The California Consumer Privacy Act (CCPA) took effect January 1, 2020.  While the California Attorney General’s enforcement authority is delayed until July 1, private litigants have already started to file direct claims under the CCPA as well as other consumer-related causes of actions predicated on alleged CCPA violations.  Notably, the California Attorney General takes the position that enforcement actions can cover violations that predate July 1, 2020.

As detailed in our prior posts (see, e.g., here and here), the CCPA expressly provides for only a limited private right of action related to data security breaches.  Cal. Civ. Code 1798.150.  Private plaintiffs can recover actual damages or statutory damages of $100 to $750 per statutory violation.  While a broader potential private right of action was considered, which would have permitted individuals to sue for additional CCPA violations, that amendment (SB 561) failed.

Nevertheless, private litigants have thus far filed CCPA-related claims in cases where breaches have occurred, but also in cases where no breach is alleged.  A quarter of the year in, we consider here how the CCPA has already impacted consumer class action claims.

Barnes v. Hanna Andersson LLC and Salesforce.com Inc., Case No. 4:20-cv-00812 (N.D. Cal.)

On February 3, 2020, California consumer Bernadette Barnes filed a putative class action Complaint against retailer Hanna Andersson arising from a data breach.  The breach (which occurred in September-November 2019), allegedly resulted in the loss of personally identifiable information (“PII”), including unencrypted credit card and consumer information.  Plaintiff also sued the cloud vendor Salesforce.com that allegedly stored the PII at issue.

Plaintiff seeks to represent a nationwide class including: “All individuals whose PII was compromised in the data breach announced by Hanna Andersson on January 15, 2020,” as well as a California sub-class.  Plaintiff does not include a cause of action under the CCPA, but relies upon the CCPA as a predicate for her claim under California’s Unfair Competition Law, Cal. Bus. & Prof. Code §17200 (“UCL”), along with causes of action for negligence and a declaratory judgment.

Sheth v. Ring LLC, Case No. 2:20-cv-01538 (C.D. Cal.)

On February 18, 2020, Seattle, Washington consumer Abhi Sheth filed a putative class action Complaint against California-based video doorbell and security camera manufacturer Ring.  Plaintiff alleges inadequate security measures for handling PII as well as unauthorized disclosure to third parties.

Plaintiff seeks to represent a class of consumers defined as: “All persons residing in the United States who purchased a Ring Security Device within the applicable statute of limitations period.  Plaintiff’s CCPA claim alleges improper collection and use of personal information without notice, and failing to provide the required notice of a right to opt out of the sale of personal information to third parties.  Plaintiff does not allege that Ring had any specific data breach or security event that triggered the claim.  Plaintiff asserts seven other causes of action arising from the same facts:  invasion of privacy; negligence; breach of implied warranty of merchantability; breach of implied contract; unjust enrichment; and violations of the UCL and California Legal Remedies Act, Cal. Civ. Code § 1750, et seq. (“CLRA”).

Significantly, the arbitration clause in Ring’s consumer agreement may create the first opportunity to balance the CCPA’s perceived hostility to arbitration, on the one hand, and the parties’ contract and policy underlying the Federal Arbitration Act, on the other.  That issue is expected to be a heavy battleground in CCPA consumer class actions, making this a potentially important first test on that issue.

On March 5, the Sheth case was consolidated with four other privacy-related cases pending against Ring and on March 31, the separate Sheth case was closed.  The continuing matter, In re: Ring LLC Privacy Litigation, Case No. 2:19-cv-10899 (C.D. Cal.), began with a December 26, 2019 Complaint that does not reference the CCPA; however, the Court’s February 11 Consolidation Order permits the plaintiffs to file a Consolidated Complaint after interim class counsel is appointed.  It is reasonable to expect that the updated pleading and addition of Sheth to the consolidated action could inject the CCPA more directly into the overall claims.

Burke v. ClearviewAI, Inc., Case No. 3:20-cv-00370 (S.D. Cal.)

