Last week, the California legislature voted to send five amendments to the CCPA to the California governor’s desk.  The amendments include a one-year exemption for access and deletion rights to employee data and B2B communications; a provision exempting online-only businesses from operating a toll-free number to accept consumer requests; and a new mandate for data brokers to register with the Attorney General’s office.

Governor Gavin Newsom has until October 13, 2019 to act on the legislation.  The California legislative session ended on Friday, and no additional CCPA amendments are expected before the law comes into effect on January 1, 2020.

Of the six CCPA amendments that had been pending in the California legislature, just one amendment failed to pass last week.  A.B. 846 would have provided clarity that the CCPA does not restrict financial incentive and loyalty programs.

Here’s the full list of amendments awaiting the governor’s signature:

  • CLARIFYING AMENDMENTS & EXEMPTIONS: Assembly Bill 1355exempts deidentified or aggregate consumer information from the definition of personal information; creates one-year exemption for certain B2B communications or transactions; and broadens the existing exemption for compliance with the federal Fair Credit Reporting Act (FCRA).
  • DATA BROKER REGISTRATION: Assembly Bill 1202 requires data brokers to register with the California Attorney General.
  • EMPLOYEE EXEMPTION: Assembly Bill 25 changes the CCPA so that the law would not cover collection of personal information from job applicants, employees, business owners, directors, officers, medical staff, or contractors for one year.
  • CONSUMER REQUEST FOR DISCLOSURE METHODS: Assembly Bill 1564 would require businesses to provide two methods for consumers to submit requests for information, including, at a minimum, a toll-free telephone number.  A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information would only be required to provide an email address for submitting CCPA requests.
  • VEHICLE WARRANTIES & RECALLS:Assembly Bill 1146 would exempt vehicle information retained or shared for purposes of a warranty or recall-related vehicle repair.
  • PUBLICLY AVAILABLE INFORMATION: Assembly Bill 874 streamlines the definition of “publicly available” to mean information that is lawfully made available from federal, state, or local government records. The bill also would amend the definition of “personal information” to exclude deidentified or aggregate consumer information.

On Tuesday, the FTC issued warning letters to three companies selling CBD products.  The companies, which FTC did not identify publicly, allegedly illegally advertised CBD products as being able to treat or cure serious diseases and health conditions without competent and reliable scientific evidence to support such claims. As we have written about previously, FTC and the FDA issued similar joint warning letters to three other CBD sellers earlier this year.

According to the FTC’s press release, the companies claimed their products could cure serious diseases such as cancer, alzheimer’s, fibromyalgia, and multiple sclerosis.  At least one company’s website, however, took it a step further by claiming “CBD ‘works like magic’ to relieve ‘even the most agonizing pain’ better than prescription opioid painkillers” and “the company . . . has participated in ‘thousands of hours of research’ with Harvard researchers.”

The letters directed the recipient companies to review all claims, including testimonials, to ensure they are supported by competent and reliable scientific evidence.  As readers of this blog likely know, advertisers are required to substantiate all objectively provable claims and cannot use testimonials as a means to make claims that they cannot otherwise substantiate. Given that cannabis, including hemp, was a controlled substance for decades, there has been limited research conducted to date.  Put another way, although users may have experienced favorable results, this does not excuse the advertiser from properly substantiating their claims.

Consumers increasingly want to feel good about their buying decisions and like-minded companies often look for ways to communicate how they align with consumers in the marketplace through “cause marketing.”

Advertising and Marketing and Consumer Product Safety practice groups chair Christie Grymes Thompson covers a specific type of cause marketing – the commercial coventure (CCV) – in the latest episode of the Ad Law Access PodcastCause Marketing – Commercial Co-Ventures: What You Need to Know Before Getting Started.

Commercial coventures are typically when a company teams up with a charity to offer a product or service or to sponsor an event, and consumer’s purchase or participation in the event triggers a donation to the charity. Christie discusses the statutes that apply to co-venturers and what you need to know to get started.

You can find the Ad Law Access podcast through your favorite streaming service (Apple Podcasts, Spotify, Google Play, Stitcher, SoundCloud, and others).

