As we put another year to rest and forge into 2019, it is helpful to look back at the biggest retail developments in 2018. Notably, almost all relate to online retail, heavily focusing on privacy. We saw the deployment of GDPR, the introduction of the California Consumer Privacy Act, and a flurry of class actions under California's "Shine the Light" law.
On the non-privacy front, the Supreme Court clarified that tax laws require retailers to collect taxes in states where they have no physical presence. In California, new legislation was enacted for both automatic renewal programs and chatbots, and new online disclosure requirements took effect for Proposition 65. The plaintiff's bar continued aggressively pursuing class actions over website accessibility, while a new decision by the New Jersey Supreme Court put a nail in the coffin of no-injury TCCWNA claims. Finally, the FTC has indicated a looming crackdown on social media endorsements.
2018 was a big year, and there remains a lot to keep up with. These issues will undoubtedly continue to evolve and impact retailers in the year ahead. Steptoe's Retail & E-Commerce Group is your resource to stay updated on these and other business-critical issues impacting the retail industry. This article provides a quick review of the most significant developments of the past year, along with links to more in-depth articles for a more thorough review.
The General Data Protection Regulation (GDPR) took effect May 25, 2018. The GDPR applies to the processing of personal data (information relating to an identified or identifiable natural person); processing includes the collection, recording, storage and structuring of that data or other operations performed with respect to it.
On June 28, 2018, California passed the California Consumer Privacy Act (CCPA), which was amended September 23, 2018, will go into effect January 1, 2020, and which the Attorney General can begin actively enforcing on July 1, 2020. Broadly speaking, the CCPA has three facets: a consumer-facing side, a business-facing side, and breach-and-cure provisions. First, like the GDPR, the CCPA creates a number of consumer rights to control how personally identifiable information (PII) is disseminated. Consumers will have the right to know what information is collected, how it is used, who it is shared with, and how third parties use it. Consumers will also have the right to ask retailers to stop sharing their information, or to delete it altogether. Second, the CCPA requires retailers to set up systems for responding to consumer requests, generally within 45 days, about their information. Perhaps the most important component of the CCPA is that retailers need to track everything they do with a customer's information for at least 12 months after receiving it. Finally, the CCPA imposes statutory penalties that range up to $7,500 per incident per consumer.
Shine the Light
In the summer of 2018, numerous retailers were sued under California's "Shine the Light" law (Civil Code § 1798.83). The Shine the Light law applies to most companies that, during the last year, "disclosed" the "personal information" of "customers" to a "third party" that the company knows or has reason to know used that information for "direct marketing purposes." These suits were brought pursuant to the law’s accounting requirement, which mandates that companies disclose, upon request, the names and addresses of third parties with whom personal information was shared, as well as a list of all categories of personal information provided. If the customer's request is made through the designated channels, the company must provide a response within 30 days.
Learn more: "New 'Shine The Light' Suits Highlight Privacy Issues"
On June 21, 2018, a divided US Supreme Court issued its highly anticipated opinion in South Dakota v. Wayfair, Inc., upholding a South Dakota law imposing sales tax collection obligations on retailers with an economic presence in the state. The opinion overturns the decades-old rule enunciated in Quill Corp. v. North Dakota (Quill) and National Bellas Hess, Inc. v. Dep’t of Revenue of Ill. (National Bellas Hess), which required an in-state physical presence before a state could impose such obligations. The case fundamentally alters the tax landscape for retailers making sales in multiple jurisdictions.
Automatic Renewal Law
On July 1, 2018, changes to California's Automatic Renewal Law took effect, requiring retailers who allow consumers to sign up for a program online to provide a means to cancel their enrollment online. This means that vendors will not be able to require customers who sign up online to cancel via phone or mail. The updated California law also imposes new requirements on retailers who provide automatic renewal offers that include a free trial or gift, or short-term promotional or discounted prices. Under the new requirements, the initial offer should clearly and conspicuously state when and how consumers can cancel before being charged the normal price and how much they will be charged after the promotional rate expires.
