Settlement, High Risk, Multistate

Multistate $2M Settlement with CafePress Over 2019 Data Breach

CafePress, December 18, 2020, New Jersey Attorney General

Penalty Amount

$2,000,000

Consumers Affected

22,000,000

Summary

New Jersey joined a multistate $2 million settlement with online retailer CafePress over a 2019 data breach that exposed personal information of approximately 22 million consumers nationwide, including over 540,000 in New Jersey. The settlement requires CafePress to implement a comprehensive cybersecurity program, incident response plan, and third-party assessments for five years, with payment suspended pending compliance.

Remedy

CafePress must pay $2 million ($750,000 immediately, including $98,368 to New Jersey), implement a comprehensive information security program with regular updates and CEO reporting, develop an incident response and breach notification plan, enhance personal information safeguards (encryption, segmentation, penetration testing, password management, data minimization), provide clear consumer notice regarding account closure and data deletion, and undergo third-party security assessments for five years. The remaining balance is suspended contingent on compliance.

Monetary Penalty, Consent Decree, Audit Requirement, Compliance Program, Reporting Requirements, Data Deletion, Corrective Notice

Contract Impact

In-house legal teams should review vendor agreements, customer terms of service, and data processing agreements for clauses addressing data security, breach notification, and incident response. Specifically, examine requirements for encryption of sensitive data (e.g., SSNs, payment details), timelines for breach reporting, obligations to conduct third-party security assessments, and data retention/disposal policies. Changes may include mandating a comprehensive cybersecurity program, implementing regular risk assessments, strengthening access controls, and ensuring compliance with state data breach notification laws. Also, assess indemnification provisions for breach-related costs and audit rights to monitor vendor compliance.

Contract Search Terms

data security requirements, breach notification clause, incident response plan, third-party security assessments, data encryption standards, PCI DSS compliance, social security number protection, data retention and disposal, audit rights, sub-processor obligations

Violation Types

Entity Details

Entity

CafePress

Industry

Retail

Multistate Coalition

Official Sources

Source Evidence

Entity Name
"settlement with internet retailer CafePress"
Fine Amount
"total payment to the states of $2 million"
Violation Types
"The data breach compromised the personal information of approximately 22 million consumers nationally"

Related Enforcement Actions

FTC

CafePress

$500K

The FTC finalized an order against CafePress for failing to secure consumer data and covering up a data breach. The company must implement comprehensive security measures, and its former owner must pay $500,000 in redress to victims.

FTC

CafePress

$370K

The FTC settled with CafePress for failing to implement reasonable data security measures, leading to multiple breaches that exposed Social Security numbers and other sensitive data. As part of the settlement, over $370,000 in refunds are being distributed to 20,044 consumers who filed valid claims.

NJ

King Distribution LLC and 17 related retail businesses

$100K

New Jersey Attorney General Jennifer Davenport and the Division of Consumer Affairs announced a Consent Order with King Distribution LLC and 17 related retail smoke shops, resolving allegations that the companies illegally sold flavored vapor products in violation of New Jersey’s consumer protection laws. The Consent Order imposes a $100,000 civil penalty, requires reimbursement of $22,279 in investigation costs, and prohibits the companies from selling or distributing flavored vapor products in New Jersey. The enforcement action is part of New Jersey’s ongoing efforts to protect youth from flavored vape products, which have been permanently banned in the state since January 2020.

NJ

Titan Macro Finance

The New Jersey Bureau of Securities issued a Cease and Desist Order on April 30, 2026, against Titan Macro Finance for operating an investment fraud scheme via WhatsApp and Instagram that defrauded at least one New Jersey investor of $64,000. The scheme involved unregistered broker-dealer activity, fake trading profits, and undisclosed fees to access investor funds. The action was coordinated with the California Department of Financial Protection and Innovation, which issued a similar order against the entity for violating California’s Commodity Code.

NJ

Meta Platforms, Inc.

New Jersey Attorney General Jennifer Davenport and the Bureau of Securities issued a public warning to state residents about fraudulent investment schemes proliferating on Meta-owned platforms including Facebook, Instagram, and WhatsApp. The alert details common scam tactics such as pump-and-dump schemes, confidence scams, and fraudulent cryptocurrency offerings, and provides tips for residents to avoid victimization. No enforcement action against any entity was announced in this release.

NJ

New Jersey Landlords (general population, no specific entity named)

New Jersey Attorney General Jennifer Davenport led a bipartisan coalition of 27 state attorneys general in submitting a comment letter to the Federal Trade Commission urging federal rulemaking to regulate hidden and deceptive rental housing fees. The AG also issued guidance clarifying New Jersey’s new $50 rental application fee cap, effective May 1, 2026, warning that deceptive fee practices may violate the New Jersey Consumer Fraud Act. No specific enforcement action against a named individual entity was announced, with enforcement of the fee cap set to begin May 1, 2026.