virtually all” processing takes place in the United States. Furthermore, the FTC considers phrases such as “Produced in the USA,” “Built in the USA,” or “Manufactured in

Monitoring Employees’ Email and Internet Use Raises Legal Considerations

Retailers should be aware that federal laws prohibit the interception of another’s electronic communications, but these same laws have multiple exceptions that generally allow employers to monitor employees’ email and internet use on employer-owned equipment or networks.

As a result, under federal law, when retail employees use an organization’s telephone or computer system, monitoring their communications is broadly permissible, though there may be exceptions once the personal nature of a communication is determined. For example, under the National Labor Relations Act, employers cannot electronically spy on certain types of concerted activity by employees about the terms and conditions of employment.

Although monitoring is broadly permitted under federal law, some states, including Connecticut and Delaware, require that employers notify employees that they may be monitored. Even in states that do not require notice, employers often choose to provide notice since employees who know they are being monitored are less likely to

Disclose and Follow Standards for Collection and Sharing of Customers’ Online Behavioral Data

January 31, 2017


Many retailers engage in behavioral advertising, which refers to the use of information to predict the types of products or services of greatest interest to a particular consumer. Online behavioral advertising takes two forms. “First party” behavioral advertising refers to situations in which a website uses information that it obtains when interacting with a visitor. “Third party” behavioral advertising refers to situations in which a company permits others to place tracking cookies on the computers of people who visit the site, so that those individuals can be monitored across a behavioral advertising network.

Two self-regulatory associations – the Network Advertising Initiative (“NAI”) and the Digital Advertising Alliance (“DAA”) – have created standards for companies engaged in third-party online behavioral advertising. They recommend clear, meaningful and prominent disclosure on a retailer’s website that describes its data collection, transfer and use practices. With respect to third-party behavioral advertising, they recommend

Reduce Potential Liability for Data Security Breaches by Negotiating Coverage in Payment Processing Agreements

January 13, 2017


Credit cards are the primary form of payment received by most retailers. In order to process a credit card, a retailer must enter into an agreement with a bank and a payment processor. Payment processing agreements often have significant impacts on a retailer’s financial liability in the event of a data breach. In many cases, the contractual liabilities that flow from a payment processing agreement surpass all other financial liabilities that arise from a data breach, including the cost to investigate an incident, defend litigation, and defend a regulatory investigation.

The following checklist describes common data security related provisions to look for within most payment processing agreements:

  • Incorporation of Payment Brand Rules. Most payment processing agreements incorporate by reference the rules, regulations, and guidelines of the payment brands (American Express, Discover, MasterCard, and/or Visa). When negotiating a payment processing agreement, it is important to determine whether the obligation to abide
What to Look for When Buying Cyber Insurance

October 27, 2016

Authored by: Bryan Cave and David Zetoony

Most retailers know they need insurance to cover risks to their property such as fire or theft, or their risk of liability if someone is injured in the workplace. As numerous high-profile breaches demonstrate, retailers also need to carry coverage for data breaches. While many insurance companies offer cyber insurance, not all policies are created equal.

Why is buying cyber insurance difficult?

  • There is little standardization among competing policies; as a result, it is hard to comparison shop.
  • Policies’ exclusions often swallow coverage; as a result, assessing the value of a policy is difficult unless you have extensive experience with the types of liabilities that arise following data breaches.
  • Policies often cover security but not privacy risks.

Items to review when shopping for cyber insurance:

  • Do the sub-limits on coverage match the corresponding risks?
  • Does the policy include sub-retentions (sub-deductibles) that are unlikely to be reached?
  • Do exclusions prevent payment for the largest risks, e.g., charges
How to Respond to Civil Subpoenas and Document Requests That Ask For Personal Information

September 28, 2016

Litigants in a civil dispute often use subpoenas, subpoenas duces tecum, and discovery requests to obtain personal information about individuals who may not be present in the litigation. A request for documents and information that include personal information about third parties may conflict with legal obligations imposed upon an organization not to produce information.

For example, if an organization promises within its privacy policy that

Does Your Organization Collect Geo-Location Information?

July 14, 2016

Smartphones, smartphone apps, websites, and other connected devices (e.g., “wearables”) increasingly request that consumers provide their geo-location information. Geo-location information can refer to general information about a consumer’s location, such as his or her city, state, zip code, or precise information that pinpoints the consumer’s location to within a few feet, such as his or her GPS coordinates.

