The California Office of Environmental Health Hazard Assessment (OEHHA) yesterday released its explanation for withdrawing proposed “clarifications” to the Proposition 65 regulations governing internet sales.  Last January, OEHHA proposed what it considered to be modest clarifications to the safe harbor warning regulations, including provisions that would:

•  Specify that “internet sales” include purchases through mobile device applications;

•  Clarify that the option to provide a warning “by electronic device or process” is intended to apply to in-store product purchases at a physical retail location, and that this provision is unrelated to the requirements for warnings provided online for internet purchases;

•  Make clear that the tailored warnings provided in the regulations for specific products (such as for food, alcoholic beverages, and furniture) apply to internet and catalog sales; and

•  Expressly state that the requirement to provide warnings in alternate/foreign languages applies to the tailored product-specific warnings.

In September 2020, after reviewing feedback on the rulemaking, OEHHA announced that it intended to withdraw the proposed clarifications.  Now, the agency has released its final determination and response to comments document in which it explains that the withdrawal was precipitated by stakeholder comments that the supposed “clarifications” in fact represented a “wholesale change” to “the existing safe harbor warning for almost every consumer product.”  OEHHA objected to commenters’ characterization of the proposed revisions, particularly the contention that the “current safe harbor regulations do not require businesses selling online to provide both a website warning and a warning on or with the same product.”  In OEHHA’s view:

Websites and smart phones can be a part of a safe harbor warning method, but neither are a standalone safe harbor warning method.

While disagreeing with the comments, the agency opted to withdraw the proposed changes and said it will consider proposing similar amendments in the future.

With regard to alcohol sales, OEHHA finalized a series of changes intended to codify the terms of a settlement stemming from the California Attorney General’s enforcement action against online sellers of alcoholic beverages.  The new provisions include a requirement that Prop 65 warnings provided on-line or in catalogs also must be “provided to the purchaser or delivery recipient prior to or contemporaneously with the delivery of the product.”  Such warnings “must be readable and conspicuous to the recipient prior to consumption of the alcoholic beverages,” and must be provided (1) on or in the shipping container or delivery package, or (2) delivered by email or text message as part of the electronic receipt or confirmation of the purchase.  These regulations go into effect April 1, 2021.

It is important to remember that the “safe harbor” warning regulations are not mandatory, but, rather, prescribe warning text and methods that are considered de facto compliant.  Businesses can use other means of communicating a warning, or different text, but, if so, they run the risk of a plaintiff challenging the sufficiency of the warning as “clear and reasonable.”

Further information is available at OEHHA’s website.

Find out more on Prop 65 on our Kelley Green blog.

Section 13(b) at the Start of the Supreme Court’s October Term:  Where Things Stand, Where They’re Likely to End, And A Proposed Legislative Fix

The Supreme Court’s new term began last Monday. This new term has taken on heightened significance with President Trump’s nomination of current Seventh Circuit Judge Amy Coney Barrett to the High Court. President Trump and Senator McConnell have vowed to place Barrett on the Court this year, with the aim of doing so before the November 3 election. With her confirmation hearing underway, it seems all but certain that Judge Barrett will soon become Justice Barrett, giving the Supreme Court a 6-3 conservative majority and likely cementing a rightward shift in upcoming jurisprudence for years to come.

One primary concern of the Court’s newly invigorated majority is textual fidelity. Sticking to a textual interpretation of statutes was something former Justice Scalia touted as a central tenet of judicial restraint. While originally more a conservative position, textualist renderings of statutes—in which the Court hews closely to the words of the texts and eschews interpretations that stray from the language’s plain meaning—have gained acceptance on both sides of the legal divide.

For practitioners litigating before and against the FTC, the ramifications of this textualist shift in jurisprudence will likely be massive. In two consolidated cases currently pending before the Court, Federal Trade Commission v. Credit Bureau Center, LLC and AMG Capital Management, LLC v. Federal Trade Commission, the new justice and her colleagues will be tasked with deciding whether or not Section 13(b) of the FTC Act authorizes the FTC to seek monetary relief from the individuals and entities it pursues under that statutory provision. Those cases, stemming from the Seventh and Ninth Circuits, respectively, will be heard and decided sometime in the first half of 2021.

Although the text of Section 13(b) speaks only of injunctive relief, appellate courts have extended the reach of 13(b) to include monetary “restitution” since 1982. In 1989, the Seventh Circuit in FTC v. Amy Travel Serv., Inc. decided that Section 13(b) “carries with it the power to issue whatever ancillary equitable relief is necessary.” 875 F.2d 564, 571 (quotation omitted). Over the years, this expansive definition of 13(b) was adopted by nearly all of the Circuit Courts.

But that expansive definition of 13(b) is beginning to erode. On September 30, 2020, the Third Circuit, in FTC v. AbbVie Inc. et al, joined the Seventh Circuit in concluding that the reach of 13(b) does not extend to monetary restitution. These appellate decisions, along with the new composition of the Supreme Court, strongly suggest that, absent a legislative fix, the FTC’s historically broad restitution powers under 13(b) may soon be cut back, leaving practitioners with a wide-open question: What comes next?

Many believe that a legislative fix is in order, and steps have been taken to address the issue in Congress. Proponents argue that the FTC needs the broad powers appellate courts have historically provided it under Section 13(b) to indemnify the public against truly bad actors who commit egregious fraudulent conduct. But is a return to the status quo ante the right course of action?

One view is that a legislative remedy should be limited, so that restitution would be available under 13(b) only where the conduct rises to the level of the “dishonest or fraudulent” standard articulated in Section 19 of the FTC Act. The FTC has a need for vibrant Section 13(b) remedies, but those remedies are only appropriate where the actors either knew or should have known that their conduct was false or deceptive. In more run-of-the-mill substantiation cases, administrative proceedings are far more appropriate. There is a strong argument that any new language added to Section 13(b) should make that distinction clear.

Federal Trade Commission v. Credit Bureau Center, LLC (“Credit Bureau”)

Credit Bureau concerns a credit monitoring website that offered consumers what was purportedly a “free credit report and score.” Consumers opting to receive this report would unknowingly be enrolled in a monthly “membership,” costing $29.94 a month. Consumers only learned that they had been enrolled in the business’s monthly service when they received a post-hoc letter, detailing the commitment they had supposedly made.

