Colorado Reaches New High with Strict Data Breach Notification Law

On May 29, Colorado Governor John Hickenlooper signed into law HB18-1128 to strengthen data breach notification requirements for companies and government entities collecting and maintaining personal information from Colorado residents.

Effective September 1, covered entities will be required to notify individuals within 30 days of discovery of a security breach, unless the entity is notified that such a disclosure will impede a criminal investigation. Existing law requires notification to be made "in the most expedient time possible, and without unreasonable delay." Republican state representative and bill co-sponsor Cole Wist stated the term "reasonable" was "too subjective and loose," and could prevent consumers from acting quickly to prevent identity theft. This makes the new law one of the strictest data breach notification laws in the country. The following identifies pertinent changes to existing law.

Mandatory Information Security Procedures or Programs

Businesses must implement "reasonable" information security procedures or programs to protect the personal data they have – including data that has been shared with third parties – from unauthorized access, use, modification, disclosure, or destruction. Businesses that maintain paper or electronic documents containing customer personal information must develop a written policy for the destruction of such documents once they are no longer needed.

New Watchdog, New Tricks: European Data Protection Board Adopts GDPR Guidelines and Releases Statement on ePrivacy Regulation

Less than one week after replacing the now defunct Article 29 Working Party (WP29), the European Data Protection Board (EDPB) has adopted new guidelines on the EU General Data Protection Regulation (GDPR) and issued a statement on the ePrivacy Regulation revision.

What is the European Data Protection Board? How is It Different from the Article 29 Working Party?

The EDPB is made up of the head/representative of each of the EU national supervisory authorities, the European Data Protection Supervisor, and a non-voting member of the European Commission. The Board is tasked with ensuring the consistent application of GDPR by monitoring and ensuring the correct application of the GDPR, issuing guidelines, recommendations, and best practices regarding GDPR requirements, and approving data protection certification mechanisms encouraged under the GDPR, among other things. While the structure of the EDPB resembles that of the WP29, unlike the WP29, the EDPB has the power to adopt binding decisions to ensure the correct and consistent application of the GDPR.

What’s New on the European Data Protection Board Front?

The EDPB is carrying out its mandate to ensure a consistent level of data protection for individuals and the consistent application of GDPR by taking the following steps:

  • Endorsing GDPR material issued by the WP29 (i.e., WP29 guidelines, recommendations, working documents, and referentials).
  • Adopting a draft version of the Guideline on certification, which explains key concepts of certification provisions under GDPR Articles 42 and 43 as well as the scope and purpose of certification. The deadline for comments (which should be sent to EDPB@edpb.europa.eu) is July 12, 2018.
  • Adopting the final version of the Guidelines on derogations applicable to international transfers, which provides guidance on the application of GDPR Article 49 on derogations when transferring personal data to third countries or international organizations.
  • Releasing a statement on the revision to the ePrivacy Regulation, supporting the swift adoption of the new ePrivacy Regulation and offering insights and clarifications on key issues, including preventing the processing of electronic communications on the basis of "legitimate interest" or the general purpose of performance of a contract, ensuring that the new regulation maintains at least the current level of protection under the ePrivacy Directive, providing protection for all electronic communications, encouraging the use of anonymized electronic communication data, and ensuring that consent is obtained for websites and mobile apps.

How Do These European Data Protection Board Developments Impact My Business?

Now that GDPR is effective, the EDPB is moving swiftly to provide implementation guidance and compliance recommendations. All businesses with an EU footprint should familiarize themselves with and monitor the EDPB website for GDPR guidelines and public consultations. Given the anticipated end-of-2018 entry into force of the ePrivacy Regulation, which will complement the GDPR, companies should likewise scrutinize the EDPB's recent ePrivacy Regulation statement in relation to their electronic communications practices.

SADDLE UP AMERICA: California Aims to Pass its Own GDPR Law

Just when you think you’ve tackled the Wild, Wild West of GDPR and privacy compliance, California decides to mix it all up again.

This November 6th, California voters will decide on the California Consumer Privacy Act ("Act"), a statewide ballot proposition intended to give California consumers more "rights" with respect to personal information ("PII") collected from or about them. Much like CalOPPA and California's Do-Not-Track and Shine the Light laws, the Act will have broader consequences for companies operating nationwide.

The Act provides certain consumer "rights" and requires companies to disclose the categories of PII collected and to identify with whom the PII is shared or sold. It also includes a right to prevent the sale of PII to third parties, and imposes requirements on businesses to safeguard PII. If passed, the Act would take effect on November 7, 2018, but would apply to PII collected or sold by a business on or after nine (9) months from the effective date – i.e., on August 7, 2019.