This week marks the final opportunity for California lawmakers to amend the CCPA before the legislative session closes on Friday, September 13th.  The legislative posture of the amendments changed last Friday, when the Senate made changes to all of the active amendments.  These bills still require an affirmative vote of both houses this week before they can head to the Governor’s desk for a signature.  The Governor then has until October 13th to sign the bills into law.

Substantive changes were made to the following three amendments, AB 846, AB 1355, and AB 1202, as follows:

  • AB 846 (loyalty programs) now only would permit the sale of personal information collected through loyalty programs in very limited circumstances, and limits the third party purchaser’s retention and use of such data other than for eligibility purposes.
  • AB 1355 (clarifying amendments & exemptions) now adds a one-year exemption under the CCPA for personal information obtained by a business through B2B communications or transactions, specifically in the context of (a) the business conducting due diligence regarding a company, nonprofit, or government agency, or (b) the provision or receipt of a product or service to or from a company, nonprofit, or government agency.
  • AB 1202 (data broker registration) removed a provision that would have satisfied the compliance obligations of registered data brokers through website notices.

Otherwise, the Senate made technical changes to the amendments, confirming that the amendments are compatible and that their order of enactment will not have an unintended legal impact.  Procedurally, these changes mean that the amendments must be approved not only by the California Senate but also by the California Assembly.

Here’s the full list of pending amendments, as of September 9th:

  • LOYALTY PROGRAMS: Assembly Bill 846 would remove loyalty/rewards programs from the discrimination provisions of the CCPA but under very limited circumstances that are likely to materially affect how and if such programs are offered to California residents.
    • What’s New?  The new language in the amendment would permit the limited sale of personal information to a third party that is collected as part of a loyalty, rewards, premium features, discounts, or club card program “in order for the third party to provide the consumer with a financial incentive, sale, or other discount” but only when:  (1) the business obtains the consumer’s express consent to sell the information to the specific third party (and where the consumer has the option to participate in the program on equal terms with other participants without providing consent); and (2) the third party can only use the personal information to identify the consumer’s discount eligibility, and does not otherwise retain, use, or disclose the personal information separate from such eligibility determination.
  • CLARIFYING AMENDMENTS & EXEMPTIONS: Assembly Bill 1355 exempts deidentified or aggregate consumer information from the definition of personal information; creates a new, one-year exemption for certain B2B communications or transactions; and broadens the existing exemption for compliance with the federal Fair Credit Reporting Act (FCRA).
    • What’s New?  AB 1355 adds a limited, one-year exemption from the notice and rights provisions of the CCPA for personal information obtained from representatives of a business who communicate or transact with another business.  The exemption applies when a consumer is a “natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency.”

The amendment would enable a business to claim the exemption with regard to “personal information reflecting a written or verbal communication or a transaction between the business and the consumer.”  Importantly, such communications or transaction with the business must occur solely within the context of the business either (a) “conducting due diligence regarding” such company, partnership, sole proprietorship, nonprofit, or government agency, or (b) “providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit, or government agency.”

In addition, new language in AB 1355 revises the exemption for compliance with the FCRA, clarifying that activity involving the disclosure or use of personal information by a consumer reporting agency, furnisher of information, or user of a consumer report is exempt from the CCPA as long as that activity is regulated by the FCRA.  The exemption does not apply in the case of a data breach actionable under the CCPA’s private right of action.

  • DATA BROKER REGISTRATION: Assembly Bill 1202 requires data brokers to register with the California Attorney General.
    • What’s New?  Earlier versions of the amendment included a provision that would have enabled data brokers to satisfy their obligation under California law to inform consumers about personal information collected and the purposes of collecting such information by posting that information on the data broker’s website.  The latest version of the amendment removes this language.

The following amendments moved forward without substantive changes.

  • EMPLOYEE EXEMPTION: Assembly Bill 25 changes the CCPA so that the law would not cover collection of personal information from job applicants, employees, business owners, directors, officers, medical staff, or contractors for one year.
  • CONSUMER REQUEST FOR DISCLOSURE METHODS: Assembly Bill 1564 would require businesses to provide two methods for consumers to submit requests for information, including, at a minimum, a toll-free telephone number.  A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information would only be required to provide an email address for submitting CCPA requests.
  • VEHICLE WARRANTIES & RECALLS:Assembly Bill 1146 would exempt vehicle information retained or shared for purposes of a warranty or recall-related vehicle repair.
  • PUBLICLY AVAILABLE INFORMATION: Assembly Bill 874 streamlines the definition of “publicly available” to mean information that is lawfully made available from federal, state, or local government records. The bill also would amend the definition of “personal information” to exclude deidentified or aggregate consumer information.

