Skip to content

Regulatory interest in Internet of Things (“IoT”) devices is growing, partly in response to concerns about device security. In January, for example, California’s IoT Law (SB 327) went into effect. This law requires manufacturers of IoT devices to equip the devices with reasonable security features appropriate to the nature and function of the device, the information it may collect or transmit, protect the device and the consumer PII it contains from unauthorized access or disclosure.

In addition, at the federal level last year at least one bill was introduced addressing the cybersecurity of IoT devices: The Internet of Things Cybersecurity Improvement Act of 2019.  Although the bill is being held in committee and will only directly affect federal IoT technology, it calls for the National Institute of Standards and Technology (NIST) to IoT-related security standards and guidelines.

In light of these developments, IoT device manufacturers would be “smart” to pay close attention to NIST’s draft Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline (the “Draft Recommendations”).  The Draft Recommendations are described as voluntary, but various federal agencies, including the FTC, review and consider NIST publications in assessing privacy and data security practices.

NIST’s Draft Recommendations outline cybersecurity practices that manufacturers should consider adopting before they sell IoT devices to customers. According to NIST, these practices can help reduce the prevalence and severity of IoT device compromises (and attacks that exploit compromised IoT devices).

NIST’s Draft Recommendations consist of the following practices and further questions to help manufacturers and their customers to help address cybersecurity risks:

  • Identify expected customers and define expected use cases for IoT devices.
    • Which types of people or organizations are expected customers for the device?
    • How will the device be used?
    • Where, geographically, will the device be used?
    • What physical environments will the device be used in? (i.e. inside or outside, moving or stationary?)
    • What dependencies on other systems will the device need?
    • How might attackers misuse the device?
  • Research customer cybersecurity goals.
    • How will the device interact with the physical world?
    • How will the device be managed, accessed, and monitored by the customer or other devices?
    • How will the cybersecurity measures affect the device’s availability, efficiency, or effectiveness?
    • What data will the device store or transmit?
    • What are the sector-specific or legal regulations of the device?
    • What complexities will be introduced by the device interacting with other devices, systems, and environments?
  • Determine how to address customer goals.  NIST defines a core cyber-capability baseline in furtherance of this goal through:
    • Device Identification: specify how devices can be uniquely identified;
    • Device Configuration: ensure device firmware and software is protected from unauthorized access and modification;
    • Data protection: protect data that is stored and transmitted;
    • Logical Access to Interfaces: restrict logical access to local network interfaces to authorized entities only;
    • Software and Firmware Updates: ensure that updates can only be made by authorized entities; and
    • Cybersecurity State Awareness: create devices that can report on their cybersecurity state and make that information available to authorized entities only.
  • Define approaches for communicating with customers.
    • What terminology will the customer understand?
    • How much information will the customer need?
    • How/where will the information be provided?
    • How can the integrity of the information be verified?
  • Decide what to communicate to customers and how to communicate it.  NIST suggests answering the following questions for the customer:
    • How long do you intend to support the device?
    • When do you intend for the device end-of-life to occur?
    • What functionality, if any, will the device have after support ends and the end-of-life?
    • How can customers report suspected problems with cybersecurity implications and how will the manufacturer deal with these reports?

Given the shifting legal landscape for IoT cybersecurity, adopting the practices and procedures in NIST’s Draft Recommendations could protect a manufacturer’s investment in this technology into the future.


Please join partner Alysa Hutnik and associate Carmen Hinebaugh for Privacy 101, a webinar that walks through topics such as:

  • Privacy law 101
  • Data security and breaches
  • E-Mail, calls, and text marketing

Register Here


Three and a half years after UK citizens voted to leave the EU, the country officially left the Union on January 31. One of the many questions resulting from the departure is what happens to the EU-U.S. Privacy Shield as it applies to personal data transferred from the UK. The Commerce Department’s FAQs on Privacy Shield and the UK provide some answers; we highlight the key points below.

December 31, 2020 is the key date to watch. That is the end date for the UK-EU Transition Period. During this time, the European Commission will continue to consider personal data transfers from the UK under Privacy Shield as receiving adequate data protection. Privacy Shield-certified entities will not have to take any additional action to cover transfers that occur during this Transition Period.

