“Made in the USA” claims have taken on an even greater importance as American manufacturing has captivated the political discussion. Recently FTC Commissioner Chopra released a statement calling for more stringent enforcement of the agency’s “Made in USA” advertising policies.

Kristi Wolff discusses how to substantiate “Made in USA” claims on the latest episode of the Ad Law Access Podcast, Making it in the USA – When Product Origin and Origin Marketing Claims Matter.

During the podcast, Kristi makes references to a commercial, John Villafranco’s podcast on Challenging Competitors’ Claims, and our webinar Buy American and Hire American: Is Your (Or Your Competitor’s) Product Really “Made in the USA”.

You can find the Ad Law Access podcast on Apple Podcasts,
SpotifyGoogle PlaySoundCloud, and other podcast services.

On a new episode of the Ad Law Access PodcastAlex Schneider discusses the recently approved (four) bills to amend the California Consumer Privacy Act (CCPA) and the Nevada and Maine Legislatures legislation that, like the CCPA, features new requirements relating to the sale of consumer personal data.

For additional information see the Ad Law Access blog posts:

The Ad Law Access podcast is available now through Apple PodcastsSpotifyGoogle PlaySoundCloud, and other podcast services.

 

Last week, the New York Attorney General’s Office announced that Bombas had agreed to pay $65,000 and implement a number of injunctive provisions to settle allegations that the sock startup failed to comply with the state’s data breach notification statute. According to the press release, Bombas learned in November 2014, that an unauthorized intruder had inserted malicious code designed to steal payment card information into its ecommerce platform. Bombas allegedly waited almost two months before remediating, and then mistakenly re-inserted the code into the website a few weeks later.

The company determined that the incident resulted in unauthorized access to the names, addresses, and credit card information of almost 40,000 customers nationwide, but did not notify those consumers until May 2018. New York’s data breach notification statute requires that businesses provide notice of a breach of personal information “in the most expedient time possible and without unreasonable delay” to both the affected resident(s) and the Attorney General, the Department of State, and the Division of State Police.

The AG’s Office has not made a copy of the settlement agreement public, but explains that the injunctive provisions are intended to help prevent future breaches and ensure compliance with the law, N.Y. Gen. Bus. Law § 899-aa. They include requirements for thorough and expeditious investigations into any future breaches and training for all appropriate officers, managers, and employees. This settlement highlights the importance of preparing for a breach, including developing and implementing policies and procedures that will allow the business to comply with the patchwork of state requirements in an efficient and timely manner.

With CBD projected to be a $450 Million industry in the coming year, FDA hosted a packed house of industry stakeholders last week in a day-long public meeting that was the kickoff of a discussion to determine whether there is a pathway for CBD in ingestible products such as foods and dietary supplements.  See our summary of key themes here and check out this podcast episode to hear five key takeaways. 

In the world of influencer marketing, a person’s power is often measured in terms of followers, “likes,” and other types of engagement. Because more followers and more engagement generally means more reach, companies who work with influencers often base their compensation on these metrics. But thanks to shady agencies that sell fake followers and offer fake engagement, these numbers may not tell the whole story.

The Influencer Marketing Council recently released a report that provides companies with some tips to detect fraud. Here are a few of the highlights:

  • Abnormal Spikes:  Abnormal spikes in follower numbers or engagement levels could suggest fake followers or bots.
  • Engagement Rates:  Large follower counts with low engagement rates could indicate that many followers are fake.
  • Engagement Quality:  A lot of repetitive or irrelevant engagement, or posts with unusually bad grammar, could indicate that the engagement comes from bots, rather than real followers.
  • Audience/Engagement Location:  If an influencer’s audience is mostly in one country, but the engagement comes from other countries, that could indicate the engagement is fake.
  • Incentivized Followers:  Consider whether an increase in followers is due to a sweepstakes or contest. Although gaining followers this way isn’t fraudulent, some of these followers may drop off after the promotion ends.

The complete report is available on the IMC’s website.Robot Hands

Although there is evidence to suggest that the ROI associated with influencer campaigns can be favorable, the increase in fraud can make that difficult to measure. It may not be possible to completely eliminate the fraud, but the IMC report at least provides some good tips to detect it.

While businesses rightfully have been focused on preparing for the California Consumer Privacy Act (“CCPA”), the Nevada and Maine Legislatures have moved forward with legislation that, like the CCPA, features new requirements relating to the sale of consumer personal data. The Nevada bill, which was signed into law on May 29 and amends an existing data privacy statute, requires companies to provide a designated channel through which consumers can opt out of the sale of their personal data. The Maine bill, which has passed house and senate votes, notably would require opt-in consent prior to the sale of personal data; however, the law would narrowly apply to Internet Service Providers (“ISPs”) and exclude online companies perhaps more commonly associated with the disclosure and sale of consumer data.

