Craig Cardon

Consumers now expect to get the goods they want from any given retailer in myriad ways: in stores, by phone from catalogs and of course online. That omnichannel experience increasingly complicates Cardon’s work. As so-chair of Sheppard Mullin’s privacy and cybersecurity practice, he advises a roster of blue chip brands on global cybersecurity compliance.

Established brands such as Williams-Sonoma Inc., Burberry Group PC, Kate Spade New York, TJ Maxx, Levi Strauss & Co., Gymboree Group Inc. and Columbia Sportswear Co. are among his clientele as well as startups including Glossier and 11 Honoré.

“Retail is a data-driven practice these days, and the emergence of omnichannel selling is every marketer’s dream and every lawyer’s nightmare,” Cardon said. “Retailers’ ability to interact—hopefully in a non-creepy way—can be phenomenal for customers.”

But there’s a legal hitch.

“The omnichannel concept ignores the concept of jurisdiction. It’s all too easy to get sideways with different state and foreign laws,” Cardon said. “My job includes looking at the client’s overall legal policies in terms of their data collection practices, the privacy side of it and the advertising side of it. Advertising today is all about data, how you organize it and use it.”

Cardon got in early with the long-running saga of Williams-Sonoma’s effort to defend itself from privacy advocates’ claims over its ZIP code collection policy during credit card transactions. The first claims resulted in a 2011 state Supreme Court ruling that retail stores may not ask a customer to supply a zip code in the course of running a credit card. At least 20 other class actions followed. The cases were consolidated and other courts got involved. “Over the life of the case the legal ground has shifted as the technology advanced,” Cardon said.

In March 2018, Cardon’s team persuaded San Francisco County Superior Court Judge Curtis Karnow to decertify a class in a case that has largely defined point of sale data collection practices around the country as it progressed over a decade.

“Back when this started, no one had ever heard of an e-receipt, for instance,” Cardon said.

Along the way he won a bifurcated bench trial before Karnow on the interpretation of California’s Song-Beverly Consumer Warranty Act. Karnow’s ruling is before a state appellate panel, where it is expected to attract extensive amicus briefing from the retail industry and privacy groups. Williams-Sonoma Song-Beverly Cases, JCCP 4611 (S.F. Super. Ct., filed June 14, 2008).

“We’re getting the standards made clearer, and that’s what lawyers and their clients love,” Cardon said.

Still, the field is fluid and full of pitfalls.

“I get panic calls every day about a data incident, and some ask how I keep calm,” he said.

His secret to serenity is a five-minute dawn soak in icy water in a tub he keeps in the back yard.

“It’s a recovery mechanism from my endurance running,” Cardon said. “After that, nothing in my day will be as stressful.”

– John Roemer