Who is Covered?

The Act is intended to cover businesses that earn $50 million a year in revenue, or businesses that "sell" PII either by (1) selling 100,000 consumers' records each year, or (2) deriving 50% of their annual revenue from selling PII. These categories of businesses must comply if they collect or sell Californians' PII, regardless of whether they are located in California, a different state, or even a different country.

GDPR SIDEBAR: Should You Be Complying with the New Data Protection Law?

You've probably heard of the dreaded four-letter word – GDPR. Companies around the globe had been preparing for the May 25th implementation date for quite some time. But U.S.-based companies with no apparent EU presence may not have thought twice about whether the data protection law across the pond even applies to them. Let's face it, we have enough federal and state laws here in the U.S. to worry about. But now that the GDPR dust has settled a bit, these U.S. companies may want to take a closer look to confirm they aren't captured within GDPR's sweeping scope.

In this first installment of GDPR SIDEBAR, we address the fundamental threshold question of whether and to what extent a U.S.-based company must comply with the GDPR.


New NAD Decision Highlights Key Ad Law Principles

Yesterday, we posted an interview with Laura Brett, the Director of the NAD, in which Brett discussed various issues, including how the NAD is evolving, how Brett sees herself as different from her predecessor, and how the NAD decides cases. Today, we’ll take a brief look at one of those cases that involves a perennial topic at the NAD – product testing.

DKB Household USA advertised that its Zyliss SwiftDry Salad Spinner “removes 25% more water than other salad spinners.” In response to a challenge brought by one of its competitors, DKB produced an independent third-party test that compared the performance of various salad spinners. The NAD was concerned by three key aspects of the test and the results:

First, the test was conducted on “simulated salad leaves” – cloths and sponges – rather than on actual greens. The NAD has consistently held that the most reliable measure of a product’s performance is demonstrated by tests that evaluate the product in the same manner the product is directed to be used by consumers. Although there may be reasons to deviate from that standard, the NAD was not convinced that DKB’s reasons were valid, in this case.

Second, DKB did not establish the statistical significance of the test results. The NAD has consistently held that results should be statistically significant, generally at the 95% confidence level. In this case, there was a small sample size and wide variation in the test results. "In the case of comparative performance claims, small sample sizes may not reliably demonstrate the claimed performance of the product." Accordingly, the NAD was "especially concerned that the test involved only five trials of each product."

Third, DKB only tested its salad spinner against products sold by two competitors (including the challenger). The NAD noted that in order to support a broad superiority claim, "an advertiser must test a variety of competing products that comprise all or a substantial portion of competitive products [in] the market." In this case, there was no evidence in the record that the products tested comprised all or a substantial portion of competitive products.

Although there's nothing groundbreaking in this case, it neatly encapsulates three key principles advertisers should know: (1) products should generally be tested in a way that mirrors consumer use; (2) results must be statistically significant; and (3) to support an unqualified superiority claim, an advertiser must at least test against a substantial portion of competitive products.

A Peek Into The World Of NAD Director Laura Brett

Laura Brett became the director of the National Advertising Division in August 2017. Law360 published a Q&A session with special counsel Jennifer Fried and Laura Brett that provides insight into the NAD, what we can expect in the upcoming years, Laura's approach as the NAD director, recent noteworthy cases, the NAD's deliberative process, and much more.

Confirmation of Dana Baiocco as CPSC Commissioner Ends Democrat Majority

Months after she was initially nominated, today the U.S. Senate confirmed Dana Baiocco (R) as the next CPSC Commissioner in a 50-45 vote, replacing Marietta Robinson (D), whose term expired in October 2017. Ms. Baiocco’s confirmation brings the Commission to two Republicans and two Democrats. Ms. Baiocco was originally approved by the Senate Committee on Commerce, Science, and Transportation in November, but her nomination, along with almost 100 others, was returned to the President at the end of the year as that Congressional session ended. Ms. Baiocco was re-nominated in January. There had been no movement on this confirmation hearing until late last week when Senate Majority Leader McConnell filed cloture to end debate and proceed to a vote.

Prior to this nomination, Baiocco was a litigator at Jones Day who counseled clients on CPSC recalls and class-action lawsuits. Concerns have been raised as to her potential conflicts of interest stemming from her representation of companies such as Mattel and Yamaha, but she has committed to assess the need for possible recusal on a case-by-case basis. Ms. Baiocco attended Duquesne University School of Law and clerked for The Honorable Gustave Diamond of the U.S. District Court for the Western District of Pennsylvania. Based on testimony during her confirmation hearing, Ms. Baiocco can be expected to focus on emerging technology, including Internet of Things issues and the hazards that accompany it. She will serve a 7-year term ending on October 27, 2024.

