The FTC announced today that it is seeking comments on a variety of issues related to the Children’s Online Privacy Protection (COPPA) Rule. Although only six years have passed since the FTC’s 2013 COPPA Rule update, the FTC is initiating an early review in response to new technologies and applicability to certain business sectors, including the educational tech sector, voice-enabled connected devices, and general audience platforms that host third-party child-directed content. Along with seeking comments, the FTC will hold a public workshop on October 7, 2019 to further examine the Rule.

The agency’s expedited review may also be a response to an increase in legislative scrutiny of children’s privacy, including questions about child-directed content on general audience platforms, and calls from various Senators for an overhaul of COPPA legislation. Specifically, Sens. Josh Hawley (R-Mo.) and Edward Markey (D-Mass.), COPPA’s original author, introduced a bill in March to update COPPA that would address children as old as 15 and provide additional rights to parents regarding children’s information.

Aside from the standard questions the FTC includes in its review, the proposed notice also seeks comments on COPPA’s major provisions, including definitions, notice and parental consent requirements, verifiable parental consent exceptions, and safe harbors. The notice also asks whether the FTC’s 2013 Rule amendments have led to stronger protections of children’s privacy and more parental control over collection of children’s personal information, and if the 2013 Rule amendments resulted in any negative consequences.

In particular, the FTC seeks public comment on the following issues:

  • Whether behavioral targeting and profiling should be addressed in defining exemptions for COPPA compliance;
  • Whether factors to determine if a website or online service is directed to children should be updated to address sites that may have a number of child users, but aren’t specifically directed to children;
  • Whether the Rule should incentivize operators of general audience platforms to gain actual knowledge of whether there is child-directed content on their platforms;
  • Whether the Rule should include an exception for audio files collected as replacement for written words, such as for voice-activated searches; and
  • Whether the Rule should include an exception to parental consent for use of education technology in schools, and, if so, what such an exception should look like.

Comments in response to the notice are due 90 days after the notice is published in the Federal Register.

The FTC’s accelerated evaluation of the Rule indicates that the agency is seriously considering the evolving technological landscape and how it affects children’s privacy. In light of the continuing conversations about online privacy and the FTC’s role in policing it, today’s announcement indicates that the FTC continues to take its job as privacy’s top cop seriously.

New York’s efforts to pass the New York Privacy Act failed when the bill did not appear in the most recent legislative session. The bill, said to be “tougher,” “bolder,” and more “sweeping” than other privacy legislation, initially gained a number of Senate co-sponsors when Sen. Kevin Thomas introduced it, but no Assembly members signed on.
The bill included concepts such as the following:
  • Data Fiduciary: Companies that collect consumer data would be subject to fiduciary duties of loyalty and care to protect consumer information.
  • Private Right of Action: Individuals would have legal recourse when companies violated the law.
  • Increased Transparency: Companies would be required to routinely alert consumers of what information they collected, the purpose for that collection, and what, and with whom, information was shared.
In a Senate hearing, lobbyists expressed the same concerns identified in discussions of federal privacy legislation, such as the potential for overly-prescriptive privacy laws to harm small businesses and innovation.
With the failure of this bill, the California Consumer Privacy Act remains the only comprehensive privacy state statute. It remains to be seen if other states will catch up on the legislative front before California’s law goes into effect in January of next year.

Seven amendments to the California Consumer Privacy Act (CCPA) are one step closer to becoming law after the California Senate Committee on the Judiciary voted to advance the legislation earlier this month.

The bills now head to the Committee on Appropriations for a vote next month, followed by a vote of the full Senate.  The legislature has until September 13, 2019 to pass bills.

The most consequential and anticipated of the amendments, A.B. 25, A.B. 846, A.B. 1202, A.B. 1564, and A.B. 1146, were changed by the Judiciary Committee.  That means they will require the consent of the California Assembly before they can head to the governor’s desk for a final signature.

By comparison, two technical amendments, A.B. 874 and A.B. 1355, were advanced without changes by the Judiciary Committee.  If approved in their current form by the full Senate, these amendments will move directly to the governor for a signature.

Three CCPA amendments failed to secure approval by the Judiciary Committee and are unlikely to further advance.  These are A.B. 1416, A.B. 873, and A.B. 981.

Here’s the full list of CCPA amendments:

Amended and Approved by the Judiciary Committee

  • EMPLOYEE EXEMPTION: Assembly Bill 25 changes the CCPA so that the law does not cover collection of personal information from job applicants, employees, business owners, directors, officers, medical staff, or contractors.

What’s New?  The Senate Committee weakened the employee exception by sunsetting the exemption on January 1, 2021, and negating the exemption with regard to the CCPA’s notice and data breach liability provisions.

  • LOYALTY PROGRAMS: Assembly Bill 846 provides certainty to businesses that certain prohibitions in the CCPA would not apply to loyalty or rewards programs.

What’s New?  The bill was amended to prohibit a business from selling personal information of consumers collected as part of a loyalty, rewards, discount, premium features, or club card program.

  • DATA BROKER REGISTRATION: Assembly Bill 1202 requires data brokers to register with the California Attorney General.