The FTC sued Michael Brown, the sole owner and operator of Credit Bureau, under Section 13(b) of the Act. Relying on this longstanding precedent allowing the FTC to use Section 13(b) to assess money damages, the district court ordered Brown to pay more than $5 million in restitution to the FTC.

The district court’s ruling was appealed to the Seventh Circuit Court of Appeals. The Seventh Circuit, in a precedential opinion, reversed, finding that the FTC does not have the authority to obtain monetary restitution under Section 13(b). In doing so, the Credit Bureau court admonished that Section 13(b) must be taken on its own terms. “By its terms, section 13(b) authorizes only restraining orders and injunctions,” not restitution. 937 F.3d 764, 767. Because Section 13(b) does not explicitly authorize monetary restitution, the Seventh Circuit concluded that the FTC has no restitution powers under 13(b).

Ironically, it had been the Seventh Circuit, in Amy Travel Serv., that had originally expanded the FTC’s restitution powers under Section 13(b) thirty-one years ago. Although the principle of stare decisis would normally have constrained the Credit Bureau panel to follow Amy Travel’s precedent, even if the current panel disagreed with it, the Credit Bureau court decided that the textualist Supreme Court of the present-day would not allow Amy Travel to stand. In the words of the Seventh Circuit, “[s]tare decisis cannot justify adherence to an approach that [recent] Supreme Court precedent forecloses.” 937 F.3d 764, 767. The FTC asked the full Seventh Circuit to rehear the case, but that request was denied.

After being denied rehearing before the full Seventh Circuit, the FTC petitioned for certiorari of the Seventh Circuit’s Credit Bureau decision to the Supreme Court. In its Supreme Court petition, the FTC asked the Supreme Court to uphold the textual reading of Section 13(b) that has become prominent over the past thirty years. The Supreme Court accepted the FTC’s petition, granting certiorari, in July.

Notably, the FTC is representing itself before the Supreme Court. This is highly unusual. In the normal course of events, the Solicitor General of the United States represents government agencies at the High Court. In this case, the Solicitor General chose to sit it out, signaling that the Trump Administration might agree with the Seventh Circuit’s reading limiting the FTC’s powers under 13(b).

AMG Capital Management, LLC v. Federal Trade Commission (“AMG”)

AMG is in many ways a parallel case to Credit Bureau, with similar facts leading to an opposite outcome. Indeed, depending on what happens at the Supreme Court next year, AMG may represent the last of the old guard of cases in which the appellate court affirms the FTC’s broad restitution powers under Section 13(b).

AMG, like Credit Bureau, involved a single-proprietor business, AMG Capital Management. The business’s sole function was to provide payday loans. The FTC sued Scott Tucker, the owner of AMG, under Section 13(b) of the Act, asserting that the terms disclosed in the loan notes provided to consumers did not reflect the harsher terms that Tucker actually enforced. The district court found Tucker liable, and pursuant to Section 13(b), levied a staggering $1.27 billion in equitable monetary relief to be paid by Tucker to the Commission.

Tucker appealed the district court’s ruling to the Ninth Circuit Court of Appeals, arguing, inter alia, that Section 13(b) forecloses monetary relief. Like the Seventh Circuit in Credit Bureau, the Ninth Circuit noted that the argument that 13(b) does not allow restitution “has some force.” 910 F.3d 417, 426. Yet, unlike the Seventh Circuit, the AMG panel concluded that it “remain[ed] bound by” the ample Ninth Circuit precedent broadly construing Section 13(b). Id. at 427.

Two of the three judges on the AMG panel, in separate concurrences, called for the Ninth Circuit to rehear the case en banc, in order to overrule its prior precedent (something only the full Circuit has the power to do in the Ninth Circuit). However, the full Circuit denied AMG’s petition for a panel rehearing. After its petition for rehearing was denied, AMG filed a petition for certiorari with the Supreme Court. The Supreme Court granted that petition in July, consolidating the case with Credit Bureau for a single oral argument.

FTC v. AbbVie Inc. et al (“AbbVie”)

On September 30, in a precedential decision, the Third Circuit joined Credit Bureau in concluding that “district courts lack the power to [authorize monetary disgorgement] under Section 13(b).” The facts in AbbVie concerned a patented drug called AndroGel. The FTC sued the owners of AndroGel’s patent under Section 13(b), alleging they had filed sham patent infringement suits against generic drug makers, and that they had entered into an anticompetitive reverse-payment agreement with one of those generic providers. The district court awarded the FTC disgorgement of $448 million.

The Third Circuit reversed the order of disgorgement. In doing so, the AbbVie panel, like the Seventh Circuit before it, focused on the text of the statute. The AbbVie court found that the text was dispositive, allowing only injunctive relief and (at best) minimal monetary penalties. In the Third Circuit’s view, “Section 13(b) authorizes a court to ‘enjoin’ antitrust violations. It says nothing about disgorgement, which is a form of restitution.” Emphasizing this point, the court wrote that “[a] contrary conclusion would undermine the FTC Act’s statutory scheme.” In reaching its conclusion, the AbbVie court explicitly relied on the findings of its sister Circuits in Credit Bureau and AMG, calling the Seventh Circuit’s Credit Bureau decision “a thorough and well-reasoned opinion.”

Because AbbVie was just decided, the Supreme Court will not be hearing it directly this term. However, AbbVie indicates that, when it comes to 13(b), the dominoes are falling. The appellate courts, like the Supreme Court, have become much more textually inclined over the last decade. The Third Circuit’s AbbVie panel consisted of two Trump appointees and a George W. Bush appointee. The parties before the Supreme Court in Credit Bureau are currently in the midst of briefing. The Third Circuit’s AbbVie decision is certain to play a large role in that briefing, and has further potential to influence the Supreme Court’s Credit Bureau decision.

The End of Restitution Under 13(b)?

Seventh Circuit Judge Amy Coney Barrett, President Trump’s nominee to join the Supreme Court, has often affirmed her textualist beliefs. This past summer, Barrett was quoted as explaining that “textualism matters because it is a theory, one that I think is consistent with the judicial role under the Constitution of what I do quite often, which is interpreting statutes.” Although Barrett was not on the Seventh Circuit’s Credit Bureau panel that reversed Amy Travel and concluded the FTC does not have broad restitution powers under Section 13(b), she did join the majority of the Seventh Circuit in voting to deny rehearing of that panel decision. This, along with her textualist bona fides, strongly suggests a Justice Barrett would affirm the Seventh Circuit and reverse the Ninth Circuit, concluding that Section 13(b) does not allow for monetary relief.

