On Friday, January 22, 2021, the Federal Trade Commission settled charges with three ticket brokers for violating the Better Online Ticket Sales (BOTS) Act, which was passed in 2015.  These are the first case brought under the Act.  In them, the Commission alleged that three brokers “used automated software to illegally buy up tens of thousands of tickets for popular concerts and sporting events, then subsequently made millions of dollars reselling the tickets to fans at higher prices.”  According to the Commission, the brokers acquired 150,000 tickets “using automated ticket-buying software to search for and reserve tickets automatically, software to conceal their IP addresses, and hundreds of fictitious Ticketmaster accounts and credit cards to get around posted event ticket limits.”  Judgments against the three amounted to about $31 million of which the defendants will pay $3.7 million.  The Commission sued both the companies and the individuals who ran the companies.

These cases are notable because they are the first cases but also because it took the Commission over 5 years to bring the first leaving the Act completely unenforced for years.  While the release suggests the investigation was complex, detection was likely easy.  Brokers are usually fairly visible to the public.  The Commission likely found them online, subpoenaed their records and software, and hired a forensic specialist to peel apart the code.  These cases raise serious issues for brokers who use automated purchasing software to purchase tickets for resale although it remains to be seen whether these enforcement actions will be a one-off signal to brokers that the Commission is watching or something more common.  Acting Chair Slaughter’s concurring statement would seem to suggest that there will be more during her tenure.

 

For more information on the FTC, advertising, marketing, and privay law, subscribe to Kelley Drye’s Ad Law Access blog and podcast  and visit the Advertising and Privacy Law Resource Center. Additional Kelley Drye resources can be found here.

Private consumer litigation in 2020 was significantly impacted by the California Consumer Privacy Act (CCPA) which took effect on January 1, 2020.  Whether asserted as a standalone CCPA violation claim or as a predicate act for other causes of action, including under California’s Unfair Competition Law (“UCL”), the volume of CCPA litigation has not abated.  While some claims have already been resolved (by motion or agreement), others are just hitting their litigious stride and with a full year of experience, certain trends have started to develop.

Over the course of the year, we have reported and summarized filed cases in our CCPA Round-Ups (Q1, Q2, Q3/4).  Now, with the first year of CCPA litigation behind us, this post (1) highlights emerging trends across the docket of cases; and (2) introduces Kelley Drye’s new CCPA Litigation Tracker, which is designed to provide an ongoing reference guide for updates on key cases involving consumers asserting CCPA-related claims.

It has been a full year since the California Consumer Privacy Act (“CCPA”) took effect at the top of 2020. In the cases filed in the second half of the year, the complaints more frequently assert a violation of the CCPA as a standalone cause of action, though it remains common for a CCPA violation to be asserted as a predicate to support a separate cause of action, such as a violation of California’s Unfair Competition Law (“UCL”).

In this post, we include our round-up of representative cases filed in the third and fourth quarters of the year. Our prior summaries of CCPA-related litigation filed last year can be found in our Q1 2020 CCPA Litigation Round-Up and CCPA Litigation Round-Up: Q2 2020. We have separately analyzed trends emerging from the 2020 CCPA litigation landscape. Going forward into 2021, we will continue to report on relevant developments in CCPA consumer litigation, and also provide updates in our CCPA Litigation Tracker chart.

  1. Cases Filed in Q3/Q4 2020 Alleging Direct Violation of CCPA

Shadi Hayden v. The Retail Equation, Inc. et al., No. 8:20-cv-01203 (C.D. Cal.)

On August 3, a class action amended complaint was filed by thirteen named plaintiffs against The Retail Equation, Inc. (“TRE”) and a variety of retailers: Sephora USA, Inc., Advance Auto Body Parts, Inc., Bed Bath & Beyond, Inc., Best Buy Co., Inc., Buy Buy Baby, Inc., Caleres, Inc., CVS Health Corporation, Dick’s Sporting Goods, Inc., L Brands, Inc., Stein Mart, Inc., The Gap, Inc., The Home Depot, Inc., and The TJX Companies, Inc. (the “Defendant Retailers”) in the District Court for the Central District of California.  Plaintiffs’ CCPA claim alleges that the Defendant Retailers, without their customers’ knowledge or consent, collect large amounts of data about their retail customers, including: (1) “Consumer Commercial Activity Data,” which includes “the unique purchase, return, and/or exchange histories of individuals consumers”; and (2) “Consumer ID Data,” which includes “the unique identification information contained on or within a consumer’s driver’s license, government-issued ID card, and/or passport” such as “the consumer’s name, date of birth, race, sex, photograph, complete street address, and zip code.” Plaintiffs allege that this data is shared with TRE as non-anonymized, individual data sets, which TRE processes to create consumer reports and a risk score for each customer. The risk score is allegedly used to advise the retailer about whether a customer’s attempted return or exchange is fraudulent or abusive.  The amended complaint alleges that “Defendants’ policies and practices failed to hold plaintiffs’ and Class members’ personal information secure by, for example, [the Retailer Defendants’ sharing of] the personal information . . . in an unsecured, unrestricted manner with TRE to create consumer reports and generate a ‘risk score’ that TRE then shared with other Defendant Retailers alongside other personal information.”