However, certified entities will need to make some adjustments this year to continue to transfer personal data from the UK under Privacy Shield after the Transition Period. Specifically, a Privacy Shield-certified entity must take the following steps prior to December 31, 2020:

  • Update its public commitment to specify that it will apply Privacy Shield protections to personal data transferred from the UK. The FAQs provide model language for this commitment. Entities that will use Privacy Shield to transfer employment data from the UK must also make a corresponding disclosure in their HR privacy policies.
  • Maintain a current Privacy Shield certification, comply with Privacy Shield’s requirements, and continue to recertify annually.

Entities that rely on Privacy Shield for transferring personal data from the UK should keep these requirements (and all other Privacy Shield requirements) in mind when reviewing their compliance materials for Privacy Shield recertification.


Please join partner Alysa Hutnik and associate Carmen Hinebaugh for Privacy 101, a webinar that walks through topics such as:

  • Privacy law 101
  • Data security and breaches
  • E-Mail, calls, and text marketing

Register Here



The Ad Law Access podcast is available through Apple PodcastsSpotifyGoogle PlaySoundCloud, or wherever you get your podcasts.

Privacy law 101 webinar on Wednesday, February 25th
While there is a lot of attention on California’s new privacy law (CCPA), what about the basic privacy considerations when it comes to compliance, risk assessment, and negotiating contracts? Please join partner Alysa Hutnik and associate Carmen Hinebaugh for a webinar that walks through topics such as:

  • Privacy law 101
  • Data security and breaches
  • E-Mail, calls, and text marketing

Register here



This morning, the FTC announced that it is seeking public comment on whether to make changes to its Endorsement Guides as part of the agency’s systematic review of all current rules and guides. The Guides were first enacted in 1980, and updated in 2009 to more directly address social media. Among other things, the Guides states that influencers need to clearly disclose any relationship they have to the companies whose products they are promoting. Although the FTC hasn’t made any updates to the Guides since 2009, it has issued various guidance documents directed to businesses and influencers since then. (For more information about these guidance documents, listen to our podcast.)

In a proposed Federal Register notice, the FTC asks for comments on a range of questions, including:

  • whether the Guides should be changed to account for changes in technology or the economy;
  • whether some of the FTC’s guidance documents should be incorporated into the Guides;
  • whether children are capable of understanding disclosures of material connections;
  • whether incentives like free or discounted products bias consumer reviews, and whether or how those incentives should be disclosed;
  • whether composite ratings that include reviews based on incentives are misleading, even when reviewers disclose incentives in the underlying reviews;
  • whether the Guides should address the use of affiliate links by endorsers; and
  • what, if any, disclosures advertisers or operators of review sites need to make about the collection and processing of publication of reviews to prevent them from being deceptive or unfair.

The notice, along with instructions for filing comments, will be published in the Federal Register soon, and comments will be due within 60 days of publication. Companies are still wrestling with the 2009 updates, more than ten years after they went into effect, and it’s likely that any new changes will have similar far-reaching effects. If you work with influencers or incentivized reviews and need help writing comments, let us know.

The plaintiffs’ class action bar continues to target “healthy” advertising claims made by food and beverage companies by bringing expensive class action lawsuits against the companies.

The latest company forced to defend its advertising is BA Sports Nutrition, LLC, the maker of BodyArmor SuperDrink, which was recently hit with a putative class action in the Northern District of California.  The lawsuit, Silver v. BA Sports Nutrition, LLC, No. 20-cv-00633 (N.D. Cal.), alleges that, despite BodyArmor’s labels and advertisements representing SuperDrink as providing “superior hydration,” “better hydration,” and a “more natural” way to hydrate, the drink is actually a “dressed-up soda masquerading as a health drink.”

The named plaintiffs allege that BA Sports misleadingly advertises BodyArmor—through labels, TV and billboard advertisements, and paid social media influencers—as healthy despite each 16-ounce bottle containing the full daily recommended limit of sugar for adult men, and more than the recommended daily limit for children and adult women.  Although BA Sports fortifies BodyArmor with vitamins, the complaint alleges that this fortification is unlawful because the FDA prohibits fortifying junk foods just to market them as healthy—the so-called “jelly bean rule.”

But BodyArmor is not alone. Seemingly the entire food and beverage industry remains within class action plaintiffs’ crosshairs.   For example, advertisements for coconut-based products have been the target of several actions in recent years.