On February 27, 2020, California consumer Sean Burke and Illinois consumer James Pomerene filed a putative class action Complaint against ClearviewAI (and its two founders) alleging the improper collection and sale of PII and biometric information in violation of, among other laws, the CCPA.  Clearview “scrapes” websites (scanning, extracting, and copying images) to compile a comprehensive database that allegedly includes over three billion images and PII of consumers, which Clearview sells to law enforcement and private entities.  Plaintiffs allege that Clearview collected and used their PII without notice or consent in violation of the CCPA.

Plaintiffs seek to represent three California-related sub-classes:

(a) Sub-Class One (the “CCPA Class”) (Cal. Civ. Code § 1798.100, et seq): All persons who, while residing in California, had their California Biometric Information collected and/or used by Clearview without prior notice by Clearview and without their consent.

(b) Sub-Class Two (the “Commercial Misappropriation Class”) (Cal. Civ. Code § 3344): All persons who, while residing in California, had their Photograph or likeness knowingly used by Clearview for commercial gain without their consent.

(c) Sub-Class Three (the “Unjust Enrichment Class”): All persons who, while residing in California, had their California Biometric Information misappropriated by Clearview from which Clearview was unjustly enriched.

The Complaint also asserts claims under the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq. (“BIPA”) as well as specific causes of action for violations of the UCL, commercial misappropriation, and unjust enrichment.

Cullen v. Zoom Video Communications, Inc., Case No. 5:20-cv-02155 (N.D. Cal.)

On March 30, 2020, California consumer Robert Cullen filed a putative class action Complaint against online video-conferencing provider Zoom alleging the failure to properly safeguard user information and improper disclosure of individual and business information to third parties, including Facebook.  The allegations arise from a March 26 Vice Media report that purports to detail unauthorized sharing and data vulnerabilities of Zoom.

Plaintiff seeks to represent a class comprised of: “All persons and businesses in the United States whose personal or private information was collected and/or disclosed by Zoom to a third party upon installation or opening of the Zoom video conferencing application.”

Plaintiff asserts a claim under the CCPA for Zoom’s alleged collection and use of PII without adequate notice and failing to prevent unauthorized disclosure.  Plaintiff asserts related claims under the UCL and CLRA based on the same conduct and violation of, inter alia, the CCPA.  Plaintiff also alleges negligence, invasion of privacy, and unjust enrichment.

While these initial CCPA-related cases remain at the earliest stages, they demonstrate the ways in which consumer plaintiffs will use the CCPA in class actions.  Notably, however, not all consumer privacy complaints filed since January incorporated the CCPA.  Indeed, two consumer complaints filed in March 2020 in the Northern District of California make allegations arising from a consumer data breach, but do not include any claim under (or even reference to) the CCPA.

I.C., a minor by and through his natural parent, Nasim Chaudhri and Amy Gitre v. Zynga, Inc., Case No. 3:20-cv-01539 (N.D. Cal.); Carol Johnson and Lisa Thomas v. Zynga, Inc., Case No. 3:20-cv-02024 (N.D. Cal.). 

On March 3, 2020, Plaintiffs Amy Gitre and I.C. filed a putative class action Complaint arising from video game manufacturer Zynga’s alleged failure to protect PII of its users, including both adults (Gitre) and minors (I.C.).  Plaintiffs filed a fourteen-count Complaint that includes statutory and common law claims arising from the alleged failure to properly secure account holders’ PII.  In September 2019, a hacker publicly claimed to have breached Zynga’s database and was able to extract information concerning 218 million users.  The breach is alleged to have included users from some of Zynga’s most popular games: Words With Friends; Draw Something; and OMGPOP.  On September 12, 2019, Zynga posted a “Player Security Announcement” that confirmed the breach.

Plaintiffs seek to represent a nationwide class of: “All individuals in the United States whose PII was obtained or maintained by Zynga and compromised as a result of the Zynga data breach described herein” as well as adult and minor sub-classes.  The causes of action include:  negligence; negligent misrepresentation; negligence per se (under Section 5 of the FTC Act); unjust enrichment; violation of state data breach laws (including failure to safeguard data and failure to provide adequate notice of the breach); intrusion upon seclusion; and declaratory judgment (seeking an injunction compelling proper security of PII).  There are no references to, or causes of action under, the CCPA.