McCoy v. Alphabet, Inc. et al., 5:20-cv-05427 (N.D. Cal.)

On August 5, 2020, plaintiff Robert McCoy filed a class action complaint against defendants Alphabet Inc. and Google LLC for monitoring and collecting the sensitive personal data of Android Smartphone users when they interact with non-Google applications on their smartphones, without obtaining consent. This personal data includes the duration of time spent on non-Google apps and how frequently those apps are opened.  Plaintiff’s CCPA cause of action alleges that defendants failed to disclose that they collect the class members’ personal data and the true purpose for collecting the data, which plaintiff alleges is to gain a competitive edge over rival companies. Plaintiff’s proposed class definition includes “All Android Smartphone users from at least as early as January 1, 2014 through the present.”

On September 30, 2020, Google filed a Motion to Dismiss, including arguments that the CCPA claim fails because (1) plaintiff fails to allege his information was subject to a data breach; and (2) relief is only available to a consumer, which is defined as a “California resident,” and plaintiff is a New York resident.

Guzman v. RLI Corp. et al., No. 2:20-cv-08318 (C.D. Cal.)

On September 10, 2020, plaintiff Jose Guzman filed a class action complaint against defendants RLI Corp. and RLI Insurance Company alleging that defendants, through the Pacer filing service, disclosed the login credentials to computer systems containing personal and confidential information of class members. Plaintiff alleges that as a surety, defendants requested access to the records of Libre by Nexus, which secures bonds for detained undocumented immigrants. Plaintiff alleges that, in a separate suit, defendants disclosed Libre’s login credentials by filing them publicly, giving anyone with a Pacer login access to class members’ personal and confidential information including dates of birth, names of minor children, home address, Social Security Numbers, and taxpayer identification numbers and financial account information.

On October 22, 2020, defendants filed a Motion to Dismiss, including arguments that the CCPA claim fails because: (1) defendants’ access was court-authorized and therefore not unauthorized; (2) plaintiff failed to establish that there was a “violation of the duty to implement and maintain reasonable security procedures and practices”; and (3) plaintiff did not comply with the mandatory 30-day notice and cure provision. On November 6, 2020, the action was voluntarily dismissed without prejudice.

Gardiner v. Walmart Inc. et al., 4:20-cv-04618 (N.D. Cal.)

On July 10, 2020, plaintiff Lavarious Gardiner filed a class action complaint against retailer Walmart alleging that vulnerabilities on Walmart’s website led to breaches of Walmart’s systems, allowing hackers to steal customers’ personally identifiable information (including full names, addresses, financial account information, and credit card information), and allowed hackers to attack Walmart’s customers’ computers directly as well. The CCPA cause of action alleges that Walmart violated its duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information. On October 29, 2020, the Parties stipulated to a briefing schedule on defendant’s Motion to Dismiss which is scheduled to be completed by February 3, 2021.

Flores-Mendez et al v. Zoosk, Inc. et al., 3:20-cv-04929 (N.D. Cal.)

On July 22, 2020, plaintiffs Juan Flores-Mendez and Amber Collins filed a class action complaint against Zoosk, Inc., an online dating site, and its parent company, Spark Networks SE, alleging that cybercriminals hacked and obtained 30 million of Zoosk’s user’s records, containing their name, email, date of birth, and password, due to Zoosk failing to maintain reasonable security controls and systems.  Plaintiffs only sought injunctive and equitable relief but alleged that if Zoosk could not cure the breach within 30 days of its July 14 notice letter, they intended to amend to seek actual and statutory damages. On October 30, 2020, plaintiffs filed an Amended Complaint.

Warshawsky et al v. cbdMD, Inc et al., No. 3:20-cv-00562 (W.D.N.C.)

On October 9, 2020, plaintiffs Michael Warshawsky and Michael Steinhauser filed a class action complaint against cbdMD Inc., and CBD Industries, LLC. Plaintiffs allege that due to two data breaches, hackers accessed consumers’ names, credit card numbers, CVV security codes, credit card expiration dates, addresses, email addresses, and bank account numbers. Plaintiffs’ CCPA cause of action alleges that defendants’ computer systems and data security practices were inadequate to safeguard its customers’ personal information.

Diczhazy et al v. Dickeys Barbecue Restaurants Inc. et al., No. 3:20-cv-2189 (C.D. Cal.)