In 2017, Costco settled an action challenging the labels on its coconut oil product, which advertised the product’s “health benefits” and encouraged consumers to use the oil as a substitute for butter when, in fact, the product allegedly contained a high amount of saturated fat.

Danone US Inc. has faced a pair of similar class actions in California challenging the advertising of its coconut milk products.  Last year, in Andrade-Heymsfield v. Danone US, Inc., No. 19-cv-589, 2019 WL 3817948 (S.D. Cal. Aug. 14, 2019), the Southern District of California dismissed claims alleging that Danone deceptively advertised its So Delicious Coconut Milk.  There, the court concluded that the label’s claims that the milk contains “good fats” and can help maintain “healthy” bones through calcium and vitamin D were “structure and function” claims about the milk’s nutrients and their effects, which are allowed by the FDA.  The court also held that a reasonable consumer would be able to tell that the label’s reference to “healthy” refers to promoting bone health rather than representing that the product as a whole is healthy.

The next month, however, in Marshall v. Danone US, Inc., 402 F. Supp. 3d 831 (N.D. Cal. 2019), the Northern District of California denied Danone’s motion to dismiss a putative class action alleging that the “cholesterol-free” representation on its Silk Coconutmilk label misleads consumers into believing the milk has health benefits, which allegedly are belied by its saturated fat content of three or more grams per serving.

BA Sports—which was filed by some of the same plaintiffs’ counsel that pursued similar allegations against Coca-Cola’s vitamin-water product in Ackerman v. Coca-Cola Co., No. 11-02215 (E.D.N.Y.) and Ford v. Coca-Cola Co., No. 09-00395 (E.D.N.Y.)—is another reminder that, as consumers continue to express a desire for healthy foods and products, the plaintiffs’ bar will continue to bring these type of lawsuits.






On Friday, California Attorney General Xavier Becerra released proposed modifications to the formerly-released draft regulations implementing the California Consumer Privacy Act (CCPA). The modifications reflect the Attorney General’s response to public comments issued in response to the draft regulations and arguably represent a rollback of key provisions previously proposed.

The modifications impose a number of changes to the regulations. Of immediate note to companies are the following:

