Retail Exposure to Data Privacy Liability Is on the Rise in the U.S.: What Do Retailers Need to Know?

Check out highlights from AGG’s webinar featuring Julia Mehlman, assistant vice president, privacy counsel, for L’Oréal USA in conversation with AGG Litigation partner and Retail industry team member, David Marmins, and AGG Privacy & Cybersecurity attorneys Jackie Cooney and Erin Doyle.

“Working with clients, sometimes we hear: ‘We don’t collect personal data. We only have names and email addresses.’ As an initial matter, names and email addresses are personal data – and anything related to that person.”

– Jackie Cooney, AGG Privacy & Cybersecurity Practice

“Data privacy . . . is not something retailers have thought about as much as they should. Recently, I’ve had a run on privacy-related lawsuits. [Retailers] have not always had great defenses, because they simply were not aware of rules and regulations they may have to follow.”

– David Marmins, AGG Retail Industry Team

In response to rising retail exposure to data privacy liability, AGG offered a webinar discussing U.S. federal and state privacy laws regulating consumer personal information, including what counts as “personal data,” where personal data is collected in retail (retailers may think they’re not collecting personal data, but they probably are), how to know what laws apply, and how to tackle compliance. Below are just a few webinar highlights, but we recommend viewing the full webinar on-demand here.

What is personal data? It’s more than just personal identifying information.

  • Personal identifier information includes names, addresses, credit card numbers, and similar details.
  • Related personal data is also protected, and may include a customer’s website activities, IP address, opt-in/opt-out choices, household information, and loyalty program participation. Non-medical health information, such as wellness interests and preferences, is personal data.
  • Some jurisdictions also regulate employee personal data, such as salary, benefits, and education details.

In the retail environment, in-store associates should be trained on how to address privacy questions and how to properly handle customer information. Retail training materials should include scenarios such as loyalty program sign-up, responding to requests for information about the company’s privacy practices, and how to ensure that customers have an opportunity to review the company’s privacy policy on any in-store device used to collect personal information. It is also important for companies to remember that any in-store purchases, especially if associated with a loyalty program or consumer profile, should be treated as personal information.

– Julia Mehlman, L’Oréal USA

Where is personal data collected in retail?

  • Loyalty program sign-ups, whether in-store or online
  • Point-of-sale
  • In-store surveillance
  • Interactive in-store media, such as iPads
  • Online orders
  • Data collected by third parties on a retailer’s behalf, such as marketing partners
  • Data purchased from a data broker for digital ad targeting (e.g., foot traffic data)

How to know which data privacy laws apply to a retail business?

It’s a patchwork of federal and state laws. A multi-state retail brand will be touched by laws everywhere it operates, whether in-person or online. Multi-national brands are impacted by international data privacy laws as well.

  • U.S. federal data privacy regulation is not covered by a single law or agency but is scattered across a range of legislation. Ever heard of the Video Privacy Protection Act? This 1980s-vintage law prohibits sharing video-viewing data with a third party without the user’s consent. Other federal privacy laws include the CAN-SPAM law, the Federal Trade Commission Act, HIPAA, and the Fair Credit Reporting Act.
  • Keep an eye on state law in the states where you’re doing business, whether in-person or online. At least 18 states have passed comprehensive consumer privacy laws, and many other states have passed targeted data privacy laws, including legislation covering artificial intelligence, biometric data, and employee surveillance. All U.S. states have data breach notification laws.


Data privacy is a critical topic, and in today’s marketplace most retailers are operating in the personal data space. Do not hesitate to reach out to our AGG attorneys with questions about the webinar or data privacy in your business.


  • David Marmins, AGG Litigation Practice and Retail Industry Team, Moderator
  • Jackie Cooney, AGG Privacy & Cybersecurity Practice
  • Erin Doyle, AGG Privacy & Cybersecurity Practice
  • Julia Mehlman, assistant vice president, privacy counsel for L’Oréal USA