Hunton Retail Law Resource

We recently posted an article on Hunton’s Privacy & Information Security Law Blog on a newly issued federal district court opinion citing that New York City’s “Consumer Data Law” violated the First Amendment and the regulation of commercial speech.  A federal judge declared the municipal law requiring food-delivery companies to share customer data with restaurants unconstitutional.

On January 3, 2023, an Illinois state court entered a preliminary approval order for a settlement of nearly $300,000 in a class action lawsuit against Whole Foods for claims that the company violated the Illinois Biometric Information Privacy Act (“BIPA”). The plaintiffs alleged that Whole Foods unlawfully collected voiceprints from employees who worked at the company’s distribution centers.

On August 24, 2022, California Attorney General Rob Bonta announced the Office of the Attorney General’s (“OAG’s”) first settlement of a California Consumer Privacy Act (“CCPA”) enforcement action, against Sephora, Inc.

As reported on Hunton’s Privacy and Information Security Law blog, on June 28, 2018, the Governor of California signed AB 375, the California Consumer Privacy Act of 2018 (the “Act”). The Act introduces key privacy requirements for businesses, and was passed quickly by California lawmakers in an effort to remove a ballot initiative of the same name from the November 6, 2018, statewide ballot. We previously reported on the relevant ballot initiative. The Act will take effect January 1, 2020.

As reported on Hunton's Privacy and Information Security Law blog, the FTC has modified its 2017 settlement with Uber after learning of an additional breach that was not taken into consideration during its earlier negotiations with the company. The revised proposed agreement goes beyond the FTC’s original settlement mandating that Uber implement a comprehensive privacy program. The expanded FTC order would require Uber to address software design, development and testing; how the company reviews and responds to third-party security vulnerability reports; and prevention, detection and response to attacks, intrusions or systems failures. Uber also would be required to report to the FTC any episode where it has to notify any U.S. government entity about the unauthorized access of any consumer’s information.

On January 8, 2018, the FTC announced an agreement with electronic toy manufacturer, VTech Electronics Limited and its U.S. subsidiary, settling charges that VTech violated the Children’s Online Privacy Protection Act (“COPPA”) by collecting personal information from hundreds of thousands of children without providing direct notice or obtaining their parent’s consent, and failing to take reasonable steps to secure the data it collected. Under the agreement, VTech will (1) pay a $650,000 civil penalty; (2) implement a comprehensive data security program, subject to ...

On October 23, 2017, the Federal Trade Commission issued a policy enforcement statement providing additional guidance on the applicability of the Children’s Online Privacy Protection Rule (“COPPA Rule”) to the collection of children’s audio voice recordings. The FTC previously updated the COPPA Rule in 2013, adding voice recordings to the definition of personal information, which led to questions about how the COPPA Rule would be enforced against organizations who collect a child’s voice recording for the sole purpose of issuing a command or request.

On September 5, 2017, the FTC announced that Lenovo, Inc. (“Lenovo”) agreed to settle charges that its preloaded software on some laptop computers compromised online security protections in order to deliver advertisements to consumers. The settlement agreement (the “Settlement”) is between Lenovo, the FTC and 32 State Attorneys General. 

On August 15, 2017, the FTC announced that it had reached a settlement with Uber, Inc., over allegations that the ride-sharing company had made deceptive data privacy and security representations to its consumers. Under the terms of the settlement, Uber has agreed to implement a comprehensive privacy program and undergo regular, independent privacy audits for the next 20 years.

In a video roundtable series, Hunton & Williams LLP partners Lisa J. Sotto and Steven M. Haas and special counsel Allen C. Goolsby, along with Stroz Friedberg’s co-president Eric M. Friedberg and Lee Pacchia of Mimesis Law, discuss the special consideration that should be given to privacy and cybersecurity risks in corporate transactions.

As reported on Hunton's Privacy and Information Security Law blog, on July 21, 2017, New Jersey Governor Chris Christie signed a bill that places new restrictions on the collection and use of personal information by retail establishments for certain purposes. The statute, which is called the Personal Information and Privacy Protection Act, permits retail establishments in New Jersey to scan a person’s driver’s license or other state-issued identification card only for the following eight purposes:

This past week, several consumer protection actions made headlines that affect the retail industry.

As reported on Hunton's Privacy and Information Security Law blog, on June 21, 2017, the Federal Trade Commission updated its guidance, Six-Step Compliance Plan for Your Business, for complying with the Children’s Online Privacy Protection Act (“COPPA”). The FTC enforces the COPPA Rule, which sets requirements regarding children’s privacy and safety online. The updated guidance adds new information on situations where COPPA applies and steps to take for compliance.

On June 1, 2017, the new Cybersecurity Law went into effect in China. This post takes stock of (1) which measures have been passed so far, (2) which ones go into effect on June 1 and (3) which ones are in progress but have yet to be promulgated.

On May 23, 2017, various Attorneys General of 47 states and the District of Columbia announced that they had reached an $18.5 million settlement with Target regarding the states’ investigation of the company’s 2013 data breach. This represents the largest multi-state data breach settlement achieved to date. 

On May 12, 2017, a massive ransomware attack began affecting tens of thousands of computer systems in over 100 countries. The ransomware, known as “WannaCry,” leverages a Windows vulnerability and encrypts files on infected systems and demands payment for their release. If payment is not received within a specified time frame, the ransomware automatically deletes the files. A wide range of industries have been impacted by the attack, including retailers and other businesses, hospitals, utilities and government entities around the world.

