Posts in Privacy & Cybersecurity.
Time 4 Minute Read

On May 9, 2024, the First Circuit became the first federal appellate court to address whether national retail websites’ use of session replay code creates specific personal jurisdiction for wiretapping claims allowing website users to hale retailers into court in any state where they visited these websites. The First Circuit concluded that it does not. It held that a website user failed to demonstrate that Ohio-based Bloomingdales.com intentionally targeted its website and its accompanying use of session replay software at users in Massachusetts and, therefore, failed to establish specific personal jurisdiction over Bloomingdales.com for alleged violations of the Massachusetts Wiretapping Act and Massachusetts Invasion of Privacy Statute. Rosenthal v. Bloomingdales.com, LLC, No. 23-1683, 2024 WL 2074685 (1st Cir. May 9, 2024). 

Time 2 Minute Read

The Children’s Advertising Review Unit (CARU) of BBB National Programs issued a new compliance warning aimed at addressing the use of artificial intelligence (AI) in advertisements and data collection efforts targeted at children. The warning emphasizes that CARU will “strictly enforce” its Advertising and Privacy Guidelines for advertisers, brands, influencers and manufacturers that utilize AI in marketing and data collection involving children. The warning specifically highlights CARU’s concerns about the risks of AI in connection with the susceptibility of children to marketing that fails to distinguish between what is real and what is not.

Time 6 Minute Read

Companies face significant exposure from privacy related claims. An increasing number of these claims result from efforts at the state level to regulate use of personal data. One key focus is Illinois’ Biometric Information Privacy Act (“BIPA”), but as lawmakers in other states continue to introduce legislation aimed at regulating the use of biometric data, more court decisions may muddy the waters regarding what conduct may be covered under a general liability policy.

Time 1 Minute Read

Our 2023 Retail Industry Year in Review provides a comprehensive overview of recent developments, issues, and trends impacting retailers, as well as a look ahead at what to expect in 2024. We hope you will take a few minutes to review our new publication released last week.

Time 4 Minute Read

Earlier this month, a Pennsylvania federal judge held that users of Bass Pro Shops’ and Cabela’s websites lacked Article III standing to sue the retailers for use of “session replay” software, where the users failed to allege that the software captured their personal information, such as financial data or medical diagnosis information.  In Re: BPS Direct, LLC, and Cabela's, LLC, Wiretapping, No. 2:23-md-03074 (E.D. Pa. Dec. 5, 2023).  

Time 3 Minute Read

BBB National Programs’ Children’s Advertising Review Unit (CARU) has released new Guardrails for Child-Directed Advertising and Privacy in the Metaverse. As explained in a BBB press release, the Guardrails are intended to provide companies with best practices as they navigate the complexities of engaging with children in metaverse experiences. The Guardrails offer “actionable recommendations” on developing metaverse experiences directed to children, complying with existing advertising and privacy law, and engaging responsibly with children online. These guidelines build on earlier CARU guidance regarding metaverse activities.

Time 3 Minute Read

As reported on Hunton's Privacy and Information Security Law Blog, on May 31, 2023, the Federal Trade Commission announced a proposed order against home security camera company Ring LLC (“Ring”) for unfair and deceptive acts or practices in violation of Section 5 of the FTC Act.

Time 2 Minute Read

On March 16, 2023, the Federal Trade Commission announced it issued orders to eight social media and video streaming platforms seeking Special Reports on how the platforms review and monitor commercial advertising to detect, prevent and reduce deceptive advertisements, including those related to fraudulent healthcare products, financial scams and the sale of fake goods. The FTC sent the orders pursuant to its resolution directing the FTC to use all available compulsory process to inquire into this topic, and using the FTC’s Section 6(b) authority, which authorizes the FTC to conduct studies that do not have a specific law enforcement purpose.

Time 3 Minute Read

Plaintiffs’ firms continue to file variations of state law wiretapping lawsuits over “session replay” software and “live chat” or “chatbot” applications in various jurisdictions. These filings typically allege that companies use such software tools to record users’ interactions with a website without first obtaining users’ consent, thereby violating the wiretapping, eavesdropping, or interception provisions of various state laws. Session replay software allows companies to record and play back users’ interactions on their websites. The “live chat” or “chatbot” feature allows a website user to engage in text conversations with an assistant, to which the company has access. These wiretapping claims threaten substantial penalties. Companies that use these web-tracking tools, however, can take steps to protect themselves from these lawsuits by a careful examination of the software being used and by evaluating what disclosures or consents may be warranted.

Time 2 Minute Read

On October 18, 2022, the New York State Department of Financial Services (“NYDFS”) announced that EyeMed Vision Care LLC (“EyeMed”) agreed to a $4.5 million settlement for violations of the Cybersecurity Regulation (23 NYCRR Part 500) that contributed to the exposure of hundreds of thousands of consumers’ health data in connection with a cybersecurity event in 2020.

Time 2 Minute Read

CARU, the Children’s Advertising Review Unit of BBB National Programs, issued a compliance warning last week reminding industry that the self-regulating body on children’s advertising and privacy intends to enforce its advertising guidelines in the metaverse, just like in the real world.

Time 1 Minute Read

On August 23, 2022, the Federal Trade Commission announced it is seeking additional public comment on “how children are affected by digital advertising and marketing messages that may blur the line between ads and entertainment” in conjunction with its “Protecting Kids from Stealth Advertising in Digital Media” event on October 19, 2022. The event will focus on manipulative marketing practices targeted towards children, particularly those related to influencer marketing and online games.

The public can comment on this topic and related issues until November ...

Time 4 Minute Read

On August 24, 2022, California Attorney General Rob Bonta announced the Office of the Attorney General’s (“OAG’s”) first settlement of a California Consumer Privacy Act (“CCPA”) enforcement action, against Sephora, Inc.