On March 23, a follow-on suit was filed in the same court raising similar allegations.  The Plaintiffs, Carol Johnson and Lisa Thomas, seek an identical nationwide class as well as Missouri and Wisconsin sub-classes, based on the citizenship of the Plaintiffs.  The Complaint asserts a narrower list of causes of action regarding negligence, negligence per se, unjust enrichment, and declaratory judgment.  Again, there are no references to, or causes of action under, the CCPA.

We will continue to monitor the various claims, as well as court decisions in CCPA litigations.  If you have any questions about defending and/or preparing for a potential privacy consumer class action, please reach out to our team.

Advertising and Privacy Law Resource Center

Effective March 21, 2020, the New York SHIELD Act imposes data security requirements on most businesses that own or license computerized data that includes the “private information” (defined below) of New York residents. In sum, such businesses must develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of that private information. Many businesses likely already comply with the these requirements, but statutes like the SHIELD Act provide a good reminder to review your data security program and confirm that you have everything squared away.

The SHIELD Act requires that businesses develop, implement, and maintain the following safeguards, at a minimum:

  • Reasonable Administrative Safeguards: Such safeguards should include the following: (1) designate one or more employees to coordinate the security program; (2) identify reasonably foreseeable internal and external risks; (3) assess the sufficiency of safeguards in place to control the identified risks; (4) train and manage employees in the practices and procedures of the security program; (5) select service providers capable of maintaining appropriate safeguards, and require those safeguards by contract; and (6) adjust the security program in light of business changes or new circumstances.
  • Reasonable Technical Safeguards: Such safeguards should include the following: (1) assess risks in network and software design; (2) assess risks in information processing, transmission, and storage; (3) detect, prevent, and respond to attacks or system failures; and (4) regularly test and monitor the effectiveness of key controls, systems, and procedures.
  • Reasonable Physical Safeguards: Such safeguards should include the following: (1) assess risks of information storage and disposal; (2) detect, prevent, and respond to intrusions; (3) protect against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information; and (4) dispose of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.

“Private information” includes (1) Social Security numbers; (2) driver’s license numbers; (3) biometric information; (4) account numbers or credit or debit card numbers if they can be used to access an individual’s financial account; (5) account numbers or credit or debit card numbers in combination with security codes, access codes, or passwords that permit access to an individual’s financial account; and (6) usernames or email addresses in combination with a password or security question and answer that would permit access to an online account.

Businesses that follow the data security requirements in HIPAA, GLBA, the New York Department of Financial Services Cybersecurity Regulation, or any other New York statute or rule are not required to comply with the Act. A “small business” with fewer than 50 employees, less than $3 million in gross annual revenue, or less than $5 million in total assets, may also scale down its compliance program.

Breach Notification: Effective October 23, 2019, the SHIELD Act also made a number of edits to the New York data breach notification statute. Those edits included expanding the definition of “private information” to include biometric information and account credentials (following a trend we have seen with other states), prescribing additional content requirements for the individual and regulator notices, increasing the penalty caps to $20 per instance of failed notification (i.e., $20 per individual) up to $250,000, and extending the statute of limitations for regulator actions from two to three years. The statute does not expressly create a private right of action.

Last week, NAD launched a new, expedited process that will allow companies to challenge advertising claims made by competitors and get a decision within weeks as opposed to months.  The process, “Single Well-defined Issue Fast Track” or “SWIFT” is limited to single-issue cases, condenses and simplifies the standard NAD timeline and process, and is slightly more costly.

Fast-Track Eligible Cases

Only certain single-issue cases are accepted for the fast-track review and include, for example:

  • Influencer & Incentivized Reviews Disclosures;
  • Native Advertising Disclosures; and
  • Pricing & Sales Claims.

Cases involving the following are not be eligible for SWIFT review:

  • Complex substantiation, including reviews of clinical studies;
  • Complex legal analysis where the NAD can’t rely on past NAD decisions; or
  • Multiple advertising issues.