Organizations request geo-location information for a variety of reasons. For example, many apps – such as transportation or delivery services – require geo-location in order to provide services that are requested by the consumer. Other apps – such as mapping programs, coupon programs, or weather programs – require geo-location information in order to provide consumers with useful information. Because such information has become intertwined, in many cases, with products and services, some organizations require the user to “Accept” or “Agree” to the collection of geo-location information as a condition to using a device,

What to Consider When Drafting or Reviewing a Privacy Policy

June 20, 2016

Although financial institutions, health care providers, and websites directed to children are required to create consumer privacy policies under federal law, other types of websites are not. In 2003, California became the first state to impose a general requirement that most websites post a privacy policy. Under the California Online Privacy Protection Act (“CalOPPA”), all websites that collect personal information about state residents must post an online privacy policy if the information is collected for the purpose of providing goods or services for personal, family, or household purposes. Since the passage of the CalOPPA, most websites that collect information – whether or not they are directed at California residents or are otherwise subject to the CalOPPA – have chosen to post an online privacy policy.

What to think about when drafting or reviewing a privacy policy:

  • Is your organization subject to a federal law that requires that
How to Pass Data Between Retailers to Facilitate Transactions

June 9, 2016

Online retailers often learn information about a consumer that may be used to help identify other products, services, or companies that may be of interest to the consumer. For example, if a consumer purchases an airplane ticket to Washington, D.C., the consumer may want information about hotels, popular restaurants, or amenities at the airport.

Although online retailers often strive to provide recommendations quickly, and to make a consumer’s transition to a third party retailer seamless, the Restore Online Shoppers’ Confidence Act (“ROSCA”) generally prohibits one online merchant from transferring payment information (e.g., a credit card number) to a second online merchant.

Below are some questions to consider when evaluating the data privacy issues involved in passing information between online retailers:

  • Are consumers being presented with third party products or services when they visit a retailer’s website?
  • Are consumers being presented with third party products or services immediately after they visit
Recommendations for Evaluating Your Company’s Use of Social Media

The majority of retailers utilize social media to market their products and services, interact with consumers, and manage their brand identity. Many mobile applications and websites even permit users to sign in with their social media accounts to purchase items or use the applications’ services.

While using third party social media websites has significant advantages for businesses, it also raises distinct privacy concerns. Specifically, the terms of use that apply to social media platforms may give the platform the right to share, use, or collect information concerning your business or your customers. To the extent that the social media platform’s privacy practices are not consistent with the practices of your own company, they may contradict or violate the privacy notice that you provide to the public.

Here is a list of issues to consider when evaluating your company’s use of social media:

  • How would a data breach of social media platforms
Data Breach Litigation Report: An Analysis of Federal Class Action Lawsuits Involving Data Security Breaches

Data security breaches – and data security breach litigation – dominated the headlines in 2015 and continue to do so in 2016. While data breach litigation is an important topic for the general public, and remains one of the top concerns of general counsel, CEOs, and boards alike, there remains a great deal of misinformation reported by the media, the legal press, and law firms. At best this is due to a lack of knowledge and understanding concerning data breach litigation; at worst some reports border on sensationalism or fearmongering.

Bryan Cave LLP began its survey of data breach class action litigation four years ago to rectify the information gap and to provide clients, as well as the broader legal, forensic, insurance, and security communities, with reliable and accurate information concerning data breach litigation risk. The 2016 report covers litigation initiated over a 15 month period from the fourth quarter

Credit Card Data Breaches: Protecting Your Company from the Hidden Surprises

Debit and credit cards are now the primary form of retail payment. Many retailers may not realize, however, that by accepting credit cards, they expose themselves to the risk of a data security breach and significant potential costs and legal liabilities.

Retailers should consider the major sources of direct costs following a data breach. These costs always include the retaining of a PCI (payment card industry) certified forensic investigator as required by the PCI Council. Costs also typically include the retaining of a privileged forensic investigator (often by the retailer’s law firm or general counsel); the hiring of outside counsel; public relations and crisis management; and consumer notification, including printing and mailing costs and protection services offered to consumers.

In addition to the direct costs following a data breach, retailers often face three forms of liability from third parties: payment card brand fees; regulatory costs arising from investigations from the

    The attorneys of Bryan Cave LLP make this site available to you only for the educational purposes of imparting general information and a general understanding of the law. This site does not offer specific legal advice. Your use of this site does not create an attorney-client relationship between you and Bryan Cave LLP or any of its attorneys. Do not use this site as a substitute for specific legal advice from a licensed attorney. Much of the information on this site is based upon preliminary discussions in the absence of definitive advice or policy statements and therefore may change as soon as more definitive advice is available. Please review our full disclaimer.