Data Security and Data Breach Notification Bills Circulating in Congress

In early June, a slew of new bills began circulating in Congress that, if enacted, would impose uniform national data security and data breach notification requirements on entities that collect sensitive personal information. On June 7, 2011, Sen. Patrick Leahy (D-VT) introduced the Personal Data Privacy and Security Act (S. 1151), which was followed on June 15, 2011 by Sen. Mark Pryor’s (D-AR) and Sen. Jay Rockefeller’s (D-WV) Data Security and Breach Notification Act (S. 1207). The Leahy bill was referred to the Senate Judiciary Committee while the Pryor-Rockefeller bill was referred to the Senate Commerce Committee. Also on June 15, 2011, the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade held a hearing on Rep. Mary Bono Mack’s (R-CA) Secure and Fortify Electronic Data Act (SAFE Data Act) Discussion Draft, which has yet to be formally introduced but is very similar to the Pryor-Rockefeller bill.

Click here to read more on the common themes among the three bills, as well as the respective civil and criminal penalties each bill imposes for violations.

While it is unclear if legislation will pass this term, privacy and data security issues continue to gain momentum in Congress. What is clear is that companies need to exercise due diligence in their data security and privacy practices or potentially subject themselves to unwanted litigation, Congressional pressure and regulation – not to mention negative media coverage.

Non-Profit Sues 34 Sellers of "Organic" Cosmetics

Last week, the Center for Environmental Health, a non-profit organization, filed a complaint in California Superior Court alleging that 34 cosmetics companies violated the California Organic Products Act of 2003 (“COPA”) by selling, labeling, or marketing cosmetic products containing less than 70% organic ingredients as “organic.” The Center seeks an order enjoining the defendants from further false and misleading labeling.

The USDA has jurisdiction over agricultural products and regulates the term “organic” as it applies to agricultural products through the National Organic Program (“NOP”). Consequently, the USDA has no statutory authority over the production and labeling of cosmetics that are not made up of agricultural ingredients or that do not claim to meet NOP organic standards. Cosmetics that contain or are made up of agricultural ingredients that satisfy NOP organic production, handling, processing, and labeling standards are, however, eligible for organic certification under the USDA’s NOP regulations. Certification is based on the product’s organic content and other factors.

In contrast to the USDA’s organic standards, COPA applies to all cosmetics that are sold in California and are represented to be “organic” or to contain organic ingredients, including those that contain no ingredients that are agricultural products. Thus, even if a cosmetic product is not within the USDA’s jurisdiction, sellers may still be liable under COPA for any representations that the product is organic. More specifically, COPA requires cosmetics that are sold, labeled, or represented as “organic,” or as made with organic ingredients, to contain at least 70% organically produced ingredients. Multi-ingredient products containing less than 70% organically produced ingredients may either identify each organically produced ingredient in the ingredient statement or display the total percentage of organic ingredients, if the label refers to those ingredients as organic. Notably, any person may file suit under the statute, and the statute does not require a plaintiff to demonstrate damages to obtain injunctive relief.

New Rhode Island Law Prohibits Businesses from Requesting Social Security Number Information

Last week, Rhode Island enacted a new law that prohibits businesses from requesting any part of a customer’s social security number during a sales transaction. Section 6-13-17 of the Rhode Island Consumer Empowerment and Identity Theft Prevention Act, which became effective immediately, modifies a previous state law provision that permitted businesses to request a portion of a consumer’s social security number -- usually the last four digits -- in connection with the purchase of a product or service. A violation of the law can result in a criminal misdemeanor, as well as a private right of action permitting an award of damages, attorney’s fees, costs, and injunctive relief.

The law has few exemptions: licensed insurance companies, certain financial and health care or pharmaceutical-related services, and credit card offerors, but not other types of businesses in which some form of credit may be extended to the consumer as part of the sale. For example, some companies, before selling subsidized equipment to a consumer (usually as part of a term-length service contract), collect part of the consumer’s social security number in order to request a credit report with a permissible purpose. This new law appears to restrict that practice. Accordingly, companies that sell to consumers in Rhode Island and typically request any form of social security number information during the sales process should pay close attention to the new law.

Health Canada Issues Guidance Clarifying Canada Consumer Product Safety Act Requirements

On June 20, 2011, the Canada Consumer Product Safety Act (“CCPSA”) became effective, imposing incident reporting, testing, recall, and recordkeeping requirements on entities that manufacture, import, or sell consumer products in Canada. As previously noted, many of Canada’s new requirements may be more stringent than current U.S. consumer product safety laws, especially with regard to reporting and recordkeeping requirements.