The FTC and the New York Attorney General recently announced a record-setting $170 million ($136 million to the FTC and $34 million to the NY AG) joint settlement with Google. The settlement resolves allegations that YouTube violated the Children’s Online Privacy Protection Act (“COPPA”) and is the largest penalty the FTC has ever received in a COPPA case, easily dwarfing the agency’s next-highest $5.7 million settlement with TikTok.

In the complaint, the agencies alleged that YouTube violated the COPPA Rule because the site did not provide direct notice to parents of, or attempt to obtain verifiable parental consent prior to, collecting children’s personal information. Although the site markets itself as general audience and prevents users under age 13 from creating an account, the complaint alleged that YouTube had actual knowledge that it collected children’s personal information, including persistent identifiers, through the child-directed channels commercial entities operate on the site. This “actual knowledge” made YouTube an “operator” subject to the COPPA Rule.

The complaint also noted that, while identifying itself as a general audience platform not subject to COPPA, YouTube promoted its site as the “favorite website for kids 2-12” in pitches to toy companies and manually rated its content based on age group. Still, the company treated any content self-identified as child-directed similarly to any other content in terms of monetization and behavioral advertising practices.

The settlement’s injunctive provisions include:

  1. Developing and implementing a system for channel owners to designate whether their content is child-directed;
  2. Providing annual COPPA training for employees who manage child-directed channel owners;
  3. Making reasonable efforts to ensure that parents receive direct notice of the collection, use, or disclosure of children’s personal information;
  4. Posting prominently a link to that COPPA notice on any area of the site that collects children’s personal information;
  5. Obtaining verifiable parental consent prior to collecting, using, or disclosing children’s personal information; and
  6. Ceasing disclosing, benefiting from, or using any children’s personal information collected prior to the settlement within 90 days of the compliance date in January of 2020.

Although not specifically required by the settlement, YouTube also recently announced that it will be creating a site specifically for children’s content. Parents will be able to filter videos based on a child’s age, and track their children’s viewing history, and the site will not use behavioral advertising. Previously, the kids’ site was only available via mobile app.

Children’s privacy has been a hot topic recently, with the FTC announcing a request for comment on the COPPA Rule and legislators proposing updated COPPA legislation. Initial reports indicate that Congress sees this settlement as a slap on the wrist for the tech giant, as the total monetary penalty is allegedly less than two-days’ worth of profits for Google. Similar complaints were made after the FTC’s Facebook settlement, but it is left to be seen if disappointment with either settlement will be enough to push Congress to identify a new privacy enforcer via federal legislation.

NAD recently announced a decision involving Pyle Audio’s campaign to generate reviews for its NutriChef brand vacuum sealers. When consumers received their products, they would find a card promising them two rolls of vacuum sealing bags in exchange for leaving a review on Amazon.com. Near that promise, the card included the words “love this” and an image of five stars. The challenger argued that this presentation suggested that consumers had to leave positive reviews in order to receive the free bags. Moreover, the card did not tell consumers that they had to disclose that they received free products in exchange for the review.

ReviewsNAD started its decision by recapping previous guidance and cases – including this case that we discussed in April – holding that consumers who receive a benefit in exchange for a review should be required to clearly disclose that they’ve received that benefit. Here, Pyle did not take any steps to ensure that consumers made these disclosures. As a result, “consumers reading the reviews are left with the mistaken impression that the reviews are spontaneous . . . .” This violates the FTC’s Endorsement Guides.

In addition, although Pyle may not have explicitly required consumers to leave a positive review to receive the free bags, NAD found that because the offer was coupled with the words “love this” and an image of five stars, consumers could reasonably conclude that a positive review was required. Moreover, the card directed people who weren’t happy to contact the company for help. “Consumers may reasonably understand that that there are two mutually exclusive options — (1) leave a review and get a reward if you are satisfied with the product or (2) contact Pyle if you are not satisfied.”

