This week, President Trump signed an executive order outlining a national plan to promote the development and adoption of artificial intelligence (AI) technologies.  The order serves as the official launch of the “American AI Initiative,” which includes five areas of focus:

  • Invest in AI R&D – Prioritize AI investment in Federal agencies’ R&D missions
  • Unleash AI Resources – Enhance availability of Federal data, models, and computing resources to America’s AI research and development experts
  • Set AI Governance Standards – Led by the National Institute of Standards & Technology (NIST), develop technical standards for reliable, secure, trustworthy, and interoperable AI systems
  • Build the AI Workforce – Prioritize fellowships and training with Federal agencies to cultivate AI-focused skills and education
  • International Engagement and Protecting the U.S. AI Advantage – Implement an action plan to protect U.S. AI intellectual property

The order does not include a timeline or allocate specific funding for AI initiatives, though the Administration has indicated that a detailed plan to further the goals in the order will be released this year.

The order comes a day after remarks by FTC Commissioner Rohit Chopra that referred to potential negative outcomes of AI technology. In a speech at the Silicon Flatirons Conference in Colorado, Commissioner Chopra raised concerns about biases, and potential inequality based on gender or race, that can result from “black box” decision-making technology that combines AI algorithms with massive data collection. Commissioner Chopra noted that current consumer protection laws that exist to address human bias in the marketplace must similarly be structured to account for AI-generated biases, echoing sentiments raised by participants at the FTC’s AI-focused competition and consumer protection hearing held last year.

Most of our posts regarding “Made in USA” claims relate to FTC investigations and enforcement actions. Private plaintiffs, however, also closely watch those claims. For example, in 2018 plaintiffs filed a class action lawsuit against New Balance Athletics Inc. challenging qualified “Made in USA” claims. Although the plaintiffs acknowledged that New Balance qualified the claim in some places to indicate that the domestic value is at least 70%, they alleged that the general impression is that the products are American made. To resolve that litigation, a California federal judge recently granted preliminary approval to a proposed $750,000 settlement.

In Dashnaw v. New Balance Athletics, Inc., consumers alleged that New Balance mischaracterized its line of “Made in USA” sneakers because as little as 70% of the product was made with domestic components or labor. The claim appeared in advertising, on the shoes, and on the shoe boxes. The complaint acknowledged that New Balance disclosed in some places that its “Made in USA” sneakers contain a domestic value of 70% or greater, but alleged that a “Made in USA” claim appeared in places like the shoe and the shoe box. Because 30% of the value of those shoes could be attributed to a foreign country, plaintiffs alleged that the claims violated both California law, requiring that foreign materials must not exceed 5% of the final wholesale value, and FTC guidelines, stating that a product must be “all or virtually all” made in the United States.

The case was transferred from state court to the U.S. District Court for the Southern District of California, where the parties initiated settlement discussions. In April, the parties proposed a settlement of $750,000, with $215,000 going to settlement administration costs and compensation and $535,000 to consumers, with each consumer receiving up to $10. Judge Lorenz denied the settlement stating that the proposed amount was not enough for the estimated 1 million class action members. In response, the parties explained that a 5% participation rate among class members would result in full compensation and even with a 10-15% participation rate, each class member would receive 35-50% of the maximum damages the class could receive at trial, which they called a “reasonable settlement amount.” Judge Lorenz granted preliminary approval to the proposed settlement of $750,000 on January 25, 2019.

This case reminds advertisers that when using a disclosure to qualify a Made in USA claim or any other claim, the disclosure must appear consistently to maximize effectiveness. The FTC has also cautioned that even qualified claims may imply more domestic content than exists, so advertisers should avoid qualified claims unless the product has a significant amount of U.S. content or U.S. processing.

Last week, five advertising and marketing trade associations jointly filed comments with the California Attorney General seeking clarification on provisions within the California Consumer Privacy Act (CCPA).

While expressing “strong support” for the CCPA’s intent, and noting the online ad industry’s longstanding consumer privacy efforts like the DAA’s YourAdChoices Program, the group proposed the following three clarifications relating to CCPA provisions that, unless modified, the group believes could reduce consumer choice and privacy:

  • Notice relating to a sale of consumer data: A company’s written assurance of CCPA compliance should satisfy the requirement to provide a consumer with “explicit notice” (under 1798.115(d)) when a company sells a consumer’s personal data that the company did not receive directly from such consumer;
  • Partial opt-out from the sale of consumer data: When responding to a consumer’s request to opt out of the sale of personal data, companies can present consumers with choices on the types of “sales” from which to opt-out, the types of data to be deleted, or whether to opt out completely, rather than simply offering an all or nothing opt-out.
  • No individualized privacy policies: Businesses should not be required to create individualized privacy policies for each consumer to satisfy the requirement that a privacy policy disclose to consumers the specific pieces of personal data the business has collected about them.

