Privacy and consumer protection enforcement actions against retail companies.
Total Actions: 30
Total Fines: $214.5M
The FTC and 11 states settled with Walmart for $100 million over deceptive earnings claims in its Spark Driver gig worker app, where drivers were misled about base pay, tips, and incentives. The settlement also addressed GLBA violations for failing to provide proper notice regarding the handling of drivers' financial information. Walmart must implement an earnings verification program and is banned from misrepresenting driver earnings.
$100.0M
Texas Attorney General Ken Paxton filed a lawsuit against Shein US Services LLC for selling toxic products and exposing consumers' personal data to the Chinese Communist Party. The lawsuit seeks monetary penalties under the Texas Deceptive Trade Practices Act. This action is part of a broader effort to protect Texans from health risks and CCP influence.
Florida Attorney General James Uthmeier launched the CHINA Prevention Unit to combat data privacy threats from foreign adversaries and issued a subpoena to Shein for deceptive trade practices and data privacy violations related to potential unauthorized data sharing.
California Attorney General Rob Bonta announced an investigative sweep targeting businesses that use surveillance pricing, which involves setting individualized prices based on consumer data. The Department of Justice is sending information request letters to companies in the retail, grocery, and hotel sectors to assess compliance with the CCPA's purpose limitation principle. This action seeks to ensure that consumers are not charged different prices without proper disclosure and that businesses adhere to privacy laws.
Connecticut Attorney General William Tong is expanding an inquiry into high grocery prices by sending letters to major food distributors and retailers. The inquiry found no evidence of price gouging at the retail level but will now investigate the supply chain for potential unfair profiteering. The AG also cited factors like tariffs and SNAP cuts that contribute to high prices.
Connecticut Attorney General secured a $1 million multistate settlement with TFG Holding, Inc. for deceptive VIP membership program marketing and billing practices. The company must improve disclosures, obtain explicit consent, provide easy cancellation, and offer restitution to affected consumers.
$1.0M
The California Privacy Protection Agency (CPPA) settled with Tractor Supply Company for $1.35 million over violations of the California Consumer Privacy Act (CCPA). The violations included failing to maintain a proper privacy policy, not notifying job applicants of their rights, lacking an effective opt-out mechanism, and sharing personal information without adequate contracts. Tractor Supply must pay the fine and implement remedial measures such as scanning digital properties and annual compliance certification.
$1.4M
The California Privacy Protection Agency (CPPA) filed a petition in Superior Court to enforce a subpoena against Tractor Supply Company for alleged CCPA violations, including failure to honor consumers' right to opt out of the sale and sharing of personal information. This is the CPPA's first judicial action to enforce an investigative subpoena, and the agency is seeking court assistance to compel the company's compliance.
Connecticut Attorney General William Tong announced a settlement with TicketNetwork, Inc. for violating the Connecticut Data Privacy Act by maintaining an unreadable privacy notice and non-functional consumer rights mechanisms. TicketNetwork agreed to comply with CTDPA requirements, maintain metrics for consumer rights requests, report to the AG, and pay $85,000.
$85K
The California Privacy Protection Agency (CPPA) settled with Todd Snyder, Inc. for violating the California Consumer Privacy Act (CCPA) by failing to process opt-out requests, requiring excessive information for privacy requests, and improperly verifying identities for opt-outs. The company must pay a $345,178 fine and overhaul its privacy practices, including configuring opt-out mechanisms and providing employee training.
$345K
Attorney General William Tong obtained a $4.93 million judgment against Planet Zaza of East Haven and its owner for persistent illegal cannabis sales in violation of a court order. The court imposed penalties of $5,000 per day for each day of violation and $25,000 per day for violating the temporary injunction, totaling $4.93 million.
$4.9M
Connecticut Attorney General William Tong announced a coordinated multi-state enforcement action against the sale of bootleg, flavored disposable e-cigarettes. Civil investigative demands were served on 12 Connecticut smoke shops, convenience stores, and two wholesalers for selling illegally imported, non-FDA authorized nicotine products designed to appeal to youth. Nine other states announced parallel investigations or litigation targeting distributors and retailers of these products.
Connecticut Attorney General William Tong sent a letter to Sephora regarding the marketing of anti-aging skincare products with harmful ingredients like retinol and acids to children and teens on social media. The AG seeks information on product placements in searches for kids and warning practices, cautioning parents about potential skin harm from these products.
Florida Attorney General Ashley Moody, leading a coalition of 20 other states, sent a letter to Temu demanding answers about its data collection and sharing practices, including potential sharing with the Chinese Communist Party, and compliance with forced labor laws. The company must respond within 30 days to questions about cybersecurity, data retention, and product safety.