Time 12 Minute Read

On March 9, 2022, the Securities and Exchange Commission (“SEC”) held an open meeting and proposed new cybersecurity disclosure rules for public companies by a 3-1 vote. If adopted, the new rules would impose substantial new reporting obligations with respect to material cybersecurity incidents and cybersecurity risk management, strategy, and governance for both domestic and foreign private issuers subject to the reporting requirements under the Securities Exchange Act of 1934.

Time 1 Minute Read

As reported on the Hunton Andrews Kurth Privacy & Information Security Law Blog, on August 16, 2021, the U.S. Securities and Exchange Commission (“SEC”) announced that Pearson plc (“Pearson”), a publicly traded British multinational educational publishing and services company, agreed to pay a $1 million civil penalty in a settlement related to charges that Pearson misled investors about a 2018 data breach resulting in the theft of millions of student records. The SEC’s order found that Pearson made material misstatements and omissions about the data breach in a report furnished to the SEC and in a media statement.

Time 3 Minute Read

This week, the FTC voted 3–1 to accept a settlement agreement with MoviePass, Inc., its parent company, and two of the now-defunct company’s former employees, after allegations of data security issues and deceptive trade practices. The Commission brought an enforcement action against MoviePass pursuant to the FTC Act and the Restore Online Shoppers’ Confidence Act (“ROSCA”), the latter of which requires disclosure of all material terms, a consumer’s informed consent, and a simple mechanism to stop recurring charges when marketing negative option services.

Time 3 Minute Read

The Second Circuit just affirmed the dismissal of a data breach class action predicated on an alleged increased risk of identity theft on Article III standing grounds.  McMorris v. Carlos Lopez & Assocs., LLC, No. 19-4310, 2021 WL 1603808 (2d Cir. Apr. 26, 2021).  Notably, the district court that dismissed the action raised the issue of standing sua sponte in advance of a scheduled class settlement fairness hearing.

Time 1 Minute Read

On November 26, 2020, the French Data Protection Authority announced that it imposed a fine of €2.25 million on Carrefour France and a fine of €800,000 on Carrefour Banque for various violations of the EU General Data Protection Regulation and Article 82 of the French Data Protection Act governing the use of cookies.

Time 1 Minute Read

Earlier this year, The Retail Equation, a loss prevention service provider, and Sephora were hit with a class action lawsuit in which the plaintiff claimed Sephora improperly shared consumer data with The Retail Equation without consumers’ knowledge or consent. The plaintiff claimed The Retail Equation did so to generate risk scores that allegedly were “used as a pretext to advise Sephora that attempted product returns and exchanges are fraudulent and abusive.”

Time 1 Minute Read

On August 6, 2020, President Trump signed executive orders imposing new economic sanctions under the International Emergency Economic Powers Act (50 U.S.C. § 1701 et seq.) and the National Emergencies Act (50 U.S.C. § 1601 et seq.) against TikTok, a video-sharing mobile application, and WeChat, a messaging, social media and mobile payments application. The orders potentially affect tens of millions of U.S. users of these applications and billions of users worldwide.

Time 1 Minute Read

Listen as Phyllis H. Marcus, partner at Hunton Andrews Kurth and Co-Chair of the ABA Antitrust Law Section’s Privacy and Information Security Committee, speaks about the privacy concerns over using smart devices on the ABA’s Our Curious Amalgam podcast, Is Your Assistant Spying on You? Understanding the Privacy Law Issues Involving In-Home Assistants.

Time 1 Minute Read

As reported in the Hunton Insurance Recovery Blog, a Maryland federal court awarded summary judgment to policyholder National Ink in National Ink and Stitch, LLC v. State Auto Property And Casualty Insurance Company, finding coverage for a cyber-attack under a non-cyber insurance policy after the insured’s server and networked computer system were damaged as a result of a ransomware attack.  This is significant because it demonstrates that insureds can obtain insurance coverage for cyber-attacks even if they do not have a specific cyber insurance policy.

Time 1 Minute Read

As reported on the February 7, 2019 posting to the Hunton Privacy & Information Security Law Blog, at least one class action lawsuit has been filed that expressly references the CCPA.

Time 1 Minute Read

As publicly traded retailers begin to prepare their annual reports and 2020 proxy statements, they should keep in mind a number of new and amended SEC disclosure items. As detailed in our recent client alert, hot topics for proxy statements include hedging policy disclosure, board diversity disclosure and overboarding of directors.  In annual reports on Form 10-K, public retailers must consider new cover page requirements; new disclosure rules for material property, management’s discussion and analysis (MD&A) and exhibit filings; and most retailers will now disclose ...

Time 4 Minute Read

The Florida legislature has introduced identical bills in the Florida House of Representatives (HB 963) and the Senate (SB 1670) (collectively the Act) that, if adopted, will require companies operating websites and other online services in the state to inform Florida consumers whether they are collecting personal information, and to provide an opportunity for the consumer to opt out of the sale of the personal information.

Time 1 Minute Read

Innovation and developments in technology bring both opportunities and challenges for the retail industry, and Hunton Andrews Kurth has a sophisticated understanding of these issues and how they affect retailers. On January 23, 2020, our cross-disciplinary retail team, composed of over 200 lawyers, released our annual Retail Industry Year in Review. The 2019 edition, Spotlight on Technology, provides an overview and analysis of recent developments impacting retailers, as well as what to expect in 2020 and beyond. Topics discussed include: braille gift cards as the next wave of ...

Time 2 Minute Read

On January 7, 2020, the Federal Trade Commission announced a settlement with Mortgage Solutions FCS, Inc., d/b/a Mount Diablo Lending, and its sole principal, Ramon Walker, to resolve allegations that the lender violated the FTC Act, the Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley (GLB) Act, by improperly disseminating consumers’ personal information on Yelp in response to consumers’ negative reviews posted to that site. In its complaint, the FTC alleges that Walker posted on Yelp responses that included customers’ nonpublic and personal financial ...

