Last week, the FTC announced that AT&T had agreed to pay $60 million to settle litigation over allegations that the company misled customers by advertising “unlimited” data plans that were subject to significant limitations. If you work in the mobile or broadband spaces, you should check out this analysis by our friends at CommLaw Monitor. But the settlement includes some valuable lessons, even if you don’t work in those spaces.

Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, summed up one of the key issues in the case as follows: “AT&T promised unlimited data –  without qualification –  and failed to deliver on that promise. While it seems obvious, it bears repeating that Internet providers must tell people about any restrictions on the speed or amount of data promised.” Other companies have similar requirements with respect to any material restrictions on their offers.

The settlement prohibits AT&T from making claims about the speed or amount of its mobile data – including describing it as “unlimited” – unless it clearly discloses any material restrictions in close proximity to those claims. The order goes into detail about how the disclosures must be made. For example, if the company makes the claim on a web page, the material restrictions must appear on that page itself, near the triggering representation.” Using links or pop-ups isn’t sufficient.

We’ve posted about the benefits and limits of disclosures before. (Click here, for example). Disclosures can help to clarify a claim, but if the disclosure is necessary to prevent the claim from being misleading, putting the clarifying language in the fine print is probably not going to help you.

As privacy and personal data issues continue to be a focus of both legal action and media coverage, privacy policy statements are getting dusted off and reviewed by more eyes.  Imprecise or inaccurate policy statements, themselves, can expose a company to potential liability.  While most of the recent California Consumer Privacy Act (“CCPA”) attention has focused on the significant operational requirements, data flow classifications, attorney general future enforcement, and the limited private right of action for data breaches, perhaps the largest near-term CCPA risk issue will be how the law overlaps with other California consumer protection statutes, and litigation efforts focusing on alleged inaccuracy or deception based on the public statements companies make about their privacy practices.

CCPA’s Limited Private Right of Action

The Attorney General’s Office was granted wide discretion and enforcement powers to impose fines of up to $2,500 for unintentional violations and up to $7,500 for each intentional violation.  Cal. Civ. Code 1798.155.  The CCPA, however, provides for only limited private right of action for individual consumers related to data security breaches.  Cal. Civ. Code 1798.150.  Plaintiffs can recover actual damages or statutory damages of $100 to $750.  A broader potential private right of action was considered and would have permitted individuals to sue for any and all CCPA violations.  SB 561.  But that amendment failed to pass in May.

Where There’s a Will, There’s a Way?

But anyone expecting that companies will only face privacy-related consumer litigation in the context of a data breach is under-selling the risk.  While direct actions under the CCPA may be limited, the requirements of the CCPA may serve as the basis for claims under other consumer protection statutes.  And, importantly, the public statements and policies that companies issue will be scrutinized not just for their actual compliance, but for whether companies are fulfilling their own promises.  Indeed, nothing prevents individuals from filing putative consumer class action claims alleging false statements, unfair business practices, or misleading conduct on behalf of companies in connection with their privacy policies and practices.

What Types of Claims Are Likely to be Filed?

These claims are likely to be brought pursuant to other California consumer protection statutes, such as California’s Unfair Competition Law (Bus. & Prof. Code 17200), False Advertising Law (Bus. & Prof. Code 17500), and Consumer Legal Remedies Act (Civ. Code 1750).  For example:

  • Section 17200 prohibits “any unlawful, unfair or fraudulent business act or practice and unfair, deceptive, untrue or misleading advertising.”  Put differently, a violation of any other California law, including the CCPA, can serve as the basis for a claim.  That is true even where that underlying statute does not, itself, give rise to a private right of action.
  • Similarly, Section 17500 can give rise to a claim based on by disseminating untrue or misleading statements concerning the performance of services.  That would include statements made concerning the collection, use, handling, storage, dissemination, or destruction of personal information in connection with a business’s activities.
  • Finally, the CLRA prohibits a broad range of representations and statements concerning a company’s policies, procedures, and services.  In addition to actual damages, the statute also permits for recovery of punitive damages and recovery of attorney’s fees.

