A new bill introduced in the Senate Health, Education, Labor, and Pensions (HELP) Committee would impose federal regulatory obligations on health technology businesses that collect sensitive health information from their service users and customers.

The Protecting Personal Health Data Act, S.1842, introduced by Senators Amy Klobuchar (D-Minn.) and Lisa Murkowski (R-Alaska), seeks to close a growing divide between data covered by the Health Insurance Portability and Accountability Act (HIPAA) and non-covered, sensitive personal health data.

More specifically, the bill would regulate consumer devices, services, applications, and software marketed to consumers that collect or use personal health data. This would include genetic testing services, fitness trackers, and social media sites where consumers share health conditions and experiences. Often, these technologies and services are run independent from traditional, HIPAA healthcare operations involving hospitals, healthcare providers, and insurance companies.

The bill directs the U.S. Department of Health and Human Services (HHS) to promulgate rules that would strengthen the privacy and security of such personal health data. The bill contemplates that the new rule would:

  • Set appropriate uniform standards for consent related to handling of genetic data, biometric data, and personal health data;
  • Include exceptions for law enforcement, research, determining paternity, or emergency medical treatment;
  • Set minimum security standards appropriate to the sensitivity of personal health data;
  • Set limits on the use of the personal health data;
  • Provide consumers with greater control over use of personal health data for marketing purposes; and
  • Create rights to data portability, access, deletion, and opt-outs.

Inevitably, the success or failure of the legislation will be tied to federal baseline privacy legislation already pending in Congress. Those efforts are ongoing, but have lost momentum in recent months as focus turns to California’s new privacy law taking effect on January 1, 2020.

On July 1, 2019, a new law governing automatic renewals will go into effect in Vermont. Although the law includes two provisions that are more stringent than those found in other state laws, the Vermont law is more limited in scope. It only applies to agreements with an initial term of one year or longer that renew for a subsequent term that is longer than one month.

The law includes two unique requirements:

  • Bold Disclosures:  Companies are required to “clearly and conspicuously” disclose “the terms of the automatic renewal provision in plain, unambiguous language in bold-face type.” Other states require “clear and conspicuous” disclosures, but Vermont is the first state to require the use of bold type.
  • Double Opt-In:  “In addition to accepting the contract,” a consumer must also take “an affirmative action to opt in to the automatic renewal provision.” Although some settlements have included similar requirements, this is the first time this type of requirement has been included in a statute.

Like many other state laws, the Vermont law also requires sellers to send a reminder notice between 30-60 days prior to renewal. The notice must generally include: (a) the date the contract will automatically renew; (b) the length of the new term; (c) the methods by which the consumer can cancel; and (d) the seller’s contact information. Existing contracts that are in effect as of July 1, 2019 may not automatically renew, unless sellers provide a similar notice.

Companies who sell products or services using automatic renewal plans should pay close attention to these developments. As we’ve posted before, a growing number of states regulate how these plans can be structured, and there have been both lawsuits and regulatory investigations targeting companies that have failed to comply.

The Electronic Retailing Self-Regulation Program (or “ERSP”) recently announced a decision involving Alo Yoga’s influencer campaign. The decision centers around how the company’s influencers disclosed – or, in some cases, failed to disclose – their connection to the company, and it includes helpful reminders about how to conduct an influencer campaign.

At the outset, the ERSP reminded Alo that an “individual does not have to say something positive about a product for a social media post to be considered an endorsement covered by the FTC Act. Simply posting a picture or video of a product, or, similarly, tagging a brand in the post, could convey the message that a person likes and approves of a product, and, therefore, may be an endorsement.” That endorsement triggers a disclosure requirement.

Although some influencers did disclose their connection to the company, ERSP took issue with the way some disclosures were made. For example, one influencer used the hashtag #ad – which is generally considered to be sufficient – but ERSP worried that it would get lost in the middle of 23 other hashtags. Also, some influencers used foreign words in their disclosures – such as #incollaborazionaloyoga – potentially making them hard for viewers to understand.

ERSP commended Alo for drafting guidelines that were based on the FTC’s Endorsement Guides and sharing them with its influencers, but reminded the company that simply telling influencers what they have to do is not enough. Companies also need to monitor compliance with their guidelines and take steps to address influencers that don’t comply. Moreover, companies should not re-post influencer posts that don’t include the appropriate disclosures.