Time 11 Minute Read

Imagine a future in which Artificial Intelligence (AI) does the recruiting and hiring at US companies. Every new hire will be the uniquely perfect candidate whose skills, personality, presence, temperament and work habits are a flawless match for the job. Performance management and poor performance become extinct, relics from an age in which humans brought primitive instincts, biases and flawed intuition to hiring and employment decisions. While there are risks and challenges to employers in introducing this technology, manufacturers of AI software say that some version of that future may not be too far off. AI software such as Mya, HireVue and Gecko are among the numerous platforms that retail employers are now leveraging to hone in on and hire the best candidates more quickly. Generally speaking, AI interviewing products combine mobile video interviews with game-based assessments. The AI platform then analyzes the candidate’s facial expressions, word choice and gestures in conjunction with game assessment results to determine the candidate’s work style, cognitive ability and interpersonal skills.

Time 1 Minute Read

As reported on the Privacy & Information Security Law Blog on February 8, 2019, the European Commission has issued an EU-wide recall of the Safe-KID-One children’s smartwatch marketed by ENOX Group over concerns that the device leaves data such as location history, phone and serial numbers vulnerable to hacking and alteration.

Time 1 Minute Read

As reported on the Privacy & Information Security Law Blog on January 31, 2019, Hunton Andrews Kurth celebrates the 10-year anniversary of our award-winning Privacy and Information Security Law Blog. Download a copy of "Ten Years Strong: A Decade of Privacy and Cybersecurity Insights."

Time 1 Minute Read

Illinois Supreme Court Says Biometric-Data Protection Law Does Not Require Allegation of Actual Injury

As reported on Hunton Andrews Kurth’s Privacy & Information Security Law Blog on January 25, 2019, the Illinois Supreme Court ruled that an allegation of “actual injury or adverse effect” is not required to establish standing to sue under the Illinois Biometric Information Privacy Act.

Time 2 Minute Read

On January 7, 2019, California Assemblyman Phil Ting introduced Assembly Bill 161 which would prohibit businesses from providing paper receipts except upon request, citing “significant positive environmental and public health effects.” The goal of the Bill is to reduce consumers’ exposure to chemicals contained on paper receipts, such as BPA, and to reduce the carbon footprint.

Time 1 Minute Read

On January 17, 2019, Hunton Andrews Kurth’s retail industry team, composed of more than 200 lawyers across practices, released their annual Retail Industry Year in Review publication.

The 2018 Retail Industry Year in Review includes many topics of interest to retailers, including the use of artificial intelligence (AI), ITC investigations, product recall insurance, antitrust enforcement in the Trump Administration, the collection and storage of biometric data, consumer privacy, SEC and M&A activity in 2018, the #MeToo movement and the impact of cashierless stores.

Time 7 Minute Read

In a 2017 interview, Nigel Travis, former CEO of Dunkin’ Brands, stated that “delivery will be the next wave” in the restaurant industry and that it would “be like a revolution,” occurring “faster than anyone thinks.” Travis was not wrong; in fact, recent statistics shared by Melissa Wilson at the 2018 Restaurant Leadership Conference show Travis’ prediction quickly taking hold – 86% of consumers are using off-premise delivery services at least monthly and one third of consumers are using it more than they did a year ago. By some estimates, delivery services are projected to grow at least 12% per year over the next five years. While a handful of restaurants are filling the delivery demand themselves, more and more restaurants are looking to third-party delivery service providers to help them connect with the consumer. In fact, “third-party delivery services like UberEats, Grubhub, and Postmates currently represent $9 billion in restaurant sales today, and they are predicted to account for $16 billion in sales by 2022.”

Time 1 Minute Read

The Federal Trade Commission announced the opening dates of its Hearings on Competition and Consumer Protection in the 21st Century, a series of public hearings that discuss whether broad-based changes in the economy, evolving business practices, new technologies or international developments might require adjustments to competition and consumer protection law, enforcement priorities and policy. The FTC and Georgetown University Law Center will co-sponsor two full-day sessions of hearings on September 13 and 14, 2018, to be held at the Georgetown University Law Center ...

Time 8 Minute Read

As reported on Hunton’s Privacy and Information Security Law blog, on June 28, 2018, the Governor of California signed AB 375, the California Consumer Privacy Act of 2018 (the “Act”). The Act introduces key privacy requirements for businesses, and was passed quickly by California lawmakers in an effort to remove a ballot initiative of the same name from the November 6, 2018, statewide ballot. We previously reported on the relevant ballot initiative. The Act will take effect January 1, 2020.

Time 2 Minute Read

As reported on Hunton's Privacy and Information Security Law blog, the FTC has modified its 2017 settlement with Uber after learning of an additional breach that was not taken into consideration during its earlier negotiations with the company. The revised proposed agreement goes beyond the FTC’s original settlement mandating that Uber implement a comprehensive privacy program. The expanded FTC order would require Uber to address software design, development and testing; how the company reviews and responds to third-party security vulnerability reports; and prevention, detection and response to attacks, intrusions or systems failures. Uber also would be required to report to the FTC any episode where it has to notify any U.S. government entity about the unauthorized access of any consumer’s information.

Time 2 Minute Read

As reported on the Hunton Privacy & Information Security Law Blog, on March 8, 2018, the Ninth Circuit Court of Appeals (“Ninth Circuit”) reversed a decision from the United States District Court for the District of Nevada. The trial court found that one subclass of plaintiffs in In re Zappos.Com, Inc. Customer Data Security Breach Litigation had not sufficiently alleged injury in fact to establish Article III standing. The opinion focused on consumers who did not allege that any fraudulent charges had been made using their identities, despite hackers accessing their names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information in a 2012 data breach. 