Courts have found that violations of internal policies and/or statements concerning those policies provide sufficient foundation for such actions.  See, e.g., In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197 (N.D. Cal. 2014) (plaintiffs’ allegations that they relied on Adobe’s claims that personal data would be protected sufficient to establish UCL standing); Smith v. Chase Mortg. Credit Grp., 653 F. Supp. 2d 1035, 1045-46 (E.D. Cal. 2009) (concluding that defendant’s alleged violation of internal policy provides basis for unfairness claim).   

Precision in Privacy Promises

These risks are a good reminder that it is critical not just to have the CCPA required disclosures in privacy statements and communications in response to consumer rights requests, but also to be vigilant and precise about the descriptions of privacy practices and how the company is honoring the rights requests.  In the end, a company’s statements about its CCPA compliance could end up triggering potential exposure far greater than anything available under the CCPA itself.

On another new episode of the Ad Law Access PodcastAlysa Hutnik starts at the beginning and explains a few of the issues you need to think about before starting a telemarketing texting campaign.

For additional information see the Ad Law Access blog posts:

The Ad Law Access podcast is available now through Apple PodcastsSpotifyGoogle PlaySoundCloud, and other podcast services.

Yesterday, the FTC released a new guide and video designed to help influencers understand when and how they should disclose the relationships they have to the brands they endorse. The guidance doesn’t break new ground, and readers of this blog shouldn’t find too many surprises, but it does summarize the key requirements in an easy-to-read format.

Here are some key points:

  • The term “endorsement” should be read broadly. For example, simply tagging a brand, without anything more, can be an endorsement. (If there are any surprises here, it’s the idea that a “like” can be an endorsement. It’s not clear how the FTC expects companies to make disclosures when they “like” a brand.)
  • The term “relationship” should be read broadly, as well. If an influencer receives payments or free products, that’s obviously a relationship that should be disclosed. But even if an influencer just receives a discount or “other perks,” that could also trigger a disclosure requirement.
  • Disclosures should be hard to miss. For example, they should appear up-front, in conjunction with the endorsement, and in a manner that makes it likely that consumers will see them. The guides give some examples of how disclosures can be made in different platforms and media.
  • Disclosures should be made in clear language. If an influencer uses a hashtag, it should be something that consumers are likely to understand. For example, the FTC encourages influencers to avoid abbreviations and shorthand. Unfortunately, influencers may not be able to rely on platform tools to make disclosures.
  • Endorsements should be truthful and not misleading. For example, influencers shouldn’t talk about their experiences with products they’ve never used or praise products they don’t actually like. Similarly, they shouldn’t make claims that the advertiser can’t substantiate.

Although the guidance is directed to influencers, brands should also pay attention to the guides and ensure they communicate these requirements when they engage influencers to speak on their behalf.

The continuing questions over the extent of the FTC’s enforcement authority to obtain monetary relief under Section 13(b) did not stop the Commission from filing a lawsuit on November 1 against multi-level marketer Neora, LLC and its CEO Jeffrey Olson for purportedly operating an illegal pyramid scheme that used deceptive marketing to sell supplements, skin creams and other products.

Pursuant to Section 13(b), the FTC seeks an injunction to stop Neora’s alleged pyramid scheme and an award of restitution to return money to consumers. The lawsuit, filed in the District of New Jersey, alleges that Neora (formerly known as Nerium International) and its CEO offered false promises that potential distributors could earn financial independence if they joined the company’s pyramid scheme – while, in reality, most recruits would end up losing money.

The lawsuit comes as part of the Commission’s larger efforts to crack down on multi-level marketing pyramid schemes. But interestingly, when it saw the lawsuit against it coming, Neora opted to lodge an aggressive attack of its own against the FTC.

In a lawsuit filed in the Northern District of Illinois (Seventh Circuit) against the FTC, Neora and Olson asked the court to declare that its company did not operate as a pyramid scheme. The company’s complaint also asserted that the FTC is not authorized to seek restitution or disgorgement under Section 13(b) – effectively contending that the FTC’s attempt to punish Neora by seeking restitution is not available as a remedy.