What’s New?  The amendment dropped language that would have provided consumers the right to opt-out of the sale of their personal information by data brokers.

  • CONSUMER REQUEST FOR DISCLOSURE METHODS: Assembly Bill 1564 requires businesses to provide two methods for consumers to submit requests for information, including, at a minimum, a toll-free telephone number.  A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information is only required to provide an email address for submitting CCPA requests.

What’s New?  The original Assembly amendment proposed to allow a business to provide consumers with either a toll-free number or an email address and physical address.  The Senate bill brings back the toll-free number requirement, but exempts online-only businesses from operating a toll-free number.

  • VEHICLE WARRANTIES & RECALLS: Assembly Bill 1146 exempts vehicle information retained or shared for purposes of a warranty or recall-related vehicle repair.

What’s New?  The bill was amended to more clearly describe vehicle recalls.

Approved by the Judiciary Committee

  • PUBLICLY AVAILABLE INFORMATION: Assembly Bill 874 streamlines the definition of “publicly available” to mean information that is lawfully made available from federal, state, or local government records. The bill also seeks to amend the definition of “personal information” to exclude deidentified or aggregate consumer information.
  • CLARIFYING AMENDMENTS: Assembly Bill 1355 exempts deidentified or aggregate consumer information from the definition of personal information, among other clarifying amendments.

Failed to Secure Approval

  • GOVERNMENT REQUESTS; FRAUD EXCEPTION: Assembly Bill 1416 creates exceptions for businesses complying with government requests; provides exceptions for the sale of information for detection of security incidents or fraud.
  • AMENDMENTS TO DEFINITIONS: Assembly Bill 873 broadens the definition of “deidentified” and clarifies that “personal information” includes information that “is reasonably capable of being associated with” a consumer or household.
  • INSURANCE EXEMPTIONS: Assembly Bill 981 exempts insurance institutions, agents, and insurance-support organizations (i.e., organizations assembling or collecting information about natural persons for the primary purpose of providing the information to an insurance institution or agent for insurance transactions) from complying with CCPA.

Our team will continue to track any new developments in the California Senate as these bills continue to be reviewed by the legislature.

Earlier this year, we posted about new laws governing automatic renewals in DC and Vermont. Starting on July 31, 2019, companies also need to worry about a similar statute in North Dakota.

Under the new law, companies must generally (a) present the terms of the automatic renewal offer in a clear and conspicuous manner, (b) provide an acknowledgement that includes the terms of the offer and cancellation instructions, and (c) provide a simple and cost-effective cancellation method. In addition, for subscriptions that will automatically renew for a period of more than six months after the initial term, companies must provide a written reminder between 30 and 60 days prior to the end of the current subscription term. The reminder must inform the consumer that she can cancel the contract to avoid automatic renewal.

If a company fails to comply with the law, its contracts will be unenforceable, and any merchandise sent to a consumer will be considered to be “an unconditional gift” without any obligations. The law also provides a private right of action.

Companies that sell products or services through subscription models need to stay on top of this growing patchwork of laws that govern automatic renewals. Failure to do that could result in significant penalties, especially as states, the FTC, and class action attorneys increase their scrutiny.

California legislators are tweaking language in a proposal to exclude employee or job applicant data from the State’s landmark privacy law slated to take effect in January.

The California Consumer Privacy Act (CCPA) grants consumers the right to access, delete, or opt out of the sale of their personal information collected by a covered business.  The closely watched bill, A.B. 25, provides an exemption for employers who might receive access, deletion, or opt-out requests from their employees.

An earlier version of the bill passed the California Assembly by a vote of 77-0 on May 29, 2019.  The proposal introduced on Friday uses clearer language to explicitly exempt from the purview of the CCPA any personal information that a business collects about a job applicant to, employee of, owner of, director of, officer of, medical staff member of, or contractor of that business.

The exemption only applies when the personal information is used within the context of the person’s role or former role with the business.

The new amendment also excludes emergency contact information and personal information collected to administer HR benefits.

Importantly, the new exemption language will not apply to the CCPA’s rules on data breaches.  That means that an employer could still be on the hook for statutory or actual damages per data incident impacting their current or former employees as well as job applicants.

With two weeks to go before July 12th, the final day for California policy committees to report bills, the amended language must still satisfy the full California Senate Judiciary Committee before it can head to the Senate floor for a vote.

A new bill introduced in the Senate Health, Education, Labor, and Pensions (HELP) Committee would impose federal regulatory obligations on health technology businesses that collect sensitive health information from their service users and customers.

The Protecting Personal Health Data Act, S.1842, introduced by Senators Amy Klobuchar (D-Minn.) and Lisa Murkowski (R-Alaska), seeks to close a growing divide between data covered by the Health Insurance Portability and Accountability Act (HIPAA) and non-covered, sensitive personal health data.

More specifically, the bill would regulate consumer devices, services, applications, and software marketed to consumers that collect or use personal health data. This would include genetic testing services, fitness trackers, and social media sites where consumers share health conditions and experiences. Often, these technologies and services are run independent from traditional, HIPAA healthcare operations involving hospitals, healthcare providers, and insurance companies.