Time 1 Minute Read

On January 18, 2018, Hunton & Williams LLP’s retail industry lawyers, composed of more than 100 lawyers across practices, released their annual Retail Year in Review publication. The Retail Year in Review includes many topics of interest to retailers including blockchain, antitrust enforcement in the Trump Administration, ransomware's impact on the retail industry, SEC and M&A activity in 2017, cyber insurance, vulnerability to class actions, and the reduced tax rate.

Read the full publication.

Time 1 Minute Read

On January 8, 2018, the FTC announced an agreement with electronic toy manufacturer, VTech Electronics Limited and its U.S. subsidiary, settling charges that VTech violated the Children’s Online Privacy Protection Act (“COPPA”) by collecting personal information from hundreds of thousands of children without providing direct notice or obtaining their parent’s consent, and failing to take reasonable steps to secure the data it collected. Under the agreement, VTech will (1) pay a $650,000 civil penalty; (2) implement a comprehensive data security program, subject to ...

Time 2 Minute Read

On October 23, 2017, the Federal Trade Commission issued a policy enforcement statement providing additional guidance on the applicability of the Children’s Online Privacy Protection Rule (“COPPA Rule”) to the collection of children’s audio voice recordings. The FTC previously updated the COPPA Rule in 2013, adding voice recordings to the definition of personal information, which led to questions about how the COPPA Rule would be enforced against organizations who collect a child’s voice recording for the sole purpose of issuing a command or request.

Time 2 Minute Read

On September 5, 2017, the FTC announced that Lenovo, Inc. (“Lenovo”) agreed to settle charges that its preloaded software on some laptop computers compromised online security protections in order to deliver advertisements to consumers. The settlement agreement (the “Settlement”) is between Lenovo, the FTC and 32 State Attorneys General. 

Time 1 Minute Read

An insured seeking coverage for credit card fees assessed against its third-party payment processor following a data breach recently filed an appeal in the Fifth Circuit Court of Appeals. Spec’s, a liquor store chain with over 160 locations throughout Texas, suffered two major data breaches of its credit card payment system, resulting in the loss of customer information and credit card numbers. Spec’s accepts Visa and MasterCard payments from its customers through a third-party processor, First Data. As a result of the breach, First Data incurred liability assessments from ...

Time 4 Minute Read

On August 15, 2017, the FTC announced that it had reached a settlement with Uber, Inc., over allegations that the ride-sharing company had made deceptive data privacy and security representations to its consumers. Under the terms of the settlement, Uber has agreed to implement a comprehensive privacy program and undergo regular, independent privacy audits for the next 20 years.

Time 2 Minute Read

In a video roundtable series, Hunton & Williams LLP partners Lisa J. Sotto and Steven M. Haas and special counsel Allen C. Goolsby, along with Stroz Friedberg’s co-president Eric M. Friedberg and Lee Pacchia of Mimesis Law, discuss the special consideration that should be given to privacy and cybersecurity risks in corporate transactions.

Time 2 Minute Read

As reported on Hunton's Privacy and Information Security Law blog, on July 21, 2017, New Jersey Governor Chris Christie signed a bill that places new restrictions on the collection and use of personal information by retail establishments for certain purposes. The statute, which is called the Personal Information and Privacy Protection Act, permits retail establishments in New Jersey to scan a person’s driver’s license or other state-issued identification card only for the following eight purposes:

Time 2 Minute Read

As reported on Hunton's Privacy and Information Security Law blog, on June 21, 2017, the Federal Trade Commission updated its guidance, Six-Step Compliance Plan for Your Business, for complying with the Children’s Online Privacy Protection Act (“COPPA”). The FTC enforces the COPPA Rule, which sets requirements regarding children’s privacy and safety online. The updated guidance adds new information on situations where COPPA applies and steps to take for compliance.

Time 2 Minute Read

On June 13, 2017, Judge Andrea R. Wood of the Northern District of Illinois dismissed with prejudice a putative consumer class action filed against Barnes & Noble. The case was first filed after Barnes & Noble’s September 2012 announcement that “skimmers” had tampered with PIN pad terminals in 63 of its stores and exposed payment card information. The court had previously dismissed the plaintiffs’ original complaint without prejudice for failure to establish Article III standing. After the Seventh Circuit’s decision in Remijas v. Neiman Marcus Group, the plaintiffs filed an almost identical amended complaint that alleged the same causes of action and virtually identical facts. Although the court found that the first amended complaint sufficiently alleged Article III standing, the plaintiffs nevertheless failed to plead a viable claim. The court therefore dismissed the first amended complaint under Rule 12(b)(6). 

Time 2 Minute Read

On May 26, 2017, Alcoa Community Federal Credit Union (“Alcoa”), on behalf of itself, credit unions, banks and other financial institutions, filed a nationwide class action against Chipotle Mexican Grill, Inc. (“Chipotle”). The case arises from a breach of customer payment card data. The putative class consists of all such financial institutions that issued payment cards, or were involved with card-issuing services, for customers who made purchases at Chipotle from March 1, 2017, to the present. Plaintiffs allege a number of “inadequate data security measures,” including Chipotle’s decision not to implement EMV technology. 

Time 2 Minute Read

On June 1, 2017, the new Cybersecurity Law went into effect in China. This post takes stock of (1) which measures have been passed so far, (2) which ones go into effect on June 1 and (3) which ones are in progress but have yet to be promulgated.

Time 2 Minute Read

On May 23, 2017, various Attorneys General of 47 states and the District of Columbia announced that they had reached an $18.5 million settlement with Target regarding the states’ investigation of the company’s 2013 data breach. This represents the largest multi-state data breach settlement achieved to date. 