So what happens next? As an initial matter, the Department of Justice will have first crack at the case, given that Neora is seeking a declaratory judgment. Regardless of whether DOJ or the FTC leads the government’s response, we would expect a motion for a change of venue from Illinois to New Jersey, with argument that it is not possible to litigate the motion for declaratory judgment without litigating the facts of the underlying case. If the court agrees, the case would be moved to New Jersey where there is binding precedent that is more favorable to the Commission’s position.

Section 13(b) Questioned in the Seventh Circuit

The company’s choice of forum was no doubt driven by the Seventh Circuit’s landmark decision earlier this year in FTC v. Credit Bureau Center LLC. In that case, the Seventh Circuit held that the FTC could not obtain monetary relief in the form of restitution under Section 13(b).  The court reasoned that Section 13(b)’s text cites injunctions as the FTC’s exclusive remedy, thus foreclosing the FTC from seeking restitution.  As we have reported previously, the Seventh Circuit’s decision overturned three decades of its own precedent and broke with eight other federal appellate courts.

The FTC has stated that the opinion will not change its enforcement behavior. In a recent panel discussion, FTC Chief Litigation Counsel Bikram Bandy remarked that Credit Bureau Center would not alter the Commission’s approach to deterring fraud by seeking restitution. In ongoing litigation where the FTC is seeking monetary relief from defendants, according to Mr. Bandy, the FTC has prevailed (so far) on all motions raised by opposing counsel that have attempted to assert the legal theories advanced in Credit Bureau Center as a means of blocking a restitution award.

However, Mr. Bandy also noted that the FTC’s desire to remain aggressive would continue in all circuits that have not adopted the Credit Bureau Center holding – which is to say, all circuits other than Seventh. Neora’s decision to file against the FTC in the Northern District of Illinois means that the court will not be able to ignore Credit Bureau Center’s holding relating to Section 13(b).

In a different development that also could have far-reaching implications for the FTC’s ability to obtain civil monetary penalties, the U.S. Supreme Court granted certiorari on November 1 in Liu v. SEC. The Supreme Court will consider whether the SEC may obtain disgorgement under the Securities Act, which only mentions “equitable relief.” The SEC has obtained disgorgement in many instances by asserting that it is a form of equitable relief, but Liu has asserted that disgorgement is a penalty – not an equitable remedy – and therefore is not permitted under a plain reading of the Securities Act. The Court’s interpretation in Liu could prompt courts to reevaluate whether Section 13(b) of the FTC Act allows for restitution.

The FTC’s Campaign Against Multi-Level Marketers

Why was Neora determined to go on the offensive? According to Neora’s complaint, the FTC has been “improperly” reinterpreting the law on pyramid schemes without proper legislation or rulemaking in an attempt to effectively outlaw multi-level marketing (MLMs.) Neora alleges that the FTC assumes that no incentives can be paid for recruitment of participating distributors, even when the MLM makes robust sales to satisfied consumers.

In a statement, Andrew Smith, the Director of the FTC’s Bureau of Consumer Protection, distinguished between legitimate MLMs and pyramid schemes, in alleging that Neora’s business model functions as part of the latter: “Participants in legitimate multi-level marketing companies earn money based on actual sales to real customers, rather than recruitment. But pyramid schemes depend on recruitment of new participants to pay out to existing participants, meaning that the vast majority of participants will ultimately lose money.”

In alleging that Neora directs its distributors to focus on recruiting instead of selling its product, the FTC cited a 2015 promotional video, where one of the company’s top earners remarked that distributors must take three steps to “explode” their business: “Number one. Recruit. Number two: Recruit. Number three: Recruit.” Beyond the recruitment-related allegations, the FTC also contended that Neora and its CEO deceptively promoted certain supplements as a means of curing concussions, chronic traumatic encephalopathy caused by brain trauma and Alzheimer’s disease.

Neora was not the only company targeted in the FTC’s investigation: the Commission also brought lawsuits against Signum Bioscienes and Signum Nutralogix. Unlike Neora, both Signum entities agreed to settle with the FTC. As per the terms of the settlement agreement, both entities will stop making certain claims relating to specific supplements at issue.

On a similar note, last month, the FTC announced it had entered into a $150 million settlement order with AdvoCare International, L.P. and its former chief executive officer. The settlement bans AdvoCare from the multi-level marketing business to resolve the FTC’s charges that the company operated an illegal pyramid scheme that deceived consumers into believing that they could earn considerable income as distributors of health and wellness products. In announcing the settlement, the FTC’s Smith stated: “The FTC is committed to shutting down illegal pyramid schemes like this and getting money back for consumers whenever possible.”

