As technological innovations in e-commerce continue to explode, retailers are increasingly utilizing customer data to personalize customer experiences, prevent fraud, improve their services, and make money through third-party sales. A wide array of new data analytics tools allow retailers to study a vast array of information ranging from users’ order history to their exact mouse movements to better understand their customer base.

With any new business strategy comes risk, and plaintiffs’ attorneys are seeking huge damages awards by using a number of novel theories to attack companies’ data practices. On top of that, legislators are (at times, very slowly) responding to concerns about how businesses use personal information by proposing new consumer privacy laws that limit the collection and sale of personal information. Here is Part I of a two-part look at some of the most prominent trends in privacy litigation, highlighting the issues that companies should consider in order to avoid finding themselves on the receiving end of similar cases.

Right of Publicity Laws & the Sale of Customer Data

These statutes have traditionally been invoked by celebrities and other public figures whose names or other elements of their likenesses have been appropriated to falsely suggest that they endorse a product or brand. In these recent lawsuits, however, plaintiffs are alleging that retailers, publishers, and credit card companies, alike, have violated their “right of publicity” merely by including their names or other identifying information on mailing lists that were privately sold or rented to third parties.

Nearly all of these recent right of publicity lawsuits have been filed under the publicity laws of Illinois, California, Ohio, and South Dakota, and a look at the statutes’ damages provisions may help explain why: each provides for significant statutory penalties (i.e., those that can be awarded regardless of the damage suffered by plaintiffs). Most of the suits have been filed in the state where the defendant is based, and in many cases, the plaintiffs’ firms have filed several suits at once in the same court, each on behalf of a different plaintiff from a different state. And to date, nine of these suits have been filed against retailers, and more could be on the way.

The new publicity cases are still in the earliest stages, and forthcoming developments could have significant implications for retailers’ customer list sharing practices. A pivotal question is whether the right to publicity even applies when the information at issue is privately sold (i.e., without any publicity), and is not being used to advertise a separate product (rather, the customer information is the product being sold). Case law involving similar claims indicates that judges may be skeptical of attempts like these to stretch the scope of the right to publicity to the data privacy realm. However, if some of these cases can survive motions to dismiss, retailers who use third-party data services will be at constant risk of expensive litigation.

Retail Equation Litigation Continues

A separate series of suits has targeted well over a dozen retailers for using software produced by The Retail Equation (“TRE”), which, according to its website, “uses statistical modeling and analytics to detect fraudulent and abusive behavior when returns are processed at retailers’ return counters.” The plaintiffs in these suits generally allege that the retailers invaded their privacy and violated the federal Fair Credit Reporting Act (“FCRA”) and state privacy and/or consumer protection laws by sharing such data with TRE, as well as by blocking them from returning items based on erroneous results from TRE’s software. The plaintiffs in these suits seek to represent broad nationwide classes of other individuals whose information was transmitted by a retailer defendant to TRE.

The first of these suits, Hayden v. Retail Equation, Inc., was filed in July 2020 against TRE and retailer Sephora, alleging that by sharing customer information with TRE, Sephora violated right to privacy laws, California’s Unfair Competition Law, unconscionability, the Fair Credit Reporting Act, and also committed defamation. In August 2020, the First Amended Complaint added claims against TRE’s parent company Appriss and thirteen additional retailers, such as Victoria’s Secret owner L Brands, Inc., Gap, Inc., and TJX Companies, among others.

TRE filed a subsequently-granted motion to dismiss, in connection with which the court found that the plaintiffs had not alleged any invasion of privacy. In granting the motion, the court explained that “although personal identification information collected by retailers at the point of sale may be subject to consumers’ privacy interests,” the plaintiffs “fail[ed] to state a claim for violation of privacy.” According to the court, “The amended complaint is simply too vague,” and while the plaintiffs allege that the “retailer defendants collect large amounts of data about their consumers and share the collected data with TRE without the consumers’ consent, [they do] not specify what kind of data is collected.”

California Consumer Privacy Act

It has now been two years since the California Consumer Privacy Act (“CCPA”) took effect on January 1, 2020, and a year and a half since state enforcement began on July1, 2020. While more than 170 CCPA claims have been filed to date, only a handful of those data privacy actions have targeted retailers, and we are only aware of one decision in any cases involving retailers. In Gardiner v. Walmart, Inc., the court held twice last year that the CCPA is not retroactive, and that a plaintiff cannot state a claim based on alleged violations that took place before January 1, 2020 regardless of whether the plaintiff allegedly suffered harm from the violation after the statute took effect.

Courts are continuing to determine what conduct falls within the CCPA’s narrow private right of action, which applies only when a statutorily-defined subset of a California resident’s “non-encrypted and non-redacted” personal information “is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable and appropriate security procedures and practices.”

In the retail context, Hayden v. The Retail Equation could shed light on this issue. There, the plaintiffs allege that the retailer defendants’ practice of sharing customer return information with TRE violated the CCPA because it constituted “unauthorized access” and disclosure of personal information. The retailer defendants moved to dismiss the CCPA claim, arguing that the CCPA does not apply when retailers authorize the disclosure of information, because that precludes it from being a data breach.  The plaintiffs in Hayden withdrew their CCPA claims before the retailers’ first motion to dismiss was decided, but later included the identical CCPA argument in their amended complaint. The retail defendants moved to dismiss again in September 2021 (and briefing completed in November).