Time 5 Minute Read

A year ago, the United States Supreme Court held in Spokeo, Inc. v. Robins that a plaintiff must do more than plead a mere statutory procedural violation to establish standing; to plead an injury in fact, a plaintiff also must allege a harm that is both “concrete” and “particularized.” Two recent decisions by the U.S. Court of Appeals for the Eleventh Circuit—one involving a rare written dissent from the denial of a petition for rehearing en banc—demonstrate the continuing difficulties courts are facing in determining what constitutes a concrete injury under Spokeo. They suggest that the Eleventh Circuit is most likely to find standing for violations of statutes that are intended to protect personal privacy or create a right to information, although judges do not always agree as to which statutes fall within these categories.

Time 3 Minute Read

As we previously reported, beginning last Friday, and still occurring today, one of the worst and most widespread malware attacks has impacted more than 200,000 victims in at least 150 countries, including Britain’s National Health Service, FedEx, telecommunications companies Telefonica and Megafon, and automakers Renault and Nissan. The malware, known as "WannaCry," disables the user’s computer system and all of its data. A note in a text file then appears stating that in order to unlock the computer, $300 worth of the digital currency bitcoin must be paid to the hackers. A countdown timer appears and the fee increases with time. The hackers threaten to delete all data on the computer system if payment is not sent within one week. Cybersecurity experts believe that the malware was sent to computers through "phishing attacks," which are emails that appear to be from reputable sources and include a download to a link that allows the malware to infect the computer. From these computers, the malware then spreads to other computers on the network. One infected computer can spread this virus network-wide, and quickly.

Time 5 Minute Read

On May 12, 2017, a massive ransomware attack began affecting tens of thousands of computer systems in over 100 countries. The ransomware, known as “WannaCry,” leverages a Windows vulnerability and encrypts files on infected systems and demands payment for their release. If payment is not received within a specified time frame, the ransomware automatically deletes the files. A wide range of industries have been impacted by the attack, including retailers and other businesses, hospitals, utilities and government entities around the world.

Time 2 Minute Read

On May 2, 2017, the United States Court of Appeals for the Second Circuit issued a summary order affirming dismissal of a putative data breach class action against Michaels Stores, Inc. (“Michaels”). The plaintiff’s injury theories were as follows: (1) the plaintiff’s credit card information was stolen and twice used to attempt fraudulent purchases; (2) the risk of future identity fraud and (3) lost time and money resolving the attempted fraudulent charges and monitoring credit. The plaintiff, however, quickly cancelled her card after learning of the unauthorized charges and did not allege that she was held responsible for any of those charges.

Time 4 Minute Read

On April 18, 2017, the state of Washington passed House Bill 1493 (“HB 1493”), which sets forth requirements for businesses who collect and use biometric identifiers for commercial purposes. Under HB 1493, a biometric identifier includes a fingerprint, voiceprint, retina, iris or other unique biological pattern or characteristic used to identify a specific individual. Commercial use includes “a purpose in furtherance of the sale or disclosure to a third party for the purpose of marketing of goods or services when such goods or services are unrelated to the initial transaction in which a person first gains possession of an individual’s biometric identifier.” This bill comes after several other states have passed similar legislation regulating the commercial use of biometric identifiers, including the Illinois Biometric Information Privacy Act (740 ILCS 14) (“BIPA”) and the Texas Statute on the Capture or Use of Biometric Identifier (Tex. Bus. & Com. Code Ann. §503.001). 

Time 1 Minute Read

In March 2017, Syed Ahmad, a partner with Hunton & Williams LLP’s insurance practice, and Eileen Garczynski, partner at insurance brokerage Ames & Gough, co-authored an article, Protecting Company Assets with Cyber Liability Insurance, in Mealey’s Data Privacy Law Report. The article describes why cyber liability insurance is necessary for companies and provides tips on how it can make a big difference. Ahmad and Garczynski discuss critical questions companies seeking to protect company assets through cyber insurance should be asking.

Read the full article.

Time 2 Minute Read

As posted on the Hunton Privacy and Information Security Law blog, recently, Virginia passed an amendment to its data breach notification law that adds state income tax information to the types of data that require notification to the Virginia Office of the Attorney General in the event of unauthorized access and acquisition of such data. Under the amended law, an employer or payroll service provider must notify the Virginia Office of the Attorney General after the discovery or notification of unauthorized access and acquisition of unencrypted and unredacted computerized data containing a Virginia resident’s taxpayer identification number in combination with the income tax withheld for that taxpayer.

Time 2 Minute Read

On March 17, 2017, retailer Neiman Marcus agreed to pay $1.6 million as part of a proposed settlement (the “Settlement”) to a consumer class action lawsuit stemming from a 2013 data breach that allegedly compromised the credit card data of approximately 350,000 customers.

Time 1 Minute Read

On April 5, 2017, Hunton & Williams LLP and Stroz Friedberg will host a webinar on managing privacy and data security risks before, during and after an M&A transaction. Join Lisa J. Sotto, partner and chair of Global Privacy and Cybersecurity at Hunton & Williams; Rocco Grillo, Cyber Resilience Global Leader from Stroz Friedberg; and Keith O’Sullivan, CISO from Time Inc., for a discussion on how to prepare for and understand privacy and data security challenges in the context of corporate transactions.

Time 2 Minute Read

On March 9, 2017, Home Depot Inc. (“Home Depot”) reached an agreement that includes the payment of $25 million and the implementation of new data security measures to resolve a putative class action brought by financial institutions impacted by the company’s 2014 data breach.

Time 2 Minute Read

Hunton & Williams LLP announces the formation of a cross-disciplinary legal team dedicated to guiding companies through the minefield of regulatory and cyber-related risks associated with high-stakes corporate mergers and acquisitions. 

Time 2 Minute Read

The Standing Committee of the National People’s Congress of China enacted a new Cybersecurity Law in November 2016. The final Cybersecurity Law will apply to many multinational companies starting June 1, 2017.

Time 4 Minute Read

Providers of technology products and services are consistently innovating to grow their offerings to retailers. These new products and services present significant opportunity for retailers to more effectively reach customers, generate sales and grow revenue. But while these new offerings present a great tool to grow sales in this challenging market, they also can present significant cybersecurity risks.