Ann Marie Buerkle (R) continues as Acting Chairman, and her nomination to become Chairman is still pending.


NAD Inhibits Growth of Bacteria (Claims)

The NAD recently analyzed whether Petmate had adequate substantiation to support claims that certain cat litter pans had “built-in antimicrobial protection” and that they could “inhibit bacteria growth.” Although the decision is most directly relevant to companies that make antimicrobial claims, it also contains information that’s relevant to any company that uses tests to substantiate claims.

There’s a lot going on in this case, but here are five key points from an advertising law perspective:

  • Petmate argued that product testing was not necessary because the Microban ingredient in its litter pans had been tested. The NAD disagreed, noting that just because a product is treated with an EPA registered pesticide does not, by itself, substantiate a product performance claim. Testing on the product is necessary.
  • The NAD reiterated that in order to make a "health-related claim," such as the antimicrobial claims on the cat litter pans, an advertiser must have "competent and reliable scientific evidence." This generally requires well-controlled studies with results that are statistically significant at the 95% confidence level.
  • Petmate submitted the results of a test conducted pursuant to an industry standard test designed to assess antimicrobial activity. The NAD was concerned, however, that the standard was designed to assess that activity on textiles. Although Petmate argued that the test was also valid for plastic materials, such as cat litter pans, the NAD was not convinced.
  • The NAD observed that the tests were conducted by Petmate’s supplier of Microban, the antimicrobial ingredient in its litter pans. Although the NAD prefers independent third-party tests, it will accept in-house testing as long as there is “evidence that adequate controls and safeguards were implemented to prevent bias.” Here, the NAD did not find such evidence.
  • Even if the NAD had accepted the tests, it noted that results must translate into a meaningful benefit for consumers. Here, the NAD found that there was no evidence demonstrating that consumers would perceive a difference due to the inclusion of the antimicrobial agent in the Petmate litter pans.

Keep in mind that if you make antimicrobial claims, you also need to worry about EPA regulations. While companies that manufacture and sell “treated articles” (with only non-public health claims) do not have to obtain independent registrations for products that incorporate an EPA-approved antimicrobial, they do have to comply with the conditions of the registration for the EPA-approved additive, including the types of claims that can be made and the products/materials in which the additive can be used. In addition, EPA regulations restrict how treated articles may be advertised. For example, antimicrobial claims should be printed in type of the same size, style, and color, and “should not be given any greater prominence than any other described product feature.”

For more analysis on EPA-related issues, visit our new Kelley Green Law blog.

Andrew Smith Named Director of FTC’s Bureau of Consumer Protection

Andrew Smith was recently named Director of the FTC’s Bureau of Consumer Protection. With a strong background in financial matters, businesses can expect Smith to focus on issues affecting consumer financial services.

Smith is not a stranger to federal positions. Although most recently a Partner in the Regulatory and Public Policy Group at Covington & Burling LLP and Co-Chair of the firm’s Financial Services Group, Smith previously held roles as Senior Counsel and Acting Assistant General Counsel at the SEC from 1997 to 2000 and as the Assistant to the Director of the Bureau of Consumer Protection from 2001 to 2005. During Smith’s time at the FTC, he focused largely on consumer financial protection policy—mainly through enforcement and rulemaking. For example, while serving as the program manager for the Fair and Accurate Credit Transactions Act of 2003, Smith helped to draft ten rules and six studies.

Smith’s interest in financial services has followed him throughout his career. His practice at Covington focused specifically on financial privacy—including regulatory compliance, consumer financial services laws, and enforcement actions and investigations. He also serves as the Chair of the ABA’s Consumer Financial Services Committee.

Notably, in January of this year, Smith testified before the House of Representatives Subcommittee on Financial Institutions and Consumer Credit about fintech policy. His statements suggest that he is in favor of an increased role of fintech in the banking industry, although he proposes passing legislation that clarifies the role of banks as lenders, regardless of the vendor or service provider. Further indications of Smith’s interest in the fintech space come from an editorial he authored in The Hill in February of this year. He advocates collaboration between fintech and banks to offer the middle class more financial options, e.g., point-of-sale lending. In Smith’s words, “the future of banking is the internet, and brick-and-mortar is the past.” His piece supports the Modernizing Borrower Credit Opportunities Act of 2017, a bipartisan bill to regulate the fintech industry introduced in November of 2017.

