FTC Examining How Consumer Protection and Privacy May Be Affecting Innovation and Competition; Seeking Input and Will Hold Policy Hearings to Address

The FTC announced yesterday that it will accept comments and hold a series of public hearings on consumer protection, privacy, and competition policy and enforcement.  The hearings will take place during fall and winter of this year and will evaluate whether recent changes in the economy, technology, or international landscape require adjustments to how the Commission approaches consumer protection, privacy, and competition issues.

The hearings are modeled off of hearings held in 1995 under then-Chair Robert Pitofsky.  Those hearings took place amidst the early growth of the internet and e-commerce, featuring panels such as, “The Newest Medium for Marketing: Cyberspace,” “Privacy in Cyberspace,” and “The Changing Role of the Telephone in Marketing.”  The 1995 hearings featured panelists from large companies including Walt Disney, General Electric, and Coca-Cola, along with consumer group representatives, regulators, academics, and attorneys from private law firms.  The hearings culminated in a two volume report on the state of consumer protection and competition policy.

In announcing the 2018 hearings, FTC Chair Joe Simons noted that “the FTC has always been committed to self-examination and critical thinking, to ensure that our enforcement and policy efforts keep pace with changes in the economy.”  Simons served as Director of the Bureau of Competition immediately after Pitofsky’s tenure as Chair under then-Chair Tim Muris – and alluded to Pitofsky, Muris and former Chair Kovacic in his statement announcing the hearings.  Simons’ statement also expressed his view that “[t]his project reflects the spirit, style, and, most importantly, broad scope of that effort,” and characterized the efforts as an “all-agency” project that will entail significant efforts from the Bureaus of Consumer Protection, Competition, and Economics, the Office of the General Counsel, the Office of International Affairs, as well as the Office of Policy Planning. Continue Reading

Worlds Collide: FTC Answers CPSC’s Request for Written Comments on IoT and Product Hazards

If you follow our blog, you know that we often write about issues involving the FTC and the CPSC, but we usually do not write about both in the same post. Now those worlds have collided. The staff of the FTC’s Bureau of Consumer Protection (“BCP”), a prominent voice in the Internet of Things dialogue, recently filed comments in response to a CPSC request for information about the potential safety hazards linked to internet-connected products. The request follows a May 16 hearing that included speakers representing a variety of industries and organizations, such as Retail Industry Leaders Association, Underwriters Laboratories Inc., Consumer Reports, and the Electronic Privacy Information Center. The BCP staff’s comments specifically address the following topics:

  • Best practices for mitigating against safety hazards. The BCP staff’s comments placed security and safety hand in hand with the following recommendations for companies offering connected devices: (1) risk assessments to evaluate their security programs and pinpoint possible threats before launching a product; and (2) oversight of service providers, including the incorporation of security standards into contracts and ensuring that the providers are complying with applicable security standards.
  • Registration for safety alerts and information related to recalls. The BCP staff recommended implementing a process similar to the CPSC’s current protocol for alerts related to infant and toddler products, wherein manufacturers and retailers are required to provide a safety registration card with the product. Instead of requiring the consumer to mail-in a registration, however, a URL could be included for online registration.
  • The role of government in regulating IoT security. The BCP staff did not take a position on whether the CPSC should implement regulations specific to IoT device hazards, but suggested that, if the CPSC considers such regulation, it should take a technology-neutral approach so that any such regulation does not quickly become obsolete.

The CPSC continues to evaluate these issues while coordinating with other federal entities like the FTC and NIST, tracking state legislative developments, and exploring the role of voluntary standards. Any company that makes, imports, distributes, or sells a connected product should continue to watch for developments.

Colorado Reaches New High with Strict Data Breach Notification Law

On May 29, Colorado Governor John Hickenlooper signed into law HB18-1128 to strengthen data breach notification requirements for companies and government entities collecting and maintaining personal information from Colorado residents.

