Sarah Bruno, a partner at Arent Fox in the District, is one of the law firm’s primary attorneys who works in advertising and data privacy, a fast-growing practice at many U.S. law firms now that data security has become a chief concern among corporations.

One of the busiest parts of Bruno’s practice is in the fashion industry, advising major retail clients, including H&M, Lacoste, Diesel, Diane von Furstenberg and Hugo Boss on data privacy, particularly around what kind of information they’re allowed to collect from their customers.

Below is an edited transcript of a conversation with Bruno about her work and trends she’s seeing in data privacy law.

What are some of the big recurring issues you’re working on?

In the fashion space, what’s coming up more often with brands with many different platforms that are collecting data is consumers are giving their data and consent to one entity and allowing other entities to be [contacting] them. Say you walk into a store and decide you’re going to buy a shirt at Banana Republic and you say, “Sure, have my e-mail,” at the time of sale, and suddenly you’re getting blasts from [Banana Republic, Gap and Old Navy]. And if you travel or go on vacation, with geolocation [software], consumers are getting upset because they’re wondering, “How does Old Navy know I’m here in Seattle?”


It’s something that on our end as attorneys, we discuss with our clients. Can we combine our lists [of customer data]? Our guidance is: It’s risky. A lot of companies would love to combine lists. The Federal Trade Commission has said [companies] have to be transparent about that, and make sure consumers are aware they’re consenting. Many companies don’t want to take the risk and would rather not do it.

How do those issues come to your attention? Do customers complain?

We get consumer complaints and manage and change policies based on that. Lawyers [at the companies] internally track this and pass questions on to us. Once we dig in, we recommend changes. At the end of the day, we’re making recommendations to be transparent with what they’re collecting.

What kind of legal action has been taken around this issue?

In California, there have been many class actions based on a California law, the Song-Beverly Act, that says [retailers] cannot collect customers’ Zip codes at the time of purchase or transaction. They’re asking because they want to track where shoppers are coming from. Now, over half the states have something on the books about this. We walk retailers through this, giving them materials about how they can train employees to ensure they can collect data they need without violating these laws. Sometimes we tell them to put up a sign at the register that says the information is voluntary. We advise them to make it clear it’s voluntary and not tied to the sale.