Firing Back at the FTC

But will the FTC be permitted to continue seeking such restitution awards? In Neora’s complaint against the FTC, the company alleges that the FTC had threatened to sue Neora in the Northern District of Illinois since July 2018 under Section 13(b). Neora claims that the FTC only threatened to sue in the District of New Jersey – where it eventually brought the lawsuit – as a result of the Seventh Circuit’s contrary opinion in Credit Bureau Center.

In a detailed “factual background” section in its complaint, Neora covers the “string of federal court losses” suffered by the FTC relating to the extent of its authority to file lawsuits without first exhausting its own administrative process, regarding its authority to recover monetary relief and relating to its authority to seek injunctive relief. Neora’s complaint predicts that “other Circuit Courts” will follow the Seventh Circuit’s lead in limiting the FTC’s enforcement powers to only restraining orders and injunctions under Section 13(b).

Thus, Neora seeks a declaration from the Northern District of Illinois that Section 13(b) does not authorize the FTC to seek “rescission or reformation of contracts, restitution, the refund of monies paid, disgorgement of ill-gotten monies, and other equitable relief” and instead only authorizes the Commission to seek injunctive relief for ongoing conduct.

If Neora succeeds, the FTC’s goal of “getting money back for consumers” would no longer be on the table – at least within courts in the Seventh Circuit. Neora’s hard-hitting approach to challenging the FTC’s claims against it – especially by invoking the ongoing debate over Section 13(b) – certainly bears watching.

Stay tuned for more installments of the “Section 13 (b)log.” 

 

On a new episode of the Ad Law Access PodcastAlysa Hutnik provides an update to the California Consumer Privacy Act (CCPA) including discussion of the amendments, the draft regulations, and she touches on some of the classification issues.

For additional information see the Ad Law Access blog posts:

The Ad Law Access podcast is available now through Apple PodcastsSpotifyGoogle PlaySoundCloud, and other podcast services.

 

 

In exactly two months, the California Consumer Privacy Act (CCPA) takes effect. Many businesses are devoting resources to timely comply, but between the late rollout of the Attorney General’s draft regulations, recent amendments to the law, and a lack of consensus in the industry on interpretation of key CCPA terms, tackling compliance can be daunting. Perhaps that’s why in two polls released this year, businesses have overwhelmingly told the International Association of Privacy Professionals that they are not prepared for the CCPA.

The enforcement penalties support good faith and reasonable efforts to achieve compliance, but the CCPA grants the Attorney General the ability to seek civil penalties of $2,500 for each violation of the law, without defining “each violation.” As with any new law, common sense typically prevails on what early enforcement will address. In general, such cases tend to be the obvious non-compliance, rather than the borderline cases.

Beyond penalties, the CCPA will set the standard for how businesses describe their data practices and privacy commitments to consumers. Non-compliant or confusing privacy messages or practices may have reputational and public relations costs as well. Importantly, the Attorney General cannot bring an enforcement action until, July 1, 2020, at the latest, but any such enforcement action can focus on noncompliance that began on January 1, 2020.

For businesses seeking to comply, and fast, we highlight considerations for prioritizing compliance efforts. Of course, each business is different, and consultation with legal counsel is the surest way to develop a plan to comply with the new law.

Priority: Consumer-Facing Obligations

The CCPA is laser-focused on providing consumers with the tools to exercise their rights to access, delete, or opt out of the sale of their personal information. In particular, the CCPA requires businesses to describe these rights and how they comply in their privacy policies and other required notices.