For future promotions, NAD recommended that Pyle take steps to ensure that consumers disclose that they’ve received a benefit in exchange for the review. Moreover, the company should not suggest that positive reviews are required. As far as existing reviews, NAD recommended that Pyle take reasonable measures to have those reviews taken down or to modify them to include a clear and conspicuous disclosure that the consumer who posted the review received something of value from Pyle.

These types of campaigns are receiving more attention from the FTC and NAD. If your company encourages consumers to write reviews, you should take a close look at FTC guidance and recent cases to ensure that your campaign does not get you in trouble.

Last week, the U.S. Court of Appeals for the Seventh Circuit cannonballed directly into the roiling waters of debate over the Federal Trade Commission’s enforcement powers, when it determined in a closely-watched appeal that the agency does not have the right to restitution under the primary provision the Commission uses to attack fraud — Section 13(b) of the FTC Act.  The decision is certain to lead to other challenges to the agency’s authority, and has set off a high level of speculation about what will happen next.

In Federal Trade Commission v. Credit Bureau Center, the Seventh Circuit held that the FTC could not obtain monetary relief in the form of restitution under Section 13(b). The decision represents a substantial limitation to the FTC’s enforcement power, as the agency previously has sought restitution when bringing deceptive practices claims in federal court.

This is no small deal.  Between July 1, 2017 and June 30, 2018, according to the Federal Trade Commission’s 2018 Annual Report on Refunds to Consumers, the FTC’s Bureau of Consumer Protection obtained 114 court orders totaling $563 million and supported refund programs administered by FTC defendants or another federal agency to deliver more than $2.3 billion in refunds to consumers.

The Credit Bureau Center decision comes just six months after the Third Circuit held in FTC v. Shire Viropharma, Inc. that the FTC cannot bring a case under Section 13(b) unless the FTC can articulate specific facts that a defendant “is violating” or “is about to violate” the law.  In other words, the Third Circuit’s decision in Shire limits Section 13(b) to cases where the FTC is pursuing injunctive relief for existing or impending conduct but not for activity unlikely to reoccur.  Credit Bureau Center goes a good deal further, limiting the type of equitable relief the FTC seeks at the end of a proceeding.

The Shire decision – and other appeals pending before circuit courts focusing on the FTC’s Section 13(b) authority – compelled Commissioner Wilson to note in her May 2019 congressional testimony that “recent decisions have raised questions about our authority that conflict with the clear intent of Congress and long-established case law.”  Commissioner Wilson advocated for an interpretation of Section 13(b) that empowers courts to employ a full range of equitable remedies in cases where the FTC has brought actions – including equitable monetary relief.

Whether Congress might be tempted to step in remains unclear, but what is certain is that the Seventh Circuit’s decision invokes a circuit split that will not be resolved unless the ruling is appealed to the Supreme Court.

“An Implied Restitution Remedy Doesn’t Sit Comfortably”

The facts of Credit Bureau Center are straightforward: Credit Bureau Center placed online advertisements for rental properties that did not exist or that they were not permitted to offer. When potential renters responded to the advertisements, company representatives pretended to be owners of the apartments at issue and sent correspondence offering tours if the renters would first obtain a credit report. The company’s own websites were used to obtain the credit reports.  Although the websites purported to provide the credits reports free of charge, the consumer was unknowingly enrolled into a credit monitoring service with a monthly charge fee.

The FTC brought suit claiming that Credit Bureau Center acted unlawfully and deceived consumers.  In 2017, an Illinois federal court granted summary judgment to the FTC and ordered restitution of $5.2 million to affected consumers.  On appeal, Credit Bureau Center disputed the order, contending (among other things) that the lower court had no authority to impose restitution under Section 13(b), which, according to Credit Bureau Center, only permits the agency to seek injunctions against ongoing unlawful activity.

During oral argument before the Seventh Circuit, Credit Bureau Center asserted that a plain reading of Section 13(b) does not support the FTC’s “unbridled, standardless” authority to pursue measures beyond injunctive relief.  Counsel for the FTC, on the other hand, argued that the panel should follow the Seventh Circuit’s considerable precedent, which supports the agency’s ability to secure all equitable relief under Section 13(b), including restitution.

