U.S. Privacy and Data Security Developments: Impact on Retailers

The privacy and data security landscape is rapidly evolving in the U.S. and abroad. The emergence of new technologies and new media for collecting, using, and sharing personal information collected from consumers, and new thinking about privacy best practices, affects a range of businesses. Retailers, however, including food retailers, have been a special target for privacy litigation recently. This summary highlights just a few of the recent developments in this area of special interest to retailers.

1.  White House Privacy Report: The White House issued a consumer data privacy report in February that builds on a 2010 Department of Commerce Paper. The core concepts in the report are a "Consumer Privacy Bill of Rights" and a multi-stakeholder approach to develop and implement industry-specific codes of conduct that would be enforceable by the Federal Trade Commission (FTC). The White House report also calls for comprehensive legislation to apply the Consumer Privacy Bill of Rights to sectors not subject to existing laws, as well as a national security breach notification law.

The National Telecommunications and Information Administration (NTIA) is taking the lead on the development of enforceable codes of conduct, and recently issued a request for comment on aspects of that approach. NTIA plans to hold a stakeholder meeting on July 12 to discuss mobile apps. With growing use of mobile apps for many different types of retail operations, this initiative should be of particular interest to the industry.

2.  FTC Privacy Report: In March, the FTC issued its own privacy report, which builds on a 2010 FTC staff report. The FTC advocates the "Privacy by Design" concept for building privacy into new technologies, simplified consumer choice about data practices, and improved transparency in privacy notices. The FTC has called for baseline federal privacy legislation and data security/data breach legislation.

3.  FTC Privacy Enforcement: A recent settlement between the FTC and Rock-You suggests that the FTC now believes that the transmission and storage of e-mail addresses, user names and passwords (not traditionally deemed "sensitive") should be encrypted. The FTC also recently settled a complaint against Myspace alleging that Myspace misrepresented how it protects its users' personally identifiable information (PII). Myspace's privacy policy had stated that it would not share PII, or use such information in a way inconsistent with the purposes for which it was submitted, without prior notice and consent. However, Myspace assigned a persistent unique identifier- a "Friend ID"- to each user's profile, and shared the Friend IDs of users who viewed particular pages on the site with advertisers. The FTC's concern was that advertisers could use the Friend ID to locate a user's Myspace profile, obtain PII, and combine PII with additional information to link broader web-browsing activity to a specific individual. Broader implications of these actions for managing user information have to be considered.

4.  Mobile App and Mobile Phone Privacy and Consumer Protection: The FTC recently held a workshop on mobile payments and plans and another on advertising disclosures in the mobile space. FTC may be preparing updated guidance in these areas. Also, the California Attorney General recently reached an agreement with the major app platform providers on mobile privacy disclosures. In the mobile payments area, the Payment Card Industry (PCI) Council issued guidance for merchants using smart phones or tablets to accept payments from customers. The guidance, At a Glance: Mobile Payment Acceptance Security, urges merchants to secure account data at the point of capture using validated point-to-point encryption (P2PE) solutions to maintain data security throughout the payment lifecycle. A validated P2PE solution ensures that cardholder data is encrypted before it enters the mobile payment acceptance device, according to the FTC. The evolving security landscape may pose special challenges to retail operations.

5.  Data Breach Litigation: Several companies, including Sony and Epsilon, experienced major data breaches last year that got attention from regulators and spurred class action lawsuits. Earlier this year, the online retailer Zappos experienced an attack on its servers. It was reported that up to 24 million customer names, e-mail addresses, billing and shipping addresses, phone numbers, last four digits of credit card numbers, and scrambled passwords may have been unlawfully accessed although the company stated that credit card and other payment data was not accessed. Nevertheless, Zappos reset customer passwords and urged customers who were using common user names and passwords at other websites to change them. A putative class action was filed against Zappos' parent company, Amazon.com, just days after the incident was disclosed. Also, nine state attorneys general sent a letter to the company seeking detailed information about the breach and the company's policies for storing sensitive data.