Even in the unlikely event Judge Barrett is not confirmed to the Supreme Court, any of the other women on President Trump’s short list are likely to take a similar textualist position. Even the shrinking liberal wing of the High Court has lately been going textualist, especially when it comes to statutory language akin to that of Section 13(b), language that is far from unambiguous.

Earlier this year, in Liu v. Securities and Exchange Commission, the Supreme Court analyzed a similar statute found in the Securities Exchange Act, Section 21(d)(5). The appellate courts had historically treated that statute similarly to 13(b) of the FTC Act, allowing the SEC to use it to seek monetary relief even though its text said nothing about disgorgement. In its June 22, 2020 ruling, the Supreme Court significantly narrowed the disgorgement remedy, finding that the text of the Exchange Act does not allow for the broad monetary disgorgement the SEC has been wielding. Notably, it was Justice Sotomayor—now probably the most liberal member of the Court—who authored the Supreme Court’s Liu decision.

Textually, Section 13(b) provides even more limited powers than Section 21(d)(5) of the Exchange Act. While the Exchange Act specifically allows for “any equitable relief,” Section 13(b) of the FTC Act expressly limits itself to injunctive relief. Given the textualist inclinations of the current Court, and its continuing march toward textualism if Barrett is elevated to the bench, there is good reason to believe the justices will soon narrow or even do away with the FTC’s ability to seek monetary relief under 13(b).

And forces in favor of doing exactly that are ensuring their voices will be heard.  An amicus brief filed last week by the Washington Legal Foundation summarized the position of the groups in a manner that they hope will be fruitful:

To ‘start with the obvious,’ ‘injunction’ does not mean ‘restitution.’  Credit Bureau Ctr., 937 F.3d at 771-772.  ‘Apples,’ after all, does not mean ‘oranges.’  Nor does ‘injunction’ mean ‘equitable relief (including, at times, restitution).’  That would be like saying that ‘apples’ means ‘fruit (including, at times oranges).’  Nor, finally, can it be said that some aspect of the FTC Act’s structure reveals Congress’s subtle intent to use ‘injunction’ to mean ‘injunction, but maybe restitution too.’  Section 13(b) is plainly designed to be ‘a simple stop-gap measure,’ 910 F.3d at 431 (O’Scannlain, J., specially concurring), one that enables the FTC to enjoin a practice while it uses other statutory authority to prosecute an offender.

The Issue is Having an Effect in the Courts and at the Negotiating Table

With the fate of Section 13(b) in the balance, practitioners and lower courts are catching on. In late August, for example, a Northern District of California court granted the Motion to Stay of defendant LendingClub in a 13(b) action, pending the Supreme Court’s determination in Credit Bureau. The district court reasoned that, if the High Court significantly narrows 13(b)’s scope, “the viability of the remedy motivating the case” against LendingClub would disappear.

The trial in LendingClub had been scheduled for October. In finding a stay of that trial warranted, the LendingClub court emphasized that the FTC’s authority to seek monetary relief under Section 13(b) (or lack thereof) is “an issue of enormous consequence to this case.” The court explained, “[g]oing forward with trial would needlessly burden LendingClub to put on a trial defense only to possibly have the entire enterprise mooted by the FTC’s inability to seek any monetary relief under Section 13(b).”

LendingClub is not the only defendant caught in the FTC’s crosshairs to raise the prospect of a near-term sea change. To date, at least nine other defendants in 13(b) actions around the country have requested that courts stay their cases pending the Supreme Court’s decision in Credit Bureau. We fully expect to see a flurry of these motions in the months ahead.

Earlier this month, a federal district court judge in the Northern District of Texas granted one such motion, staying an FTC action against Match Group, Inc. In its complaint, the FTC had alleged that the company used fake love interest advertisements to trick consumers into purchasing paid subscriptions on Match.com, and sought disgorgement under Section 13(b). Notably, the Texas court chose to stay the case even though it was at an early stage – discovery had not yet commenced – evidently believing that the FTC would abandon its action if it could no longer receive a monetary remedy.

And just this past Friday, a federal district court in the Central District of California ruled for the FTC and against the defendants in FTC v. Cardiff, another 13(b) action. While the court had denied the defendants’ motion to stay the case prior to resolution of liability, “the Court recognized that the United States Supreme Court will likely decide whether restitution is available under Section 13(b)” in the coming term. The Cardiff court therefore stayed the resolution of liability pending the Supreme Court’s ruling, even though it had conclusively determined the defendants were liable under 13(b).

A potential Supreme Court decision neutering Section 13(b) also has implications outside of the courtroom. For companies currently engaged in FTC negotiations, awareness of a potential Supreme Court ruling limiting the FTC’s equitable powers under 13(b) can be a valuable asset. The awareness that the FTC may not be able to obtain monetary relief through Section 13(b) has an obvious effect on the context of such negotiations. Savvy practitioners now have the ability (some might say the obligation) to leverage the potential limitation of Section 13(b) restitution in order to push the FTC to discount monetary demands. After all, the FTC may soon lose any ability at all to demand monetary relief under 13(b).

What Comes Next?

Under the current 13(b) framework, the FTC has the ability to take a party directly to court, and to sue for both monetary and injunctive relief. If the FTC’s ability to sue for monetary relief goes away, the FTC will still be able to use Section 13(b) to enjoin a party in federal court, but in order to obtain monetary restitution, the FTC will have to resort to Section 19 of the FTC Act.

Under Section 19 of the Act, the FTC can seek monetary damages against a party in federal court, eventually. But the process to do so is cumbersome and time-consuming. First, the FTC must bring the case at the Commission before an Administrative Law Judge. Assuming the FTC prevails before the ALJ, the losing party can (and almost certainly will) appeal that decision to the full Commission. The FTC must make its case a second time before the Commission in order to receive a final order, allowing the case to be brought in federal court. Only then can the FTC begin prosecuting the actual lawsuit against the party. Especially compared to the current Section 13(b) framework, the Section 19 process is lengthy and convoluted, making it far harder for the FTC to obtain quick and effective monetary remedies.