On November 9, 2020, plaintiffs Ross Diczhazy and Wesley Etheridge II filed a class action complaint against Dickey’s Barbecue Restaurants Inc. and Dickey’s Capital Group, Inc. for their alleged failure to secure and safeguard the names, payment card numbers and security codes of proposed class members in a data breach in violation of the CCPA. The complaint purports two classes: (a) All California residents who made a purchase from Dickey’s using a payment card, or otherwise disclosed payment card information to Dickey’s, since January 1, 2020, and whose personal information was compromised including as part of the Joker’s Stash BlazingSun data set; and (b) All persons who made a purchase from Dickey’s using a payment card, or otherwise disclosed payment card information to Dickey’s, since January 1, 2018, and whose personal information was compromised including as part of the Joker’s Stash BlazingSun data set.

Marquez v. Dickey’s Barbecue Resturants, Inc. et al., No. 3:20-cv-2251 (S.D. Cal.)

On November 18, 2020, plaintiff Jose Luis Marquez also filed a class action complaint against Dickey’s Barbecue Restaurants Inc. and Dickey’s Capital Group, Inc. for their failure to secure and safeguard their customers’ personal identifying information. As in Diczhazy (above), there is a nationwide class as well as a California subclass alleged: (a) All persons residing in the United States who made a credit or debit card purchase at any affected Dickey’s Barbecue Pit restaurant during the period of the Data Breach; and (b) All persons residing in the State of California who made a credit or debit card purchase at any affected Dickey’s Barbecue Pit restaurant during the period of the Data Breach.

Gitner v. U.S. Bank National Association et al., No. 0:20-cv-02101 (D. Minn.)

On November 20, 2020, plaintiff Barry Gitner filed a first amended class action complaint in the District of Minnesota against U.S. Bank National Association and U.S. Bancorp for their alleged failure to secure and safeguard the confidential, personally identifiable information of thousands of consumers, including names, account numbers, Social Security Numbers, driver’s license numbers, and dates of birth. Specifically, plaintiffs allege that a computer server with consumer information was stolen from defendants’ corporate offices. Under the CCPA cause of action, plaintiffs seek injunctive or other equitable relief but reserve their rights to amend the complaint to seek actual and statutory damages if the breach is not cured within 30 days. On January 13, 2021, the Court stayed the action pending arbitration of Plaintiff’s individual claims, after defendants’ Motion to Compel Arbitration was unopposed.

Schaubach v. Hotels.Com, LP et al., No. 8:20-cv-2370 (C.D. Cal.)

On December 17, 2020, plaintiff Lauren Schaubach filed a class action complaint against defendants Hotels.com, L.P. (“HLP”), Expedia Group, Inc. (“Expedia”) and Amazon Web Services, Inc. (“AWS”) after a Cloud Hospitality server hosted by Defendant AWS and containing information for customers of Defendant HLP and Defendant Expedia was hacked and tens of millions of data records were exposed, including full names, email address, ID numbers, phone numbers, credit card numbers, security codes and expiration dates. Plaintiff seeks to represent a class of “all consumers in California whose personally identifiable information was compromised in the Breach.” On December 17, 2020, the action was voluntarily dismissed without prejudice.

  1. Cases Filed in Q3/Q4 2020 Alleging CCPA Violations As a Predicate For UCL Causes of Action

Pygin v. Bombas, LLC et al., No. 4:20-cv-04412 (N.D. Cal.)

On July 1, 2020, plaintiff Alex Pygin filed a class action complaint against defendants Bombas, LLC, Shopify (USA) Inc. and Shopify, Inc., alleging that sock and apparel retailer Bombas uses an ecommerce platform supplied by Shopify to take customers’ personal and payment information (including name, billing, shipping and email addresses, along with credit card numbers, expiration dates, and security codes) and that the customers’ information was compromised during a data breach due to defendants’ negligent and/or careless acts and omissions and failure to protect the data.

While plaintiff brings no claim under the CCPA, he alleges that class members have suffered injury including “deprivation of rights they possess under . . . the California Consumer Privacy Act” by “failing to maintain reasonable security procedures and practices appropriate to the nature of the personally identifiable information.” As part of its causes of action for negligence and violation of the UCL, plaintiff alleges that defendants: (i) had a duty to take reasonable steps and employ reasonable methods of safeguarding the personally identifiable information of class members, as required under the CCPA; (ii) failed to maintain those reasonable security procedures and practices by storing the information in an unsecure electronic environment; and (iii) failed to disclose the data breach to class members in a timely and accurate manner as required by the CCPA.

Currently pending before the Court is Shopify’s Motion to Dismiss for (1) lack of personal jurisdiction, (2) violation of FRCP 8 for failing to distinguish among defendants and adequately allege that Shopify caused harm, and (3) failure to state a claim, based partially on the argument that the CCPA does not “create any private right of action under any other law.”