There is currently no federal data breach law with preemptive effect, but all but a few states have data breach notification laws that are triggered when "personal information" (as defined in the laws) of residents is unlawfully accessed or acquired. Varying requirements in the laws can make compliance a challenge for national retailers that experience a data breach involving "personal information" of residents in several different states. California recently updated its law to require notification to the State Attorney General if a breach affects more than 500 residents. In addition, the California Office of Privacy Protection recently updated its data breach notification guide, and the Illinois Attorney General recently released its own security breach guide.

6.  Social Media Litigation: Facebook has agreed to settle a lawsuit involving its Sponsored Stories advertising feature by paying $10 million to charity. The Sponsored Stories feature involves the use of the name and photograph of individuals who "like" a company's Facebook page in an ad that is displayed to the individual's Facebook friends to encourage them to also "like" the company's page. The lawsuit, Fraley v. Facebook, Case No. 11-CV-01726 (N.D. Cal., filed March 11, 2011), claimed that Facebook did not adequately provide a way for users to opt-out of the Sponsored Stories feature, and that the feature misappropriated the names, photographs, likenesses, and identities of users for use in paid ads without their consent. The Fraley lawsuit suggests a need for advertisers to check their agreements with social media services to confirm the parties' respective obligations and liabilities and also review the programs to make sure that they comply with applicable federal and state privacy laws. The Fraley settlement is similar to a 2010 settlement with Facebook for $9.5 million that involved its Beacon program. Through the Beacon program, Facebook monitored and published user activity at Blockbuster, Overstock.com and other online retailers without users' permission.

7.  Employee Social Media Legislation: Legislation protecting employee privacy in social media continues to gain favor among the states. Maryland was the first state to prohibit employers from requesting or requiring employees or applicants to disclose log-in information for social networking sites and other personal accounts online. Similar bills have been introduced in California, Illinois, Massachusetts, Michigan, Minnesota, and New York, and are expected to be introduced in Colorado and New Jersey. In April, Rep. Eliot Engel (D-NY) introduced in the House of Representative the "Social Networking Online Protection Act" (H.R. 5050), that would prohibit employers and schools from requiring that employees, job applicants, and students provide their user names and passwords for social networking sites. As major employers, retailers should monitor these initiatives closely.

8.  California Song-Beverly Act Litigation: California's Song-Beverly Act bars retailers from requiring that customers submit a zip code when making a purchase. Several lawsuits alleging violations of the Act have been brought against retailers recently, including Bed, Bath & Beyond, General Nutrition Corporation, and Lowe's. An effort to revise the law failed (except that gas station owners have been excluded from the requirement). However, the CA Supreme Court is considering whether the Act applies to online retailers.

9.  California Supermarket Club Card Disclosure Act Litigation: It was recently reported that a Ralphs Grocery Co. customer filed a putative class action in California state court alleging that the chain shared personal information that he provided in connection with Ralphs rewards card program, in violation of California's Supermarket Club Card Disclosure Act and Unfair Business Practices Act. Ralphs allegedly shared the customer's personal information with its parent company, Kroger, as well as two unaffiliated business entities that provide data mining and data processing services. The Supermarket Club Card Disclosure Act prohibits selling or sharing rewards card information except for purposes of mailing card information to rewards card members; a violation of the Act constitutes an unfair business practice. A similar law, California's "Shine the Light" Act, requires disclosure of sharing, but does not prohibit it. It is customary for consumer data to be shared with parents or affiliates, and with business partners in some circumstances. In fact, many types of data processing and evaluations, including web or app analytics, are routinely handled by third parties. Thus, state laws and litigation bear watching, and are part of a broader trend of increased regulation and litigation involving privacy, data security and advertising across the country.

Keller and Heckman's Privacy, Data Security and Digital Media group assist clients with promoting their brands and generating revenues using digital media, as well as with advocating a sensible legal framework governing privacy, data security and digital commerce to policymakers around the world. Our work includes public policy advocacy, counseling, assisting with transactions, and defending businesses facing enforcement and litigation actions. For more information, please contact Keller and Heckman partners Sheila A. Millar (millar@khlaw.com; +1 202.434.4143), Tracy P. Marshall (marshall@khlaw.com; +1 202.434.4234) or Douglas J. Behr (behr@khlaw.com; +1 202.434.4213).