In the decision, written by Judge Diane Sykes, the Seventh Circuit held that the FTC does not have authority to seek restitution under Section 13(b) – that section of the statute is limited to injunctive relief.   The decision recognized that FTC has long viewed Section 13(b) as allowing for awards of restitution, and that various courts have endorsed that understanding.  Indeed, the Seventh Circuit itself, in FTC v. Amy Travel Service, 875 F.2d 564 (7th Cir. 1989), found that Section 13(b) authorizes restitutionary relief.  [Bill MacLeod, who led the prosecution of Amy Travel while FTC Bureau Director, recalls that there was little doubt at the time that the remedial authority in Section 13(b) included all equitable relief a court could order.]

Still, despite three decades of precedent, the court vacated the restitution award and held that Section 13(b) does not permit such relief.  The court relied on Meghrig v. KFC W., Inc., 516 U.S. 479 (1996) in reasoning that courts must consider whether an implied equitable remedy is compatible with a statute’s express remedial scheme.  Applying Meghrig, the majority concluded that Section 13(b)’s grant of authority to order injunctive relief does not also permit a restitution award, despite thirty years of relevant precedent (“[s]tare decisis cannot justify adherence to an approach that Supreme Court precedent forecloses.”)

The majority undertook a detailed analysis of the FTC’s various enforcement mechanisms, explaining that the FTC adjudicates cases before administrative law judges under its “cease and desist” power inherent in Section 45(b).  The FTC also can preemptively resolve whether certain conduct violates the Act through rulemaking – a process that allows for legal and equitable remedies from violators.

The court found that Section 13(b) was different, as it allowed the FTC to forego administrative adjudication or rulemaking and directly pursue an injunction in federal court.  But by doing so in this case, the agency sought a remedy – restitution – not mentioned anywhere in the statute.  According to the court, the FTC’s argument that Section 13(b) implicitly authorized restitution held no weight.

In sum, reasoning that Section 13(b) allows the FTC to obtain injunctions that halt illegal conduct,  not other forms of equitable relief,  the court determined that its remedy provision must be limited to negative injunctions.  To read the statute in any other way, “would condition the Commission’s ability to secure restitution for past conduct on the existence of ongoing or imminent unlawful conduct” which would be an “illogical implication.”

Tying the FTC’s Hands

In a sharp dissent, Chief Judge Diane P. Wood, joined by two other judges, rebuked the majority both for denying the rehearing en banc and for overturning the long-standing Amy Travel precedent.  First, Judge Wood wrote that no recent Supreme Court decision had demanded such a “sea change” and that the majority effectively “tied the hands of a government agency” without the “careful consideration that plenary en banc review would have provided.”  The dissent criticized the majority’s effort to “trivialize the fact that eight [ ] sister circuits agree with Amy Travel’s holding.”

Judge Wood wrote that decisions from other circuits subsequent to Amy Travel were thoroughly explained and persuasive. The Seventh Circuit’s rejection of such precedent and refusal to rehear the case en banc constitutes error, Judge Wood reasoned. The majority was unfazed: “We recognize that this conclusion departs from the consensus view of our sister circuits. But when deciding whether we should overturn precedent, “[w]e are not merely to count noses. The parties are entitled to our independent judgment.” Quoting United States v. Hill, 48 F.3d 228, 232 (7th Cir.1995).

Regarding the proper interpretation of Section 13(b), Judge Wood’s dissent lambasted the majority’s reasoning. According to the dissent, the FTC Act provides for a “finely crafted system of enforcement powers and remedies” and the majority’s approach “upends what the agency and Congress have understood to be the status quo for thirty years.” The dissent disputed that the majority adopted a “textualist” view of the statute.  “If the text is overwhelming at all,” the dissent reasoned, “I find it overwhelmingly to support the power of the FTC to use any of the tools that Congress gave it . . .”

A close examination of the FTC Act, Judge Wood wrote, reveals that Congress expressly decided to give the agency a “menu” of options: the FTC has the ability to move unilaterally when it uses its rulemaking or cease-and-desist powers, and to act as a party before the court if it seeks a preliminary or permanent injunction. Unambiguously, the dissent then states: “It is not up to us to take away that which Congress gave.”