Changes to the Process

Fast-track review streamlines the standard NAD procedure and condenses the timeline—with the intention of arriving at a final NAD decision within 20 days.  Here is the timeline:

  • The Challenger files a complaint, starting the clock.
  • The Advertiser has four days to object to the fast-track process and/or NAD’s jurisdiction.  NAD will decide on the objection within 10 days.
  • The Advertiser has 15 days to reply to the complaint (the objection does not extend this time).
  • Remote (telephone or video) party meetings are held within five days of the Advertiser’s reply.
  • NAD will submit a final decision to the parties 20 days after Challenger files its complaint.
  • The Advertiser has five days to submit a statement for inclusion in the published decision.

The appeals timeline is also condensed.

  • The Advertiser has three days to inform the NAD, NARB, and the Challenger of an  intent to appeal the decision.
  • The Advertiser has eight days to submit the case file to the NAD, NARB, and the Challenger (with the appeal limited to 15 double-spaced pages).
  • The Challenger has two days to object to the appeal (no cross-appeals allowed).
  • NARB Chair has absolute discretion to choose which types of members (public, advertising agency, and/or advertiser) will comprise the review panel.
  • NARB will issue a decision three days after the review panel hearing.

Fast-Track Review Cost

The fast-track review cost is $5,000 higher than the standard NAD review cost.  For BBB National Partners, the filing cost is $30,000.  For Challengers with gross annual revenue less than $250 million, the cost is $15,000.  For Challengers with gross annual revenue less than $5 billion, the cost is $35,000.  For Challengers with gross annual revenue more than $5 billion, the cost is $40,000.  If the NAD determines a case is not eligible for fast-track review, it will only retain a $5,000 processing fee and the Challenger has the option of filing a standard NAD challenge.

The COVID-19 pandemic continues to have far-reaching effects on businesses and consumers everywhere.  While many states are taking broadly consistent approaches on certain issues (e.g., price gouging, non-essential business closures), one area where we’ve seen significant divergence involves regulation of collection efforts – both by first party creditors and debt collectors.  In an effort to protect consumers who may themselves be experiencing financial distress, some states have imposed new, stringent restrictions to prevent businesses from engaging in certain collection activities.

For example, Massachusetts issued an emergency regulation that prohibits creditors from making unsolicited debt collection telephone calls to Massachusetts consumers for the next 90 days, unless the state of emergency ends before that time.  The regulation also prohibits collectors from

  • filing any new collection lawsuit;
  • garnishing wages, earnings, properties or funds;
  • repossessing vehicles;
  • applying for or serving a capias warrant;
  • visiting or threatening to visit the household of a debtor;
  • visiting or threatening to visit the place of employment of a debtor;
  • confronting or communicating in person with a debtor regarding the collection of a debt in any public place.

Nevada went a step further by requiring all collection efforts with Nevada consumers to cease until April 16, 2020, although its directive only applies to collection agencies holding a license or certificate and located out-of-state.  Other states such as California, New York, and Illinois have expressly stated that collection agencies and debt buyers are non-essential businesses, but have not sought to impose  additional restrictions on activities that can occur remotely consistent with other federal and state laws.

First-party collectors and debt collectors should consider the Massachusetts and Nevada initiatives before contacting consumers in those states, and continue to monitor whether other states follow suit with similar restrictions.

Lawsuits challenging the advertising and labeling of sugar content – and corresponding representations that a food product may be healthy or wholesome – have become ubiquitous in the class action world.  Yet, a growing number of courts are rejecting such claims when the product’s nutritional label accurately reflects the correct sugar amount in a manner that does not deceive consumers.

In late March, a proposed class action filed against One Brands LLC was dismissed with prejudice, with the court determining that the defendant did not deceive consumers about the sugar content in its energy bar products.  In Melendez v. One Brands, LLC, 1:18-cv-06650 (E.D.N.Y.), the plaintiff contended that One Brands’ labeling and marketing of two of its nutrition bar product lines – ONE Bar and ONE Basix – was misleading because the front label contained the brand name “ONE,” which refers to the bars’ one gram of sugar.