Companies can prioritize building consumer-facing processes and notices that demonstrate publicly that the business respects and complies with the CCPA. This prioritization includes:

  • Prioritizing Transparency: Post plain language, straightforward consumer notices that address the current CCPA requirements in a manner that a consumer would actually understand (a challenge given reports that many privacy policies require a college reading level). Reviewing privacy policies is often the first step that a consumer – or regulator – can take to see if a company is complying with the CCPA. Privacy policies are public representations and should be vetted to confirm that they accurately reflect a company’s practices and do not contain allegedly false or deceptive statements.
  • Adopting a Privacy-Centric Company Culture: Businesses can establish procedures for personnel, including customer service agents and others most likely to interact with California consumers, so they are prepared to handle privacy rights discussions, or escalate or transfer such requests to those who can. The more straightforward the process, the less likely consumers will become confused and complain. A spike in complaints can be a key source for regulators and others to scrutinize a company’s practices.
  • Creating User-Friendly Options for Privacy Rights Requests: Provide clear directions on how consumers can submit requests, and through which channels. In particular, the CCPA requires a toll-free number (except for online-only businesses) and, for companies that “sell” personal information, a link on the home page that enables consumers to opt out of the sale of personal information.
  • Setting the Right Tone: As with all customer interactions, tone and responsiveness matter. When a consumer makes a privacy rights request, provide a brand-consistent, friendly response within 10 days that confirms receipt and provides information about how the request will be processed.

Priority: Protect Personal Information

The CCPA encourages implementing and maintaining reasonable security procedures and practices. In particular, the CCPA provides a private right of action to any consumer whose unencrypted and unredacted personal information is subject to a security incident due to a business’s failure to implement and maintain reasonable security procedures and practices. Among other remedies, the CCPA provides for statutory damages of $750 per consumer per incident or actual damages, whichever is greater.

Given the significant potential for litigation and statutory damages, prioritizing cyber security is more important than ever. “Reasonable Security” includes:

  • Compliance with Reasonable Industry Standard Practices: As described in a prior California Attorney General report, Critical Security Controls identified by the Center for Internet Security provide a “minimum level of information security that all organizations that collect or maintain personal information should meet.” These controls include reviewing hardware and software connected to a company’s network; implementing key security settings; limiting user and administrator privileges; assessing vulnerabilities and patching holes to stay current; securing critical assets and attack vectors; defending against malware and intrusions; blocking vulnerable access points; providing security training to employees and vendors with access to the network; monitoring accounts and network audit logs; testing defenses; and planning a response to security incidents. Importantly, businesses should document these efforts. Being able to demonstrate that it followed these controls, and how, will be a critical part of a company’s defense.
  • Third-Party Liability for Vendor Compliance: An important aspect of the business/service provider relationship is that a business that discloses personal information to a service provider “shall not be liable … if the service provider … uses it in violation of the [CCPA], provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation.” Businesses can review vendor contracts, vendor-posted public terms, vendor descriptions of their services and how they use data, as well as vendor privacy policies and data processing addenda, to support that a vendor reasonably qualifies as a “service provider” and that there are no “red flags” that could provide a basis for third party liability. Depending on how many vendors a business has, it may be reasonable to tackle these efforts by tiered priority.

Priority: Plan for the CCPA’s Impact on Your Digital Advertising

A key area of interest is how the CCPA defines the “sale” of personal information, and how the definition applies to Ad Tech relationships and different services, including the variety of ways your company may use interest-based advertising, enrich your existing data sets, use different types of data analytics services, use matching and re-targeting, or target your advertising to certain defined audience segments.

In particular, publishers may be considered to have “sold” consumer personal information when they pass along persistent identifiers to other Ad Tech participants depending on the relationship with such participants, and how such participants use the data. Just as important, companies that use service providers to assist with their advertising and data analytics efforts should evaluate and firm up such classifications. For partners that are not intuitively service providers or obvious recipients of data sales, more analysis and industry benchmarking on interpretations are likely warranted.

The Interactive Advertising Bureau proposes a framework that will enable publishers and their partners to comply with the CCPA’s provisions on the “sale” of consumer data by providing publishers a technical solution to signal to partners that a consumer has opted out of the “sale” of their personal information. The framework will bind Ad Tech participants using a limited service provider contract. Through this arrangement, the framework maintains the availability of interest-based advertising, but restricts participants in their use of personal information to strictly business purposes.