There is some hope for those concerned about the FTC losing a major weapon in its arsenal following the Supreme Court’s Credit Bureau decision. On September 17, four Senate Republicans introduced S. 4626, the Setting an American Framework to Ensure Data Access, Transparency, and Accountability (SAFE DATA) Act – a comprehensive privacy bill. Section 403 of the bill, as currently written, would modify the text of Section 13(b) to clarify that the FTC has the explicit ability to obtain monetary restitution. The proposed provision comes in response to numerous agency requests for Congressional action on 13(b) following ongoing legal challenges to the scope of its authority.

While some portions of the SAFE DATA Act are contentious, revising Section 13(b) seems to carry bipartisan support. At a September 23 hearing on privacy legislation, Ranking Member Maria Cantwell, a Democratic Senator from Washington, suggested that the “core mission of the FTC would be crippled” without the authority to obtain monetary relief under Section 13(b). This suggests that a bipartisan legislative fix could be in the offing. Of course, given the political climate, such a legislative remedy is unlikely to be enacted until 2021, at the earliest. Without the enactment of such legislation, there is a very real possibility that the FTC’s ability to obtain monetary restitution from parties under Section 13(b) will be curtailed in the coming year.

Any Legislative Fix Should Curb FTC Excess

In the absence of the availability of monetary restitution under Section 13(b), the FTC will likely make more use of its remaining 13(b) powers. Particularly, the FTC will likely increasingly use Section 13(b) to attempt to enjoin and freeze companies’ assets quickly while a Section 19 action is pending. Instead of the current Section 13(b) landscape, consisting of federal litigation taking place over a defined period of time, followed by a potential money judgment (or not), companies in such a scenario would face potentially years of Section 19 litigation at the FTC and in court while their assets have already been frozen under Section 13(b).  This would have a devastating effect on a company’s business.

By losing its ability to seek 13(b) monetary restitution, the FTC could thereby ironically gain tremendous leverage over companies it ends up suing for injunctive relief under Section 13(b). Many companies would likely choose to settle with the FTC rather than face an indefinite asset freeze, even in those cases where settlement might not be appropriate.

To be sure, you would expect just about all parties to agree that the FTC should not be able to freeze assets of a typical advertiser whose substantiation for a product claim is called into question when there is no evidence that they acted in a dishonest and fraudulent manner. While there is an obvious difference between cases of fraudulent conduct and more run-of-the-mill substantiation cases, the line has become increasingly blurred over the past ten years.

Given the Court’s leanings and the evident bipartisan support to reinvigorate Section 13(b), we may see a legislative fix in the coming year. Any legislative remedy should clarify that Section 13(b)’s remedies—both injunctive and monetary—can only be used against truly bad actors. In this regard, Congress has a clear legislative playbook to follow. Section 19 of the FTC Act allows the FTC to obtain monetary remedies only for “dishonest or fraudulent conduct.”

While the power courts of appeals have given the FTC under their expansive interpretations of Section 13(b) is warranted in severe situations, it should not be doled out to companies engaged in routine if not always perfect behavior, such as an alleged failure to properly substantiate claims. The FTC has other, administrative remedies to deal with those types of problems, and if the current Rules of Practice do not allow for acceptably fast disposition (they do not), those Rules can be revised. Section 13(b), however, is a powerful tool. If and when it is revised, Congress should ensure it is used only when necessary and appropriate – in cases involving dishonest and fraudulent conduct.


Last week, the New York Attorney General’s Office announced that Bombas had agreed to pay $65,000 and implement a number of injunctive provisions to settle allegations that the sock startup failed to comply with the state’s data breach notification statute. According to the press release, Bombas learned in November 2014 that an unauthorized intruder had inserted malicious code designed to steal payment card information into its ecommerce platform. Bombas allegedly waited almost two months before remediating, and then mistakenly re-inserted the code into the website a few weeks later.

The company determined that the incident resulted in unauthorized access to the names, addresses, and credit card information of almost 40,000 customers nationwide, but did not notify those consumers until May 2018. New York’s data breach notification statute requires that businesses provide notice of a breach of personal information “in the most expedient time possible and without unreasonable delay” to both the affected resident(s) and the Attorney General, the Department of State, and the Division of State Police.

The AG’s Office has not made a copy of the settlement agreement public, but explains that the injunctive provisions are intended to help prevent future breaches and ensure compliance with the law, N.Y. Gen. Bus. Law § 899-aa. They include requirements for thorough and expeditious investigations into any future breaches and training for all appropriate officers, managers, and employees. This settlement highlights the importance of preparing for a breach, including developing and implementing policies and procedures that will allow the business to comply with the patchwork of state requirements in an efficient and timely manner.

Yesterday, the U.S. House of Representatives approved the 2015 Financial Services and General Government Appropriations bill, which provides funding for the CPSC but includes an amendment that would prohibit the Commission from using those funds to finalize, implement, or enforce its proposed rule on voluntary recalls. The amendment, which was introduced by Rep. Marsha Blackburn (R-TN) late Tuesday night, was adopted on a vote of 229 to 194.

Introduced in November 2013, the proposed rule represents a departure from longstanding Commission practice regarding voluntary recalls. Specifically, the proposed rule would: (1) make corrective action plans that implement voluntary recalls legally binding; (2) allow the CPSC to mandate the adoption of legally binding compliance programs; (3) reduce flexibility in the voluntary recall process by standardizing recall notice content; and (4) limit a company’s ability to disclaim that a product is defective or presents a substantial product hazard. As the House Report notes, the voluntary recall process is largely successful, but the proposed changes “would serve to negatively impact small businesses . . . , [and the Appropriations] Committee opposes making unnecessary changes to a recall system that has worked well over the past 40 years.”

The House Report also expresses concerns over proposed changes to the Commission’s public disclosure rules, which would affect companies’ ability to prevent the CPSC’s disclosure of information about the company, and notes that the proposed changes “threaten to undermine a successful partnership based on openness and trust between industry and the Commission.” The Committee also characterizes the proposed changes to certification requirements as costly and burdensome.

On the other side of the aisle, the Senate Committee on Commerce, Science and Transportation on Tuesday approved three CPSC nominees – Elliott Kaye, Joseph Mohorovic, and current Commissioner Robert Adler. If confirmed by the Senate, Mr. Kaye, the current CPSC Executive Director, would become Chairman. Mr. Mohorovic, senior vice president of strategic management in Intertek’s consumer goods division, would become the second Republican Commissioner (joining Ann Marie Buerkle), and Commissioner Adler, currently serving as Acting Chairman, would stay on for a second term. We will continue to monitor the progress of the appropriations bill and the Senate vote and keep you apprised of any developments.