Time 2 Minute Read

As reported on the Hunton Privacy and Information Security Law blog, on February 6, 2017, the FTC announced that it has agreed to settle charges that VIZIO, Inc., installed software on about 11 million consumer televisions to collect viewing data without consumers’ knowledge or consent. The stipulated federal court order requires VIZIO to pay $2.2 million to the FTC and New Jersey Division of Consumer Affairs. 

Time 2 Minute Read

As reported on the Privacy and Information Security Law blog, on January 23, 2017, the FTC released a Staff Report (the “Report”) on cross-device tracking technology that can link multiple Internet-connected devices to the same person and track that person’s activity across those devices. The Report follows a November 2015 workshop on the same subject and is based on information and comments gathered during that workshop.

Time 2 Minute Read

After a long and unconventional campaign, we finally know the election results: early next year, businessman Donald Trump will be sworn in as the 45th president of the United States, supported by a Republican Congress. What the election results mean for the nation’s retailers, however, remains an open question. Trump, as a candidate, staked out bold policy positions on issues with potentially significant effects on retailers. Both positive and negative developments on a wide range of issues are possible over the next four years. Once sworn in, Trump will have considerable latitude to implement his policies through executive branch agencies and their enforcement priorities. In other instances, however, he will require support from the 115th Congress, and in some instances his actions could be constrained by the effect of appointments and policy choices made by the Obama administration and the 114th Congress.

Time 1 Minute Read

As reported on the Insurance Recovery blog, earlier this week, retailer Tesco Plc’s banking branch reported that £2.5 million (approximately $3 million) had been stolen from 9,000 customer bank accounts over the weekend in what cyber experts said was the first mass hacking of accounts at a western bank. The reported loss is still being investigated by UK authorities but is believed to have occurred through the bank’s online banking system. The loss, which is about half of what Tesco initially estimated, is still substantial and serves as a strong reminder that cyber-related ...

Time 2 Minute Read

As reported in the Hunton Insurance Recovery blog, a federal judge in Alabama ruled Tuesday that a grocer could not rely on its legacy business insurance policies – including an “electronic data” coverage extension – to protect against third-party claims after customer data was compromised by a point-of-sale cyber attack. The decision in Camp’s Grocery, Inc. v. State Farm Fire and Casualty Company is another reminder to retail policyholders to ensure that their cybersecurity programs include both adequate cybersecurity safeguards and appropriate first-party and third-party cyber/crime insurance coverages. Failure to maintain either may jeopardize coverage for resulting cyber losses.

Time 2 Minute Read

As reported on the Privacy & Information Security Law blog, on September 15, 2016, the New Jersey Senate unanimously approved a bill that seeks to limit retailers’ ability to collect and use personal data contained on consumers’ driver and non-driver identification cards. The bill, known as the Personal Information and Privacy Protection Act, must now be approved by the New Jersey Assembly.

Time 2 Minute Read

As reported on the Privacy & Information Security Law blog, on July 29, 2016, the FTC announced that it had issued an opinion and final order concluding that LabMD, Inc. (“LabMD”) violated the unfairness prong of Section 5 of the FTC Act by failing to maintain reasonable security practices to protect consumers’ sensitive personal information. The unanimous decision reverses a November 2015 administrative law judge’s initial decision that, as we previously reported, dismissed the FTC’s charges against LabMD for failing to show that LabMD’s allegedly unreasonable data security practices caused, or were likely to cause, substantial consumer injury.

Time 1 Minute Read

Consumer class actions are on the minds of virtually all consumer product manufacturers and service providers. Class actions based on privacy and consumer protection statutes are increasing at a remarkable rate, and can be a challenge to predict, budget and defend, given the difficulty in valuing consumer privacy rights. In an article, “Second Circuit Reminds Consumer Product Companies That Insurance Options Exist for Big Data Blunders and Privacy Faux Pas,” published in FC&S Legal’s Eye on the Experts column, Hunton lawyers Syed S. Ahmad, Neil K. Gilman and Paul T. Moura

Time 2 Minute Read

On June 22, 2016, the Federal Trade Commission announced a settlement with Singapore-based mobile advertising network InMobi, resolving charges that the company had deceptively tracked hundreds of millions of consumers’ locations, including children, without their knowledge or consent. Among other things, the settlement orders the company to pay $950,000 in civil penalties.

Time 2 Minute Read

As reported on the Hunton Insurance Recovery blog, in a June 1, 2016 decision, the Second Circuit Court of Appeals reminded retailers and product manufacturers to look to their insurance coverages when defending against consumer class actions. In National Fire Insurance Co. of Hartford et al. v. E. Mishan & Sons Inc., the Second Circuit required CNA Financial Corporation to defend E. Mishan & Sons, Inc. (“Emson”) – best known for its “As Seen on TV” products – in two class actions alleging a conspiracy to trap customers into recurring credit card charges and that Emson sold private consumer information that it obtained through its product sales.

Time 2 Minute Read

As we previously reported, the Supreme Court’s decision in Spokeo v. Robins has been nearly universally lauded by defense counsel as a new bulwark against class actions alleging technical violations of federal statutes. It may be that. But Spokeo also poses a significant threat to defendants by defeating their ability to remove exactly the types of cases that defendants most want in federal court. The decision circumscribes the federal jurisdiction, with all its advantages, that defendants have enjoyed under the Class Action Fairness Act (“CAFA”) for the past decade.

Time 2 Minute Read

As reported on the Hunton Insurance Recovery Blog, data breach claims involving customer data can present an ever-increasing risk for many retailers and other companies. A recent case further supports efforts to recover the costs associated with such claims. Specifically, a panel of the Fourth Circuit confirmed that general liability policies can afford coverage for cyber-related liabilities, and ruled that an insurer had to pay attorneys’ fees to defend the policyholder in class action litigation in Travelers Indemnity Company v. Portal Healthcare Solutions, No. 14-1944. Syed Ahmad, a partner in the Hunton & Williams LLP insurance practice, was quoted in a Law360 article concerning the importance of this decision.