Otherwise, for companies engaged in digital advertising and analytics, some priorities include:

  • Assessing the “Sale” of Personal Information: Review any disclosure of personal information to other businesses and determine if that disclosure counts as a “sale” for purposes of the CCPA. If so, develop a plan to comply with the CCPA’s requirements.
  • Cataloging Cookies and Pixel Tags: Companies that have contracted with Ad Tech vendors to place cookies or fire pixel tags should catalog these activities and determine the extent to which they represent a “sale” of personal information, or if they reasonably qualify as service provider support. Alternatively, the Company may choose to block them from collecting personal information on the Company’s sites.

If you have any questions about compliance obligations under the CCPA, please contact Alysa HutnikKatie Townley, or Alex Schneider.

FTC Commissioners Rebecca Kelly Slaughter and Christine S. Wilson recently sat down with Cameron Kerry at the Brookings Institution to discuss the FTC’s role in privacy. Although the Commissioners did not agree on everything, both identified the FTC as the best agency to enforce privacy wrongs. The Commissioners also shared their views on issues such as notice and consent, data ownership, privacy harms, and FTC authority.

Both Commissioners agreed that “notice and consent” is an ineffective model. Instead, Commissioner Slaughter suggested focusing on consumer expectations as to how companies will use their data. Commissioner Wilson agreed, but suggested that any new model provide predictability and certainty for businesses in light of laws such as the CCPA and GDPR. Neither Commissioner thought the data ownership model was a proper alternative to “notice and consent,” and Commissioner Slaughter further noted that paying consumers for their data may actually exacerbate data use issues.

The Commissioners also discussed what harms the agency looks for in bringing privacy cases, and what harms any privacy legislation should address. Commissioner Wilson pointed to the FTC’s past enforcement actions, including a recent settlement against app developers who created apps to surreptitiously stalk individuals’ phones. Commissioner Slaughter suggested broadening the legislature’s and agency’s definition of privacy harms to consider new issues, such as data use and targeting that lead to child suicide and self-harm. She noted that harms should not need to be quantifiable to be cognizable.

In terms of how the FTC should use its enforcement authority, the Commissioners agreed that the agency should consider competition in privacy enforcement actions, but they disagreed as to how far to push the limits of the FTC’s authority. For Commissioner Slaughter, the important question is, “What are consumers’ reasonable expectations?” In the Facebook case, for example, Commissioner Slaughter wanted to pursue litigation to push for more transparency and limits on the company’s data collection and use. She noted that litigation is a good tool with which to identify the limits on the agency’s authority. Commissioner Wilson, on the other hand, was concerned about attempting to legislate through a settlement, and viewed the consumer relief in the case as “real and meaningful,” as evidenced by the company having already made changes to its practices as a result of the settlement.

Both Commissioners Slaughter and Wilson agreed that the FTC needs rulemaking and civil penalty authority in the first instance of an enforcement action, although Commissioner Wilson clarified that she thinks rulemaking authority should be limited, similar to COPPA. Both Commissioners also agreed that the FTC needs more resources for enforcement.

The FTC Commissioners also expressed a variety of views on what privacy legislation should look like, but noted that creating the law is ultimately up to Congress. Whether the legislature will pass privacy legislation remains to be seen. In the meantime, businesses will need to stay vigilant monitoring FTC privacy enforcement trends and business guidance, as well as the enactment of new state privacy laws and related state enforcement, private litigation, and relevant industry self-regulatory frameworks, such as the recently proposed IAB CCPA Framework.

The National Advertising Review Board (“NARB”) recently upheld an NAD decision regarding Goya Foods, Inc.’s claim, “La Pasta Favorita de Puerto Rico” or “Puerto Rico’s Favorite Pasta,” finding that the claim was not puffery and that it required substantiation. As we summarized here, NAD previously determined that use of the term “favorite” in this context was an objective claim that required sales data or consumer survey data as support. NARB agreed.

Although Goya did not have sales or survey data, the company argued that “favorite” was “subjective and immeasurable,” especially in light of the other fanciful claims present on the label such as “delicious.” Goya also pointed to an Eighth Circuit case that found that the word “favorite” was puffery in the context of the claim, “America’s Favorite Pasta.”

NARB was not convinced, determining that here, “favorite” conveys an objective preference message that requires substantiation. NARB noted that the Spanish definitions of “favorite,” like the English definitions, convey a message of preference. Although consumers may have different reasons for identifying a pasta as their favorite, they could easily determine which product was their “favorite” if given a survey.