Judge Wood’s dissent also distinguished the majority’s reading of Meghrig.  Even Meghrig did not purport categorically to exclude an order to make payments from injunctive relief – and that case involved private plaintiffs. The dissent called it “remarkable” that the majority could interpret the decision to impose such a limitation on the relief that a government plaintiff, such as the FTC, could seek.  In sum, the dissent concludes that “nothing in Meghrig, and nothing in the cases following Meghrig, comes close to holding that a government agency acting pursuant to express authority to seek injunctive relief cannot ask for a mandatory injunction requiring turn-over of money.”

What’s Next?

Well, that remains to be seen, although it is a safe bet that this is not the final word when it comes to the reach of Section 13(b).  Congress could step in and write restitution into the FTC Act, as Commissioner Wilson has suggested.  There is likely to be a lot of noise around the Section 13(b) issue following the Seventh Circuit decision and many legislators on both sides of the aisle likely will agree with Chief Judge Wood that reading mandatory equitable powers out of Section 13(b) is not the right result, particularly when dealing with the FTC’s fraud program.  And, of course, the majority in Credit Bureau Center would agree that a legislative approach would be the correct course (“[i]t is now well settled that Congress, not the judiciary, controls the scope of remedial relief when a statute provides a cause of action.”).

It also seems likely that the FTC will seek certiorari – how could it not?  In fact, the FTC has done it before when a Seventh Circuit decision went against the agency, obtaining a unanimous reversal in FTC v. Indiana Federation of Dentists, 476 U.S. 447 (1986).  You would imagine that the FTC would be anxious to line up with sympathetic circuits here and resolve this issue once and for all.

A larger concern relates to the “brazen scammers,” as characterized by Chief Judge Wood.  Without the threat of having to return ill-gotten gains and redress consumer injury, will their breed proliferate, causing substantial consumer injury?  Or, as the majority in Credit Bureau Center seems to contend, should this not be a concern, given that Congress has already thought this through and provided the FTC with all the tools it needs?

And is there a middle ground?  In their excellent 2013 Antitrust Law Journal article, former FTC Chairman Tim Muris and Professor Howard Beales in many ways foresaw the current debate and suggested that the FTC and courts work to ensure that there are meaningful limits on the use of Section 13(b) to obtain consumer redress. 79 Antitrust Law Journal No. 1 (2013).  Like the majority and minority here, they relied on the language of the statute, but focused their attention on the statute’s authorization limiting the FTC’s ability to seek a “permanent injunction” only in “proper cases.”  Their suggestion:  “the touchstone for determining a “proper case” is whether a reasonable person would have known that the conduct was dishonest and fraudulent.”  In other words, restitution under Section 13(b) should not be pursued in cases in which it would not be available under Section 19.

How this all will shake out remains an open question.  In the meantime, expect a torrent of motion practice in Section 13(b) cases.  We should also expect the FTC to continue to file Section 13(b) cases seeking restitution in every circuit, except, that is, the Seventh.

Imagine you are perusing the coffee aisle in the grocery store and see a product described as “freshly ground,” “100% Arabica Coffee,” “Hazelnut Crème,” “Medium Bodied,” and “Rich, Nutty Flavor.”  Would you think that the coffee contains hazelnuts?  Should consumers be expected to consult the ingredient list to clarify any confusion?  And what exactly is “Hazelnut Crème?”

The First Circuit addressed these issues in Dumont v. Reily Foods Co., in which a split panel concluded that a reasonable consumer could be deceived into thinking that the product contained hazelnuts when, in actuality, it contained only naturally and artificially flavored coffee.  The court reversed the District of Massachusetts’ dismissal of the plaintiff’s Massachusetts General Law Chapter 93A claim, and permitted the case to proceed into discovery.

Judge William J. Kayatta Jr., writing for the majority, explained that while some reasonable consumers might be motivated to consult the ingredient label on the reverse side of the package, others might “find in the product name sufficient assurance so as to see no need to search the fine print on the back of the package, much like one might easily buy a hazelnut cake without studying the ingredients list to confirm that the cake actually contains some hazelnut.”  As support for this, Judge Kayatta noted that the plaintiff’s complaint set forth that the industry practice—in large part due to federal labeling requirements—is to state on the front of a package containing a product that is nut flavored (but that contains no nuts) that the product is naturally or artificially flavored.