The associations signing on to the comments include the Association of National Advertisers, American Advertising Federation, Interactive Advertising Bureau, American Association of Advertising Agencies, and the Network Advertising Initiative. The comments represent an “initial” submission intended to raise the proposals above and, more broadly, highlight to the California AG the importance of the online-ad supported ecosystem and its impact on the economy.  The associations plan to submit more detailed comments in the coming weeks.

The comments coincide with a series of public forums that the California AG is hosting to provide interested parties with an initial opportunity to comment on CCPA requirements and the corresponding regulations that the Attorney General must adopt on or before July 1, 2020.

 

In the Data Business? You May Be Obligated to Register in Vermont by Thursday

Data brokers have until this Thursday to register with the Vermont Secretary of State as part of a new data broker oversight law that became effective January 1st.

Approved unanimously by the Vermont Senate last May, the Vermont Data Broker Regulation, Act 171 of 2018, requires data brokers to register annually, pay an annual filing fee of $100, and maintain minimum data security standards, but the law does not prevent data brokers from collecting or selling consumer data.

What Qualifies as a “Data Broker”?

The law only applies to “data broker[s],” defined as a “business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.”

As we noted previously, the California Attorney General is holding a series of public forums on the California Consumer Privacy Act (CCPA) to provide the public with an initial opportunity to comment on CCPA requirements and the corresponding regulations that the Attorney General must adopt on or before July 1, 2020.  On Friday, January 25, 2019, the Attorney General’s Office held its fourth of six hearings before a full auditorium in Los Angeles.  This blog post summarizes the main themes discussed at the hearing.

Timing/Scope:  For businesses hoping for CCPA clarity and guidance soon, that seems unlikely. California Deputy Attorney General Lisa Kim initiated the hearing, emphasizing that the Attorney General’s Office was in the beginning of its rulemaking process and noting that she anticipated the formal review process not to start until Fall 2019.  For now, the Attorney General’s Office encouraged interested parties to submit comments by the end of February, focusing on subjects within the scope of the Attorney General’s rulemaking responsibilities, as set forth in the CCPA, including:

  • Categories of Personal Information
  • Definition of Unique Identifiers
  • CCPA Exemptions
  • Submitting and Complying with Consumer Requests
  • Uniform Opt-Out Logo/Button
  • Notices and Information to Consumers, including Financial Incentive Offerings
  • Certification of Consumers’ Requests

During the hearing, the Attorney General’s Office displayed this PowerPoint deck, summarizing the CCPA regulatory process.

Main Themes


On Monday, France’s Data Protection Agency announced that it levied a €50 million ($56.8 million) fine against Google for violating the EU’s new General Data Protection Regulation (GDPR).  The precedent-setting fine by the Commission Nationale de l’Informatique et des Libertés (“CNIL”) is the highest yet imposed since the new law took effect in May 2018.

How Does Google Violate GDPR, According to CNIL?

  • Lack of Transparency: GDPR Articles 12-13 require a data controller to provide data subjects with transparent, intelligible, and easily accessible information relating to the scope and purpose of the personal data processing, and the lawful basis for such processing. CNIL asserts that Google fails to meet the required level of transparency based on the following:
    • Information is not intelligible: Google’s description of its personal data processing and associated personal data categories is “too generic and vague.”
    • Information is not easily accessible: Data subjects must access multiple Google documents or pages and take a number of distinct actions (“5 or 6”) to obtain complete information on the personal data that Google collects for personalization purposes and geo-tracking.
    • Lawful basis for processing is unclear: Data subjects may mistakenly view the legal basis for processing by Google as legitimate interests (which do not require consent) rather than individual consent.
    • Data retention period is not specified: Google fails to provide information on the period that it retains certain personal data.
  • Invalid Consent: Per GDPR Articles 5-7, a data controller relying on consent as the lawful basis for processing of personal data must be able to demonstrate that consent by a data subject is informed, specified, and unambiguous. CNIL claims that Google fails to capture valid consent from data subjects as follows:
    • Consent is not “informed”: Google’s data processing description for its advertising personalization services is diluted across several documents and does not clearly describe the scope of processing across multiple Google services, the amount of data processed, and the manner in which the data is combined.
    • Consent is not unambiguous: Consent for advertising personalization appears as pre-checked boxes.
    • Consent is not specific: Consent across all Google services is captured via consent to the Google Terms of Service and Privacy Policy rather than a user providing distinct consent for each Google personal data use case.