NARB also noted that as a self-regulatory body, neither NAD nor NARB is bound by the Eighth Circuit ruling. Still, NARB did not think its decision conflicted with the Eighth Circuit case, as evaluating whether something is puffery is a fact-specific determination that depends on the context of the claim. In this context, “favorite” was an objectively provable claim. Thus, NARB upheld NAD’s suggestion that Goya discontinue use of the “favorite” claim.

Companies considering a “favorite,” “first,” or “best” claim should not assume that the terms are automatically puffery. Instead, advertisers should consider the context of the claim and whether that context conveys a message that requires substantiation.

With the new CCPA draft regulations out, you may be wondering—how can I comment?  What are the deadlines?  When will the draft regulations be finalized and go into effect?  This blog post summarizes the process and timing for the CCPA proposed regulations.  Businesses should consider filing comments to provide the Attorney General’s Office with insights on the operational and practical effects of some of the regulations as proposed, particularly where there may be unintended consequences and effects that were not sufficiently considered.  This blog post also walks through California’s rulemaking process under the California Administrative Procedures Act to provide more insights on the realistic timeframe for when the draft rules are likely to be finalized and go into effect.

CCPA Hearings and Comment Process

Comments are important if businesses are concerned about the proposed draft CCPA regulations.  The Attorney General’s Office is required to consider all relevant and timely comments, both written and oral.  After the comment period ends, the Attorney General’s Office also must respond to these comments in a document called the “Final Statement of Reasons,” which will explain how the Office modified the proposed regulations to accommodate the comments.

The deadline to submit written comments is December 6, 2019 by 5:00 p.m. (PST).  Any interested party, or someone authorized to act on their behalf, may submit written comments regarding the proposed CCPA regulations.  This can be done by sending the comments, by email, to PrivacyRegulations@doj.ca.gov.  Comments also can be submitted in-person at the public hearings, or by mail to:

  • Privacy Regulations Coordinator
    California Office of the Attorney General
    300 South Spring Street, First Floor
    Los Angeles, CA 90013

There will be four hearings to provide an opportunity for interested parties to present their feedback as follows:  December 2 (Sacramento), December 3 (Los Angeles), December 4 (San Francisco), and December 5 (Fresno).  All hearings start at 10 am.

Expected Timing for the Final Rules?

It depends, but as a practical matter, the earliest they could be finalized and effective is likely April 1, 2020 (and that’s if there are no substantive changes made).

In response to the comments filed, the Attorney General may decide to make changes to the proposed CCPA draft regulations.  If only non-substantial changes are made, there is no further notice and comment period.  If the changes are substantial but reasonably foreseeable (in light of the initial proposed regulations), there is an additional 15 day notice and comment period required. If there are substantial proposed changes that are not sufficiently related to the original proposed regulations, the Attorney General’s Office will need to repeat the full 45 day notice and comment process (this is less likely to occur).

If the agency relies on new material outside of the initial statement of reasons for the originally proposed draft regulations, it must make this material available for comment for 15 days.

Once the Attorney General’s Office completes its review of all comments on the additional proposed changes, and the notice and comment periods are exhausted, the Office will submit the rule to Office of Administrative Law, which has 30 working days to review the rulemaking record and confirm it is consistent with administrative procedure requirements.  If all is in order, that office will file the adopted rules with California’s Secretary of State.

The final CCPA rules’ effective date depends on the date that they are filed with the Secretary of State.  For example:

  • If filed September 1 – November 30: the effective date is January 1.
  • If filed December 1- February 29: the effective date is April 1.
  • If filed March 1 – May 31: the effective date is July 1.
  • If filed June 1 – August 31: the effective date is October 1.

These effective dates may vary based on a variety of factors, but generally the effective dates follow the timeline outlined above.  Once the final rule is adopted it has the force of law.

Our firm will continue to review draft CCPA regulations as we work with clients to develop practical guidance on complying with the CCPA. If you have questions on how the regulations may impact your business, or if you would like our assistance with drafting comments to the regulations, please contact Alysa HutnikKatie Townley, or Khouryanna DiPrima.