Calixte et al. v. Dave, Inc., 2:20-cv-07704 (C.D. Cal.)

On August 24, 2020, five plaintiffs filed a class action complaint against defendant Dave Inc. alleging that its users’ names, emails, date of birth, physical address, phone numbers and social security numbers were compromised as a result of a cyberattack against a former third party service provider of Dave Inc. The complaint alleges that the hackers’ ability to pivot from a third-party vendor’s system to the defendant’s systems without detection demonstrates the lack of controls and cybersecurity measures in use at Dave Inc. to prevent such unauthorized use.

Plaintiffs only allege violations of the CCPA as a predicate to their UCL violation cause of action based on Dave Inc.’s alleged failure to implement and maintain reasonable security measures. The proposed nationwide class is defined as “All persons whose PII was compromised as a result of the Data Breach announced by Dave Inc. in July and August of 2020.” The Parties are currently briefing defendant’s Motion to Compel Arbitration. On November 9, 2020, the action was voluntarily dismissed without prejudice.

Wesch v. Yodlee, Inc. et al., No. 3:20-cv-05991 (N.D. Cal)

On August 25, 2020, plaintiff Deborah Wesch filed a class action complaint against defendants Yodlee, Inc. and Envestnet, Inc. (who acquired Yodlee) alleging that Yodlee sells highly sensitive financial data, such as bank balances and credit card transaction histories, collected from software products that it markets and sells to financial institutions. Plaintiffs allege that when individuals connect their bank accounts to Paypal, they upload their banking credentials using Yodlee’s system. Yodlee then allegedly stores a copy of the credentials on its own system and exploits them, contrary to the disclosed use of the information.

Plaintiff’s UCL cause of action is predicated upon alleged violations of the CCPA, including that defendants: (i) disclose before or at the point of collection, the category of information to be collected and how it will be used; and (ii) refrain from collecting additional information for additional purposes without providing notice.

Plaintiff filed an Amended Complaint on October 21, 2020  and the parties have stipulated to briefing schedule on plaintiff’s anticipated Motion to Dismiss.

Conditi v. Instagram, LLC et al., No. 3:20-cv-06534 (N.D. Cal.)

            On September 17, 2020, plaintiff Brittany Conditi brought a class action complaint against defendants Instagram LLC and Facebook Inc. alleging that Instagram constantly accesses users’ smartphone camera feature and monitors users without permission when they are not interacting with the camera feature, which goes beyond the services it promises to provide. Plaintiff alleges that Instagram does this to collect valuable personal data to increase their advertising revenue.

Plaintiff’s UCL cause of action is based upon allegations that defendants violated the CCPA by failing to disclose that they monitor users through their smartphone cameras, while not in use, to collect personal information. Plaintiff proposes the following class definition: “All Instagram users whose smartphone cameras were accessed by Instagram without their consent from 2010 through the present (the ‘Class Period’).”

 

You can follow developments in CCPA-related cases by referring to our new CCPA Litigation Tracker. If you have any questions about defending and/or preparing for a potential privacy consumer class action, please reach out to our team.

Last week, in a substantial win for the dietary supplement industry, the Ninth Circuit Court of Appeals upheld the Northern District of California’s grant of summary judgment to Target, ruling that state law false advertising challenges to permissible structure/function claims are preempted by the Federal Food, Drug and Cosmetic Act (“FDCA”).

Plaintiff Todd Greenberg alleged that he bought a bottle of Up & Up Biotin, a private label vitamin sold by Target, as part of his battle with hair loss.  Up & Up Biotin’s label states that biotin “helps support healthy hair and skin.”  The label also states that  “[t]his statement has not been evaluated by the Food and Drug Administration.  This product is not intended to diagnose, treat, cure, or prevent any disease.” Greenberg conceded that biotin is a nutrient that supports healthy hair and skin, but nevertheless claimed the label was misleading because most people obtain all the biotin they need from their diet, rendering the vitamin superfluous to all but a tiny percentage of people who have a biotin deficiency.

Under the FDCA, dietary supplement labels are required to be truthful and not misleading.  The statute also authorizes certain categories of statements, including structure/function claims, provided they are adequately substantiated. As a general matter, structure/function claims “describe the role of a nutrient or dietary ingredient intended to affect the structure or function in humans or that characterizes the documented mechanism by which a nutrient or dietary ingredient acts to maintain such structure or function[.]”  21 C.F.R. § 101.93(f).  Statements suggesting an ingredient’s ability to “strengthen,” “improve,” or “protect” a structure or function in the human body are structure/function claims so long as they do not suggest disease prevention or treatment.  The FDCA was intended to establish a national and uniform labeling standard for dietary supplements, expressly preempting any state law labeling requirement “that is not identical to” the labeling requirements in the FDCA.