What Does This Mean for Other Companies?


Earlier this week, the Direct Selling Self-Regulatory Council (DS-SRC) opened its doors for business. Its objective is to provide independent, impartial, and comprehensive monitoring of direct selling companies on an industry-wide basis, address income misrepresentations (including unsubstantiated lifestyle claims) and false product claims by companies and salesforce members, and enhance the reputation of direct selling.

The DS-SRC will be administered by the Advertising Self-Regulatory Council (ASRC), which operates under the Council of Better Business Bureaus. This should help the new self-regulatory body achieve its goals, considering the great success of ASRC and the programs it currently administers, including the National Advertising Division (NAD), Children’s Advertising Review Unit (CARU), National Advertising Review Board (NARB), Electronic Retailing Self-Regulation Program (ERSP) and Online Interest-Based Advertising Accountability Program (Accountability Program).

Peter Marinello, Vice President of CBBB, will serve as Executive Director of the DS-SRC, and will oversee the program and its staff.  Additional staffing will include a senior legal analyst, and a staff attorney. DS-SRC may utilize monitoring services at its discretion, and in consultation with the Direct Selling Association (DSA).

DS-SRC will have jurisdiction over the following:

  • Independent monitoring of the direct selling marketplace;
  • Matters referred by the DSA Code Administrator based on a pattern and practice of complaints identified, or pursuant to media reports, or matters identified by consumers;
  • Matters raised by competitor challenges;
  • Inquiries received from distributors, customers and other users of direct selling companies’ products or services; and
  • Complaints from Better Business Bureaus directed to DS-SRC.

DS-SRC’s legal standards will be rooted in case decisions, FTC guidance, self-regulatory decisions of the National Advertising Division and the Electronic Retailing Self-Regulation Program, the DSA Code of Ethics, and the BBB Code of Advertising.

DS-SRC’s independent monitoring will allow for the review of relevant promotional content created by direct selling companies and their salesforces, including websites and social media.  Any problematic content will be identified, and companies will be provided an opportunity to address the issues.

When a matter is referred by the DSA Code Administrator, pursuant to media reports, or inquiries, DS-SRC will identify content of concern, and the company will be given an opportunity to address these concerns within 15 business days.  In the event that substantiation is not sufficient, DS-SRC may request additional information or recommend corrective measures or remedial instruction to the salesforce.  It will also issue a case report with a summary of issues.

With respect to competitor challenges, DS-SRC will allow companies to challenge the income representations and/or product claims of competitor companies, with a submission addressing the content with a reasonable level of specificity.  A company will also be given the opportunity to address content, and the DS-SRC will issue a decision which will then be reported publicly (so long as it has not been appealed).    DS-SRC reserves the right to not hear a case if the complaint is overly broad, if a party publicizes the case while pending, if the matter is the subject of litigation, or if the content has been withdrawn.

Companies that do not agree to implement corrective measures, ignore the inquiry, or do not participate, may be referred to the appropriate government agency, most likely the Federal Trade Commission.

DS-SRC will issue case decisions within 30 days of the last document received, prepare a case decision, and invite the company to provide a responsive statement.  Should the DS-SRC find that the content at issue is not adequately substantiated, the company will have to submit a response indicating whether it (1) agrees to comply with DS-SRC’s recommendations; (2) will not comply with DS-SRC’s recommendations; or (3) will appeal all or part of DS-SRC’s decision.

Once a case decision has been made, it will be published in Case Reports.  The decision will include a summary of the content at issue, a summary of each party’s position, and the ultimate resolution (including whether a party complied or was unresponsive).

The formation of the DS-SRC responds directly to statements made by FTC commissioners, bureau directors, and senior staff over the years, and should be viewed as a very positive step for an industry that is frequently the subject of regulatory attention.  Expect greater self-regulatory focus on income misrepresentations and lavish lifestyle claims in the months ahead, with the objective of promoting truthful and accurate advertising among direct selling companies and, in turn, raising the credibility of the industry.

43 State Attorneys General and the District of Columbia announced yesterday a settlement with Neiman Marcus Group LLC resolving the states’ investigation into the company’s 2013 data breach and its security practices. Over a three-month period in 2013, a breach of the Dallas-based retailer exposed customer credit card data at 77 Neiman Marcus stores nationwide. The data breach, discovered in 2014, resulted in access to over 370,000 Neiman Marcus credit cards, at least 9,200 of which the states alleged were used fraudulently.