Plaintiff asserted that independent laboratory testing determined that the bars actually contained 5.2 grams of sugar, rather than the advertised one gram.  According to plaintiff, the misleading advertising was particularly important to consumers looking for healthier or diet-based options and also resulted in the bars being sold at a premium price.

The plaintiff asserted two different theories under New York state law: (1) the advertising was actually false, and (2) regardless of whether the “one” gram of sugar statement was actually false, it was still misleading as it deceived reasonable consumers into believing the bars offer lower calories and carbohydrates than competing brands.

U.S. District Judge Carol Bagley Amon rejected each of these arguments under NY General Business Law (GBL) §§ 349 and 350 and related common law theories.

The Court agreed with One Brands that the falsity claim was preempted by federal law.  In order to escape federal preemption, the Court ruled that a plaintiff must comply with FDA’s procedures, which require that testing be based on 12 sub-samples of the product and analyzed by specific reliable and appropriate procedures.  Plaintiff’s testing failed to comply with this methodology, and therefore his claims were preempted.

The Court also found that the “one gram sugar” statement on the ONE Bars’ front label was not likely to mislead a reasonable consumer into believing that the bars are lower in carbohydrates and calories than they actually are, because the back panel of the bars’ packaging serves to clarify any potential ambiguity on the front label. Because the products’ carbohydrate and caloric contents are contained in the mandatory nutrition facts panel – which is “exactly the spot consumers are trained to look” for such information –the court found that plaintiff failed to sufficiently plead the misleading claim under New York GBL §§ 349 and 350.

The Northern District of California recently reached a similar result in a case against General Mills,  reasoning that consumers could not be deceived by the sugar content in Honey Nut Cheerios because “all truthful and required objective facts” were disclosed on the product’s side panel of ingredients, and that individual consumers must reach their own conclusions about how much sugar is “healthy” for them to consume.

Advertisers should remain keenly aware of the growing number of class action lawsuits involving health and nutrition claims, and remember that, while an accurate nutrition facts panel cannot “cure” a false or misleading claim found elsewhere on the package, it can contribute to a finding that the overall package is not misleading to reasonable consumers and can support dismissal – even at the pleadings stage – in appropriate cases.

Advertising and Privacy Law Resource Center

Data is helping governments, researchers, and companies across the world track the spread of the novel coronavirus, monitor cases and outcomes of COVID-19, and devise ways to halt the virus’s spread.  As part of these efforts, raw data, software tools, data visualizations, and other efforts are providing the public and policymakers with insights into the growth of the pandemic.

Personal information — some of which may be highly sensitive — is key to many of these efforts.  Although some regulators in the U.S. and abroad have made it clear that privacy laws and the exercise of enforcement discretion provide leeway to process personal information in connection with COVID-19, they have also made it clear that privacy laws continue to apply.  Federal Trade Commission (FTC) Chairman Joe Simons advises that the FTC will take companies’ “good faith efforts” to provide needed goods and services into account in its enforcement decisions but will not tolerate “deceiving consumers, using tactics that violate well-established consumer protections, or taking unfair advantage of these uniquely challenging times.”  And, with many eyes on the California Attorney General’s Office in light of recent requests to delay enforcement of the California Consumer Privacy Act (CCPA), an advisor to Attorney General Xavier Becerra was quoted as stating: “We’re all mindful of the new reality created by COVID-19 and the heightened value of protecting consumers’ privacy online that comes with it. We encourage businesses to be particularly mindful of data security in this time of emergency.”

Devoting some thought to privacy issues at the front end of COVID-19 projects will help to provide appropriate protections for individuals and address complications that could arise further down the road.  This post identifies some of the key privacy considerations for contributors to and users of COVID-19 resources.

1. Is Personal Information Involved?

Definitions of “personal information” and “personal data” under privacy laws such as the CCPA and the EU’s General Data Protection Regulation (GDPR) are broad.  Under the CCPA, for example, any information that is “reasonably capable of being associate with, or could reasonably be linked” with an individual, device, or household is “personal information.”  This definition specifically includes “geolocation data.”  Although some data sources provide COVID-19-related information at coarse levels of granularity, e.g., county, state, or national level, the broad definition of “personal information” under the CCPA, GDPR, and other privacy laws makes it worth taking a close look at geographic and other types of information to determine whether the data at issue in fact reasonably qualifies as “personal information,” or if it is sufficiently anonymized to meet privacy definitions of de-identified and/or aggregate data.  CCPA, HIPAA, and other privacy laws provide examples of what safeguards are expected to reasonably treat data as anonymized, and employing such standards can help avoid unnecessary privacy mishaps despite well-intentioned efforts.