On April 18, 2017, the state of Washington passed House Bill 1493 (“HB 1493”), which sets forth requirements for businesses who collect and use biometric identifiers for commercial purposes. Under HB 1493, a biometric identifier includes a fingerprint, voiceprint, retina, iris or other unique biological pattern or characteristic used to identify a specific individual. Commercial use includes “a purpose in furtherance of the sale or disclosure to a third party for the purpose of marketing of goods or services when such goods or services are unrelated to the initial transaction in which a person first gains possession of an individual’s biometric identifier.” This bill comes after several other states have passed similar legislation regulating the commercial use of biometric identifiers, including the Illinois Biometric Information Privacy Act (740 ILCS 14) (“BIPA”) and the Texas Statute on the Capture or Use of Biometric Identifier (Tex. Bus. & Com. Code Ann. §503.001). 

As posted on the Hunton Privacy and Information Security Law blog, recently, Virginia passed an amendment to its data breach notification law that adds state income tax information to the types of data that require notification to the Virginia Office of the Attorney General in the event of unauthorized access and acquisition of such data. Under the amended law, an employer or payroll service provider must notify the Virginia Office of the Attorney General after the discovery or notification of unauthorized access and acquisition of unencrypted and unredacted computerized data containing a Virginia resident’s taxpayer identification number in combination with the income tax withheld for that taxpayer.

On March 14, 2017, the Consumer Review Fairness Act of 2016 (the “Fairness Act”) will come into effect, 90 days after it was signed into law by President Obama. The Fairness Act voids any provision in a form contract between a consumer and a business that (1) restricts the consumer’s ability to leave reviews, (2) imposes penalties for leaving negative reviews or (3) transfers intellectual property rights in reviews or feedback content from the consumer to the business. The Fairness Act was passed in response to an increase in the use of so-called “non-disparagement clauses” that prohibited consumers from sharing their honest opinions about a seller’s goods, services or conduct.

On March 17, 2017, retailer Neiman Marcus agreed to pay $1.6 million as part of a proposed settlement (the “Settlement”) to a consumer class action lawsuit stemming from a 2013 data breach that allegedly compromised the credit card data of approximately 350,000 customers.

On April 5, 2017, Hunton & Williams LLP and Stroz Friedberg will host a webinar on managing privacy and data security risks before, during and after an M&A transaction. Join Lisa J. Sotto, partner and chair of Global Privacy and Cybersecurity at Hunton & Williams; Rocco Grillo, Cyber Resilience Global Leader from Stroz Friedberg; and Keith O’Sullivan, CISO from Time Inc., for a discussion on how to prepare for and understand privacy and data security challenges in the context of corporate transactions.

On March 9, 2017, Home Depot Inc. (“Home Depot”) reached an agreement that includes the payment of $25 million and the implementation of new data security measures to resolve a putative class action brought by financial institutions impacted by the company’s 2014 data breach.

Hunton & Williams LLP announces the formation of a cross-disciplinary legal team dedicated to guiding companies through the minefield of regulatory and cyber-related risks associated with high-stakes corporate mergers and acquisitions. 

The Standing Committee of the National People’s Congress of China enacted a new Cybersecurity Law in November 2016. The final Cybersecurity Law will apply to many multinational companies starting June 1, 2017.

Providers of technology products and services are consistently innovating to grow their offerings to retailers. These new products and services present significant opportunity for retailers to more effectively reach customers, generate sales and grow revenue. But while these new offerings present a great tool to grow sales in this challenging market, they also can present significant cybersecurity risks.

As reported on the Hunton Privacy and Information Security Law blog, on February 6, 2017, the FTC announced that it has agreed to settle charges that VIZIO, Inc., installed software on about 11 million consumer televisions to collect viewing data without consumers’ knowledge or consent. The stipulated federal court order requires VIZIO to pay $2.2 million to the FTC and New Jersey Division of Consumer Affairs. 

As reported on the Privacy and Information Security Law blog, on January 23, 2017, the FTC released a Staff Report (the “Report”) on cross-device tracking technology that can link multiple Internet-connected devices to the same person and track that person’s activity across those devices. The Report follows a November 2015 workshop on the same subject and is based on information and comments gathered during that workshop.

As the retail industry continues to invest in and leverage new automation technologies to meet organizational efficiency and cost reduction goals, a growing number of retailers are looking to robots, or more specifically, service delivery automation or robotic process automation (“RPA”), as a solution. What is RPA? In the abstract, RPA is the substitution of human workers with automation. In the real world, according to the Institute for Robotic Process Automation, that translates to software robots that capture and interpret data from existing applications to process transactions, manipulate data, trigger responses and communicate with other digital systems. RPA doesn’t mean that robots will soon be sitting in a cubicle in accounting...at least not yet.

This past week, the FTC and DOJ issued an 11-page guidance document (the “Guidance”) aimed at protecting employees against anticompetitive conduct with respect to naked wage-fixing and agreements, in which companies agree on salary or other terms of compensation, and anti-poaching agreements, in which companies agree not to recruit each other’s employees. The Guidance for human resource (“HR”) professionals and hiring managers relates to both hiring and compensation decisions.

As reported on the Privacy & Information Security Law blog, on September 15, 2016, the New Jersey Senate unanimously approved a bill that seeks to limit retailers’ ability to collect and use personal data contained on consumers’ driver and non-driver identification cards. The bill, known as the Personal Information and Privacy Protection Act, must now be approved by the New Jersey Assembly.