  1. Service Providers:  The modifications clarify that it would be acceptable (and thus, not a “sale”) for a service provider to use a business’s personal information to build or improve the quality of the service provider’s services, provided that the use does not include building or modifying household or consumer profiles, or cleaning or augmenting data acquired from another source.  The modifications also require the service provider to stop selling data on behalf of a business when a consumer has opted out of the business’s sale of their personal information.  This clarification arguably restricts an interpretation that using personal information to build or augment profiles, or to clean or augment personal information, are acceptable “business purposes” between a business and a service provider.
  2. Third Parties: The modifications no longer require a third party that purchases personal information to contact the consumer directly to provide notice and an opt out, or to contact the source and confirm that the source provided the required notice and obtain signed attestations.
  3. Loyalty Programs/Not Discrimination: If a consumer informs the business that she would like to remain in a loyalty program but otherwise have the business delete their information, it is lawful under the CCPA for the business to deny the deletion request as to the information necessary to maintain the enrollment in and benefits from the loyalty program. The modifications specifically provide that a business’s denial of a consumer’s request to know, request to delete, or request to opt-out for reasons permitted by the CCPA or the regulations are not discriminatory.
  4. Personal Information (Actual, Not Hypothetical): The modifications reinforce that whether information is “personal information” depends on how the business maintains the information, noting, for example, “if a business collects the IP addresses of visitors to its website but does not link the IP address to any particular consumer or household, and could not reasonably link the IP address with a particular consumer or household, then the IP address would not be “personal information.”  In other words, if data collected technically could be considered personal information under the CCPA definition, but the business does not and cannot reasonably link that data to any particular consumer or household, that data would not be personal information.
  5. Notice at Point of Collection:  The modifications clarify that a business may not use personal information for purposes that are materially different from those disclosed in the notice at collection, unless the business directly notifies the consumer of the new use and obtains explicit consent.
  6. Privacy Policy “Right to Know” Disclosure: In describing the “right to know” in the privacy policy, the disclosure should be written in a manner that provides consumers with a meaningful understanding of the categories listed, and disclose:
    • The categories of personal information collected;
    • The categories of sources from which it was collected;
    • The business or commercial purpose for collecting or selling personal information;
    • The categories of third parties with whom the business shares personal information;
    • The categories of personal information the business sold in the past 12 months and, for each category, the categories of third parties to whom they sold it; and
    • The categories of personal information disclosed for business purpose in the past 12 months and, for each category, the categories of third parties to whom they disclosed it.
  7. Privacy Policy “Agent Instructions” Disclosure:  The privacy policy must provide instructions on how a consumer can designate an authorized agent to make a request under the CCPA on the consumer’s behalf.
  8. Consumer Rights Requests: The modifications would update how a business responds to consumer rights requests as follows:
    • Online-Only Businesses:   If they have a direct relationship with a consumer, the modified regulations confirm that an online-only business need only provide an email address for submitting requests to know.
    • Timing: A business has 10 business days to confirm receipt of a request, and 45 calendar days to respond. If the business cannot verify the consumer’s identity within the 45 days, the business may deny the request.  In other words, the clock does not run indefinitely if the consumer has not verified his or her identity during the initial 45-day period.
    • “Right to Know” Search Exceptions:  A business does not need to search for personal information in response to a request if the business does not maintain the personal information in a searchable format, maintains it only for legal and compliance purposes, does not sell the information or use it for any commercial purpose, and describes in its response to the consumer the categories of information it holds that it did not search but which may contain the information. This provides some flexibility to avoid expensive searches for personal information, such as call recording or video footage collected by companies for security or legal compliance purposes.
    • “Right to Know” Production Exceptions:  The modifications struck the express exception preventing a business from providing specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of the personal information, the consumer’s account with the business, or the security of the business’s systems or networks. Instead, the modifications more generally state that a business may avoid producing specific pieces of personal information, in whole or in part, because of a conflict with federal or state law, or based an exception to the CCPA, but must inform the requestor and explain the basis for the denial, unless prohibited from doing so by law.
    • Deletion Denial/Opt Out Notice:  If the business denies a deletion request, it also must ask the consumer if she wants to opt out of the sale of her personal information (even if the consumer has not made the opt-out request), and include a link to the opt out.
    • Deletion Compliance: Two-step confirmation of deletion requests is no longer required. In fulfilling a deletion request, the business does not need to specify the manner in which it deleted the personal information.
    • No Fee for Verification:  A business cannot require a consumer to pay a fee for the verification of a request to know or request to delete.
  9. Do Not Sell Button: The modifications provide additional information about the voluntary use of the opt-out button. When the opt-out button is used, it should be the same size as other buttons on the webpage, such as:
  10. Opt Out: A business has 15 business days to comply with an opt-out request. Significantly, the modifications provide that businesses will not need to notify third parties to whom they sold the consumers data within 90 days. Instead, this obligation is limited to circumstances when the business sold personal information to third parties between the date of the opt-out request and the date of compliance. For sales made during this limited period, the business shall direct the third party purchasers not to further sell the data. In addition, the opt-out method must be easy for consumers to execute and require minimal steps to allow the consumer to opt-out. “A business shall not utilize a method that is designed with the purpose or substantial effect of subverting or impairing a consumer’s decision to opt-out.”
  11. User-Enabled Privacy Controls:  A privacy control developed in accordance with the regulations must clearly communicate that a consumer intends to opt out of the sale of her personal information. The privacy control must require that the consumer affirmatively select her choice to opt out and not be designed with pre-selected settings. If a global privacy control conflicts with a consumer’s existing business-specific privacy setting or participation in a business’s financial incentive program, the business shall respect the global privacy control but may notify the consumer of the conflict and give the consumer the choice to confirm the business-specific privacy setting or participation in the financial incentive program.
  12. Mobile Notifications: The modifications provide that, where a business collects information from a mobile application, it can provide a link to the privacy policy within the applications. Where the application collects information that the consumer would not reasonably expect, the business must provide a notification of that collection, such as through a pop up window, that explains the collection and links to the larger privacy policy.
  13. Households: The modifications clarify that a household means those who reside at the same address, share a common device or the same service provided by a business, and are identified by the business as sharing the same group account or unique identifier. In terms of responding to “household” rights requests, if a consumer has a password-protected account with a business that collects personal information about a household, the business may process requests to know and delete relating to household information through the business’s existing business practices and in compliance with the regulations. If a member of a household is a minor under the age of 13, a business must obtain verifiable parental consent before complying with a request to access specific pieces of information for the household or the deletion of household personal information pursuant to CCPA-mandated parental consent.
  14. Employee Privacy Notice: Under the revised regulations, employee privacy notices do not need to contain links to the Do Not Sell option.
  15. Data Brokers: The modifications provide that data brokers do not need to provide a notice at collection to the consumer if it included in its registration submission a link to its online privacy policy that includes instructions on how a consumer can submit a request to opt-out.
  16. Annual Privacy Policy Disclosures:  Businesses that buy, receive for the business’s commercial purposes, sell, or share for commercial purposes, the personal information of 10MM+ (up from 4MM+) consumers in a calendar year must disclose required metrics by July 1 of every calendar year in their privacy policy (or on their website and accessible from a link included in their privacy policy) with some variations depending on how it tracks the data.