Influencers and companies have some flexibility in how they make disclosures and structure their campaigns, but this case demonstrates that there is a limit to that flexibility. Disclosures have to be made in a way that viewers are likely to see and understand them. And companies can’t just give their influencers guidelines, and hope for the best. Instead, they need to take an active role in the campaigns to ensure they comply with the law.

“Made in the USA” claims have taken on an even greater importance as American manufacturing has captivated the political discussion. Recently FTC Commissioner Chopra released a statement calling for more stringent enforcement of the agency’s “Made in USA” advertising policies.

Kristi Wolff discusses how to substantiate “Made in USA” claims on the latest episode of the Ad Law Access Podcast, Making it in the USA – When Product Origin and Origin Marketing Claims Matter.

During the podcast, Kristi makes references to a commercial, John Villafranco’s podcast on Challenging Competitors’ Claims, and our webinar Buy American and Hire American: Is Your (Or Your Competitor’s) Product Really “Made in the USA”.

You can find the Ad Law Access podcast on Apple Podcasts,
SpotifyGoogle PlaySoundCloud, and other podcast services.

On a new episode of the Ad Law Access PodcastAlex Schneider discusses the recently approved (four) bills to amend the California Consumer Privacy Act (CCPA) and the Nevada and Maine Legislatures legislation that, like the CCPA, features new requirements relating to the sale of consumer personal data.

For additional information see the Ad Law Access blog posts:

The Ad Law Access podcast is available now through Apple PodcastsSpotifyGoogle PlaySoundCloud, and other podcast services.


Last week, the New York Attorney General’s Office announced that Bombas had agreed to pay $65,000 and implement a number of injunctive provisions to settle allegations that the sock startup failed to comply with the state’s data breach notification statute. According to the press release, Bombas learned in November 2014, that an unauthorized intruder had inserted malicious code designed to steal payment card information into its ecommerce platform. Bombas allegedly waited almost two months before remediating, and then mistakenly re-inserted the code into the website a few weeks later.

The company determined that the incident resulted in unauthorized access to the names, addresses, and credit card information of almost 40,000 customers nationwide, but did not notify those consumers until May 2018. New York’s data breach notification statute requires that businesses provide notice of a breach of personal information “in the most expedient time possible and without unreasonable delay” to both the affected resident(s) and the Attorney General, the Department of State, and the Division of State Police.

The AG’s Office has not made a copy of the settlement agreement public, but explains that the injunctive provisions are intended to help prevent future breaches and ensure compliance with the law, N.Y. Gen. Bus. Law § 899-aa. They include requirements for thorough and expeditious investigations into any future breaches and training for all appropriate officers, managers, and employees. This settlement highlights the importance of preparing for a breach, including developing and implementing policies and procedures that will allow the business to comply with the patchwork of state requirements in an efficient and timely manner.

With CBD projected to be a $450 Million industry in the coming year, FDA hosted a packed house of industry stakeholders last week in a day-long public meeting that was the kickoff of a discussion to determine whether there is a pathway for CBD in ingestible products such as foods and dietary supplements.  See our summary of key themes here and check out this podcast episode to hear five key takeaways. 

In the world of influencer marketing, a person’s power is often measured in terms of followers, “likes,” and other types of engagement. Because more followers and more engagement generally means more reach, companies who work with influencers often base their compensation on these metrics. But thanks to shady agencies that sell fake followers and offer fake engagement, these numbers may not tell the whole story.

The Influencer Marketing Council recently released a report that provides companies with some tips to detect fraud. Here are a few of the highlights:

  • Abnormal Spikes:  Abnormal spikes in follower numbers or engagement levels could suggest fake followers or bots.
  • Engagement Rates:  Large follower counts with low engagement rates could indicate that many followers are fake.
  • Engagement Quality:  A lot of repetitive or irrelevant engagement, or posts with unusually bad grammar, could indicate that the engagement comes from bots, rather than real followers.
  • Audience/Engagement Location:  If an influencer’s audience is mostly in one country, but the engagement comes from other countries, that could indicate the engagement is fake.
  • Incentivized Followers:  Consider whether an increase in followers is due to a sweepstakes or contest. Although gaining followers this way isn’t fraudulent, some of these followers may drop off after the promotion ends.

The complete report is available on the IMC’s website.Robot Hands

Although there is evidence to suggest that the ROI associated with influencer campaigns can be favorable, the increase in fraud can make that difficult to measure. It may not be possible to completely eliminate the fraud, but the IMC report at least provides some good tips to detect it.