Welcome to our monthly digest of litigation and regulatory highlights impacting the food and beverage industry.  As it has been for many months, the story was mostly about what’s going on in the food court.  Let’s take a look….

Litigation

Vanilla, vanilla, and more vanilla…. The plaintiffs’ bar remains skeptical of any product labeled as vanilla.  Among the many vanilla-related lawsuits filed, McDonald’s, Whole Foods and Trader Joe’s defended suits alleging that their vanilla ice cream, vanilla almond milk, and vanilla almond cereal respectively were falsely labeled as vanilla.  However, in a win for industry, a NY federal judge found that Topco did not improperly label its vanilla almond milk, ruling that although the product is not exclusively flavored with real vanilla, the suit failed to allege that a reasonable consumer would believe that a vanilla milk’s flavor was solely sourced from vanilla.

Other flavorings haven’t been immune from scrutiny, though.  Frito-Lay appears to have settled a case involving allegations that the company’s cheddar and sour cream chips are misleadingly labeled.  The plaintiff alleged that, given the images of cheddar cheese and sour cream on the front of Ruffles-brand and Baked Lays Cheddar + Sour Cream Flavor potato chips, reasonable buyers would think that those ingredients flavor the chips.  In fact, the plaintiff claimed that Frito-Lay used synthetic diacetyl to provide the sour cream flavor in the chips, but did not disclose the artificial flavor on the front of the packaging, as required per the FDCA regulations.

Consumers were also dismayed to find out that 7-Eleven’s Yumions may not, in fact, be made from real onions and, separately, that the Keebler elves allegedly may not be making their cookies with “real fudge”.

The lesson from these cases and others is that flavor and ingredient-related representations continue to face considerable scrutiny.  If businesses are updating labels or branding for the new year, it’s worth the time to review flavor descriptions and consider the arguments that these plaintiffs are asserting to help understand and assess risk.

(links from Law360, subscription req’d.)

FDA

FDA warning letters focused on claims that cause products to be considered unapproved new drugs, including claims featured on an aloe product relating to joint mobility, inflammation, and acid reflux.  In other enforcement, a Washington-state federal judge entered a consent decree against a juice processor accused of distributing adulterated juice products.

FDA published findings of its leafy greens E. coli outbreak investigation, identifying cattle grazing upslope from the growing area as the likely source of contamination.

In a recall turned class action litigation story, Midwestern Pet Foods, Inc., initiated a recall of multiple pet foods on December 30, related to the presence of aflatoxin.  Consumers whose pets perished after consuming the food recently filed suit alleging that the foods caused their pets’ deaths.

Undeclared allergens and the potential presence of Listeria monocytogenes and other contaminants were the most common reasons for food recalls listed in FDA’s recall database.

Prop 65

Our sister blog, Kelley Green Law, featured two Prop 65 developments that may impact certain products, including Prop 65 warnings required on products that may expose consumers to THC and a proposal to minimize use of the short form warning format.  Also, although not directly in the personal care space, given the proliferation of many products that feature disinfectant claims, companies may want to note this post regarding EPA enforcement on unregistered disinfectants.

FTC

The FTC did not announce any food-specific settlements or litigation in January 2021.

NAD

NAD did not issue any food-specific decisions in January 2021, but see select dietary supplement highlights here.

*                      *                      *

Thanks for reading our first installment of the food industry litigation and regulatory highlights.  See you in March!


Welcome to our monthly roundup of regulatory and litigation highlights impacting the dietary supplement and personal care products industries.

NAD

NAD tackled substantiation for “#1 Dermatologist Recommended” claims in a challenge involving L’Oreal’s CeraVe moisturizer and use of syndicated survey data to support related claims.

Health claim substantiation was front and center in a Council for Responsible Nutrition-led challenge involving glutathione and the level of evidence required to support claims relating to low-glutathione levels.

FTC

Indirectly related to dietary supplements and consumer care, the FTC announced a settlement with app-maker Flo regarding allegations that the company shared the health information of users with outside data analytics providers after promising that such information would be kept private.

As we noted here, the FTC has new civil penalty authority relative to false COVID-related advertising claims and practices.

FDA

As it has since relaxing the regulatory standards relative to manufacturing of hand sanitizers in March 2020, FDA continued issuing warning letters related to hand sanitizer products that contain active ingredients other than those allowed per the hand sanitizer tentative final monograph, primarily methanol, and relative to hand sanitizers that are allegedly sub-potent.

The agency also continued its enforcement relative to COVID-related claims with warning letters issued to AusarHerbs and Allimax US (joint warning letter with the FTC), as well as non-COVID-related letters to companies whose products featured claims relating to joint health, hair loss, and inflammation, which caused the products to be considered unapproved new drugs.  The letters rely heavily on evidence from social media posts, blog posts, and product websites.

Prop 65

Our sister blog, Kelley Green Law, featured two Prop 65 developments that may impact certain products, including Prop 65 warnings required on products that may expose consumers to THC and a proposal to minimize use of the short form warning format.  Also, although not directly in the personal care space, given the proliferation of many products that feature disinfectant claims, companies may want to note this post regarding EPA enforcement on unregistered disinfectants.

Class Action Litigation

In a significant win for the dietary supplement industry, the Ninth Circuit Court of Appeals upheld the Northern District of California’s grant of summary judgment to Target Corp., ruling that state law false advertising challenges to permissible structure/function claims are preempted by the Federal Food, Drug and Cosmetic Act.  See our blog post discussing the case here.

Other highlights from courtrooms around the country include…

Southern California skincare company Yes To Inc. agreed to pay $775,000 to a proposed class of consumers to resolve allegations it misrepresented the dangers of its Grapefruit Vitamin C Glow-Boosting Unicorn Paper Mask, which was recalled after a flood of consumers reported facial skin irritation and burning. (Law360 subs. req’d.)

A California federal judge has thrown out for the last time a proposed class action alleging that Johnson & Johnson Consumer Inc. and Bausch Health US LLC misled customers about the safety of their talc products, saying even after five chances to amend the complaint, the pleadings still fall short.  (Law360 subs. req’d.)

Skincare company Murad LLC was hit with a proposed class action claiming the company deceived buyers by wrongly representing its moisturizer as “oil-free” when the product actually contains oils.  (Law360 subs. req’d.)