The Ninth Circuit affirmed the District Court’s ruling that Up & Up Biotin’s label satisfied all of the statutory requirements for a structure/function claim under the FDCA, namely that: (1) there was substantiation for the claim, (2) the label included the proper disclosures, and (3) the label did not suggest the product could treat diseases.  More specifically, and in contrast to a disease claim, the FDCA “only requires substantiation for the ingredient’s function on the human body, not the health impact of the product as a whole.”  In other words, “manufacturers may make structure/function claims about a nutrient’s general role on the human body without disclosing whether the product will provide a health benefits to each consumer.”

Accordingly, the Court found that the plaintiff’s state law false advertising claims “essentially s[ought] to impose an additional requirement that dietary supplement labels can make structure/function claims only if consumers are likely to benefit from the product.”  Because this requirement “is not identical to” the labeling requirements in the FDCA, the claims were preempted.

Dietary supplement companies are often targeted by class action plaintiffs asserting various theories about how carefully-drafted label claims are nevertheless deceptive to the proverbial “reasonable consumer.”  This decision brings a new level of comfort to the industry that if a structure/function claims complies with the FDCA, it is less likely to be challenged (at least in the Ninth Circuit).

Partner Aaron Burstein edited the Fall 2020 issue of Antitrust magazine with Janis Kestenbaum. If you’re looking to get up to speed on some of the most pressing regulatory issues surrounding personal data, this is the place to start — and the ABA is making free to access through the end of January.

A roundtable featuring Alexandra Reeve Givens (President and CEO, CDT), Jessica Rich (former Director of the FTC’s Bureau of Consumer Protection), Will DeVries (Google), and William McGeveran (University of Minnesota Law School) surveys the enforcement and policy landscape. The issue also features articles that examine the California Privacy Rights Act, the state (and stakes) of Section 230 reform, privacy issues in contact tracing apps, and applications of economic analysis to privacy. On the international front, authors analyze the first two years of GDPR enforcement and well as privacy and antitrust developments in China.

For additional privacy information and resources, visit Kelley Drye’s Advertising and Privacy Law Resource center.

Advertising and Privacy Law Resource Center

 

 

Things are about to change dramatically at the CFPB.  President-elect Joe Biden today nominated Rohit Chopra, a current commissioner at the Federal Trade Commission and long-time proponent of aggressive enforcement, to serve as director of the Consumer Financial Protection Bureau.

We knew that the incoming Biden administration would entail significant change on many fronts from the current administration, which has publicly espoused a policy of deregulation while continuing to pursue enforcement in certain priority areas.  The nomination of Chopra shows just how far-reaching the forthcoming change will be on issues related to consumer protection and consumer financial protection.

Chopra Background and Time as Commissioner

Prior to his current role as FTC Commissioner, Chopra served as Assistant Director of the CFPB and oversaw the Bureau’s student loan agenda.  Chopra later served as Special Adviser to the Secretary of Education and dealt with issues related to student loan servicing and defaults, consistently advocating for more extensive enforcement.  In the same vein, at the FTC Chopra has regularly dissented from his colleagues on the Commission, including on high profile enforcement matters like Facebook where he argued that the imposed $5 billion settlement was insufficient to redress unjust gains and “does little to change the business model or practices that led to the recidivism.”

Chopra also suggested that the FTC should have sought individual liability against CEO Mark Zuckerberg and other individual officers, arguing that “the FTC Act does not include special exemptions for executives of the world’s largest corporations, but this settlement sends the unfortunate message that they are subject to another set of rules.”  Chopra has also regularly dissented from FTC settlements limited to injunctive relief, most recently arguing in the Zoom matter that the settlement “provides no help for affected users” and further contributes to “the agency’s credibility deficit when it comes to oversight of the digital economy.”

Potential Priorities at the CFPB

President-elect Biden is able to appoint a new director to replace current CFPB director Kathy Kraninger under Seila Law v. CFPB, a June 2020 Supreme Court decision that held the director must be removable at will in order for the Bureau’s single director structure to be constitutional.  If confirmed as director, Chopra will likely restore the agency to its days of aggressive enforcement under its first director Richard Cordray in the Obama administration.

Chopra is also likely to seek to undo many changes made in the Trump administration.  Potential priorities for a CFPB under Chopra include:

  • Financial technology or the “fintech” sector broadly, including how innovative financial solutions use consumer information and whether fintech solutions adversely impact certain groups.
  • Reconsidering the Payday Lending Rule, which was significantly rolled back by the current administration and is currently being challenged in federal court.
  • New and aggressive enforcement related to fair lending laws and student loans, particularly given Chopra’s background and documented interest in the student loan market.
  • Expanded use of the Bureau’s authority to prohibit “abusive” acts and practices, a unique authority established under the Dodd-Frank Act which to date has been used sparingly in narrow circumstances.