2. What Level(s) of Transparency Are Appropriate About the Data Practices?

Although some COVID-19 tools may be exempt from statutory requirements to publish a privacy policy (e.g., the provider of the tool is not a “business” under the CCPA), there are still reasons for providers to explain what data they collect and how they plan to use and disclose the data:

  • Disclosures help individuals to reach informed decisions about whether they want to provide their data, e.g., by downloading an app and allowing it to collect their location and other information. If business practices and consumer expectations are not reasonably aligned around the data practices, the failure to provide an appropriate privacy notice could be deemed an unfair or deceptive practice, inviting the scrutiny of the FTC or State Attorneys General.
  • Developing a privacy policy (or other disclosure) can help provide internal clarification on what types of personal information (or not) an app or service needs and collects. A granular understanding of such data practices can help providers to identify and mitigate privacy and data security risks associated with such data practices.
  • Developing a disclosure about a provider’s data collection and usage can help clarify the decision-making structure among multiple stakeholders so that the group is better equipped to handle data governance decisions over the lifecycle of a project.

3. How to Address Government Requests/Demands for Personal Information?

Although much remains to be seen in how federal, state, and local governments will use personal information (if at all) to develop and implement strategies to slow the spread of coronavirus, it is not unreasonable to expect that government agencies will seek information from providers of COVID-19-related tools.  The extent to which a provider can voluntarily provide information to the government — as well as the procedures that the government must follow to compel the production of information (and maintain the confidentiality of it in personally identifiable form) — depends on several factors, including what kind of information is at issue and how it was collected.  Becoming familiar with the rules that apply to voluntary and compelled disclosures, and safeguards to help prevent such data from being subject to broad freedom of information laws,  before a request arrives can help save valuable time down the road.  In many of these scenarios, for example, aggregate or pseudonymous data may be sufficient.

4. What Considerations Are There for Licensing COVID-19-Related Personal Information?

Finally, any licensing of personal information in connection with COVID-19 tools deserves careful consideration, particularly if the CCPA applies.  The CCPA imposes notice and opt-out requirements on entities that “sell” personal information. “Sell” is defined to include disseminating, disclosing, or otherwise “making available” personal information to for-profit third parties in exchange for “monetary or other valuable consideration.”  Several types of open source licenses require users to accept certain restrictions on their use and/or redistribution of licensed data or software.  For example, the Creative Commons Attribution-NonCommercial 4.0 International license requires licensees to agree (among other conditions) not to use licensed content for commercial purposes.  Obtaining this promise in exchange for personal information could constitute “valuable consideration” and give rise to a “sale” under the CCPA.   In addition, while not a “sale,” sharing personal information with a government authority would qualify as a disclosure under CCPA and would need to be accurately disclosed in the privacy policy.

Neither the California Attorney General nor the courts have interpreted the CCPA in the context of open source licenses.  Until more authoritative guidance becomes available, it makes sense to think through the potential obligations and other consequences of applying and accepting specific license terms to COVID-19-related personal information.

Bottom line:  Personal information has a key role to play in shaping responses to the novel coronavirus.  Privacy laws remain applicable to this information.  Applying privacy considerations to COVID-19 related practices involving data collection, sharing, and analysis will help mitigate unnecessary harms to consumers, aside from those presented by the virus itself.

For other helpful information during this pandemic, visit our COVID-19 Resource Center.

As localities order people to stay at home and non-essential businesses to close, consumers are turning to online options.  Although you might welcome the traffic, you might also be facing unexpected challenges like a reduced work force, supply chain disruptions, manufacturing shifts from regular inventory to medical necessities, and other hurdles that can cause shipping delays.  As you scramble to fulfill those orders, remember that under the FTC’s Mail Order Rule, you need a reasonable basis for any shipping representations and any delays may trigger obligations to notify purchasers and sometimes even cancel and refund orders.