The deadline to submit written comments to the proposed modifications is February 24, 2020. Our firm will continue to review the draft regulations as we work with clients to develop practical guidance on complying with the CCPA. If you have questions on how the regulations may impact your business, or if you would like assistance in submitting a written comment, please contact Alysa HutnikAaron Burstein, Katie Townley, or Carmen Hinebaugh.


Yesterday, the FTC announced that it had reached a settlement with LendEDU and three of its officers over misleading ratings and reviews.

LendEDU runs a website that compares student loans and other financial products. Although they advertised that the ratings are on the site are “completely objective and not influenced by compensation,” the FTC argued that this wasn’t true. Instead, LendEDU based rankings on how much companies paid them per click. After LendEDU became aware of the FTC investigation, it added a disclosure suggesting that the money it receives from companies may affect their ratings, but the FTC found that was not sufficient.

The FTC also investigated the reviews about LendEDU’s that appeared on third party sites, such as Trustpilot. It determined that 111 of the 126 reviews that appeared on Trustpilot were actually written by LendEDU employees or their friends or family members. LendEDU highlighted some of these fake reviews on its own site, with headings such as “See What Our Customers Have to Say.” And, to make things worse, the company made up testimonials from non-existing customers and posted them on its site.

Image from LendEDU site

The proposed settlement would prohibit the company and its operators from making the same types of misrepresentations cited in the FTC’s complaint. In addition, the company is required to pay $350,000. Andrew Smith, Director of the Bureau of Consumer Protection, said: “These misrepresentations undermine consumer trust, and we will hold lead generators like LendEDU accountable for their false promises of objectivity.”

Although this case shouldn’t hold any surprises for readers of this blog, it demonstrates that the FTC continues to be focused on the issue of fake reviews.


In Glasser v. Hilton Grand Vacations Company, LLC, the Eleventh Circuit addressed a pair of appeals that presented the question of the appropriate definition of an automatic telephone dialing system (“ATDS”) as set forth in the Telephone Consumer Protection Act (“TCPA”).  In answering that question, the Eleventh Circuit expanded upon the Third Circuit’s ruling in Dominguez v. Yahoo, Inc. to conclude that calling technology will not satisfy the ATDS definition unless the equipment at issue generates the telephone numbers “randomly or sequentially” and then dials them automatically.  Under the Eleventh Circuit’s approach, companies who are, for example, contacting customers from a database of telephone numbers, even using the kind of “sophisticated telephone equipment” at issue in Glasser, will not face liability under the TCPA, so long as the technology used is not generating the numbers itself.

Glasser represents a significant reduction in the scope of liability under the TCPA.  Since 2003, due to an order by the Federal Communications Commission (“FCC”), the use of predictive dialing equipment has been sufficient to trigger the TCPA’s protections under the ATDS provisions of the statute.  In ACA Int’l v. FCC, however, the D.C. Circuit vacated prior FCC guidance on this issue, which the Eleventh Circuit (along with other courts), held includes the FCC’s 2003 order.  In reaching its conclusion, the Eleventh Circuit noted that the FCC had improperly sought to expand to the scope of the TCPA in order to capture more modern technology.  “[T]he [FCC] had watched companies switch from using machines that dialed a high volume of randomly or sequentially generated numbers to using ‘predictive dialers’ that called a list of pre-determined customers. . . .Watching this happen in real time, the [FCC] tried to use a broad ‘reading of the legislative history’ and an all-encompassing view of the law’s purpose to expand the statute’s coverage and fill this gap.”