• Nevada

Nevada’s SB 220 amends the state’s existing online privacy notice statute, NRS 603A.300 to .360, to add a provision that requires “operators” – which include most companies that conduct business online with Nevada residents – to comply with a consumer’s do-not-sell request (health care and financial institutions subject to HIPAA and GLBA are out of scope of the law). As of the October 1, 2019 effective date, operators are required to create a “designated request address,” such as an email address, toll-free number, or website, through which consumers can submit a “verified request” to restrict the sale of covered data. A “verified request” is one where the operator can reasonably verify the authenticity of the request and the consumer’s identity using “commercially reasonable means,” which the law does not define.

The personal information covered under the law includes personal data such as name, address, and SSN, as well as online contact information, and any other data collected by the company that could be viewed as personally identifiable. Notably, the law defines “sale” more narrowly than the CCPA to include the exchange of covered information for “monetary consideration” to a person “for the person to license or sell the covered information to additional persons.”

Operators will have 60 days to respond to a consumer’s do-not-sell request, though this timeline may be extended by up to 30 days where the operator deems it necessary and notifies the consumer. The provision will be enforced by the Nevada Attorney General’s Office, which can impose a penalty of up to $5,000 per violation.

• Maine

The bill advanced by the Maine Legislature, titled “an Act to Protect the Privacy of Online Customer Information,” would among other things prohibit ISPs’ use, disclosure, and sale of “customer personal information” without a customer’s opt-in consent, except under limited circumstances such as to provide the requested service, to collect payment, and several other narrow scenarios. Customer personal information subject to the law broadly would include (1) personally identifiable information about an ISP customer; and (2) information relating to a customer’s use of broadband Internet access service, including web browsing history, app usage, device identifiers, geolocation data, and other usage information. ISPs also would be prohibited from making the sale of data mandatory under the applicable terms of service, or refusing service to customers who do not consent to data collection.

The bill is an attempt to restore at the state level core provisions within the FCC’s 2016 broadband order that were repealed by Congress in 2017. The Maine State Chamber of Commerce has opposed the bill, claiming that ISPs are being unfairly singled out, and arguing that the law would result in a false sense of privacy for consumers given that large web-based companies such Facebook and Google would not be subject to the law. The Governor still must sign the final legislation, which would take effect July 1, 2020.

The FTC today announced two new actions under the Consumer Review Fairness Act against companies (CRFA) that allegedly used non-disparagement provisions in consumer form contracts in connection with selling their respective services to help rent properties.  The two actions follow three CRFA actions last month, which we discussed here.

In the complaint against Shore to Please Vacations LLC, the FTC alleged that the company used language in form contracts providing that “[b]y signing below, you agree not to defame or leave negative reviews (includes any review or comment deemed to be negative by a Shore to Please Vacations LLC officer or member, as well as any review less than a “5 star” or “absolute best” rating) about this property and/or business in any print form or on any website . . .”  The contract also stated that any breach of this clause will result in a minimum liquidated damages of $25,000.

In the complaint against Staffordshire Property Management, LLC, the FTC alleged that Staffordshire used rental applications that provided that “Applicant … specifically agrees not to disparage [Staffordshire], and any of its employees, managers, or agents in any way, and also agrees not to communicate, publish, characterize, publicize or disseminate, in any manner, any terms, conditions, opinions and communications related to [Staffordshire], this application, or the application process. . . .”  The contract also stated that the company was entitled to damages for any breach of that provision.

The administrative orders entered in each case prohibit the companies from using “Review-Limiting Contract Terms” and require the companies to provide consumers with a notice of “Your Right to Post Honest Reviews.”  It’s clear the FTC is making the CRFA a priority, so companies should take note and ensure any form contracts don’t violate the terms of the CRFA by (a) prohibiting or restricting consumers from reviewing a business’ goods, services, or conduct; (b) imposing penalties or fees on consumers for those reviews; or (c) requiring consumers to give up their intellectual property rights in the content of those reviews.

On Tuesday and Wednesday of this week, the California Assembly voted to approve four bills to amend the California Consumer Privacy Act (CCPA). The legislation now moves to the California Senate.

In total, the Assembly has approved ten CCPA amendments. Here’s the full list:

Approved by the California Assembly – May 28 & 29

  • Assembly Bill 25: changes the CCPA so that the law does not cover collection of personal information from job applicants, employees, contractors, or agents. (Approved May 29, 2019.)
  • Assembly Bill 1416: creates exceptions for businesses complying with government requests; provides exceptions for the sale of information for detection of security incidents or fraud (Approved May 29, 2019.)
  • Assembly Bill 846: provides certainty to businesses that certain prohibitions in the CCPA would not apply to loyalty or rewards programs. (Approved May 28, 2019.)
  • Assembly Bill 1202:  Data broker registration legislation would require data brokers to honor consumer opt-outs and any other rights afforded by the CCPA (Approved May 28, 2019.)