Representations About Shipping Dates
The Mail Order Rule requires that when you advertise merchandise, you must have a reasonable basis for representations about timing for shipping. If you provide no shipping date, you must have a reasonable basis for believing that you can ship within 30 days.  Particularly in these times of uncertainty, companies may choose to use a shipping date that is further out than what they would reasonably anticipate in typical circumstances.

Initial Delay Notice
If you cannot ship the merchandise by the promised time frame or within 30 days, you must notify the customer and give the option to cancel the order and obtain a full and prompt refund.

If you know when you can expect to ship the merchandise, the initial delay notice must contain: (1) the revised shipping date; (2) the customer’s ability to cancel for a full refund; and (3) a statement that a customer’s non-response is a consent to the delay.

If you cannot provide a revised shipping date, the initial delay notice must contain: (1) the reason for the delay and (2) a statement that, if the customer agrees to the indefinite delay, the customer may cancel the order any time before shipment.

Subsequent Delay Notices
Given the current unpredictability around supply chains and distributions, companies may be unable to ship by the date included in the initial delay notice.  If that occurs, prior to that date, you must send a “renewed” delay notice.  Although this notice must include much of the same information as the initial delay notice, a customer must expressly consent to further delay.

A renewed delay option must include information about: (1) a revised shipping date; (2) the customer’s ability to cancel for a full refund; and (3) a statement that, unless the customer agrees to wait beyond the most recent definite revised shipment date and the company has not shipped by then, you will automatically cancel the order and issue a prompt refund.

If you cannot provide a new definite revised shipping date, the notice must include: (1) the reason for the delay; and (2) a statement that, if the customer agrees to the indefinite delay, the customer may cancel the order any time until shipment.

Instead of sending a delay notification, you can cancel the order and send a refund, as long as you notify the customer and send the refund within the time you would have sent the consent notification.

Exemptions to the Rule
Not all merchandise is subject to the Mail Order Rule.  For example, products such as monthly gift clubs, subscription boxes, and magazine subscriptions are exempt, although because the FTC could still challenge practices allegedly unfair or deceptive, we recommend taking reasonable steps to notify consumers about shipping delays and to offer options for cancellation and perhaps a refund.

Enforcement
The FTC can extract large civil penalties for violations of the Mail Order Rule: up to $43,280 per violation plus consumer redress.  For example, in FTC v. DiscountMetalBrokers, Inc., a court ordered DiscountMetalBrokers to pay over $6 million for violations of the FTC Act and the Mail Order Rule.  The FTC has also levied fines of over $800,000 in settlements related to alleged Mail Order Rule violations.

*          *          *

The Mail Order Rule imposes very specific requirements that companies should navigate carefully, COVID-19 or not.  As companies face shipping and distribution disruptions, appropriate notice to customers as delays become known will avoid Mail Order Rule violations and enforcement.

For other helpful information during this pandemic, visit our COVID-19 Resource Center.

As a follow-up to our recent posts on price gouging (see here, here, and here), we noted recent signs that federal and state authorities have escalated their enforcement efforts.

  • On Monday, the President signed an executive order to prevent hoarding and price gouging of crucial medical supplies.  It authorizes criminal prosecution of anyone whose purchases exceed reasonable limits.  Attorney General Barr concurrently announced that the Justice Department has already launched hoarding investigations to carry out the order.

So, if you’re sitting on 17,700 bottles of hand sanitizer, it’s probably time to donate that….

  • The AGs in 32 states sent a letter to online retail platforms (Amazon, eBay, Craigslist and others) urging them to do more to crack down on price gouging.  The letter calls for the platforms to set policies and enforce restrictions on price gouging during emergencies, trigger these protections independent of or prior to an emergency declaration, and create and maintain a fair pricing page or portal where consumers can directly report price gouging incidents.
  • In a March 17 letter, the House Energy & Commerce Committee urged the FTC to take action to protect consumers from price gouging.  The Committee also says it will continue to pursue other means, including legislation, to protect consumers.