Entities that manufacture, import, or sell products in Canada should ensure that they have created policies and procedures for detecting, reporting, and maintaining records for consumer product safety issues that comply with Canadian laws. The implementation of new requirements since January 2011 under U.S., Canadian, and other countries’ (e.g., Australia) consumer product safety laws makes it critical for entities to implement systems that will help them comply with the various new requirements and quickly implement corrective action plans.

Click here for more detail regarding Canada's broad consumer reporting and recordkeeping requirements.

New York Court Holds Blog Not Liable for Defamation Under the CDA

This month, the New York Court of Appeals ruled that website operators were not liable for allegedly defamatory comments posted by a third party on the website’s blog, even though the operators reposted those comments.

As we’ve noted before, Section 230 of the Communications Decency Act essentially provides that website operators may not be held liable for content provided by third parties. An operator may lose immunity, however, if it is responsible for creating or developing that content, in whole or in part. In this case, the plaintiff argued that the operators should not be entitled to immunity because they created a website that implicitly encouraged users to post negative comments and because the operators reposted some of the comments.

The court noted that it was joining “what may fairly be called the national consensus” and held that the defendants were immune under the CDA. The court determined that creating an open forum to post content -- including negative content -- is at the core of what Section 230 protects. Moreover, the defendants did not become providers of the allegedly defamatory content by reposting it. This, the court determined, is well within a publisher’s traditional editorial functions. This decision goes further than some recent decisions because, as the dissent noted, the defendants may have embellished some of the defamatory statements.

Companies that invite consumers to post content on their sites can breathe easier as a result of this and other similar decisions. But it's important to remember that companies may lose their immunity if they play a role in developing the problematic content, and that there can be a fine line between simply inviting content and developing it. Companies should consult with their legal counsel to ensure they stay on the right side of that line.

Sens. Hatch and Harkin Send Letter to FDA in Anticipation of NDI Guidance

Senators Hatch and Harkin, the principal architects of the Dietary Supplement Health and Education Act (DSHEA) (amending the Federal Food, Drug, and Cosmetic Act (FDCA)), submitted a letter yesterday to FDA Commissioner Margaret Hamburg "express[ing] their support for the upcoming new dietary ingredients (NDI) guidance." The Senators stated that the guidance should reflect the intent of DSHEA to "give FDA the tools necessary to help ensure the safety of dietary supplements and the accuracy of the limited claims allowed for them," and to "minimize regulatory burdens that might inhibit consumer access to lawfully manufactured and labeled supplement products."

FDA plans to release the guidance on July 8, 2011, in accordance with the FDCA amendments made by section 113 of the Food Safety Modernization Act (FSMA). The FSMA amendments require the agency's guidance to clarify the circumstances under which a dietary supplement ingredient qualifies as a "new dietary ingredient" and companies are required to submit a new dietary ingredient notification to FDA, including "the evidence needed to document the safety of new dietary ingredients" and "appropriate methods for establishing the identity of a new dietary ingredient."

Flood of Geolocational Privacy Legislation Introduced in June

June has seen a flood of activity on Capitol Hill seeking to protect consumer geolocational privacy. Within a few days of one another, three bills were introduced that, if enacted, would require consumer consent before geolocation information obtained through mobile devices can be collected, used or disclosed to third parties. On June 14, 2011, Rep. Jason Chaffetz (R-UT) and Rep. Robert Goodlatte (R-VA) introduced the Geolocational Privacy and Surveillance Act (GPS Act) (H.R. 2168) in the House and, on June 15, 2011, Sen. Ron Wyden (D-OR) introduced companion legislation in the Senate (S. 1212). Similarly, on June 16, 2011, Sen. Al Franken (D-MN) and Sen. Richard Blumenthal (D-CT) introduced geolocational privacy legislation of their own – the Location Privacy Protection Act of 2011 (S. 1223).

Notably, both the GPS Act and Franken-Blumenthal bill prohibit the collection, use or disclosure of consumer geolocation data without consumer consent subject to certain exceptions. The GPS Act is broader in scope than the Franken-Blumenthal bill, applying to federal and state government entities as well as commercial service providers while the Franken-Blumenthal bill is limited to commercial service providers. Both bills would impose criminal and civil penalties for unlawful collection, use and disclosure of geolocation data and empower the states and Federal government to enforce consumer data protection. These bills build on the growing legislative activity on privacy and data security potentially impacting any entities that utilize consumer geolocation data.

Communications service providers, mobile application developers and device-makers that utilize geolocation data need to be aware of these developments and the potential implications for their business models and data flow processes. Click here for more on the key provisions of the GPS Act and Franken-Blumenthal bill.