Even under Glasser’s interpretation of the statute, an important limitation on the use of “automated telephone equipment” remains, however, because such equipment must connect customers with a “human representative” or obtain the requisite consent to place calls using an “artificial or prerecorded voice” to avoid liability under the TCPA.  In Glasser, where the record demonstrated that one of the defendants had made calls using an “an artificial or prerecorded voice,” the Eleventh Circuit held that this conduct provided an “independent basis” for liability under the TCPA and affirmed summary judgment in plaintiff’s favor with respect to those calls.

In addition, it is important to keep in mind that while the Eleventh Circuit’s decision provides strong support to limit the scope of liability under the TCPA, the Ninth Circuit has held that dialing numbers from a stored list “automatically” will trigger the TCPA’s protections.  In addition, there is uncertainty in many other jurisdictions as to the type of technology that will qualify as an ATDS and the FCC still has not issued its order on remand following the D.C. Circuit’s ruling in ACA Int’l.  See  Further, it remains to be seen whether the Supreme Court will take up the issue of the appropriate definition of ATDS presented by the appeal in Duguid v. Facebook, Inc., in addition to the constitutional challenge it has already accepted in Barr v. American Association of Political Consultants, Inc. on January 10, 2020.


On the latest episode of the Ad Law Access Podcast, Senior Associate Katie Townley makes her podcast debut with a discussion of promotions. Katie provides this Taylor Swift contest as an example of how things can go wrong.

For additional information on promotions and other issues, visit the Advertising and Privacy Law Resource Center.

Please visit and subscribe to our blog, Ad Law Access, at for additional information on these and other advertising and privacy law topics.

The Ad Law Access podcast is available now through Apple PodcastsSpotifyGoogle PlaySoundCloud, and wherever you get your podcasts.

On January 30th, 24 State Attorneys General*, led by Kwame Raoul (D) of Illinois, submitted an amici curiae brief in support of the Federal Trade Commission’s position in FTC v. Credit Bureau Center LLC.

These State AGs are in agreement with the FTC, which has argued that the district court’s authority to grant a permanent injunction under Section 13(b) of the FTC Act includes the authority to require wrongdoers to return money that was illegally obtained. 19 Democrats, 4 Republicans, and 1 member of the New Progressive Party signed on to the brief, including State AGs from all of three states within the Seventh Circuit—Indiana, Illinois, and Wisconsin.

That is a pretty solid group, with a sprinkle of bi-partisan support, thanks to Republicans Lawrence Wasden (who has served as Idaho Attorney General since 2003), and newcomers Kevin Clarkson of Alaska, Curtis Hill of Indiana, and Jason Ravnsborg of South Dakota.

Of course, the math tells you that there were 32 State Attorneys General (22 Republicans, 8 Democrats, and 2 Independents) who did not sign on, even though it is a near certainty that they all had the opportunity to do so. There could be any number of reasons for that, so it would be wrong to conclude that all 32 of these Attorneys General stand behind the petitioners and not the FTC, but it is likely that a large number of these Attorneys General considered the issue and purposefully decided against supporting the FTC or simply chose to remain on the sidelines.

The principal point raised in the brief is that “the FTC’s ability to seek restitution under Section 13(b) benefits the amici States and their residents.” The brief notes that “in 2018 alone, the FTC’s Bureau of Consumer Protection issued more than $122 million in refunds to consumers throughout the country” and asserted that their “own enforcement efforts are fortified by having a strong federal partner in the FTC.”

In addition, the amici States argued that the impact of Credit Bureau Center is not limited to the Seventh Circuit and encourages forum shopping, with “defendants in at least one enforcement action having already requested a transfer of their case into the Seventh Circuit to take advantage of its now favorable law.” The amici States further argued that if the Credit Bureau Center decision stands, they will have to shift resources to work that would have previously been done by the FTC and weaken the incentive for collaboration with the FTC. Finally, they asked the Supreme Court to grant the FTC’s petition for certiorari.


*          Alaska (R), Colorado (D), Connecticut (D), Delaware (D), Hawaii (D), Idaho (R), Indiana (R), Illinois (D), Iowa (D), Maine (D), Maryland (D), Massachusetts (D), Michigan (D), Minnesota (D), Nevada (D), New Jersey (D), New Mexico (D), Oregon (D), South Dakota (R), Vermont (D), Virginia (D), Wisconsin (D), The District Of Columbia (D), and the Commonwealth Of Puerto Rico (New Progressive Party)