Learn more: "Auto-Renewal Cases: They Just Keep Coming"
On September 28, 2018, (then) California Gov. Jerry Brown signed into law first-of-its-kind legislation restricting the use of "bots" – defined as an "automated online account where all or substantially all of the actions or posts of that account are not the result of a person" – where a consumer cannot tell that a website or social media platform is using bot technology, as opposed to a live person, to interact with the consumer. The new law takes effect July 1, 2019 and makes it unlawful "for any person to use a bot to communicate or interact with another person in California online, with the intent to mislead the other person about its artificial identity for the purpose of knowingly deceiving the person about the content of the communication in order to incentivize a purchase or sale of goods or services in a commercial transaction or to influence a vote in an election."
Learn more: "No Bots About It: California's Crackdown On Chatbots"
New Proposition 65 Warning Requirements for Online Sales
Historically, for Internet product purchases, a company had the option to either post a generic Prop 65 warning at the bottom of its webpage or provide a Prop 65 label on the product. Now, with changes to Prop 65 regulations that went into effect in August 2018, in addition to an on-product warning, products sold over the Internet must have an online warning that is "closely associated" with the product being purchased. The consumer must be able to see the online warning prior to purchase, and the warning must be prominently displayed so that the customer does not have to search for it. The online warnings must either be: 1) placed on the product's display page; 2) given via a clearly marked hyperlink using the word "WARNING" on the product page; or 3) otherwise displayed to the consumer and "closely associated" with the product prior to purchase – for example, having the word "Warning" appear during the checkout process, but prior to completion of the order, once the shopper enters a California ZIP code.
Over the last few years, thousands of lawsuits have been filed by seeing-disabled plaintiffs based on the premise that by failing to make websites accessible to blind or deaf visitors, the websites violate Title III of the ADA. The ADA imposes upon "places of public accommodation" an obligation to "furnish appropriate auxiliary aids and services where necessary to ensure effective communication with individuals with disabilities." Although these lawsuits have been filed across the country, the vast majority have been filed in New York, California, Florida, and Pennsylvania under the ADA and corresponding state laws. While the majority of these suits have been filed by consumers who allegedly were unable to shop on a retailer's website, suits have more recently been filed concerning online employment applications, or mobile apps. Despite repeatedly reiterating its intent to provide clear standards for compliance, the Department of Justice has yet to deliver bright line guidance, leaving retailers vulnerable to repeated claims over allegations of "noncompliant" websites and apps.
Before this past year, the other popular "gotcha" lawsuit targeting many retailers was brought pursuant to New Jersey's Truth-in-Consumer Contract, Warranty and Notice Act (TCCWNA), which prohibits including terms in consumer contracts that could be applied in a way that violates a "clearly established legal right." Most of these suits were directed at retailers' online terms and conditions; although the plaintiffs often did not even claim to have seen or relied on the allegedly prohibited terms, they argued that the mere presence of the terms entitled them to damages under the TCCWNA. On April 16, 2018, after a year of deliberating, the New Jersey Supreme Court ruled that in order to be an "aggrieved consumer" entitled to penalties under the statute ($100 per violation), a consumer must have suffered an actual injury caused by the alleged violation. Since the Supreme Court’s decisions, TCCWNA litigation has all but dissipated.
Over the last three years, the Federal Trade Commission (FTC) has repeatedly identified sponsored social media endorsements as a high-priority issue. It has issued and updated detailed guidance for how to disclose sponsored content. And, if that were not a clear enough signal, in April 2017, the FTC sent letters to 91 brands and influencers (people paid to endorse products on their social media profiles and elsewhere), educating them of their need to disclose sponsored content. In September 2017, the FTC sent a follow-up warning letter to 21 of the same recipients, citing specific social media posts that appeared to endorse a brand but failed to clearly and conspicuously disclose a material connection between the brand and the influencer. Although the FTC has not taken any public action in this area recently, retailers should not assume it has moved on to other issues. Rather, businesses should make sure that their sponsored social media practices comply with the FTC's guidance – or risk becoming its next target.