A woman suing Charlotte’s Web Holdings Inc. argued that the CBD company shouldn’t be able to pause or escape her proposed class action over its labeling of products as dietary supplements, saying that identifying them as such violates state and federal laws. (Law360 subs. req’d.)  There are several cases involving this issue.  See a recent post on this issue on Cannabis Law Update.

*                      *                      *

Thanks for reading our first installment of the dietary supplement and personal care monthly highlights.  See you in March!

The Oregon AG recently announced a $545,000 settlement with the Vitamin Shoppe over allegations that the store violated Oregon state law by selling dietary supplements containing ingredients that FDA has deemed unsafe or unlawful. The new settlement agreement places significant burdens on the Vitamin Shoppe to monitor developments on ingredient status. The burdens are the same regardless of whether the Vitamin Shoppe sells a product under one of its own brands – or if it sells a product that was manufactured, labeled, and sold to it by a third party vendor.

Under the terms of the agreement, if the Vitamin Shoppe “receives or learns of” a “written notice” from FDA that an ingredient may be unsafe or unlawful, it must “take immediate action to suspend the sale of such products or products known to contain the ingredients.” If the Vitamin Shoppe becomes aware of any other “public announcement, warning, alert, publication, notice, or report” suggesting that the U.S. government, Australia, Canada, Britain, or the EU might consider a dietary ingredient unsafe or unlawful under the FDCA, then the Vitamin Shoppe must conduct a “reasonable due diligence review,” which may result in a decision not to sell any products containing the ingredient.

This settlement is notable for at least two reasons:

  1. It identifies FDA warning letters sent to the Vitamin Shoppe or anyone else as “written notice” that FDA has deemed an ingredient unsafe or unlawful.  Warning letters, however, state only allegations and are not considered “guidance” under FDA’s rule on “good guidance practices.”  Well after a warning letter is issued, the lawfulness of a particular dietary ingredient can be the subject of much ongoing debate, and even the FDA’s official guidance document on ingredient status remains in flux after years of debate.
  2. The settlement represents an aggressive stance by Oregon on a retailer’s liability for product formulation and labeling by third parties.  As we’ve discussed before, there isn’t a whole lot of precedent for regulators going after the retailer, rather than the product seller.

The Oregon Attorney General is currently in litigation against another retailer over similar allegations related to the legal status and safety of a dietary ingredient.

This month we sent out the first edition of News & Views: Dietary Supplement Advertising. This newsletter is specifically for our clients marketing dietary supplements. We’ll cover developments ranging from FTC, FDA, and Customs to class actions and Prop 65. Check out our first issue and subscribe to future issues by filling out your information and checking the Dietary Supplements Practice Group box here.

 

It has been a full year since the California Consumer Privacy Act (“CCPA”) took effect at the top of 2020. In the cases filed in the second half of the year, the complaints more frequently assert a violation of the CCPA as a standalone cause of action, though it remains common for a CCPA violation to be asserted as a predicate to support a separate cause of action, such as a violation of California’s Unfair Competition Law (“UCL”).

In this post, we include our round-up of representative cases filed in the third and fourth quarters of the year. Our prior summaries of CCPA-related litigation filed last year can be found in our Q1 2020 CCPA Litigation Round-Up and CCPA Litigation Round-Up: Q2 2020. We have separately analyzed trends emerging from the 2020 CCPA litigation landscape. Going forward into 2021, we will continue to report on relevant developments in CCPA consumer litigation, and also provide updates in our CCPA Litigation Tracker chart.

  1. Cases Filed in Q3/Q4 2020 Alleging Direct Violation of CCPA

Shadi Hayden v. The Retail Equation, Inc. et al., No. 8:20-cv-01203 (C.D. Cal.)

On August 3, a class action amended complaint was filed by thirteen named plaintiffs against The Retail Equation, Inc. (“TRE”) and a variety of retailers: Sephora USA, Inc., Advance Auto Body Parts, Inc., Bed Bath & Beyond, Inc., Best Buy Co., Inc., Buy Buy Baby, Inc., Caleres, Inc., CVS Health Corporation, Dick’s Sporting Goods, Inc., L Brands, Inc., Stein Mart, Inc., The Gap, Inc., The Home Depot, Inc., and The TJX Companies, Inc. (the “Defendant Retailers”) in the District Court for the Central District of California.  Plaintiffs’ CCPA claim alleges that the Defendant Retailers, without their customers’ knowledge or consent, collect large amounts of data about their retail customers, including: (1) “Consumer Commercial Activity Data,” which includes “the unique purchase, return, and/or exchange histories of individuals consumers”; and (2) “Consumer ID Data,” which includes “the unique identification information contained on or within a consumer’s driver’s license, government-issued ID card, and/or passport” such as “the consumer’s name, date of birth, race, sex, photograph, complete street address, and zip code.” Plaintiffs allege that this data is shared with TRE as non-anonymized, individual data sets, which TRE processes to create consumer reports and a risk score for each customer. The risk score is allegedly used to advise the retailer about whether a customer’s attempted return or exchange is fraudulent or abusive.  The amended complaint alleges that “Defendants’ policies and practices failed to hold plaintiffs’ and Class members’ personal information secure by, for example, [the Retailer Defendants’ sharing of] the personal information . . . in an unsecured, unrestricted manner with TRE to create consumer reports and generate a ‘risk score’ that TRE then shared with other Defendant Retailers alongside other personal information.”

McCoy v. Alphabet, Inc. et al., 5:20-cv-05427 (N.D. Cal.)

On August 5, 2020, plaintiff Robert McCoy filed a class action complaint against defendants Alphabet Inc. and Google LLC for monitoring and collecting the sensitive personal data of Android Smartphone users when they interact with non-Google applications on their smartphones, without obtaining consent. This personal data includes the duration of time spent on non-Google apps and how frequently those apps are opened.  Plaintiff’s CCPA cause of action alleges that defendants failed to disclose that they collect the class members’ personal data and the true purpose for collecting the data, which plaintiff alleges is to gain a competitive edge over rival companies. Plaintiff’s proposed class definition includes “All Android Smartphone users from at least as early as January 1, 2014 through the present.”

On September 30, 2020, Google filed a Motion to Dismiss, including arguments that the CCPA claim fails because (1) plaintiff fails to allege his information was subject to a data breach; and (2) relief is only available to a consumer, which is defined as a “California resident,” and plaintiff is a New York resident.