Time 1 Minute Read

On April 14, 2016, after four years of drafting and negotiations, the long-awaited EU General Data Protection Regulation (“GDPR”) was adopted at the EU level. Following the EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs’ vote earlier this week and the EU Parliament in plenary session, the GDPR is now officially EU law and will directly apply in all EU countries, replacing EU and national data protection legislation.

Time 2 Minute Read

Team helps companies devise legal strategies to enhance security and mitigate threat risk.

On April 4, 2016, Hunton & Williams LLP announced the formation of a Cyber and Physical Security Task Force to assist companies in minimizing the risks and consequences of a serious security incident. The task force is being led by global privacy and cybersecurity head Lisa Sotto, cybersecurity partner Paul Tiao, and energy partner Kevin Jones, and includes lawyers from a wide range of practice groups within the firm.

Time 2 Minute Read

On April 4, 2016, the Commodity Futures Trading Commission (“CFTC”) announced a $10 million whistleblower bounty, its largest to date.

Similar to a program administered by the Securities and Exchange Commission (“SEC”), CFTC whistleblowers are eligible for an award worth 10 to 30 percent of an enforcement penalty if they bring original information to the CFTC which leads to an enforcement action that nets more than $1 million in sanctions.

Time 2 Minute Read

On April 6, 2016, the Federal Trade Commission formally welcomed the updated Recommendation on Consumer Protection in E-commerce (the “Recommendation”) issued by the Organization for Economic Cooperation and Development (“OECD”) on March 24, 2016, endorsing the Recommendation’s broadened scope and increased consumer protections that “are designed to strengthen consumers’ trust in the expanding electronic marketplace.”

Time 1 Minute Read

On March 9, 2016, Hunton & Williams’ Global Privacy and Cybersecurity practice lawyers released a management guide on the EU General Data Protection Regulation (“GDPR”), entitled “Overview of the EU General Data Protection Regulation,” addressing the key impacts the new law will have on businesses. This high-level management guide is intended to provide companies with a roadmap to the Regulation, focusing on topics such as expanded territorial scope, data breach notification rules, the One-Stop Shop concept and the right to be forgotten.

Later this month, we will be ...

Time 2 Minute Read

This past week, the following consumer protection actions made headlines:

Food Marketing: Consumers Respond to Motion to Dismiss their Claims Against Walmart’s Missing Pork

On March 9, 2016, plaintiffs in a suit against Walmart Stores, Inc. responded to the company’s motion to dismiss, saying that their complaint sufficiently put the retailer on notice of allegations that Walmart’s Great Value Pork & Beans in Tomato Sauce lacked an important ingredient: pork. The plaintiffs argue that the USDA requires pork and beans products to contain at least 12 percent pork in order to advertise pork on its labels, and that plaintiffs’ testing did not show any traces of pork in the product. Walmart contends in its motion to dismiss that its labels plainly state that the product contains less than 2 percent pork, and that plaintiffs’ claims are preempted by food labeling laws.

Time 2 Minute Read

Companies across all industries, including retail, are seeing a significant uptick in software audits and similar software license compliance reviews. These audits can disrupt the day-to-day operations of even the most efficient IT departments and result in additional license fees, back-maintenance payments, penalties for noncompliance and external legal fees. The more aggressive software licensors may also threaten breach of contract claims, infringement claims, remote disabling of software, suspension of maintenance and other more disruptive practical measures. However, there are ways to limit exposure to such costly software audits and the associated risks, and to even prevent them from occurring in the first place.

Time 2 Minute Read

This month, the Retail Industry Leaders Association (“RILA”) submitted comments to the Federal Aviation Administration (“FAA”) opposing a point-of-sale registration requirement for recreational drones. While the trade association generally supports the registration of drones, also known as unmanned aircraft systems, RILA called the point-of-sale registration process “costly, inefficient, and difficult to implement” while warning of potential data privacy concerns for consumers.

Time 1 Minute Read

As reported in the Hunton Employment & Labor Perspectives Blog, Retailer Big Lots Stores, Inc. is facing a putative class action in Philadelphia, wherein the plaintiff alleges that the company “systematically” violated the Fair Credit Reporting Act’s (“FCRA”) “standalone disclosure requirement” by making prospective employees sign a document used as a background check consent form that contained extraneous information. Among other things, the plaintiff alleges that Big Lots’ form violates the FCRA because it includes the following three categories of ...

Time 3 Minute Read

As reported on the Privacy & Information Security Law blog, the Enforcement Bureau of the Federal Communications Commission (“FCC”) entered into a Consent Decree with cable operator Cox Communications to settle allegations that the company failed to properly protect customer information when the company’s electronic data systems were breached in August 2014 by a hacker. The FCC alleged that Cox failed to properly protect the confidentiality of its customers’ proprietary network information (“CPNI”) and personally identifiable information, and failed to promptly notify law enforcement authorities of security breaches involving CPNI in violation of the Communications Act of 1934 and FCC’s rules.

Time 3 Minute Read

On Monday, October 19, US Transportation Secretary Anthony R. Foxx and FAA Administrator Michael P. Huerta announced the formation of a task force charged with developing recommendations for a registration system for Unmanned Aircraft Systems (the “Task Force”). The Task Force will be directed to deliver its report by November 20. In connection with the announcement, the secretary and the administrator also issued a Clarification of the Applicability of Aircraft Registration Requirements for Unmanned Aircraft Systems (UAS) and Request for Information Regarding Electronic Registration for UAS (the “CRFI”), which was published in the Federal Register on Thursday, October 22. Through the CRFI, the agencies seek, for the first time, to impose the aircraft registration requirement on “model aircraft,” including recreational UAS, effective immediately, while also soliciting comments from industry and the public on the nature and parameters of the UAS registration process. Comments must be submitted by November 6 in order to be considered by the Task Force.