Effective September 1, covered entities will be required to notify individuals within 30 days of discovery of a security breach, unless the entity is notified that such a disclosure will impede a criminal investigation. Existing law requires notification to be made “in the most expedient time possible, and without unreasonable delay.” Republican state representative and bill co-sponsor Cole Wist stated the term “reasonable” was “too subjective and loose,” and could prevent consumers from acting quickly to prevent identity theft.  This makes the new law one of the strictest data breach notification laws in the country.  The following identifies pertinent changes to existing law.

Mandatory Information Security Procedures or Programs

Businesses must implement “reasonable” information security procedures or programs to protect the personal data they have – including data that has been shared with third parties – from unauthorized access, use, modification, disclosure, or destruction. Businesses that maintain paper or electronic documents containing customer personal information must develop a written policy for the destruction of such documents once they are no longer needed. Continue Reading

New Watchdog, New Tricks: European Data Protection Board Adopts GDPR Guidelines and Releases Statement on ePrivacy Regulation

Less than one week after replacing the now defunct Article 29 Working Party (WP29), the European Data Protection Board (EDPB) has adopted new guidelines on the EU General Data Protection Regulation (GDPR) and issued a statement on the ePrivacy Regulation revision.

What is the European Data Protection Board? How is It Different from the Article 29 Working Party?

The EDPB is made up of the head/representative of each of the EU national supervisory authorities, the European Data Protection Supervisor, and a non-voting member of the European Commission. The Board is tasked with ensuring the consistent application of GDPR by monitoring and ensuring the correct application of the GDPR, issuing guidelines, recommendations, and best practices regarding GDPR requirements, and approving data protection certification mechanisms encouraged under the GDPR, among other things. While the structure of the EDPB resembles that of the WP29, unlike the WP29, the EDPB has the power to adopt binding decisions to ensure the correct and consistent application of the GDPR.

What’s New on the European Data Protection Board Front?

The EDPB is carrying out its mandate to ensure a consistent level of data protection for individuals and the consistent application of GDPR by taking following steps:

  • Endorsing GDPR material issued by the WP29 (i.e., WP29 guidelines, recommendations, working documents, and referential).
  • Adopting a draft version of the Guideline on certification, which explains key concepts of certification provisions under GDPR Articles 42 and 43 as well as the scope and purpose of certification. The deadline for comments (which should be sent to EDPB@edpb.europa.eu) is July 12, 2018.
  • Adopting the final version of the Guidelines on derogations applicable to international transfers, which provides guidance on the application of GDPR Article 49 on derogations when transferring personal data to third countries or international organizations.
  • Releasing a statement on the revision to the ePrivacy Regulation, supporting the swift adoption of the new ePrivacy Regulation and offering insights and clarifications on key issues including, preventing the processing of electronic communications on the basis of “legitimate interest” or the general purpose of performance of a contract, ensuring that the new regulation maintains at least the current level of protection under the ePrivacy Directive, providing protection for all electronic communications, encouraging the use of anonymized electronic communication data, and ensuring that consent is obtained for websites and mobile apps.

How Do These European Data Protection Board Developments Impact My Business?

Now that GDPR is effective, the EDPB is moving swiftly to provide implementation guidance and compliance recommendations. All businesses with an EU footprint should familiarize themselves with and monitor the EDPB website for GDPR guidelines and public consultations.  Given the anticipated end of 2018 entry into force of the ePrivacy Regulation, which will complement the GDPR, companies should likewise scrutinize the EDPB’s recent ePrivacy Regulation statement in relation to their electronic communications practices.

SADDLE UP AMERICA: California Aims to Pass its Own GDPR Law

Just when you think you’ve tackled the Wild, Wild West of GDPR and privacy compliance, California decides to mix it all up again.

This November 6th, California voters will decide on the California Consumer Privacy Act (“Act”), a statewide ballot proposition intended to give California consumers more “rights” with respect to personal information (“PII”) collected from or about them.  Much like CalOPPA, California’s Do-Not-Track and Shine the Light laws, the Act will have broader consequences for companies operating nationwide.