The bill directs the U.S. Department of Health and Human Services (HHS) to promulgate rules that would strengthen the privacy and security of such personal health data. The bill contemplates that the new rule would:

  • Set appropriate uniform standards for consent related to handling of genetic data, biometric data, and personal health data;
  • Include exceptions for law enforcement, research, determining paternity, or emergency medical treatment;
  • Set minimum security standards appropriate to the sensitivity of personal health data;
  • Set limits on the use of the personal health data;
  • Provide consumers with greater control over use of personal health data for marketing purposes; and
  • Create rights to data portability, access, deletion, and opt-outs.

Inevitably, the success or failure of the legislation will be tied to federal baseline privacy legislation already pending in Congress. Those efforts are ongoing, but have lost momentum in recent months as focus turns to California’s new privacy law taking effect on January 1, 2020.

On July 1, 2019, a new law governing automatic renewals will go into effect in Vermont. Although the law includes two provisions that are more stringent than those found in other state laws, the Vermont law is more limited in scope. It only applies to agreements with an initial term of one year or longer that renew for a subsequent term that is longer than one month.

The law includes two unique requirements:

  • Bold Disclosures:  Companies are required to “clearly and conspicuously” disclose “the terms of the automatic renewal provision in plain, unambiguous language in bold-face type.” Other states require “clear and conspicuous” disclosures, but Vermont is the first state to require the use of bold type.
  • Double Opt-In:  “In addition to accepting the contract,” a consumer must also take “an affirmative action to opt in to the automatic renewal provision.” Although some settlements have included similar requirements, this is the first time this type of requirement has been included in a statute.

Like many other state laws, the Vermont law also requires sellers to send a reminder notice between 30-60 days prior to renewal. The notice must generally include: (a) the date the contract will automatically renew; (b) the length of the new term; (c) the methods by which the consumer can cancel; and (d) the seller’s contact information. Existing contracts that are in effect as of July 1, 2019 may not automatically renew, unless sellers provide a similar notice.

Companies who sell products or services using automatic renewal plans should pay close attention to these developments. As we’ve posted before, a growing number of states regulate how these plans can be structured, and there have been both lawsuits and regulatory investigations targeting companies that have failed to comply.

The Electronic Retailing Self-Regulation Program (or “ERSP”) recently announced a decision involving Alo Yoga’s influencer campaign. The decision centers around how the company’s influencers disclosed – or, in some cases, failed to disclose – their connection to the company, and it includes helpful reminders about how to conduct an influencer campaign.

At the outset, the ERSP reminded Alo that an “individual does not have to say something positive about a product for a social media post to be considered an endorsement covered by the FTC Act. Simply posting a picture or video of a product, or, similarly, tagging a brand in the post, could convey the message that a person likes and approves of a product, and, therefore, may be an endorsement.” That endorsement triggers a disclosure requirement.

Although some influencers did disclose their connection to the company, ERSP took issue with the way some disclosures were made. For example, one influencer used the hashtag #ad – which is generally considered to be sufficient – but ERSP worried that it would get lost in the middle of 23 other hashtags. Also, some influencers used foreign words in their disclosures – such as #incollaborazionaloyoga – potentially making them hard for viewers to understand.

ERSP commended Alo for drafting guidelines that were based on the FTC’s Endorsement Guides and sharing them with its influencers, but reminded the company that simply telling influencers what they have to do is not enough. Companies also need to monitor compliance with their guidelines and take steps to address influencers that don’t comply. Moreover, companies should not re-post influencer posts that don’t include the appropriate disclosures.

Influencers and companies have some flexibility in how they make disclosures and structure their campaigns, but this case demonstrates that there is a limit to that flexibility. Disclosures have to be made in a way that viewers are likely to see and understand them. And companies can’t just give their influencers guidelines, and hope for the best. Instead, they need to take an active role in the campaigns to ensure they comply with the law.

“Made in the USA” claims have taken on an even greater importance as American manufacturing has captivated the political discussion. Recently FTC Commissioner Chopra released a statement calling for more stringent enforcement of the agency’s “Made in USA” advertising policies.

Kristi Wolff discusses how to substantiate “Made in USA” claims on the latest episode of the Ad Law Access Podcast, Making it in the USA – When Product Origin and Origin Marketing Claims Matter.

During the podcast, Kristi makes references to a commercial, John Villafranco’s podcast on Challenging Competitors’ Claims, and our webinar Buy American and Hire American: Is Your (Or Your Competitor’s) Product Really “Made in the USA”.

You can find the Ad Law Access podcast on Apple Podcasts, Spotify, Google Play, SoundCloud, and other podcast services.

On a new episode of the Ad Law Access Podcast, Alex Schneider discusses the four recently approved bills to amend the California Consumer Privacy Act (CCPA) and legislation from the Nevada and Maine legislatures that, like the CCPA, features new requirements relating to the sale of consumer personal data.

The Ad Law Access podcast is available now through Apple Podcasts, Spotify, Google Play, SoundCloud, and other podcast services.