The majority also found ambiguity in the phrase “Hazelnut Crème,” with one judge believing that “‘crème’ was a fancy word for cream, with Hazelnut Crème being akin, for example, to hazelnut butter.”

Finally, the majority held that the plaintiff’s state-law consumer fraud claim was not preempted by the Federal Food, Drug, and Cosmetic Act (“FDCA”), which imposes specific labeling requirements for the coffee product at issue.  The court ruled that such a claim must fit within a “narrow gap” to avoid preemption:  the plaintiff must be suing for conduct that actually violates the FDCA (otherwise the claim would be expressly preempted by the FDCA), but the plaintiff must not be suing because the conduct violates the FDCA (which would be implicitly preempted).  Because the complaint sought “to vindicate the separate and independent right to be free from deceptive and unfair conduct” separate and apart from any alleged FDCA violations, the chapter 93A claim was not preempted.

Former Chief Judge Sandra L. Lynch dissented, reasoning that the package as a whole undermined any reasonable belief that the coffee actually contained hazelnuts:  “the front label plainly states that the package contains ‘100% Arabica Coffee.’  It does not say it contains anything other than coffee.  The package here did not contain any misstatement of its contents, did not feature any pictures or illustrations of hazelnuts, and did not have any error in the ingredient list.”

Judge Lynch then addressed the phrase “Hazelnut Crème,” differentiating between the definition of cream—the oily or butyraceous part of milk—and that of crème—a “‘cream or cream sauce as used in cookery’ or ‘a sweet liqueur.’”  In her opinion, “[i]n the context of a package of ground, dry coffee, . . . the two words, ‘Hazelnut Crème,’ together plainly state the flavoring of the coffee.”  Judge Lynch similarly rejected the majority’s analogy to a hazelnut cake which, presumably, contains multiple ingredients and could very well contain hazelnuts.  In contrast, she noted that reasonable consumers would not approach a package of ground coffee in the same manner, especially one that was prominently labeled as “100% Arabica Coffee.”  Judge Lynch concluded that any consumer who was confused by the label, or specifically concerned with the presence of hazelnuts, could simply consult the ingredient label on the reverse side of the package to confirm the absence of hazelnuts.

While the majority found the case to present a close question for the very reasons set forth in Judge Lynch’s dissent, it ruled that the complaint stated a plausible claim for relief and reversed the lower court’s grant of the defendants’ motion to dismiss.

The First Circuit’s analysis resembles a recent Second Circuit decision involving Cheez-It crackers labeled as “WHOLE GRAIN” or “Made With WHOLE GRAIN” when the predominant ingredient was enriched white flour.  In Mantikas v. Kellogg Co., the Second Circuit concluded that while the product did, indeed, contain some whole grains, a reasonable consumer could be misled into believing that it was the predominant ingredient in the crackers.

While Dumont did not cite the Second Circuit’s opinion, it is based on the same premise that reasonable consumers should not be expected to consult an ingredient list to correct allegedly misleading information on the front label.  Judge Lynch’s dissent, however, cautioned that permitting “meritless labeling litigation” like this one to continue beyond the pleadings stage “will have the effect of driving up prices for consumers” and cause an entirely different type of “harm to the consumer.”  For now, the Dumont decision marks another plaintiff-friendly outcome sure to be relied on by class action plaintiffs in the First Circuit and elsewhere.

Effective January 1, 2020, New Hampshire’s new Insurance Data Security Law will impose certain information security requirements on entities that (1) are licensed under the state’s insurance laws and (2) handle “nonpublic information.” “Nonpublic information” is defined as information that is not publicly available and falls into one of the two following categories:

  1. Information that because of name, number, personal mark, or other identifier could identify a consumer when combined with the consumer’s Social Security number, driver’s license number, financial account number, credit or debit card number, security code or PIN that would permit access to the consumer’s financial account, or biometric records.
  2. Information or data, except age or gender, that can be used to identify a particular consumer and that relates to the past, present, or future physical, mental, or behavioral health or condition of any consumer or a member of the consumer’s family; the provision of health care to any consumer; or payment for the provision of health care to any consumer.

The law will require that licensees:

  • Conduct a Risk Assessment: Conduct risk assessments that identify and mitigate “reasonably foreseeable” internal or external threats to the business and its nonpublic information, including nonpublic information accessible to or held by third-party service providers.
  • Implement an Information Security Program: Use the results of the risk assessment to create an information security program. The program must be managed by the board and detail the licensee’s plan for responding to cybersecurity events (an event “resulting in the unauthorized access to, disruption or misuse of, an information system or nonpublic information stored” on an information system).
  • Respond to Cybersecurity Events: Conduct a “prompt investigation” of all cybersecurity events and, in most circumstances, notify the Insurance Commissioner, within three business days, of any cybersecurity event that has a “reasonable likelihood” of materially harming a New Hampshire consumer or any material part of the licensee’s normal business operations. This notice must include specific information, including a copy of the licensee’s privacy policy.

The law includes a limited safe harbor for companies that are in compliance with HIPAA if the licensees have established and maintained HIPAA-required privacy, security, and data breach notification programs and procedures to protect both “protected health information,” as defined by HIPAA, and any other nonpublic information. The companies must submit written statements indicating that they (1) are HIPAA-compliant; and (2) protect any other nonpublic information in the same way that they do protected health information. These companies are still required to comply with the Insurance Data Security Law’s cybersecurity event notification requirements.

The law provides for additional limited exemptions for companies complying with other laws, including the New York Cybersecurity Regulation.

Licensees have one year from the effective date to comply with the risk assessment and information security program requirements, and two years from the effective date to ensure that third-party service providers are implementing appropriate security measures.

We recommend that companies take steps now to assess the applicability of the statute and determine how to best integrate its requirements into existing business practices.

Amendments to the California Consumer Privacy Act (CCPA) continued to advance on Monday, as the California legislature returned from its summer recess.  With just five weeks to go until the September 13th deadline for the legislature to pass bills, and fewer than five months until the CCPA is set to take effect, the Senate Appropriations Committee gave the greenlight to six bills: AB 25, AB 846, AB 1564, AB 1146, AB 874, and AB 1355.  The bills were ordered to a “second reading,” meaning they head to the Senate floor for consideration without a further hearing in the Senate Appropriations Committee.  Two of those bills, AB 874 and AB 1355, will be placed on the Senate’s consent calendar, because they have not been opposed.

The Senate Appropriations Committee also voted to advance AB 1202, the data broker amendment, but placed the bill in the Committee’s suspense file.  This procedural action holds bills that will have a significant fiscal impact on the State of California’s budget for consideration all at once to ensure that fiscal impacts are considered as a whole.

Here’s the full list of amendments as of August 12, 2019:

Ordered to Second Reading in the California Senate

  • EMPLOYEE EXEMPTION: Assembly Bill 25changes the CCPA so that the law does not cover collection of personal information from job applicants, employees, business owners, directors, officers, medical staff, or contractors.
  • LOYALTY PROGRAMS:Assembly Bill 846 provides certainty to businesses that certain prohibitions in the CCPA would not apply to loyalty or rewards programs.
  • CONSUMER REQUEST FOR DISCLOSURE METHODS:Assembly Bill 1564 requires businesses to provide two methods for consumers to submit requests for information, including, at a minimum, a toll-free telephone number.  A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information is only required to provide an email address for submitting CCPA requests.
  • VEHICLE WARRANTIES & RECALLS: Assembly Bill 1146 exempts vehicle information retained or shared for purposes of a warranty or recall-related vehicle repair.
  • PUBLICLY AVAILABLE INFORMATION: Assembly Bill 874streamlines the definition of “publicly available” to mean information that is lawfully made available from federal, state, or local government records. The bill also seeks to amend the definition of “personal information” to exclude deidentified or aggregate consumer information.
  • CLARIFYING AMENDMENTS:Assembly Bill 1355 exempts deidentified or aggregate consumer information from the definition of personal information, among other clarifying amendments.

Placed on Suspense File of the Senate Committee on Appropriations

  • DATA BROKER REGISTRATION: Assembly Bill 1202requires data brokers to register with the California Attorney General.