The FTC settled charges that Rite Aid deployed AI facial recognition technology in hundreds of stores from 2012 to 2020 without reasonable safeguards, resulting in false-positive matches that disproportionately harmed women and people of color. The proposed order bans Rite Aid from using facial recognition for surveillance for five years and requires comprehensive biometric data safeguards, data deletion, consumer notifications, and a certified security program.
Attorney General William Tong and Stamford Police confiscated thousands of illegal delta-8 THC cannabis products from three Stamford vape shops. The products, which mimic youth-oriented snacks like Oreos and Cheetos, are unregulated and untested. Legal action is being prepared against the shops for violations of the Connecticut Unfair Trade Practices Act.
The FTC finalized an order against Drizly and its CEO for security failures that led to a data breach exposing 2.5 million consumers' personal information. Drizly failed to implement basic security measures despite prior alerts. The order requires Drizly to destroy unnecessary data, implement a security program, and publicly detail data collection practices.
California Attorney General Rob Bonta announced a settlement with Sephora, Inc. for $1.2 million over violations of the California Consumer Privacy Act. Sephora failed to disclose that it sold consumer personal information and did not process opt-out requests via Global Privacy Control. The settlement requires Sephora to pay penalties and implement compliance measures including policy changes and reporting.
$1.2M
Wawa Inc. agreed to pay $8 million to resolve a multistate investigation into a data breach that compromised approximately 34 million payment cards between April 2019 and December 2019. The breach involved malware that harvested card data from point-of-sale terminals. New Jersey will receive $2.5 million, and Wawa must implement enhanced cybersecurity measures including a comprehensive security program and third-party audits.
$8.0M
Harris Jewelry defrauded servicemembers with deceptive marketing, inflated prices, and hidden fees. A multistate settlement requires $34.2 million in refunds and debt relief, stops debt collection, and dissolves the business, affecting over 46,000 servicemembers.
$1.0M
Connecticut Attorney General announced a $34 million multistate settlement with Harris Jewelry for deceptive marketing and false promises to servicemembers, tricking them into high-interest loans for overpriced jewelry, with refunds and debt relief for affected consumers.
$34.0M
The FTC finalized an order against CafePress for failing to secure consumer data and covering up a data breach. The company must implement comprehensive security measures, and its former owner must pay $500,000 in redress to victims.
$500K
The FTC settled with CafePress's former owner Residual Pumpkin Entity, LLC and buyer PlanetArt, LLC over data security failures that led to a breach exposing Social Security numbers and other sensitive data. Residual Pumpkin paid $500,000 for victim compensation, and both companies must implement comprehensive security programs. A claims process is open for affected consumers until March 10, 2024.
$500K
New Jersey joined a multistate $2 million settlement with online retailer CafePress over a 2019 data breach that exposed personal information of approximately 22 million consumers nationwide, including over 540,000 in New Jersey. The settlement requires CafePress to implement a comprehensive cybersecurity program, incident response plan, and third-party assessments for five years, with payment suspended pending compliance.
$2.0M
Home Depot settled for $17.5 million over a 2014 data breach that compromised personal information of over 40 million consumers due to inadequate security at self-checkout kiosks. The settlement requires extensive cybersecurity reforms including an information security program, employee training, and encryption. New Jersey receives $579,623 from the multi-state settlement.
$17.5M
The FTC settled with Kohl's Department Stores for violating the Fair Credit Reporting Act by failing to provide identity theft victims with access to their business transaction records within 30 days. Kohl's agreed to pay a $220,000 civil penalty and must implement measures to comply with FCRA requirements, including providing records promptly and posting a notice on its website.
$220K
Neiman Marcus settled a multi-state investigation over a 2013 data breach that compromised payment card data of approximately 370,000 consumers nationwide, including 17,000 in New Jersey. The company agreed to pay $1.5 million and implement enhanced cybersecurity measures such as PCI compliance, network monitoring, and regular security assessments.
$1.5M
Target settled a multi-state enforcement action for a 2013 data breach that exposed payment card information of over 40 million customers due to inadequate security. The $18.5 million settlement requires Target to implement advanced security measures, and California receives over $1.4 million.
$18.5M
Target Corp. agreed to pay $18.5 million to resolve a multi-state investigation into the November 2013 data breach that compromised payment card information of over 41 million shoppers. The settlement requires Target to implement comprehensive cybersecurity reforms, including a dedicated Information Security Program, encryption, network segmentation, and third-party assessments.
$18.5M
The California Attorney General reached a $28.4 million settlement with Aaron's, Inc. for installing spyware on rented computers without customer consent and for violating the Karnette Rental-Purchase Act. The spyware, called 'Detective Mode', allowed remote monitoring of keystrokes, screenshots, location, and webcam activation. Aaron's must refund $25 million to approximately 100,000 customers and pay $3.4 million in penalties, and is prohibited from using spyware.
$3.4M