Time 4 Minute Read

As reported in the Privacy & Information Security Law blog, the United States District Court for the District of Minnesota, in large part, upheld Target’s assertion of the attorney-client privilege and work-product protections for information associated with a privileged, internal investigation of Target’s 2013 data breach.

Time 1 Minute Read

As reported on the Privacy & Information Security Law blog, Hunton & Williams welcomes Phyllis H. Marcus as counsel to the firm’s privacy and competition teams. Phyllis joins the firm from the Federal Trade Commission, where she held a number of leadership positions, most recently as Chief of Staff of the Division of Advertising Practices. Phyllis led the FTC’s children’s online privacy program, including bringing a number of enforcement actions and overhauling the Children’s Online Privacy Protection Act (“COPPA”) Rule. She offers the privacy team a keen ...

Time 1 Minute Read

As reported in the Privacy & Information Security Law blog, the Seventh Circuit rejected Neiman Marcus’ petition for a rehearing en banc of Remijas v. Neiman Marcus Group, LLC, No. 14-3122. In Remijas, a Seventh Circuit panel found that members of a putative class alleged sufficient facts to establish standing to sue Neiman Marcus following a 2013 data breach that resulted in hackers gaining access to customers’ credit and debit card information. No judge in regular active service requested a vote on the rehearing petition. Additionally, all members of the original panel voted ...

Time 1 Minute Read

As reported in the Privacy & Information Security Law blog, Judge Magnuson of the U.S. District Court for the District of Minnesota certified a Federal Rule of Civil Procedure 23(b)(3) class of financial services institutions claiming damages from Target Corporation’s 2013 data breach. The class consists of “all entities in the United States and its Territories that issued payment cards compromised in the payment card data breach that was publicly disclosed by Target on December 19, 2013.”

Time 1 Minute Read

As reported in the Privacy & Information Security blog, the U.S. District Court for the Central District of California recently granted, only in part, a motion to dismiss a data breach class action against Sony Pictures Entertainment, Inc. (“Sony”) in Corona v. Sony Pictures Entertainment, Inc. The case therefore will proceed with some of the claims intact.

Read the full post.

Time 1 Minute Read

On April 23, 2015, the Federal Trade Commission (FTC) announced that Nomi Technologies (Nomi) has agreed to settle charges stemming from allegations that the company misled consumers with respect to opting out of the company’s mobile-device tracking service at retail locations. The settlement marks the FTC’s first § 5 enforcement action against a retail tracking company.

Time 1 Minute Read

As reported on the Privacy & Information Security Law blog, the Federal Communications Commission announced a $25 million settlement with AT&T Services, Inc. (“AT&T”) stemming from allegations that AT&T failed to protect the confidentiality of consumers’ personal information, resulting in data breaches at AT&T call centers in Mexico, Colombia and the Philippines. The breaches, which took place over 168 days from November 2013 to April 2014, involved unauthorized access to customers’ names, full or partial Social Security numbers and certain protected ...

Time 1 Minute Read

As reported in the Privacy & Information Security Law blog, various technology companies, academics and trade associations filed amicus briefs in support of Microsoft’s attempts to resist a U.S. government search warrant seeking to compel it to disclose the contents of customer emails that are stored on servers in Ireland. On December 23, 2014, the Irish government also filed an amicus brief in the 2nd Circuit Court of Appeals.

Read the full post.

Time 1 Minute Read

As reported in the Privacy & Information Security Law blog, the Federal Trade Commission announced a settlement of at least $90 million with mobile phone carrier T-Mobile USA, Inc. (“T-Mobile”) stemming from allegations related to mobile cramming. This settlement amount will primarily be used to provide refunds to affected customers who were charged by T-Mobile for unauthorized third party charges. As part of the settlement, T-Mobile also will pay $18 million in fines and penalties to the attorneys general of all 50 states and the District of Columbia, and $4.5 million to the ...

Time 1 Minute Read

As reported in the Privacy & Information Security Law blog, rent-to-own retailer Aaron’s, Inc. (“Aaron’s”) entered into a $28.4 million settlement with the California Office of the California Attorney General related to charges that the company permitted its franchised stores to unlawfully monitor their customers’ leased laptops.

Read the full post.

Time 1 Minute Read

As reported in the Privacy & Information Security Law blog, a recent decision by the United States Court of Appeals for the Ninth Circuit reinforces the importance of obtaining affirmative user consent to website Terms of Use for website owners seeking to enforce those terms against consumers. In Nguyen v. Barnes & Noble Inc., the Ninth Circuit held that Barnes & Noble’s website Terms of Use (“Terms”) were not enforceable against a consumer because the website failed to provide sufficient notice of the Terms, despite having placed conspicuous hyperlinks to the Terms ...

Time 1 Minute Read

As reported in the Privacy & Information Security Law blog, the Federal Communications Commission announced that Verizon has agreed to pay $7.4 million to settle an FCC Enforcement Bureau investigation into Verizon’s use of personal information for marketing. The investigation revealed that Verizon had used customers’ personal information for marketing purposes over a multiyear period before notifying the customers of their right to opt out of such marketing.

Read the full post.

Time 2 Minute Read

On June 12, 2014, Connecticut Governor Dannel Malloy signed a bill into law that may require retailers to modify their existing Health Insurance Portability and Accountability Act (“HIPAA”) authorizations for pharmacy reward programs. The law, which will become effective on July 1, 2014, obligates retailers to provide consumers with a “plain language summary of the terms and conditions” of their pharmacy reward programs before the consumers may enroll. It also requires retailers to include specific content in their authorization forms that are required pursuant to ...