The Act provides certain consumer “rights” and requires companies to disclose the categories of PII collected, and identify with whom the PII is shared or sold. It also includes a right to prevent the sale of PII to third parties, and imposes requirements on businesses to safeguard PII.  If passed, the Act would take effect on November 7, 2018, but would apply to PII collected or sold by a business on or after nine (9) months from the effective date – i.e., on August 7, 2019.

Who is Covered?

The Act is intended to cover businesses that earn $50 million a year in revenue, or businesses that “sell” PII either by (1) selling 100,000 consumer’s records each year, or (2) deriving 50% of their annual revenue by selling PII. These categories of businesses must comply if they collect or sell Californians’ PII, regardless of whether they are located in California, a different state, or even a different country. Continue Reading

GDPR SIDEBAR: Should You Be Complying with the New Data Protection Law?

You’ve probably heard of the dreaded four-letter word – GDPR.  Companies around the globe had been preparing for the May 25th implementation date for quite some time.  But U.S.-based companies with no apparent EU presence may not have thought twice about whether the data protection law across the pond even applies to them.  Let’s face it, we have enough federal and state laws here in the U.S. to worry about.  But now that the GDPR dust has settled a bit, these U.S. companies may want to take a closer to look to confirm they aren’t captured within GDPR’s sweeping scope.

In this first installment of GDPR SIDEBAR, we address the fundamental threshold question of whether and to what extent a U.S.-based company must comply with the GDPR.  [click here for a primer on GDPR]

Continue Reading

New NAD Decision Highlights Key Ad Law Principles

Yesterday, we posted an interview with Laura Brett, the Director of the NAD, in which Brett discussed various issues, including how the NAD is evolving, how Brett sees herself as different from her predecessor, and how the NAD decides cases. Today, we’ll take a brief look at one of those cases that involves a perennial topic at the NAD – product testing.

DKB Household USA advertised that its Zyliss SwiftDry Salad Spinner “removes 25% more water than other salad spinners.” In response to a challenge brought by one of its competitors, DKB produced an independent third-party test that compared the performance of various salad spinners. The NAD was concerned by three key aspects of the test and the results:

First, the test was conducted on “simulated salad leaves” – cloths and sponges – rather than on actual greens. The NAD has consistently held that the most reliable measure of a product’s performance is demonstrated by tests that evaluate the product in the same manner the product is directed to be used by consumers. Although there may be reasons to deviate from that standard, the NAD was not convinced that DKB’s reasons were valid, in this case.

Second, DKB did not present a statistical significance of the test results. The NAD has consistently held that results should be statistically significant,  generally at the 95% confidence level. In this case, there was a small sample size and wide variations in the test results. “In the case of comparative performance claims, small sample sizes may not reliably demonstrate the claimed performance of the product.”  Accordingly, the NAD was “especially concerned that the test involved only five trials of each product.”

Third, DKB only tested its salad spinner against products sold by two competitors (including the challenger). The NAD noted that in order to support a broad superiority claim, “an advertiser must test a variety of competing products that comprise all or a substantial portion of competitive products the market.” In this case, there was no evidence in the record that the products tested comprised all or a substantial portion of competitive products.

Although there’s nothing groundbreaking in this case, it neatly encapsulates three key principles advertises should know: (1) products should generally be tested in a way that mirrors consumer use; (2) results must be statistically significant; and (3) to support an unqualified superiority claim, an advertiser must at least test against a substantial portion of competitive products.

A Peek Into The World Of NAD Director Laura Brett

Laura Brett became the director of the National Advertising Division in August 2017. Law360 published a Q&A session with special counsel Jennifer Fried and Laura Brett that provides insight into the NAD, what we can expect in the upcoming years, Laura’s approach as the NAD director, recent noteworthy cases, the NAD’s deliberative process, and much more. To read the interview, please click here.