Christopher S. Koves contributed to this post.

FTC Sues Infomercial Company and Settles with Consumer Over False Testimonial

Last week, the FTC and the Colorado Attorney General filed a lawsuit against a company that sells a wealth-building program through infomercials. The infomercials included various claims that consumers could make large amounts of money by using the company’s program, as well as testimonials from consumers who purportedly made money through the program. Fine print disclosures stated that results would vary. According to the complaint, the claims were misleading, many of the testimonials were false, and most consumers did not earn any money.

What’s unique about this case is that the complaint also named one of the consumers who provided a testimonial. According to the complaint, the consumer earned much less money than she claimed to have earned in the infomercial. The consumer agreed to settle the case against her by agreeing not to make misrepresentations in the future and to cooperate with law enforcers in their case against the remaining defendants. The order is the FTC’s first against a consumer charged with making misrepresentations in a testimonial.

Advertisers should ensure that all claims in their ads -- including claims that are made by consumers -- are truthful and not misleading. As we’ve noted before, the FTC released new guidelines that address testimonials and “results not typical” disclosures. Be sure to consult those guidelines whenever you plan to use a testimonial.

Privacy Point-of-Sale Alert: Massachusetts Class Action Argues that Zip Codes Are PII

Last month, a class action lawsuit was filed against Michaels Stores, Inc., accusing the arts and crafts retailer of violating a Massachusetts consumer protection statute when it collects and records zip codes during consumer credit card transactions. The lawsuit, Tyler v. Michaels Stores, Inc., filed in Massachusetts District Court, comes several months after the California Supreme Court decision in Pineda v. Williams-Sonoma Stores, Inc., which held that zip code information is personal identification information (“PII”) under California’s Song-Beverly Credit Card Act (the “Song-Beverly Act”).

In Tyler, the plaintiff made a purchase at a Michaels store with her credit card and, during the sales process, the cashier requested the plaintiff’s zip code. The plaintiff provided her zip code to the cashier, allegedly based on the belief that it was necessary to complete the transaction. The plaintiff asserts that Michaels subsequently combined her zip code with other information to obtain her home mailing address, and began sending unwanted marketing materials. According to the complaint, the collection and recording of zip codes during a credit card transaction violates Mass. Gen. Laws ch. 93 § 105, under which a business cannot “write, cause to be written or require that a credit card holder write [PII], not required by the credit card issuer, on the credit card transaction form.”

The plaintiff in Tyler argues that Mass. Gen. Laws ch. 93 § 105 should be interpreted in a manner consistent with the California Supreme Court’s interpretation of the Song-Beverly Act in Pineda. In that case, the court held that a cardholder’s zip code qualified as “information concerning the cardholder . . .” as used within the Song-Beverly Act’s definition of PII. As a result, businesses in California face restrictions on requesting and recording a person’s zip code as part of a credit card transaction. The Massachusetts statute defines PII in a different, though arguably similar, fashion to the Song-Beverly Act. Specifically, the statute includes an open-ended definition of PII that is not limited to a credit card holder’s address or telephone number. The plaintiff in Tyler is seeking injunctive relief, damages, and attorneys’ fees.

Businesses that collect customer information at the sales register should pay close attention to this case, as it may signal lawsuits in other states with statutes that are similar to California’s Song-Beverly Act.

Sony and Epsilon on the 'Hot Seat': House Commerce Subcommittee Investigates 'Historic' Data Breaches

On June 2, 2011, the House Energy and Commerce Subcommittee on Commerce, Manufacturing and Trade held a hearing examining threats posed to data security and the much publicized data breaches at Sony and Epsilon. The hearing, “Sony and Epsilon: Lessons for Data Security Legislation” focused on the recent Epsilon and Sony data breaches and the need for comprehensive federal data security and data breach notification legislation. The representatives and witnesses discussed the delays in Sony’s notification, the extent of the breaches, and the prospects for federal legislation.

The hearing is part of a comprehensive review of data security and electronic privacy initiated by the House Energy and Commerce Committee that was announced on June 1, 2011. According to the Committee press release, the first phase of the Committee’s review will focus on online data security and data theft prevention, followed later in the year by a focus on broader electronic privacy concerns.

At the hearing, Rep. Bono Mack called for a “uniform national standard” for data security and data breach notification, announcing her intent to introduce legislation. The hearing built on the growing record in Congress supporting data security and data breach notification legislation that could ultimately supersede the current patchwork of state laws. Click here to read more about the hearing.