Guzman v. RLI Corp. et al., No. 2:20-cv-08318 (C.D. Cal.)

On September 10, 2020, plaintiff Jose Guzman filed a class action complaint against defendants RLI Corp. and RLI Insurance Company alleging that defendants, through the Pacer filing service, disclosed the login credentials to computer systems containing personal and confidential information of class members. Plaintiff alleges that as a surety, defendants requested access to the records of Libre by Nexus, which secures bonds for detained undocumented immigrants. Plaintiff alleges that, in a separate suit, defendants disclosed Libre’s login credentials by filing them publicly, giving anyone with a Pacer login access to class members’ personal and confidential information including dates of birth, names of minor children, home address, Social Security Numbers, and taxpayer identification numbers and financial account information.

On October 22, 2020, defendants filed a Motion to Dismiss, including arguments that the CCPA claim fails because: (1) defendants’ access was court-authorized and therefore not unauthorized; (2) plaintiff failed to establish that there was a “violation of the duty to implement and maintain reasonable security procedures and practices”; and (3) plaintiff did not comply with the mandatory 30-day notice and cure provision. On November 6, 2020, the action was voluntarily dismissed without prejudice.

Gardiner v. Walmart Inc. et al., 4:20-cv-04618 (N.D. Cal.)

On July 10, 2020, plaintiff Lavarious Gardiner filed a class action complaint against retailer Walmart alleging that vulnerabilities on Walmart’s website led to breaches of Walmart’s systems, allowing hackers to steal customers’ personally identifiable information (including full names, addresses, financial account information, and credit card information) and to attack Walmart’s customers’ computers directly as well. The CCPA cause of action alleges that Walmart violated its duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information. On October 29, 2020, the Parties stipulated to a briefing schedule on defendant’s Motion to Dismiss, which is scheduled to be completed by February 3, 2021.

Flores-Mendez et al v. Zoosk, Inc. et al., 3:20-cv-04929 (N.D. Cal.)

On July 22, 2020, plaintiffs Juan Flores-Mendez and Amber Collins filed a class action complaint against Zoosk, Inc., an online dating site, and its parent company, Spark Networks SE, alleging that cybercriminals hacked and obtained 30 million of Zoosk’s users’ records, containing their name, email, date of birth, and password, due to Zoosk failing to maintain reasonable security controls and systems.  Plaintiffs only sought injunctive and equitable relief but alleged that if Zoosk could not cure the breach within 30 days of its July 14 notice letter, they intended to amend to seek actual and statutory damages. On October 30, 2020, plaintiffs filed an Amended Complaint.

Warshawsky et al v. cbdMD, Inc et al., No. 3:20-cv-00562 (W.D.N.C.)

On October 9, 2020, plaintiffs Michael Warshawsky and Michael Steinhauser filed a class action complaint against cbdMD Inc., and CBD Industries, LLC. Plaintiffs allege that due to two data breaches, hackers accessed consumers’ names, credit card numbers, CVV security codes, credit card expiration dates, addresses, email addresses, and bank account numbers. Plaintiffs’ CCPA cause of action alleges that defendants’ computer systems and data security practices were inadequate to safeguard its customers’ personal information.

Diczhazy et al v. Dickeys Barbecue Restaurants Inc. et al., No. 3:20-cv-2189 (C.D. Cal.)

On November 9, 2020, plaintiffs Ross Diczhazy and Wesley Etheridge II filed a class action complaint against Dickey’s Barbecue Restaurants Inc. and Dickey’s Capital Group, Inc. for their alleged failure to secure and safeguard the names, payment card numbers and security codes of proposed class members in a data breach in violation of the CCPA. The complaint proposes two classes: (a) All California residents who made a purchase from Dickey’s using a payment card, or otherwise disclosed payment card information to Dickey’s, since January 1, 2020, and whose personal information was compromised including as part of the Joker’s Stash BlazingSun data set; and (b) All persons who made a purchase from Dickey’s using a payment card, or otherwise disclosed payment card information to Dickey’s, since January 1, 2018, and whose personal information was compromised including as part of the Joker’s Stash BlazingSun data set.

Marquez v. Dickey’s Barbecue Restaurants, Inc. et al., No. 3:20-cv-2251 (S.D. Cal.)

On November 18, 2020, plaintiff Jose Luis Marquez also filed a class action complaint against Dickey’s Barbecue Restaurants Inc. and Dickey’s Capital Group, Inc. for their failure to secure and safeguard their customers’ personal identifying information. As in Diczhazy (above), there is a nationwide class as well as a California subclass alleged: (a) All persons residing in the United States who made a credit or debit card purchase at any affected Dickey’s Barbecue Pit restaurant during the period of the Data Breach; and (b) All persons residing in the State of California who made a credit or debit card purchase at any affected Dickey’s Barbecue Pit restaurant during the period of the Data Breach.

Gitner v. U.S. Bank National Association et al., No. 0:20-cv-02101 (D. Minn.)

On November 20, 2020, plaintiff Barry Gitner filed a first amended class action complaint in the District of Minnesota against U.S. Bank National Association and U.S. Bancorp for their alleged failure to secure and safeguard the confidential, personally identifiable information of thousands of consumers, including names, account numbers, Social Security Numbers, driver’s license numbers, and dates of birth. Specifically, plaintiffs allege that a computer server with consumer information was stolen from defendants’ corporate offices. Under the CCPA cause of action, plaintiffs seek injunctive or other equitable relief but reserve their rights to amend the complaint to seek actual and statutory damages if the breach is not cured within 30 days. On January 13, 2021, the Court stayed the action pending arbitration of Plaintiff’s individual claims, after defendants’ Motion to Compel Arbitration was unopposed.

Schaubach v. Hotels.Com, LP et al., No. 8:20-cv-2370 (C.D. Cal.)

On December 17, 2020, plaintiff Lauren Schaubach filed a class action complaint against defendants Hotels.com, L.P. (“HLP”), Expedia Group, Inc. (“Expedia”) and Amazon Web Services, Inc. (“AWS”) after a Cloud Hospitality server hosted by Defendant AWS and containing information for customers of Defendant HLP and Defendant Expedia was hacked and tens of millions of data records were exposed, including full names, email address, ID numbers, phone numbers, credit card numbers, security codes and expiration dates. Plaintiff seeks to represent a class of “all consumers in California whose personally identifiable information was compromised in the Breach.” On December 17, 2020, the action was voluntarily dismissed without prejudice.