Confirmation of Dana Baiocco as CPSC Commissioner Ends Democrat Majority

Months after she was initially nominated, today the U.S. Senate confirmed Dana Baiocco (R) as the next CPSC Commissioner in a 50-45 vote, replacing Marietta Robinson (D), whose term expired in October 2017. Ms. Baiocco’s confirmation brings the Commission to two Republicans and two Democrats. Ms. Baiocco was originally approved by the Senate Committee on Commerce, Science, and Transportation in November, but her nomination, along with almost 100 others, was returned to the President at the end of the year as that Congressional session ended. Ms. Baiocco was re-nominated in January. There had been no movement on this confirmation hearing until late last week when Senate Majority Leader McConnell filed cloture to end debate and proceed to a vote.

Prior to this nomination, Baiocco was a litigator at Jones Day who counseled clients on CPSC recalls and class-action lawsuits. Concerns have been raised as to her potential conflicts of interest stemming from her representation of companies such as Mattel and Yamaha, but she has committed to assess the need for possible recusal on matters on a case-by-case basis. Ms. Baiocco attended Duquesne University School of Law and clerked for The Honorable Gustave Diamond of the U.S. District Court for the Western District of Pennsylvania. Based on testimony during her confirmation hearing, Ms. Baiocco can be expected to focus on emerging technology, including Internet of Things issues, and the subsequent hazards. She will serve a 7-year term to end on October 27, 2024.

Ann Marie Buerkle (R) continues as Acting Chairman, and her nomination to become Chairman is still pending.

 

NAD Inhibits Growth of Bacteria (Claims)

The NAD recently analyzed whether Petmate had adequate substantiation to support claims that certain cat litter pans had “built-in antimicrobial protection” and that they could “inhibit bacteria growth.” Although the decision is most directly relevant to companies that make antimicrobial claims, it also contains information that’s relevant to any company that uses tests to substantiate claims.

There’s a lot going on in this case, but here are five key points from an advertising law perspective:

  • Petmate argued that product testing was not necessary because the Microban ingredient in its litter pans had been tested. The NAD disagreed, noting that just because a product is treated with an EPA registered pesticide does not, by itself, substantiate a product performance claim. Testing on the product is necessary.
  • The NAD reiterated that in order to make a “health-related claim,” such as the antimicrobial claims on the cat litter pans, an advertiser must have “competent and reliable scientific evidence.” This generally requires well-controlled studies with results that are statistically significance at the 95% confidence level.
  • Petmate submitted the results of a test conducted pursuant to an industry standard test designed to assess antimicrobial activity. The NAD was concerned, however, that the standard was designed to assess that activity on textile Although Petmate argued that the test was also valid for plastic materials, such as cat litter pans, the NAD was not convinced.
  • The NAD observed that the tests were conducted by Petmate’s supplier of Microban, the antimicrobial ingredient in its litter pans. Although the NAD prefers independent third-party tests, it will accept in-house testing as long as there is “evidence that adequate controls and safeguards were implemented to prevent bias.” Here, the NAD did not find such evidence.
  • Even if the NAD had accepted the tests, it noted that results must translate into a meaningful benefit for consumers. Here, the NAD found that there was no evidence demonstrating that consumers would perceive a difference due to the inclusion of the antimicrobial agent in the Petmate litter pans.

Keep in mind that if you make antimicrobial claims, you also need to worry about EPA regulations. While companies that manufacture and sell “treated articles” (with only non-public health claims) do not have to obtain independent registrations for products that incorporate an EPA-approved antimicrobial, they do have to comply with the conditions of the registration for the EPA-approved additive, including the types of claims that can be made and the products/materials in which the additive can be used. In addition, EPA regulations restrict how treated articles may be advertised. For example, antimicrobial claims should be printed in type of the same size, style, and color, and “should not be given any greater prominence than any other described product feature.”

For more analysis on EPA-related issues, visit our new Kelley Green Law blog.

LexBlog