Previously Approved by the California Assembly

  • Assembly Bill 1146: exempts vehicle information retained or shared for purposes of a warranty or recall-related vehicle repair. (Approved May 23, 2019.)
  • Assembly Bill 873: broadens the definition of “deidentified” and clarifies that “personal information” includes information that “is reasonably capable of being associated with” a consumer or household (Approved May 22, 2019.)
  • Assembly Bill 981: exempts insurance institutions, agents, and insurance-support organizations (i.e., organizations assembling or collecting information about natural persons for the primary purpose of providing the information to an insurance institution or agent for insurance transactions) from complying with CCPA (Approved May 22, 2019.)
  • Assembly Bill 1564: requires consumers to submit CCPA requests to businesses via a toll free number or an email address and a physical address (Approved May 13, 2019.)
  • Assembly Bill 874: streamlines the definition of “publicly available” to mean information that is lawfully made available from federal, state, or local government records. The bill also seeks to amend the definition of “personal information” to exclude deidentified or aggregate consumer information (Approved May 9, 2019.)
  • Assembly Bill 1355:  exempts deidentified or aggregate consumer information from the definition of personal information, among other clarifying amendments (Approved May 9, 2019.)

Our team will continue to track any new developments in the California Senate as these bills continue to be reviewed by the legislature.

 

 

On Wednesday, the California Assembly voted to approve two bills to amend the California Consumer Privacy Act (“CCPA”). The legislation now moves to the California Senate.

In total, the Assembly has approved five CCPA amendments. Four bills remain pending before the full Assembly. Here’s the full list:

Approved by the California Assembly This Week

  • Assembly Bill 873: broadens the definition of “deidentified” and clarifies that “personal information” includes information that “is reasonably capable of being associated with” a consumer or household. (Approved May 22, 2019.)
  • Assembly Bill 981: exempts insurance institutions, agents, and insurance-support organizations (i.e., organizations assembling or collecting information about natural persons for the primary purpose of providing the information to an insurance institution or agent for insurance transactions) from complying with CCPA. (Approved May 22, 2019.)

Previously Approved by the California Assembly

  • Assembly Bill 1564: requires consumers to submit CCPA requests to businesses via a toll free number or an email address and a physical address. (Approved May 13, 2019.)
  • Assembly Bill 874: streamlines the definition of “publicly available” to mean information that is lawfully made available from federal, state, or local government records. The bill also seeks to amend the definition of “personal information” to exclude deidentified or aggregate consumer information. (Approved May 9, 2019.)
  • Assembly Bill 1355:  exempts deidentified or aggregate consumer information from the definition of personal information, among other clarifying amendments. (Approved May 9, 2019.)

Voted out of Committee

  • Assembly Bill 25: changes the CCPA so that the law does not cover collection of personal information from job applicants, employees, contractors, or agents. (On docket for full Assembly vote this week.)
  • Assembly Bill 846: provides certainty to businesses that certain prohibitions in the CCPA would not apply to loyalty or rewards programs. (On docket for full Assembly vote this week.)
  • Assembly Bill 1146: exempts vehicle information retained or shared for purposes of a warranty or recall-related vehicle repair. (On docket for full Assembly vote this week.)
  • Assembly Bill 1202:  Data broker registration legislation would require data brokers to honor consumer opt-outs and any other rights afforded by the CCPA (On docket for full Assembly vote this week.)

The two newly passed CCPA amendments now move to the Senate. Our team will continue to track any new developments regarding these bills.

Kelley Drye & Warren LLP announced the launch of the Ad Law Access podcast – a new podcast from its advertising law and privacy law groups.  Hosted by Kelley Drye attorneys, including Christie Grymes Thompson, Alysa Hutnik, John Villafranco, Gonzalo Mon, and Kristi Wolff, the podcast provides updates on advertising and policy law trends, issues, and developments.

“Our goal is to provide listeners with high-level, insightful analysis on the major issues in consumer protection law as they develop,” said Christie Thompson, chair of the advertising and marketing practice.  “We have structured these as shorter episodes – perfect for a morning or evening commute or lunch break – to give people digestible information that they can easily apply.”

Currently, listeners can find the following episodes:

The Ad Law Access podcast is available now through Apple’s iTunes, Spotify, Google Play, SoundCloud, and soon through other podcast services.