The FTC’s “Hey Nineteen” blog post caught our attention this past week, and not just for its witty title. One of those reasons is the reference to continued interest in “Made in USA” claims.  As we’ve written about here, “Made in America” has been a frequent enforcement target in recent years and 2018 generally continued this trend.  Here’s how it stacked up:

The FTC completed 25 investigations, settling four enforcement actions and issuing 21 closing letters.

Similarly, in 2017 the FTC settled two enforcement actions and issued 22 closing letters. All indications are that these trends will continue in 2019.

So what can companies do to avoid being the subject of an upcoming FTC Business Center blog post? Here are some tips:

Tip #1: Audit Inventory Management Systems and Processes

Mistakes can launch FTC investigations, as one company learned this past year.

In response to inquiries from the FTC, Prime-Line Products Company, a maker of corner shields, stated that after depleting its inventory of US-made corner shields, it substituted identical imported corner shields. Then, apparently inadvertently, the company continued to apply the “Made in USA” label.

Eventually, the FTC closed its investigation without bringing an enforcement action against the company. But the case serves as a reminder to companies employing the “Made in USA” label to closely manage inventory.  If only a percentage of supply is sourced to the US, companies should create internal processes to avoid mislabeling inventory.

Of course, inventory management can become challenging, especially when working with multiple dealers, distributors, or resellers that may not be familiar with inventory changes. Companies should proactively develop a compliance plan to ensure marketing remains accurate in all sales channels.

Tip #2: Train Employees

Employees, from marketing and sales to the warehouse floor, are the first line of defense against false “Made in USA” claims. Employees should be aware of when “Made in USA” claims may be made, and should be trained on processes for alerting management if they observe any inadvertent errors.

As detailed in multiple closing letters, companies targeted by FTC investigations told the FTC that they would retrain staff on proper, non-deceptive claims. This common-sense approach is advisable for all companies.  All training materials should conform to the standards laid out by the FTC in its Complying with the Made in USA Standard guidance, but should also be practical and easy-to-use.  Checklists, webinars, and workplace posters are good options for educating a company’s workforce.

Tip #3: Qualify Advertising Claims

Last year’s cases show that investigations skewed toward plain, unqualified “Made in USA” claims. Qualified claims, which provide more detail about a component made domestically or process that occurred domestically, may take up more space or obscure a company’s marketing message.  Nevertheless, when it comes to “Made in USA” labeling, accuracy counts.

In one example from the last year, The Gillette Company, LLC, was the target of an FTC inquiry due to its “Boston Made Since 1901” advertising. The FTC closed its investigation, but the example is instructive.  Gillette has deep roots in Boston and sought to use this information in an advertisement.  But without a qualification, the FTC viewed the advertisement as asserting that all of Gillette’s products are made in the US.  Gillette stated that it would re-focus its advertising campaign to highlight its Boston-based employees and manufacturing and the FTC closed the matter.

Tip #4: Size Doesn’t Matter

When it comes to enforcement of the “Made in USA” standards, there is no safe harbor for small businesses. Companies large and small were the target of investigations in 2018.

That included large companies, like Hallmark Cards, Incorporated, and IKEA Purchasing Services (US), Inc. The FTC closed investigations into each of these companies via a closing letter, without further action.

Meanwhile, the FTC’s major enforcement actions of the year were primarily against small or mid-size companies. Underground Sports Inc. d/b/a Patriot Puck imported just 400,000 hockey pucks since January 2016, but faced a significant enforcement action.  Notably, American-made claims featured prominently in these companies’ advertising.  Indeed, their conduct was so objectionable, that following announcement of these settlements, discussion has arisen regarding monetary penalties for false “Made in USA” claims.

Tip #5: Act Now!  Financial Penalties May Be Coming

FTC commissioners are very publicly debating the merits of imposing financial penalties for false “Made in USA” claims.

A leading advocate has been Commissioner Rohit Chopra, who argued in a dissent that settlements have been too lenient and are not deterring similar conduct.  But, as reported in December in this blog, Chairman Joseph Simons too is focused on the potential need to impose monetary relief.  At a hearing before the Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, Simons said, “Now we’re exploring whether we can find a good case that would be appropriate for monetary relief to serve as an additional deterrent.”