  2. Cases Filed in Q3/Q4 2020 Alleging CCPA Violations As a Predicate For UCL Causes of Action

Pygin v. Bombas, LLC et al., No. 4:20-cv-04412 (N.D. Cal.)

On July 1, 2020, plaintiff Alex Pygin filed a class action complaint against defendants Bombas, LLC, Shopify (USA) Inc. and Shopify, Inc., alleging that sock and apparel retailer Bombas uses an ecommerce platform supplied by Shopify to take customers’ personal and payment information (including name, billing, shipping and email addresses, along with credit card numbers, expiration dates, and security codes) and that the customers’ information was compromised during a data breach due to defendants’ negligent and/or careless acts and omissions and failure to protect the data.

While plaintiff brings no claim under the CCPA, he alleges that class members have suffered injury including “deprivation of rights they possess under . . . the California Consumer Privacy Act” by “failing to maintain reasonable security procedures and practices appropriate to the nature of the personally identifiable information.” As part of its causes of action for negligence and violation of the UCL, plaintiff alleges that defendants: (i) had a duty to take reasonable steps and employ reasonable methods of safeguarding the personally identifiable information of class members, as required under the CCPA; (ii) failed to maintain those reasonable security procedures and practices by storing the information in an unsecure electronic environment; and (iii) failed to disclose the data breach to class members in a timely and accurate manner as required by the CCPA.

Currently pending before the Court is Shopify’s Motion to Dismiss for (1) lack of personal jurisdiction, (2) violation of FRCP 8 for failing to distinguish among defendants and adequately allege that Shopify caused harm, and (3) failure to state a claim, based partially on the argument that the CCPA does not “create any private right of action under any other law.”

Calixte et al. v. Dave, Inc., 2:20-cv-07704 (C.D. Cal.)

On August 24, 2020, five plaintiffs filed a class action complaint against defendant Dave Inc. alleging that its users’ names, emails, date of birth, physical address, phone numbers and social security numbers were compromised as a result of a cyberattack against a former third party service provider of Dave Inc. The complaint alleges that the hackers’ ability to pivot from a third-party vendor’s system to the defendant’s systems without detection demonstrates the lack of controls and cybersecurity measures in use at Dave Inc. to prevent such unauthorized use.

Plaintiffs only allege violations of the CCPA as a predicate to their UCL violation cause of action based on Dave Inc.’s alleged failure to implement and maintain reasonable security measures. The proposed nationwide class is defined as “All persons whose PII was compromised as a result of the Data Breach announced by Dave Inc. in July and August of 2020.” The Parties are currently briefing defendant’s Motion to Compel Arbitration. On November 9, 2020, the action was voluntarily dismissed without prejudice.

Wesch v. Yodlee, Inc. et al., No. 3:20-cv-05991 (N.D. Cal.)

On August 25, 2020, plaintiff Deborah Wesch filed a class action complaint against defendants Yodlee, Inc. and Envestnet, Inc. (who acquired Yodlee) alleging that Yodlee sells highly sensitive financial data, such as bank balances and credit card transaction histories, collected from software products that it markets and sells to financial institutions. Plaintiffs allege that when individuals connect their bank accounts to Paypal, they upload their banking credentials using Yodlee’s system. Yodlee then allegedly stores a copy of the credentials on its own system and exploits them, contrary to the disclosed use of the information.

Plaintiff’s UCL cause of action is predicated upon alleged violations of CCPA requirements, including that defendants: (i) disclose, before or at the point of collection, the category of information to be collected and how it will be used; and (ii) refrain from collecting additional information for additional purposes without providing notice.

Plaintiff filed an Amended Complaint on October 21, 2020, and the parties have stipulated to a briefing schedule on plaintiff’s anticipated Motion to Dismiss.

Conditi v. Instagram, LLC et al., No. 3:20-cv-06534 (N.D. Cal.)

On September 17, 2020, plaintiff Brittany Conditi brought a class action complaint against defendants Instagram LLC and Facebook Inc. alleging that Instagram constantly accesses users’ smartphone camera feature and monitors users without permission when they are not interacting with the camera feature, which goes beyond the services it promises to provide. Plaintiff alleges that Instagram does this to collect valuable personal data to increase their advertising revenue.

Plaintiff’s UCL cause of action is based upon allegations that defendants violated the CCPA by failing to disclose that they monitor users through their smartphone cameras, while not in use, to collect personal information. Plaintiff proposes the following class definition: “All Instagram users whose smartphone cameras were accessed by Instagram without their consent from 2010 through the present (the ‘Class Period’).”

 

You can follow developments in CCPA-related cases by referring to our new CCPA Litigation Tracker. If you have any questions about defending and/or preparing for a potential privacy consumer class action, please reach out to our team.

On Tuesday, the New York Attorney General Letitia James announced a settlement with Dunkin’ Brands, Inc. over allegations that the company failed to adequately respond to years of cyberattacks that compromised customers’ online accounts.

According to the lawsuit, Dunkin’ customers with “DD Perks” accounts were first targeted in early 2015 in a series of “credential stuffing attacks” — which were automated attempts to gain access to accounts using usernames and passwords stolen through security breaches of other unrelated websites.

Allegedly, the maker of the Dunkin’ app repeatedly warned Dunkin’ of these attacks, but Dunkin’ failed to conduct an investigation into the attacks to identify which accounts had been compromised, what customer information may have been acquired, and whether customer funds had been stolen. The lawsuit alleged that the 2015 incident impacted nearly 20,000 customers and the subsequent 2018 hack affected another roughly 300,000 customers.

Dunkin’ provided a statement on Tuesday refuting the claims and stating that they provided notifications and reset passwords for many affected by these breaches. They also state that they increased their security measures prior to the settlement.

Under the terms of the settlement with the Attorney General, Dunkin’ will be required to notify customers impacted by the attacks, reset those customers’ passwords, and provide refunds for any unauthorized use of customers’ stored value cards. The company must also maintain safeguards to protect against similar attacks in the future, follow incident response procedures when an attack occurs, and pay $650,000 in penalties and costs to New York state.

The full text of the settlement is available here. This case is a good reminder for companies to ensure they have an appropriate data security program in place to address and respond to breaches should the need arise, including those that may be limited to online account credentials.
