
As technological innovations in e-commerce continue to explode, retailers are increasingly utilizing customer data to personalize customer experiences, prevent fraud, improve their services, and make money through third-party sales. A wide array of new data analytics tools allow retailers to study a vast array of information, ranging from users’ order history to their exact mouse movements, to better understand their customer base. With any new business strategy comes risk, and plaintiffs’ attorneys are seeking huge damages awards by using a number of novel data privacy theories to attack companies’ practices.

On top of that, legislators are (at times, very slowly) responding to concerns about how businesses use personal information by proposing new consumer data privacy laws that limit the collection and sale of personal information. Here is Part I of a two-part look at some of the most prominent trends in data privacy litigation, highlighting the issues that companies should consider in order to avoid finding themselves on the receiving end of similar cases.

Right of Publicity Laws & the Sale of Customer Data

While retailers have long had to face privacy lawsuits under a variety of different laws, a deluge of new cases (nearly 40 filed since October 2021) is taking a new approach by claiming that the sale of customer information violates right of publicity laws. Existing in similar forms in many states (both in statutory and common law form), right of publicity laws prohibit the unauthorized use of a person’s identifying information for commercial gain.

These statutes have traditionally been invoked by celebrities and other public figures whose names or other elements of their likenesses have been appropriated to falsely suggest that they endorse a product or brand. In these recent lawsuits, however, plaintiffs are alleging that retailers, publishers, and credit card companies, alike, have violated their “right of publicity” merely by including their names or other identifying information on mailing lists that were privately sold or rented to third parties.

Nearly all of these recent right of publicity lawsuits have been filed under the publicity laws of Illinois, California, Ohio, and South Dakota, and a look at the statutes’ damages provisions may help explain why: each provides for significant statutory penalties (i.e., those that can be awarded regardless of the damage suffered by plaintiffs). Most of the suits have been filed in the state where the defendant is based, and in many cases, the plaintiffs’ firms have filed several suits at once in the same court, each on behalf of a different plaintiff from a different state. And to date, nine of these suits have been filed against retailers, and more could be on the way. 

The new publicity cases are still in the earliest stages, and forthcoming developments could have significant implications for retailers’ customer list sharing practices. A pivotal question is whether the right to publicity even applies when the information at issue is privately sold (i.e., without any publicity), and is not being used to advertise a separate product (rather, the customer information is the product being sold). Case law involving similar claims indicates that judges may be skeptical of attempts like these to stretch the scope of the right to publicity to the data privacy realm. However, if some of these cases can survive motions to dismiss, retailers who use third-party data services will be at constant risk of expensive litigation.

Data Privacy Litigation Continues

A separate series of suits has targeted well over a dozen retailers for using software produced by The Retail Equation (“TRE”), which, according to its website, “uses statistical modeling and analytics to detect fraudulent and abusive behavior when returns are processed at retailers’ return counters.” The plaintiffs in these suits generally allege that the retailers invaded their privacy and violated the federal Fair Credit Reporting Act (“FCRA”) and state privacy and/or consumer protection laws by sharing such data with TRE, as well as by blocking them from returning items based on erroneous results from TRE’s software. The plaintiffs in these suits seek to represent broad nationwide classes of other individuals whose information was transmitted by a retailer defendant to TRE.

The first of these suits, Hayden v. Retail Equation, Inc., was filed in July 2020 against TRE and retailer Sephora, alleging that by sharing customer information with TRE, Sephora violated right to privacy laws, California’s Unfair Competition Law, unconscionability, the Fair Credit Reporting Act, and also committed defamation. In August 2020, the First Amended Complaint added claims against TRE’s parent company Appriss and thirteen additional retailers, such as Victoria’s Secret owner L Brands, Inc., Gap, Inc., and TJX Companies, among others.

TRE filed a subsequently-granted motion to dismiss, in connection with which the court found that the plaintiffs had not alleged any invasion of privacy. In granting the motion, the court explained that “although personal identification information collected by retailers at the point of sale may be subject to consumers’ privacy interests,” the plaintiffs “fail[ed] to state a claim for violation of privacy.” According to the court, “The amended complaint is simply too vague,” and while the plaintiffs allege that the “retailer defendants collect large amounts of data about their consumers and share the collected data with TRE without the consumers’ consent, [they do] not specify what kind of data is collected.” 