While businesses rightfully have been focused on preparing for the California Consumer Privacy Act (“CCPA”), the Nevada and Maine Legislatures have moved forward with legislation that, like the CCPA, features new requirements relating to the sale of consumer personal data. The Nevada bill, which was signed into law on May 29 and amends an existing data privacy statute, requires companies to provide a designated channel through which consumers can opt out of the sale of their personal data. The Maine bill, which has passed house and senate votes, notably would require opt-in consent prior to the sale of personal data; however, the law would narrowly apply to Internet Service Providers (“ISPs”) and exclude online companies perhaps more commonly associated with the disclosure and sale of consumer data.

• Nevada

Nevada’s SB 220 amends the state’s existing online privacy notice statute, NRS 603A.300 to .360, to add a provision that requires “operators” – which include most companies that conduct business online with Nevada residents – to comply with a consumer’s do-not-sell request (health care and financial institutions subject to HIPAA and GLBA are out of scope of the law). As of the October 1, 2019 effective date, operators are required to create a “designated request address,” such as an email address, toll-free number, or website, through which consumers can submit a “verified request” to restrict the sale of covered data. A “verified request” is one where the operator can reasonably verify the authenticity of the request and the consumer’s identity using “commercially reasonable means,” which the law does not define.

The personal information covered under the law includes personal data such as name, address, and SSN, as well as online contact information, and any other data collected by the company that could be viewed as personally identifiable. Notably, the law defines “sale” more narrowly than the CCPA to include the exchange of covered information for “monetary consideration” to a person “for the person to license or sell the covered information to additional persons.”

Operators will have 60 days to respond to a consumer’s do-not-sell request, though this timeline may be extended by up to 30 days where the operator deems it necessary and notifies the consumer. The provision will be enforced by the Nevada Attorney General’s Office, which can impose a penalty of up to $5,000 per violation.

• Maine

The bill advanced by the Maine Legislature, titled “an Act to Protect the Privacy of Online Customer Information,” would among other things prohibit ISPs’ use, disclosure, and sale of “customer personal information” without a customer’s opt-in consent, except under limited circumstances such as to provide the requested service, to collect payment, and several other narrow scenarios. Customer personal information subject to the law broadly would include (1) personally identifiable information about an ISP customer; and (2) information relating to a customer’s use of broadband Internet access service, including web browsing history, app usage, device identifiers, geolocation data, and other usage information. ISPs also would be prohibited from making the sale of data mandatory under the applicable terms of service, or refusing service to customers who do not consent to data collection.

The bill is an attempt to restore at the state level core provisions within the FCC’s 2016 broadband order that were repealed by Congress in 2017. The Maine State Chamber of Commerce has opposed the bill, claiming that ISPs are being unfairly singled out, and arguing that the law would result in a false sense of privacy for consumers given that large web-based companies such Facebook and Google would not be subject to the law. The Governor still must sign the final legislation, which would take effect July 1, 2020.

The FTC today announced two new actions under the Consumer Review Fairness Act against companies (CRFA) that allegedly used non-disparagement provisions in consumer form contracts in connection with selling their respective services to help rent properties.  The two actions follow three CRFA actions last month, which we discussed here.

In the complaint against Shore to Please Vacations LLC, the FTC alleged that the company used language in form contracts providing that “[b]y signing below, you agree not to defame or leave negative reviews (includes any review or comment deemed to be negative by a Shore to Please Vacations LLC officer or member, as well as any review less than a “5 star” or “absolute best” rating) about this property and/or business in any print form or on any website . . .”  The contract also stated that any breach of this clause will result in a minimum liquidated damages of $25,000.

In the complaint against Staffordshire Property Management, LLC, the FTC alleged that Staffordshire used rental applications that provided that “Applicant … specifically agrees not to disparage [Staffordshire], and any of its employees, managers, or agents in any way, and also agrees not to communicate, publish, characterize, publicize or disseminate, in any manner, any terms, conditions, opinions and communications related to [Staffordshire], this application, or the application process. . . .”  The contract also stated that the company was entitled to damages for any breach of that provision.

The administrative orders entered in each case prohibit the companies from using “Review-Limiting Contract Terms” and require the companies to provide consumers with a notice of “Your Right to Post Honest Reviews.”  It’s clear the FTC is making the CRFA a priority, so companies should take note and ensure any form contracts don’t violate the terms of the CRFA by (a) prohibiting or restricting consumers from reviewing a business’ goods, services, or conduct; (b) imposing penalties or fees on consumers for those reviews; or (c) requiring consumers to give up their intellectual property rights in the content of those reviews.