Data Privacy and Security Are Top of Mind For the Alcohol Industry

Recent Changes in Privacy Law and Action by The FTC Bring New Challenges and Opportunities to an Established Industry

by: Tatyana Ruderman

Like almost all industries these days, the alcohol industry is changing and adapting to new and different consumer trends, spurred by changes in shopping habits, the effects of the pandemic, new technologies and shifting customer expectations. With these changes come a variety of new considerations surrounding customer data privacy and security.

In the past, many in the alcoholic beverage industry may have viewed data privacy and security as issues that did not need to be a primary focus, given that many in the industry historically have had little direct engagement with consumers, particularly during consumers’ purchase decisions. But thanks to recent action by the Federal Trade Commission and a new slate of data privacy laws in the US, the landscape is changing.

If you’re not yet aware, 2023 ushered in a variety of new and sweeping changes and additions to the privacy law framework and landscape in a number of states. The California Privacy Rights Act (CPRA), California’s amendment to its 2020 privacy law, the California Consumer Privacy Act (CCPA), went into effect along with Virginia’s new privacy law. Both impose many more comprehensive data privacy and security obligations on businesses, such as data minimization and retention, due diligence, and contractual requirements. The new privacy laws also give consumers several data rights, such as the right to access, deletion, correction, and rights relating to sharing with certain third parties and the collection and use of data considered sensitive. Similar new privacy laws will take effect in July in Colorado and Connecticut, and in December in Utah. These laws apply broadly to businesses that operate in these markets, and the alcohol industry is no exception.

As if that weren’t enough, the FTC recently finalized a consent order with the well-known online technology platform Drizly, a subsidiary of Uber, which operates an online marketplace where consumers can place orders with retailers to buy beer, wine, and alcohol for delivery. Like any company with an online retail presence, the company collects and stores a wide range of personal information from consumers. 

According to the FTC’s complaint, Drizly was alleged to have been alerted to problems with the company’s data security procedures following an earlier security incident from 2018. The FTC alleged that, two years later, a hacker gained access to certain of Drizly’s corporate login information, hacked into the company’s database, and then stole customers’ information.

Notably, the FTC’s order also applies personally to Drizly’s CEO, who the FTC alleged presided over Drizly’s data security practices. According to the FTC, its order will follow the CEO even if he leaves Drizly, by imposing proactive requirements at future companies if he moves to a business collecting consumer information within certain parameters.

With the explosion of online sales of both beverages and other merchandise throughout the alcohol industry, data privacy and security issues are now widely viewed as a major concern and focus point, and a proactive approach is key. 

At ILG, we can help alcohol industry members in all tiers navigate their way through this complex and often intimidating maze of laws and regulations, and can help develop or enhance your existing compliance framework.   To learn more about how ILG can help your organization, click here.

Originally published by InfoLawGroup LLP. If you would like to receive regular emails from us, in which we share updates and our take on current legal news, please subscribe to InfoLawGroup’s Insights HERE.