Given the political interest in increasing the penalties for false claims, companies may want to (make and actually stick to) a New Year’s resolution to make sure their “Made in USA” claims are substantiated. If you’re new to this area or need a refresher, check out our webinar and materials here.

In the Data Business? You May Be Obligated to Register in Vermont by Thursday

Data brokers have until this Thursday to register with the Vermont Secretary of State as part of a new data broker oversight law that became effective January 1st.

Approved unanimously by the Vermont Senate last May, the Vermont Data Broker Regulation, Act 171 of 2018, requires data brokers to register annually, pay an annual filing fee of $100, and maintain minimum data security standards, but the law does not prevent data brokers from collecting or selling consumer data.

What Qualifies as a “Data Broker”?

The law only applies to “data broker[s],” defined as a “business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.” Continue Reading In the Data Business? You May Be Obligated to Register in Vermont by Thursday

As we noted previously, the California Attorney General is holding a series of public forums on the California Consumer Privacy Act (CCPA) to provide the public with an initial opportunity to comment on CCPA requirements and the corresponding regulations that the Attorney General must adopt on or before July 1, 2020.  On Friday, January 25, 2019, the Attorney General’s Office held its fourth of six hearings before a full auditorium in Los Angeles.  This blog post summarizes the main themes discussed at the hearing.

Timing/Scope:  For businesses hoping for CCPA clarity and guidance soon, that seems unlikely. California Deputy Attorney General Lisa Kim initiated the hearing, emphasizing that the Attorney General’s Office was in the beginning of its rulemaking process and noting that she anticipated the formal review process not to start until Fall 2019.  For now, the Attorney General’s Office encouraged interested parties to submit comments by the end of February, focusing on subjects within the scope of the Attorney General’s rulemaking responsibilities, as set forth in the CCPA, including:

  • Categories of Personal Information
  • Definition of Unique Identifiers
  • CCPA Exemptions
  • Submitting and Complying with Consumer Requests
  • Uniform Opt-Out Logo/Button
  • Notices and Information to Consumers, including Financial Incentive Offerings
  • Certification of Consumers’ Requests

During the hearing, the Attorney General’s Office displayed this PowerPoint deck, summarizing the CCPA regulatory process.

Main Themes

Continue Reading California Privacy Update: What We Heard at Friday’s CCPA Hearing

On Monday, France’s Data Protection Agency announced that it levied a €50 million ($56.8 million) fine against Google for violating the EU’s new General Data Protection Regulation (GDPR).  The precedent-setting fine by the Commission Nationale de l’Informatique et des Libertés (“CNIL”) is the highest yet imposed since the new law took effect in May 2018.

How Does Google Violate GDPR, According to CNIL?

  • Lack of Transparency: GDPR Articles 12-13 require a data controller to provide data subjects with transparent, intelligible, and easily accessible information relating to the scope and purpose of the personal data processing, and the lawful basis for such processing. CNIL asserts that Google fails to meet the required level of transparency based on the following:
    • Information is not intelligible: Google’s description of its personal data processing and associated personal data categories is “too generic and vague.”
    • Information is not easily accessible: Data subjects must access multiple Google documents or pages and take a number of distinct actions (“5 or 6”) to obtain complete information on the personal data that Google collects for personalization purposes and geo-tracking.
    • Lawful basis for processing is unclear: Data subjects may mistakenly view the legal basis for processing by Google as legitimate interests (that does not require consent) rather than individual consent.
    • Data retention period is not specified: Google fails to provide information on the period that it retains certain personal data.
  • Invalid Consent: Per GDPR Articles 5-7, a data controller relying on consent as the lawful basis for processing of personal data must be able to demonstrate that consent by a data subject is informed, specified, and unambiguous. CNIL claims that Google fails to capture valid consent from data subjects as follows:
    • Consent is not “informed”: Google’s data processing description for its advertising personalization services is diluted across several documents and does not clearly describe the scope of processing across multiple Google services, the amount of data processed, and the manner in which the data is combined.
    • Consent is not unambiguous: Consent for advertising personalization appears as pre-checked boxes.
    • Consent is not specific: Consent across all Google services is captured via consent to the Google Terms of Services and Privacy Policy rather than a user providing distinct consent for each Google personal data use case.

What Does This Mean for Other Companies?

Continue Reading C’est la vie? French Regulator Fines Google Nearly $57 million for GDPR Non-compliance

While many today returned to work after the Holiday season, things remained quieter than usual here in the nation’s capital – with many federal workers furloughed until further notice as the federal government continues to be in a partial shutdown.  President Trump is reportedly meeting with congressional leaders today ahead of Thursday’s start to a new congressional session but, at least for now, there’s no immediate end to the shutdown in sight.

Here’s how the shutdown is affecting federal agencies responsible for overseeing and enforcing advertising and privacy laws:

  • The FTC closed as of midnight December 28, 2018.  All events are postponed and website information and social media will not be updated until further notice.  While some FTC online services are available, others are not.  More information here.
  • The CPSC is also closed, although a December 18, 2018 CPSC memorandum summarizing shutdown procedures indicates that certain employees “necessary to protect against imminent threats to human safety” will be excepted employees and continue work during the shutdown.  The CPSC consumer hotline also continues to operate. Companies should remember that obligations to report potential safety hazards are not furloughed, so the mantra of “when in doubt, report” still applies, even if public announcement of a recall may be delayed.
  • Roughly 40% of FDA is furloughed according to numbers released by its parent agency, the Department of Health and Human Services.  In a post on its website, the agency explained that it will be continuing vital activities, to the extent permitted by law, including monitoring for and responding to public health issues related to the food and medical product supply.  The agency is also continuing work on activities funded by carryover user fee balances, although it is unable to accept any regulatory submissions for FY 2019 that require a fee payment.
  • Because the CFPB is funded through the Federal Reserve and not Congress, it remains in operation.

Just when you think you’ve tackled the Wild, Wild West of GDPR and privacy compliance, California decides to mix it all up again.

This November 6th, California voters will decide on the California Consumer Privacy Act (“Act”), a statewide ballot proposition intended to give California consumers more “rights” with respect to personal information (“PII”) collected from or about them.  Much like CalOPPA, California’s Do-Not-Track and Shine the Light laws, the Act will have broader consequences for companies operating nationwide.

The Act provides certain consumer “rights” and requires companies to disclose the categories of PII collected, and identify with whom the PII is shared or sold. It also includes a right to prevent the sale of PII to third parties, and imposes requirements on businesses to safeguard PII.  If passed, the Act would take effect on November 7, 2018, but would apply to PII collected or sold by a business on or after nine (9) months from the effective date – i.e., on August 7, 2019.

Who is Covered?

The Act is intended to cover businesses that earn $50 million a year in revenue, or businesses that “sell” PII either by (1) selling 100,000 consumer’s records each year, or (2) deriving 50% of their annual revenue by selling PII. These categories of businesses must comply if they collect or sell Californians’ PII, regardless of whether they are located in California, a different state, or even a different country. Continue Reading SADDLE UP AMERICA: California Aims to Pass its Own GDPR Law

Florida attorney general Pam Bondi filed a complaint last week against Icebox Cafe, L.C. alleging that the restaurant violated Florida’s Deceptive and Unfair Trade Practices Act by making misleading claims that its food products were “locally-sourced” and “sustainable.”  The defendant operates a self-proclaimed “farm-to-table” restaurant in Miami Beach, along with select locations at airports.

According to the complaint, Icebox sought to capitalize on the market for locally sourced and sustainable food products by making false and misleading claims.  For example, the Icebox Miami airport location claimed that its menu items were “farm-to-terminal” and “local,” but the company’s invoices indicate that almost none of the products were sourced from local farms and distributors, according to the action.  The complaint also alleges that defendant’s menus contained representations that its products were from specific local farms and distributors, but its invoices again belied this assertion.

The complaint additionally identifies allegedly misleading claims about “wild” salmon and other fish that had been purportedly caught the same day it was sold to consumers.  While the complaint doesn’t address the substantiation that the advertiser would have needed to support these claims, general advertising law principles require advertisers to have a reasonable basis to support such claims.  The Florida AG points to Icebox’s invoices as evidence that the defendant lacked such a basis and could not support the claims.

The action is an important reminder that advertisers must consider how consumers are likely to interpret “locally sourced” and “sustainable” claims and ensure that they have substantiation to support those takeaways before making the claims.  Unlike many claims for food products that are expressly defined by federal and/or state law, claims about local sourcing and sustainability are not generally defined.  The action here, therefore, reinforces the need to consider substantiation both for claims subject to explicit standards and claims related to undefined terms that may be subject to varying interpretations by different consumers.

In this case, the complaint suggests that the defendant’s invoices demonstrate that the claims were outright false, but one could imagine an instance where some consumers might consider the food sufficiently “local” and others might view the claim as deceptive.  For example, is fish sold in Miami but harvested in north Florida “local”?  What makes a product “sustainable”?  Consumer perception evidence could be useful in these closer calls.  It will be interesting to see whether the terms of any settlement effectively set a new standard for these terms in Florida.  Until then, the lesson for advertisers everywhere is to be precise when using such undefined but attractive language.

 

The FTC today filed a complaint against Lending Club alleging that it deceived consumers by advertising loans with “no hidden fees” and subsequently concealing substantial loan origination fees.  The complaint points to consumer complaints and internal compliance documents as evidence that Lending Club knew that consumers were being misled and continued to misrepresent the loans anyway.

The complaint charges four distinct violations:

  • Deception regarding up-front fees.  While advertising loans with “no hidden fees,” the Commission alleged that Lending Club actually charged substantial loan origination fees (on average, about 5% of the loan amount) and failed to clearly and conspicuously disclose those fees – both in advertising and throughout the application and approval process.  The complaint provides screenshots of the consumer experience from advertisement to sign-up to approval.  In both the desktop and mobile environment, the FTC charged that consumers were deceived because they would need to do either of the following to learn about the fee: (1) hover over a hyperlink explaining advertised APR to learn that the represented rate includes the loan origination fee; or (2) scroll to the bottom of the loan approval page and notice the fee disclosure embedded in the middle of a text heavy page.  The FTC cited frequent consumer complaints and internal compliance documents referencing potential deception to argue that Lending Club knew it was deceiving consumers and decided to continue its practices anyway.
  • Deception regarding loan approval.  The complaint also alleges that Lending Club made deceptive representations that loans were “on the way” or were “100% backed,” notwithstanding that it knew that a more significant approval step had yet to be completed and many consumers would not ultimately obtain the allegedly approved loans.  According to the complaint, Lending Club uses a two-step “front-end” and “back-end” approval process and misleadingly suggested that consumers were approved after just the first step, despite knowing many consumers would be rejected after the “back-end” step.
  • Unfair billing practices.  The complaint also alleges that Lending Club engaged in unfair acts by withdrawing money from consumers’ bank accounts without authorization, or in amounts in excess from consumers’ authorizations.  Many of these unauthorized charges occurred after consumers had already paid off their loans with Lending Club, according to the complaint.
  • Gramm-Leach-Bliley Act (GLBA) violations.  Lastly, the complaint alleges that Lending Club violated GLBA by failing to deliver initial privacy notices to consumers as required under GLBA and FTC and CFPB implementing regulations.  The complaint explains that Lending Club was subject to GLBA because it is a financial institution under the Act in that it services loans, notwithstanding that the loans are actually made by a third-party bank.  The GLBA allegations are a good reminder that the definition of “financial institution” under GLBA is a tricky one that is distinct from similar definitions under other statutes.

The complaint was filed without a consent judgment in federal court in the Northern District of California, and was approved by both remaining Commissioners, Chair Ohlhausen and Commissioner McSweeny.  McSweeny recently announced that she will leave the Commission at the end of this week on April 27.  Five new Commissioners nominated by President Trump are presently awaiting a full Senate confirmation vote.

Last Friday, the CPSC voted to sue Britax Child Safety, Inc. to force the company to recall various models of single and double B.O.B. jogging strollers. The one-count administrative complaint alleges that the strollers present a substantial product hazard under Section 15(a)(2) of the Consumer Product Safety Act because they contain a product defect that presents a substantial risk of injury to the public.

The CPSC claims that the three-wheel strollers’ quick release mechanism can fail to secure the front wheel to the fork, allowing that front wheel to detach during use. Furthermore, due to the design of the stroller, consumers are allegedly likely to believe that the wheel is secured when it is not. The CPSC states that it has received over 200 reports of incidents since January 2012 – 97 of which resulted in injuries, some severe, to 50 children and 47 adults. In a press release on the B.O.B. website, Britax counters that the strollers are safe when used as instructed and do not contain a defect. The company points out that the QR mechanism is “widely-used” in bicycles and strollers, and front wheel detachments only occur when wheels are installed improperly – and contrary to available written and video instructions.

The complaint requests a finding that the strollers present a “substantial product hazard” under the CPSA and an order Britax that implement a corrective action plan that includes initiating a stop-sale, notifying consumers and the public of the recall, and providing a remedy. The Commissioners voted to approve the complaint along party lines, with Acting Chairman Ann Marie Buerkle opposing the filing. As we have previously reported, the Commission’s priorities could shift if she and Republican nominee Dana Baiocco are confirmed.

Under the CPSA, manufacturers, distributors, and retailers have an obligation to report to the CPSC as soon as they obtain information that reasonably supports the conclusion that a consumer product contains a defect that could create a substantial product hazard, or creates an unreasonable risk of serious injury or death. The CPSC takes this reporting obligation very seriously, and staff do not hesitate to reach out to companies after receiving a number of consumer complaints related to a single consumer product (or set of products).

The FDA & FTC today posted warning letters to 11 marketers and distributors of opioid cessation products, alleging that such products were unapproved new drugs that violated the Federal Food, Drug and Cosmetic Act (FDCA) and that made unsubstantiated, deceptive claims in violation of the FTC Act.  In addition to the 11 joint warning letters issued to named marketers and distributors, the FTC issued four additional warning letters to unidentified marketers of similar products.  It is not clear why these four marketers were not identified by name or targeted by FDA, although it is possible that they used less egregious claims than those targeted in the 11 joint warning letters.

As to issues under the FDCA, the warning letters allege that the identified products are unapproved new drugs because they are intended to diagnose, cure, mitigate, treat, or prevent disease.  The warning letters identify representative claims that render the products “drugs” under the FDCA, including:

  • “For temporary relief of cravings, irritability, and inability to concentrate related to the use and over-use of. . .  alcohol and narcotics”;
  • “Support withdrawal relief, effective detox, and lasting recovery from addiction”; and
  • “Opiate withdrawal aid supplement.”

Because the products are not generally recognized as safe and effective for these marketed “drug” uses, the products constitute unapproved new drugs that violate the FDCA, according to the warning letters.  The warning letters further provide that the products are marketed for treatments that are not amenable to self-diagnosis or treatment without the supervision of a licensed practitioner, and thus would be prescription drugs even if they were recognized as a safe and effective treatment for opiate withdrawal.

Two warning letters targeted products labeled as “homeopathic” under FDA enforcement policies set forth in FDA’s Compliance Policy Guide (CPG), “Conditions Under Which Homeopathic Drugs May be Marketed.”  While that policy suggests that FDA will exercise enforcement discretion as to certain drug products labeled as “homeopathic” and marketed without FDA approval, the letters state that the CPG acknowledges that special circumstances may apply that supersede that policy.  According to the warning letters, the nationwide public health emergency relating to opioid addiction is one such circumstance and thus the enforcement policy does not apply to drugs marketed for opiate addiction.  In December 2017, FDA released a draft guidance that proposed a new risk-based enforcement approach to homeopathic drug products marketed without FDA approval that would prioritize regulation and enforcement for products that pose the greatest risk to patients.

As to the FTC Act violations, the warning letters note that health-related claims must be supported by competent and reliable scientific evidence at the time the claims are made.  The warning letters point to previous FTC enforcement actions challenging unsupported claims for the treatment of opiate addiction and withdrawal symptoms as evidence that such claims are likely unsubstantiated under the FTC Act.

The warning letters request unique responses to both FTC and FDA within 15 working days and direct the marketers and distributors to explain the steps they are taking to address both FDA and FTC-related concerns.