Chopra’s nomination also means that President-elect Biden will likely need to nominate at least two new commissioners to the FTC – given Chopra’s departure and the likely imminent departure of current FTC Chair Joe Simons.

We’ll continue to monitor both the CFPB and FTC fronts and post updates here – all signs indicate that we’re in for some interesting times ahead.

This morning, the Supreme Court heard its long-anticipated arguments in AMG Capital Management, LLC v. Federal Trade Commission. As we have previously explained, in AMG, the FTC’s use of Section 13(b) of the FTC Act to obtain monetary remedies is under the High Court’s microscope. While the outcome won’t be known for months, the Justices questioning at oral argument seem to suggest that the case might not break the FTC’s way.

The facts of AMG are straightforward. Scott Tucker was the owner of a single-proprietor business, AMG Capital Management. The business’s sole function was to provide payday loans. The FTC sued Scott Tucker, the owner of AMG, under Section 13(b) of the Act, asserting that the terms disclosed in the loan notes AMG provided to consumers did not reflect the harsher terms that Tucker actually enforced. The district court found Tucker liable, and pursuant to Section 13(b), levied a staggering $1.27 billion in equitable monetary relief to be paid by Tucker to the Commission. Tucker appealed this ruling to the Ninth Circuit. Tucker’s primary argument on appeal was that Section 13(b) forecloses monetary relief. The Ninth Circuit affirmed, and AMG’s petition to the Supreme Court on this issue was granted.

While some of the Justices at oral argument—particularly Justice Barrett and Alito—seemed concerned that reversing the Ninth Circuit’s judgment would provide an undeserved windfall to Tucker, a clear majority of the Court was more focused on the FTC’s broad interpretation of the statutory text. Justice Kavanaugh expressed the problem clearly and succinctly, when he stated to FTC counsel that, although he felt sympathy for the FTC’s concern with stemming bad actors, a regulatory agency is bound by its statutory mission. In Justice Kavanaugh’s words, “It seems the problem you have is the text.”

Although FTC counsel argued that prior case law from the nineteenth century allowed monetary equitable relief along with injunctive relief, Justice Roberts pointed out that those cases largely involved courts using their inherent equitable powers. An executive agency, by contrast, only retains equitable powers to the extent it is given them by statute. And while FTC counsel argued that the legislative intent when Section 13(b) was codified was to imbue it with broad equitable powers, AMG’s counsel effectively rebutted that argument, explaining that the best “way we determine Congress’s intent is by looking at the words on the page.”

While nothing is certain until a final decision is rendered, following oral arguments it seems even more likely that Section 13(b) of the FTC Act will be limited to its plain terms, allowing the FTC to use the statutory provision to obtain injunctive relief in court, and only that. As multiple Justices noted, Section 19 and Section 5(l) of the Act provide alternative avenues for relief. While Section 13(b) may be a more efficient method for the FTC to obtain monetary remedies, the majority of the Justices at oral argument signaled that efficiency alone is not a sufficient basis for imbuing an agency with such a powerful remedy.

All is not lost for the FTC. Again, here, Justice Kavanaugh led the way with a proposed solution for the Agency, when he asked, “Why isn’t the answer here for the Agency to seek this new authority from Congress for us to maintain a principle of separation of powers?”  With a new Congress about to be seated and proposed language that would amend Section 13(b) floating around the Hill, congressional clarification very well might be the FTC’s best path forward.

Advertising and Privacy Law Resource Center

With one eye on the U.S. Supreme Court, which is being asked to confirm that the FTC has authority to seek monetary relief under Section 13(b) in AMG Capital Management, LLC v. Federal Trade Commission, and the other eye on Congress which may or may not pass legislation authorizing monetary relief under Section 13(b), there has been very little said about what we might expect if neither were to occur.  What if the Court finds that 13(b) does not provide this authorization and Congress does not act?  How might the FTC seek consumer redress against entities alleged to have engaged in unfair or deceptive advertising practices in district court?  One answer is Section 19 of the FTC Act.  So then, what can we expect if Section 19 becomes the FTC’s best path forward?

Under Section 19 of the FTC Act, the FTC can pursue consumer redress for alleged unfair or deceptive practices, but first must file administratively for an order directing the target of the investigation to cease and desist from the allegedly unfair or deceptive practices and, if the order is challenged, go through several rounds of review—first by the Commission and then by the United States Court of Appeals.  Only after the Commission’s order becomes final can the FTC commence the Section 19 action in district court for consumer redress.  That action, of course, is still subject to the typical federal appellate process—which can make a Section 19 action an extremely time-consuming process.