In addition to a monetary settlement of $1.5 million, Neiman Marcus has agreed to implement a number of security-related injunctive terms, including:

  • Complying with Payment Card Industry Data Security Standard (PCI DSS) requirements;
  • Maintaining an appropriate system to collect and monitor its network activity, and ensuring logs are regularly reviewed and monitored;
  • Maintaining working agreements with two separate, qualified Payment Card Industry forensic investigators;
  • Updating all software associated with maintaining and safeguarding personal information, and creating written plans for replacement or maintenance of software that is reaching its end-of-life or end-of-support date;
  • Implementing appropriate steps to review industry-accepted payment security technologies relevant to the company’s business; and
  • Devaluing payment card information, using technologies like encryption and tokenization, to obscure payment card data.

Neiman Marcus must also obtain an information security assessment and report from a qualified third-party professional and detail any corrective actions that it takes. The full settlement report is available here.

This settlement follows another multistate resolution with Adobe (here), highlighting the interest and monitoring by State Attorneys General on companies’ data security programs and steps taken to prevent, detect, and remediate data breaches. This most recent case is a good reminder to take steps to make sure you have an appropriate data security program in place, and that your records meaningfully reflect the comprehensive steps taken to address cyber incidents that may arise.

While many today returned to work after the Holiday season, things remained quieter than usual here in the nation’s capital – with many federal workers furloughed until further notice as the federal government continues to be in a partial shutdown.  President Trump is reportedly meeting with congressional leaders today ahead of Thursday’s start to a new congressional session but, at least for now, there’s no immediate end to the shutdown in sight.

Here’s how the shutdown is affecting federal agencies responsible for overseeing and enforcing advertising and privacy laws:

  • The FTC closed as of midnight December 28, 2018.  All events are postponed and website information and social media will not be updated until further notice.  While some FTC online services are available, others are not.  More information here.
  • The CPSC is also closed, although a December 18, 2018 CPSC memorandum summarizing shutdown procedures indicates that certain employees “necessary to protect against imminent threats to human safety” will be excepted employees and continue work during the shutdown.  The CPSC consumer hotline also continues to operate. Companies should remember that obligations to report potential safety hazards are not furloughed, so the mantra of “when in doubt, report” still applies, even if public announcement of a recall may be delayed.
  • Roughly 40% of FDA is furloughed according to numbers released by its parent agency, the Department of Health and Human Services.  In a post on its website, the agency explained that it will be continuing vital activities, to the extent permitted by law, including monitoring for and responding to public health issues related to the food and medical product supply.  The agency is also continuing work on activities funded by carryover user fee balances, although it is unable to accept any regulatory submissions for FY 2019 that require a fee payment.
  • Because the CFPB is funded through the Federal Reserve and not Congress, it remains in operation.

California Attorney General Xavier Becerra announced yesterday that the California Department of Justice will hold a series of six public forums on the California Consumer Privacy Act (CCPA).  The hearings will take place during January and February of this year and will give the public an initial opportunity to comment on the requirements set forth by the CCPA and the regulations the Attorney General must adopt on or before July 1, 2020.

The CCPA was passed in June of this year, and gives California residents specific privacy rights related to their online activities. Starting January 1, 2020, businesses will be required to comply with a number of provisions including requirements to disclose data collection and sharing practices to consumers, grant consumers a right to request deletion of their data, grant consumers a right to opt out of the sale of their personal information, and a prohibition on selling personal information of consumers under the age of 16 without explicit consent.

The CCPA requires the Attorney General to “solicit broad public participation” and adopt regulations regarding issues such as the definition of personal information, considering changes in technology and data collection practices, procedures for how a consumer can submit a request to opt out of the sale of his or her personal information, and procedures for businesses to determine whether a consumer’s request for information is verifiable.

The Attorney General’s announcement is particularly important because CCPA enforcement will not begin until six months after the promulgation of these regulations, or July 1, 2020, whichever is sooner.  These public forums indicate that Attorney General Becerra’s office is taking steps to adopt these rules, meaning CCPA enforcement may come sooner rather than later.

These hearings will serve as the first public forum in which businesses and members of the public can voice their thoughts or concerns about the required regulations. Members of the public who would like to speak at the forums can, but are not required to, register online. Comments may also be submitted via mail or email. A full schedule of the forums can be found here.

Kelley Drye is happy to assist if your business is considering whether to submit comments concerning the CCPA regulations or enforcement.  These forums present a critical opportunity for any stakeholder interested in California privacy law and enforcement to have their voices heard.  For more information on the CCPA and how it may affect your business, please visit our past blog posts here and here.