What’s the takeaway?  Operators of online retail and advertising platforms should be evaluating pricing practices to ensure that they do not run afoul of the patchwork of state laws governing price gouging.  Further, compare existing practices to those outlined in the AG letter and see what can be done to address these points.

  • And finally, as a follow up to reports of consumers using Tito’s Vodka to make hand sanitizer, Tito’s Vodka announced this week that it will be producing 24 tons of hand sanitizer and donating it.  Cheers to that.  Stay well!

For other helpful information during this pandemic, visit our COVID-19 Resource Center and our Advertising and Privacy Law Resource Center.

This week, the FTC announced that Federal-Mogul Motorparts had agreed to settle a complaint alleging that the company made unsubstantiated claims that its aftermarket Wagner OEX brake pads could help a driver stop a vehicle “up to 50 feet sooner” than competing brake pads and, thus, significantly reduce the risks of collision.

Shot from CommercialThe FTC was concerned that the company’s tests “did not simulate testing under ordinary driving conditions.” For example, while an industry standard braking test requires a driver to try to stop a vehicle in “the shortest distance achievable,” Federal-Mogul’s protocol required a driver to applying a “constant and relatively light force” to the brake pedal. That’s not what people do under emergency conditions.

As part of the settlement, Federal-Mogul agreed not to make comparative claims about its brakes’ stopping power or ability to reduce collisions unless it has “competent and reliable scientific evidence” consisting of tests that are “sufficient in quality and quantity based on standards generally accepted by experts in the field of automobile brakes, when considered in light of the entire body of relevant scientific evidence . . . .”

This serves as an important to reminder that you need to think carefully about the tests you use to substantiation your claims. As a general matter, if there is an industry standard case on point, you should use it. Companies that deviate from industry standard tests often have a hard time explaining why their tests are better.

It’s also important to ensure that your tests mirror actual consumer use in the conditions that you advertise. It doesn’t matter that your product performs a certain way in a testing environment, if that environment doesn’t match how consumers use the product or what’s depicted in your ads.

Over the past few weeks, my colleagues have discussed some of the considerations for marketing around COVID-19, including claim substantiation and price gouging. In the next few posts, we are going to take a deeper dive into a few topics, beginning with telemarketing. Here are some points to keep in mind:

States of Emergency: Two states, New York and Louisiana, prohibit certain telemarketing calls during declared states of emergency.

  • New York: The prohibition applies to any unsolicited telemarketing sales call to any person under a declared state of emergency. Calls made (1) in response to an express written or verbal request, or (2) in connection with an existing business relationship, are not “unsolicited” and are therefore permissible. Importantly, it is ambiguous as to whether this prohibition also covers business-to-business telemarketing calls. The provision applies to unsolicited telemarketing sales calls made to any person during a declared state of emergency. The statute defines “person” to include businesses, but the other telemarketing provisions in the statute are limited to business-to-consumer calls.
  • Louisiana: The prohibition applies to all telemarketing calls to consumers, except those made (1) within six months of an express request, or (2) pursuant to an existing business relationship or a prior business relationship that has lapsed within six months.

Telephone Consumer Protection Act: On Friday, the FCC issued a Declaratory Ruling confirming that certain autodialed calls and text messages to cell phones related to the COVID-19 pandemic qualify as calls and text messages made for “emergency purposes” and may be made without the prior express consent that the TCPA typically requires. The Declaratory Ruling is limited to calls and text messages by hospitals, healthcare providers, state or local health officials, government officials, or entities acting at their express direction and on their behalf. However, businesses may place COVID-19-related calls and text messages to their employees, and in some instances, to their customers, with prior express consent (by virtue of the employee or customer providing their phone number as a contact point), or potentially under this “emergency” exemption if, for example, the business is acting at the direction of a government official to address and communicate a necessary health and safety issue. Notably, if such messages include advertising, they are subject to the TCPA’s more rigorous consent obligations.

These are difficult times, but we are happy to help, so please do not hesitate to reach out to us or to check out the Kelley Drye COVID-19 Resource Center.