F.T.C. v. Figgie International, Inc. provides an example of how Section 19 would work, as well as its limitations.  In Figgie, the FTC obtained a cease and desist order under Section 5 ordering Figgie to cease and desist from engaging in the unfair or deceptive practices it used to market its Vanguard heat detector products.  According to the FTC, “[t]he crux of Figgie’s message was that heat detectors could be relied on as life-saving fire warning devices, and that the best protection for one’s home is a combination of four or five heat detectors to one smoke detector.”

Following the administrative proceeding, the Administrative Law Judge concluded that every one of Figgie’s promotional materials “‘clearly conveys’ the claim that Vanguard heat detectors provide the necessary warning to allow safe escape from a residential fire.”  The promotional materials also discussed the National Fire Prevention Association (“NFPA”) standards “‘in such a way as to leave the reader with a distinct impression that [the NFPA] regards both smoke detectors and heat detectors as equally effective.’”  However, while the NFPA previously recommended using both smoke and heat detectors as part of a household fire warning system, after fire prevention experts conducted a series of tests that illustrated the limitations of heat detectors, the NFPA revised its standards to require only that smoke detectors (not heat detectors) be installed on each level of the home and outside each bedroom.

After an administrative trial, the ALJ found that Figgie knew of the changes in the NFPA standards and the limitations of heat detectors prior to making the challenged representations.  The ALJ found that Figgie’s representations were “misleading and deceptive in the absence of an explanation of the limits of heat detectors and the comparative superiority of smoke detectors.”  On appeal, the Commission upheld most of the ALJ’s findings and conclusions, but changed the disclaimer required on Figgie’s heat detectors.  The rest of the Commission’s cease and desist order “closely tracked the ALJ’s order” and prohibited Figgie from representing that heat detectors provide the necessary warning to permit safe escape from most residential fires, that combining heat detectors and smoke detectors provide greater warning than smoke detectors alone, and that Figgie may not misrepresent the capabilities of heat detectors to provide warning that would permit people to escape from residential fires.

After the cease and desist order became final (following an appeal to the Fourth Circuit Court of Appeals), the FTC filed an action pursuant to Section 19 in U.S. District Court for the Central District of California seeking consumer redress.  The FTC was awarded summary judgment by the district court, which found Figgie engaged in dishonest or fraudulent practices and awarded millions of dollars in consumer redress.

Of note, prior to summary judgment the district court granted the FTC’s “motion to deem ‘conclusive’” the list of 42 findings from the administrative proceeding.  That is because in a Section 19 proceeding, the Commission’s findings of material fact in support of a cease and desist order “shall be conclusive.”  On appeal, the Ninth Circuit noted that [t]he Commission’s findings, and those of the administrative law judge which the Commission adopted, are accordingly treated as established facts for purposes of this decision.”  Thus, to the extent that a district court’s findings deviate from the findings of the Commission, “the Commission’s findings control.”

The Ninth Circuit decision noted that “liability for past conduct would be imposed on Figgie if a reasonable person would have known in the circumstances that it was dishonest or fraudulent for Figgie to use the practices it did to sell heat detectors.”  In rejecting Figgie’s argument that actual knowledge was required, the Court noted that “Congress unambiguously referred the district court to the statement of mind of a hypothetical reasonable person, not the knowledge of the defendant.  The standard is objective, not subjective.”

Moreover, while the Ninth Circuit stated that “Section 19 liability must not be a rubber stamp of Section 5 liability,” it held that “[w]hen the findings of the Commission in respect to defendant’s practices are such that a reasonable person would know that the defendant’s practices were dishonest or fraudulent, the district [court] need not engage in further fact finding other than to make the ultimate determination that a reasonable person would know.”  The Figgie action, it held, was such a case, because it found there is “ample evidence in the Commission’s findings to satisfy a court that a reasonable person with Figgie’s access to the scientific data establishing the relative inferiority of heat detectors would have known that Figgie’s vigorous misrepresentations on their behalf were dishonest and fraudulent.”

And while the ALJ acknowledged “a debate among fire professionals” concerning the tenability limits of heat detectors, the Ninth Circuit relied on findings that “[a] consensus among experts, well supported by careful testing, established that smoke detectors almost always provide earlier warning than heat detectors, and Figgie had no basis for doubting the truth of the consensus, yet Figgie marketed its heat detectors in a manner designed to mislead consumers about this critical information.”  Hence, the conduct was deemed dishonest or fraudulent.

As Figgie demonstrates, the ALJ’s findings of fact almost certainly will be conclusive and, if appealed to the Commission, they are likely to be adopted.  The Commission, after all, is the entity that authorized the issuance of the administrative complaint that precipitated the Section 19 action in the first place.  All of this underscores how important it is to contest any underlying facts that may ultimately be considered to bear on whether the challenged conduct was dishonest or fraudulent.