The Court also dismissed the plaintiffs’ FCRA claim based on its finding that TRE is not a consumer reporting agency.

In July 2021, the plaintiffs in Hayden filed a second amended complaint, but this time only against TRE, Appriss, and the eight retailers for whom there were California plaintiffs. (Again, this included Victoria’s Secret owner L Brands, Inc., Gap, Inc., and TJX Companies, as well as Sephora.) The second amended complaint includes claims for invasion of privacy and unjust enrichment, and violations of California’s Unfair Competition Law, the federal Fair Credit Reporting Act, and the California Consumer Privacy Act. In August, the claims against several of the retailer defendants were voluntarily dismissed, and then in September and October, many of the Hayden defendants filed motions to dismiss and/or motions to compel arbitration.

Those motions were set for hearing on December 10, 2021, but have been continued due to a judicial reassignment.

California Consumer Privacy Act

It has now been two years since the California Consumer Privacy Act (“CCPA”) took effect on January 1, 2020, and a year and a half since state enforcement began on July 1, 2020. While more than 170 CCPA claims have been filed to date, only a handful of those data privacy actions have targeted retailers, and we are only aware of one decision in any case involving retailers. In Gardiner v. Walmart, Inc., the court held twice last year that the CCPA is not retroactive, and that a plaintiff cannot state a claim based on alleged violations that took place before January 1, 2020, regardless of whether the plaintiff allegedly suffered harm from the violation after the statute took effect.

Courts are continuing to determine what conduct falls within the CCPA’s narrow private right of action, which applies only when a statutorily-defined subset of a California resident’s “non-encrypted and non-redacted” personal information “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable and appropriate security procedures and practices.” 

In the retail context, Hayden v. The Retail Equation could shed light on this issue. There, the plaintiffs allege that the retailer defendants’ practice of sharing customer return information with TRE violated the CCPA because it constituted “unauthorized access” and disclosure of personal information. The retailer defendants moved to dismiss the CCPA claim, arguing that the CCPA does not apply when retailers authorize the disclosure of information, because that precludes it from being a data breach. The plaintiffs in Hayden withdrew their CCPA claims before the retailers’ first motion to dismiss was decided, but later included the identical CCPA argument in their amended complaint. The retail defendants moved to dismiss again in September 2021 (and briefing completed in November).

Although the CCPA’s private right of action is limited, the Attorney General’s office has the ability to sue for any violation of the statute, but only after providing the company with 30 days to cure the alleged noncompliance. The AG’s office has released a list of “illustrative examples of situations in which it sent a notice of alleged noncompliance,” many of which involve retailers. For example:

Grocery Chain: Required consumers to provide personal information in exchange for participation in its company loyalty programs, without providing the required Notice of Financial Incentive.

Consumer Electronics Manufacturer and Retailer: Used third-party online trackers on its retail website, which shared data with advertisers about consumers’ online shopping, without imposing the requisite service provider contractual relationship on these third parties.

Online Clothing Retailer: Failed to provide notice of the required CCPA consumer rights, including the right to know, delete, and to not be discriminated against; did not inform consumers of how to submit requests to know and delete; and did not explicitly state whether it had sold personal information or transferred personal information for a business purpose in the past 12 months.

Car Dealership: Collected information from consumers who test drove vehicles at the business, without providing a notice at collection. Its privacy policy was also deficient in a number of respects.

All of the above businesses reportedly took steps to achieve CCPA compliance within the 30-day statutory cure period, and the Attorney General has not announced any data privacy-related fines to date.

A new, more aggressive iteration of CCPA, the California Privacy Rights Act, will take effect in 2023, and could usher in a new wave of private and public enforcement suits. 

Stephanie Sheridan is a partner at Steptoe & Johnson LLP, and the chair of the firm’s Retail Practice Group. Meegan Brooks and Surya Kundu are associates at Steptoe & Johnson LLP.