Another indication of Smith’s likely priorities as Bureau Director may be the people he worked with during his prior stint at the FTC. For example, he worked closely with Howard Beales who served as the Director of the Bureau of Consumer Protection from 2001 to 2004. Regarding advertising specifically, Beales advocates for a flexible “reasonable basis” standard for substantiation requirements, as opposed to more stringent evidentiary standards. This position favors the view that consumers benefit from having access to information. Having served with Beales, Smith may take a similar approach to substantiation requirements as Director.

Despite Smith’s previous experience, however, his appointment has not been without controversy. While at Covington, Smith represented Facebook, Uber, and Equifax in both investigations and FTC settlements regarding data breaches. Although Smith plans to recuse himself from these high profile cases in his new role, opponents have noted that Smith’s representation of these companies may put him at odds with the FTC’s consumer protection mission. Senator Richard Blumenthal stated that he could “imagine worse choices [for Bureau Director], but not many,” noting that Smith was “on the wrong side of [the] issues” in his testimony on behalf of Equifax last fall. During that testimony, Smith indicated that credit bureaus should not have a fiduciary duty to consumers from whom they collect data, and that current industry regulations were satisfactory to protect consumers. Senator Elizabeth Warren called Smith’s appointment “corruption, plain and simple,” referring to him as “Equifax’s hired gun.” Further, David Vladeck, who was Bureau Director from 2009 to 2012, noted that Smith’s recusing himself from some of the agency’s most important cases is an unusual position for someone in his role and wondered “how far-reaching the recusals will be.”

The FTC’s newly-appointed Democratic Commissioners had similar concerns, turning a usually perfunctory vote into a point of contention. Rebecca Slaughter noted that appointing a Director “who is barred from leading on data privacy and security matters that affect so many consumers, command so much public attention, and implicate such key areas of the law potentially undermines the public’s confidence in the commission’s ability to fulfill its mission.” Rohit Chopra, a fellow Democrat, agreed, noting that Smith’s conflicts “[raise] many questions,” and would put Smith “on the sidelines” in some of the agency’s most important cases. He also noted that FTC Chairman Joe Simons made the pick without a Commission meeting. Simons, however, called the appointment a “source of unnecessary controversy,” indicating that “it is impossible to attract high caliber professionals to the FTC without encountering some conflicts,” and noting that the agency can readily handle recusals.

Although we may have some insight into Smith’s new role as Director, his position on consumer protection issues outside of the financial industry, and the effects of his recusals, are left to be seen. We can expect, however, that helping to regulate fintech, and other financial security issues, will likely be high on his list of things to do.

Happy Chickens in a Line (Claim)

The NAD recently announced a decision in which it analyzed whether consumers would interpret claims in two commercials about Perdue’s happy chickens and organic practices to apply to all of the company’s chickens or only some of them. Even if you aren’t trying to measure the satisfaction of your own poultry, the decision includes some valuable insights into the NAD’s views on “line claims.”

One commercial shows Jim Perdue and his sons, each wearing a shirt with a Perdue logo, going about their daily tasks. They talk about “organic free-range chickens” that are “non-GMO, 100% vegetarian-fed, raised with no antibiotics,” as they drive up to a barn with the Perdue Harvestland Organic logo. The general Perdue brand logo appears on screen before flipping to the Perdue Harvestland Organic logo, as a voiceover states: “Perdue. Raising more organic chickens than anyone in America.”

One key question for the NAD was whether the commercial communicated that all Perdue chickens are raised organically (which is not true) or only that Harvestland Organic chickens are raised organically (which is true). Although the advertiser provided a survey demonstrating that consumers only took away the latter, narrower, claim from the commercial, the NAD found flaws in the survey and ultimately determined that consumers could interpret the commercial more broadly.

The NAD noted that the commercial featured numerous “visual and verbal general brand references to Perdue, while presenting only momentary visual references to Harvestland Organic, the sub-brand to which Perdue’s organic claim pertains.” In addition, although “Perdue” was mentioned in the audio, the sub-brand was not. Because of this, “consumers may understand all of Perdue’s chickens to be organic, rather than only the ones it offers through its Harvestland Organic sub-brand.”

If you make a claim that applies only to some of your products, you need to be careful not to suggest it applies to your whole line of products. Whether or not your ad will be read to present a "line claim" will depend on various factors, including whether you make general brand references and what products you show. This case demonstrates that the line – no pun intended – between line claims and narrower claims isn't always very clear, so it pays to be careful.