Figgie seems to suggest a plausible alternative, if things don’t break the Commission’s way in AMG Capital Management.  If that is the case, then why haven’t we seen more Section 19(b) cases over the years?  One answer is undoubtedly the success of the Section 13(b) program.  Why engage in administrative litigation, without the possibility of consumer redress absent a showing of dishonest and fraudulent conduct?  This has undoubtedly led to the ALJ becoming a version of the Maytag repairman, with relatively few cases to manage.  The numbers bear it out:  from 1977 to 1986, the Commission brought 94 administrative cases; from 2007 to 2017, the Commission brought only 12.

But it is not just the money, it is the requirement that the Commission establish that the conduct was dishonest and fraudulent – no small task – and timing too.  Section 19 cases, as they have historically been conducted, take a very long time.  Consider that the FTC issued its administrative complaint against Figgie in May 1983, the ALJ issued his findings of facts in October 1984, and the decision was appealed to the full Commission and substantially adopted in April 1986.  Figgie then appealed the Commission’s Order to the U.S. Court of Appeals for the Fourth Circuit, where it was ultimately upheld in 1987.  By the time that the Ninth Circuit issued its decision on appeal from the Section 19 district court action and the petition for certiorari to the Supreme Court was denied in early 1994, more than a decade had passed since the issuance of the FTC’s administrative complaint.

The FTC recently announced that glue maker, Chemence, paid a landmark $1.2 million settlement to resolve allegations that the company failed to comply with a 2016 Order regarding “Made in USA” claims. The 2016 Order required Chemence to pay $220,000 and to stop making misleading claims that its products were made in the United States.

According to the newest complaint, in spite of the 2016 Order, Chemence continued to falsely label its products with an unqualified “Proudly Made in USA” claim, despite foreign materials accounting for more than 80 percent of the materials costs and more than 50 percent of the overall manufacturing costs. The complaint also alleges that Chemence’s president, James Cooke, falsely declared under penalty of perjury that Chemence had modified its labeling to read “Made in USA with US and globally sourced materials.”

The resulting Order again requires Chemence to refrain from making misleading “Made in USA claims,” including unqualified claims unless they can show that the product’s final assembly or processing and all significant processing takes place in the United States, and that all or virtually all ingredients or components of the product are made and sourced in the United States. To the extent that Chemence makes qualified “Made in USA” claims, the company must provide a clear and conspicuous disclosure regarding which product contains foreign parts. If Chemence claims that a product is assembled in the United States, the company must ensure that it is last substantially transformed in the United States, its principal assembly takes place in the United States, and the United States assembly operations are substantial. The Order also prohibits Chemence from making any misleading county-of-origin claim about a product unless they have a reasonable basis that substantiates their claim.   Moreover, Chemence must notify all customers with a letter detailing the FTC allegations and the proper labeling for purchased products.

Chemence’s historic settlement with the FTC suggests that the Commission is heeding Commissioner Chopra’s calls to “mov[e] away from lax enforcement” concerning “Made in USA” claims.

This most recent enforcement action also comes as the FTC has proposed its Made in USA Labeling Rule.  Last summer’s NPRM includes the possibility for civil penalties for violations of the rule, and would give the FTC authority over all “Made in USA” claims, including those made online.

In spite of dissent from Commissioners Phillips and Wilson, comments in response to the proposed rule have been largely positive.  Supporters cited the current pandemic, noting that consumers are now more likely to buy goods online, resulting in the need for increased oversight of online advertising.

Even still, the NPRM met some pushback from several industry organizations and consumers who question the consistency of the proposed rule with respect to FTC precedent, trade agreements, and, echoing Commissioner Phillips’ dissent, FTC jurisdiction. In particular, comments flag that the proposed rule conflicts with USDA precedent, which currently holds that cattle raised in a foreign country and imported for slaughter and processing can qualify for a Made in USA or Product of USA label. It is not clear how this conflict between the two regulatory agencies would play out in practice.

*             *             *

The FTC has not released a revised rule in response to the comments, though  we anticipate that some version of the rule will likely come into effect. “Made in the USA” enforcement has been a high-priority for the FTC in recent years, and with the potential for a new Democrat chair leading the Commission, we expect this trend to continue. Please contact any of the attorneys in Kelley Drye’s Advertising Group if you would like assistance with Made in USA compliance.

 

 

Ad Law Access Podcast

Our increased relience on the Internet to conduct our daily affairs has thrust an additional spotlight on data security that much important. On another 101 edition of the Ad Law Access podcast, Lauren Myers covers data security and covers five key points businesses should keep in mind as they continue to refine their data security practices based on FTC settlements and guidance.

Listen on AppleSpotifyGoogle Podcasts,  Soundcloud, via your smart speaker, or wherever you get your podcasts.

For more information on data security, privacy, and other topics, visit: