Federal & State Regulatory

The current and future definition of what qualifies as an automatic telephone dialing system (ATDS or autodialer) remains a hotly debated and evaluated issue for every company placing calls and texts, or designing dialer technology, as well as the litigants and jurists already mired in litigation under the Telephone Consumer Protection Act (TCPA).  Last year, the D.C. Circuit struck down the FCC’s ATDS definition in ACA International v. FCC, Case No. 15-1211 (D.C. Cir. 2019).  Courts since have diverged in approaches on interpreting the ATDS term.  See, e.g., prior discussions of Marks and Dominguez.  All eyes thus remain fixed on the FCC for clarification.

In this post, we revisit the relevant details of the Court’s decision in ACA International, and prior statements of FCC Chairman Ajit Pai concerning the ATDS definition to assess how history may be a guide to how the FCC approaches this issue.


With the Illinois Supreme Court’s recent decision in Rosenbach v. Six Flags Entertainment Corp., the floodgates have opened for class actions in Illinois against businesses that collect biometric information from employees or customers.  In Rosenbach, the Illinois Supreme Court decided that alleged procedural violations of Illinois’s Biometric Information Privacy Act (“BIPA”) are enough, without alleging actual injury to an individual, to bring an action under the law. While the particular details of that decision can be relevant to specific situations, if your company currently is collecting biometric information from customers or employees, or considering doing so in the near future, you need to know what to do now in light of this new ruling.

If your company has been collecting biometric data:

  • Conduct a rapid internal audit to determine how your company, or any agent or contractor you hire, is using biometric data for any reason (e.g., security for facilities or devices, time clock or other employment verification, or marketing to consumers).
  • Once you understand the scope of biometric data collection, implement BIPA’s requirements, which include: (1) informing an individual that his or her biometric information is being collected or stored; (2) informing the individual of the purpose for the collection, storage, or use and how long such information will be collected, stored, or used; and (3) receiving a written release from the individual to collect the information.

Since the Rosenbach ruling, we have seen a rapid increase in the number of BIPA class action lawsuits filed.  If your company is currently facing a lawsuit over an alleged BIPA violation, consider taking the following steps:

  • Remove the case to federal court.  Based on Supreme Court precedent and a recent decision from an Illinois federal court, defendants facing these class actions may be able to challenge a plaintiff’s standing to bring suit based solely on a procedural violation of the statute where no actual harm has occurred.
  • Identify sources of either express or implied consent for the collection of biometric information.  For example, employees may have received notice from an employee handbook about collection of their biometric data.
  • Assert class action defenses related to typicality and commonality. Typicality is meant to ensure that the named plaintiff’s claims have the same essential characteristics as the claims of the entire class. If proof of the named plaintiff’s claims would not necessarily prove all of the proposed class members’ claims, plaintiff fails the typicality requirement.  Commonality requires plaintiffs to demonstrate that the class members have suffered the same injury, meaning that they were affected by the same violation of the same statute. This emphasis on dissimilarities between plaintiffs will illustrate whether there are any class-wide commonalities.

Finally, companies considering biometric data collection in Illinois should:

  • Prepare explicit disclosures and documents for written consent to collect as required by the BIPA.
  • Determine whether collection of biometric data is truly necessary for the business, given the strict requirements of the BIPA and increase in the number of lawsuits. If this data is necessary, collect as little as possible and consider whether it can be captured and not retained.
  • Avoid collection of biometric data in Illinois. Some companies have begun altering their behavior in Illinois to adhere to the law. For example, Nest, a maker of smart thermostats and doorbells, sells a doorbell with a camera that can recognize visitors by their faces. However, Nest does not offer that feature in Illinois because of the BIPA.
  • Keep an eye on legislative developments. Many other states have considered biometric privacy legislation over the years, but only Texas (in 2009) and Washington (in 2017) have passed such laws. But that may change soon.  In the first few weeks of 2019 alone, legislators have already introduced new bills in Arizona, Connecticut, New Hampshire, New Mexico, New York, Oregon, and Washington. These initiatives have the potential to introduce a conflicting national patchwork of regulations.
  • In Illinois, there is currently a bill (SB3053) pending before the Illinois legislature to amend the BIPA. The bill proposes to exempt private entities from the BIPA’s requirements under a number of circumstances, including (1) if the biometric information is used “exclusively for employment, human resources, fraud prevention, or security purposes,” (2) if the company “does not sell, lease, trade or similarly profit” from the biometric information, or (3) if the company protects biometric information at least as securely as it secures other sensitive information.

If you have additional questions or need assistance, please contact:

Randall Lehner
(312) 857-7238
rlehner@kelleydrye.com

Janine Fletcher-Thomas
(312) 857-2507
jfletcher@kelleydrye.com

Last week, five advertising and marketing trade associations jointly filed comments with the California Attorney General seeking clarification on provisions within the California Consumer Privacy Act (CCPA).

While expressing “strong support” for the CCPA’s intent, and noting the online ad industry’s longstanding consumer privacy efforts like the DAA’s YourAdChoices Program, the group proposed the following three clarifications relating to CCPA provisions that, unless modified, the group believes could reduce consumer choice and privacy:

  • Notice relating to a sale of consumer data: A company’s written assurance of CCPA compliance should satisfy the requirement to provide a consumer with “explicit notice” (under 1798.115(d)) when a company sells a consumer’s personal data that the company did not receive directly from such consumer.
  • Partial opt-out from the sale of consumer data: When responding to a consumer’s request to opt out of the sale of personal data, companies can present consumers with choices on the types of “sales” from which to opt-out, the types of data to be deleted, or whether to opt out completely, rather than simply offering an all or nothing opt-out.
  • No individualized privacy policies: Businesses should not be required to create individualized privacy policies for each consumer to satisfy the requirement that a privacy policy disclose to consumers the specific pieces of personal data the business has collected about them.

The associations signing on to the comments include the Association of National Advertisers, American Advertising Federation, Interactive Advertising Bureau, American Association of Advertising Agencies, and the Network Advertising Initiative. The comments represent an “initial” submission intended to raise the proposals above and, more broadly, highlight to the California AG the importance of the online-ad supported ecosystem and its impact on the economy.  The associations plan to submit more detailed comments in the coming weeks.

The comments coincide with a series of public forums that the California AG is hosting to provide interested parties with an initial opportunity to comment on CCPA requirements and the corresponding regulations that the Attorney General must adopt on or before July 1, 2020.

 

In the Data Business? You May Be Obligated to Register in Vermont by Thursday

Data brokers have until this Thursday to register with the Vermont Secretary of State as part of a new data broker oversight law that became effective January 1st.

Approved unanimously by the Vermont Senate last May, the Vermont Data Broker Regulation, Act 171 of 2018, requires data brokers to register annually, pay an annual filing fee of $100, and maintain minimum data security standards, but the law does not prevent data brokers from collecting or selling consumer data.

What Qualifies as a “Data Broker”?

The law only applies to “data broker[s],” defined as a “business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship.”

On January 10, 2019, Massachusetts Governor Charlie Baker signed into law the Massachusetts’s Data Breach Notification Act, which amends Massachusetts data breach reporting laws. The new law, available here, amends the timing and content of individual and regulator data breach notifications, and provides for credit monitoring services when social security numbers may have been compromised.

Key updates to the state’s data breach notification laws include the following:

  • Free Credit Monitoring: Following breaches involving Social Security numbers, entities must “contract with a third party to provide” free credit monitoring services to impacted Massachusetts residents at no cost for at least 18 months (42 months, if the company is a consumer reporting agency), and provide consumers with instructions on how to access these services.
  • No Mandatory Arbitration Clauses: Companies are prohibited from asking individuals to waive their right to a private action as a condition for receiving credit monitoring services.
  • Additional Required Information for the Breach Notice: The required notice to consumers, the Massachusetts Attorney General, and the Office of Consumer Affairs and Business Regulation already provided for under current Massachusetts law must now also include additional information such as the name and address of the person that experienced the breach of security, the person responsible for the breach, if known, and the type of personal information compromised. Entities are also required to submit to regulators a sample of the notification letters that they send to consumers, which will be posted online.
  • Notice Timing: An entity may not delay notice to affected individuals on the grounds that it has not determined the total number of individuals affected. Rather, the entity must send out additional notices on a rolling basis, as necessary.
  • Disclosure of Parent/Affiliate Company: If the company experiencing a breach is owned by a separate entity, the individual notice letter must specify “the name of the parent or affiliated corporation.”

Under Massachusetts data security regulations (201 CMR § 17.03), any entity that owns or licenses personal information about a Massachusetts resident is currently obligated to develop, implement, and maintain a comprehensive written information security program that incorporates the prescriptive requirements contained in the regulation.

The Massachusetts’s Data Breach Notification Act will take effect on April 11, 2019. This is a good opportunity for businesses to update their data breach notification related policies and procedures to ensure that they are in compliance with all state requirements. We will continue to track any updates to state breach notification statutes and post on this blog.

The California Food, Drug, and Medical Device Task Force announced a settlement this week with Goop, the lifestyle brand founded by Gwyneth Paltrow, which we’ve written about here and here. The complaint alleges that Goop made false and misleading representations regarding the effects or attributes of three products—the Jade Egg, Rose Quartz Egg, and Inner Judge Flower Essence Blend. According to the complaint, Goop advertised that the Jade and Rose Quartz Eggs—egg-shaped stones designed to be inserted vaginally and left in for various lengths of time—as well as the Inner Judge Flower Essence Blend could balance hormones, prevent uterine prolapse, increase bladder control and prevent depression. The complaint also alleges that none of Goop’s claims regarding these products were supported by competent or reliable scientific evidence.

The stipulated judgment prohibits Goop from (1) making any claims regarding the efficacy or effects of any of its products without possessing competent and reliable scientific evidence that substantiates the claims; and (2) manufacturing or selling any misbranded, unapproved, or falsely advertised medical devices. In addition, Goop agreed to pay $145,000 in civil penalties and will provide refunds to consumers who purchased the products during 2017.

Goop responded, in part, as follows: “Goop provides a forum for practitioners to present their views and experiences with various products like the Jade Egg. The law, though, sometimes views statements like this as advertising claims, which are subject to various legal requirements.”

Yep. True story. Here are a few other lessons:

  • When made on a site promoting sale of a product, statements by practitioners or other testimonialists about the benefits of that product are advertising (not sometimes, always) and can never be used to support claims that are not otherwise supported by competent and reliable scientific evidence.
  • Competent and reliable scientific evidence is a flexible standard. For health claims, though, it frequently requires well-designed clinical tests. Simply put, the standard isn’t whether there is any evidence; it is whether there is credible evidence that experts in the field would agree is reliable.
  • Fanciful claims that do not rise to the level of disease prevention aren’t necessarily puffery either. Advertisers need to clearly understand when they are making objectively provable claims and have an obligation to substantiate them before dissemination.
  • Products that feature claims of disease treatment or reduction may be classified as medical devices or drugs and may be subject to FDA clearance or approval prior to marketing.

Goop claims to have modified its claims to comply with the settlement. Notably, the Jade Egg remains available. We’ll let you decide what to do with that.

Yesterday, the California legislature passed SB-327, a bill intended to regulate the security of internet-connected devices.  Unlike the California Consumer Privacy Act (CCPA), SB-327 is significantly narrower.  As enacted, the bill is a “lighter” version of what was first introduced and amended in 2017 (which, at that time, would have included certain disclosure and consent requirements for connected devices).

At its core, SB-327 requires connected devices to be equipped with “reasonable security features” that are:

  1. appropriate to the nature and function of the device;
  2. appropriate to the information it may collect, contain, or transmit; and
  3. designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.

Subject to the above, if a connected device is equipped with a means for authentication outside a local area network, this is considered a “reasonable security feature” if either: (a) the preprogrammed password is unique to each device manufactured; or (b) the device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time. These requirements, of course, are in addition to any duties or obligations imposed under other laws (i.e., CCPA).

The term “connected device” is defined as “any device, or other physical object that is capable of connecting to the Internet, directly or indirectly, and that is assigned an Internet Protocol address or Bluetooth address.” Pretty much every device connected to the Internet is assigned either an IP address or Bluetooth address when it is connected. This can include, for example, anything from computers, tablets, and mobile devices, to smart watches, smart home hubs, or app-controlled toys.

The bill does not provide a private right of action. Only the Attorney General, a city attorney, a county counsel, or a district attorney can enforce the law, and the bill does not address (either directly or by implication) any specific penalties or remedies that may be sought by these entities. However, it’s possible that we will see the requirement to implement reasonable security measures asserted as a basis for a legal duty in conjunction with other claims (either by the AG or consumers).

The bill was ordered to engrossing and enrolling. If signed by Governor Brown, the law would become effective on January 1, 2020 (same day as the CCPA).

As we enter the dog days of summer, the FCC continues to turn up the heat on equipment marketing enforcement. But while million dollar fines for marketing noncompliant devices capture the spotlight, the FCC also quietly issued a number of equipment marketing actions focused on a single type of device: LED signs. In just the last three months, the FCC has settled over ten investigations involving the marketing of LED signs used in digital billboards for commercial and industrial applications without the required authorizations, labeling, or user manual disclosures. Each action involved an entity that either manufactured or sold (or both) LED signs. The agency’s recent actions should be a shot across the bow to any retailer of LED signs to ensure that their devices are properly tested and authorized prior to sale. Otherwise, these companies may face significant fines and warehouses of unmarketable devices.

Most consumers might not think that LED signs fall within the FCC’s jurisdiction. However, the signs emit radio waves that can interfere with communications services. As a result, the FCC requires most LED signs and other “unintentional” radiators to be tested for compliance with its technical requirements prior to marketing. Importantly, the FCC’s rules prohibit the marketing of such devices unless they have been properly authorized, labeled, and carry the required disclosures. Even with the FCC’s recent efforts at simplification, the rules regarding equipment marketing are complex, requiring close attention to compliance at every step in the supply chain.

Kelley Drye introduces a new Full Spectrum series, “Inside the TCPA,” which will offer a deeper focus on TCPA issues and petitions pending before the FCC. Each episode will tackle a single TCPA topic or petition that is in the news or affecting cases around the country. In this inaugural episode, partner Steve Augustino and associate Jenny Wainwright discuss the definition of an autodialer or ATDS. This episode addresses the 2018 D.C. Circuit decision in ACA International and the FCC’s new proceeding to examine the definition. With initial comments filed on June 13th, Steve and Jenny analyze the principal arguments made by commenters and discuss whether Congress will weigh in on the matter. To listen to this episode, please click here.*

Future episodes of “Inside the TCPA” will tackle reassigned numbers, consent, and other topics raised before the FCC. This is a companion to Kelley Drye’s comprehensive list of petitions before the Commission available in our monthly TCPA Tracker newsletter. Please contact us if we can assist you with any of the FCC proceedings.

Kelley Drye’s Full Spectrum is available on iTunes. To subscribe, and keep up to date on the latest trends and topics in communications, simply find the built-in and undeletable podcast app, search “Kelley Drye Full Spectrum,” look for our logo, and hit “subscribe.”

You can also access the podcast through our website, Soundcloud, and Stitcher.

*Audio files may load faster through Google Chrome

FTC Commissioner Terrell McSweeny is scheduled to resign effective April 28 and may leave acting Chairman Maureen Ohlhausen as the sole commissioner. Law360 published an article by partner John Villafranco and professor Stephen Calkins that discusses whether the FTC can take formal action by a 1-0 vote and when a commission ceases being a commission. To read the full article, please click here.