Legislative Developments

Subscribe to Legislative Developments

Among the many details to absorb in the draft amendments to the CCPA regulations published by the California Privacy Protection Agency (“CPPA”) on May 27 (the “Draft Regulations”) are new and prescriptive disclosure requirements for notices at collection and privacy policies. While these disclosure provisions (and all of the other provisions of the Draft Regulations)

For those not following every detail regarding the progress of the “three corners” federal privacy bill, here’s a summary of where things stand.

In brief, on June 23, the House E&C Consumer Protection Subcommittee held a markup during which it considered a substitute version of the bill (HR 8152), approved it by voice

A New Federal Privacy Law Could Come from an Unexpected PlaceAs we continue to watch the slow motion, often circular efforts in Congress to develop and enact comprehensive privacy legislation, federal action on privacy could end up coming from some surprising places.

By this, we mean it might not come from Senators Cantwell or Wicker, who have championed the leading, competing privacy bills in

On October 6, 2021, the Senate Commerce Committee conducted its second in a series of hearings dedicated to consumer privacy and data, this time addressing Data Security.  Similar to last week’s privacy hearing, the witnesses and Senators appeared to agree that federal data security standards – whether as part of privacy legislation or on their own – are urgently needed. If there were to be consensus around legislative principles, the hearing provides clues about what a compromise might look like.

Prepared Statements. In their opening statements, the witnesses emphasized the need for minimum standards governing data security.

  • James E. Lee, Chief Operating Officer of the Identity Theft Resource Center, explained that without minimum requirements, companies lack sufficient incentives to strengthen their data security practices to protect consumer data. Lee also advocated for more aggressive federal enforcement rather than the patchwork of state actions, which, he said, produce disparate impacts for the same conduct.
  • Jessica Rich, former Director of the FTC’s Bureau of Consumer Protection and counsel at Kelley Drye, emphasized that current laws do not establish clear standards for data security and accountability. She advocated for a process-based approach to prevent the law from being outpaced by evolving technologies and to ensure that it accommodates the wide range of business models and data practices across the economy. Among her recommendations, Rich suggested that Congress provide the FTC with jurisdiction over nonprofits and common carriers and authority to seek penalties for first-time violations.
  • Edward W. Felten, former Deputy U.S. Chief Technology Officer, former Chief Technologist of the FTC’s Bureau of Consumer Protection, and current Professor of Computer Science and Public Affairs at Princeton University, focused on the need to strengthen the FTC’s technological capabilities, including increasing the budget to hire more technologists. Notably, Felten advocated for more prescriptive requirements in data security legislation such as requiring companies to store and transmit sensitive consumer data in encrypted form and prohibiting companies from knowingly shipping devices with serious security vulnerabilities.
  • Kate Tummarello, Executive Director at Engine, a non-profit organization representing startups, addressed the importance of data security for most startups. Tummarello advocated for FTC standards or guidance with flexible options. Cautioning against overburdening startups, Tummarello explained that newer companies take data security seriously because they do not have the name recognition or relationships with consumers that larger companies may have, and a single breach could be extremely disruptive. Additionally, Tummarello highlighted that the patchwork of state laws provides inconsistent and unclear data security guidance and imposes high compliance costs.


Continue Reading Hope Emerges at Senate Data Security Hearing – But Will Congress Grab the Brass Ring?

The Colorado Legislature recently passed the Colorado Privacy Act (“ColoPA”), joining Virginia and California as states with comprehensive privacy legislation. Colorado Governor Jared Polis signed the bill (SB 21-190) into law on July 7, and ColoPA will go into effect on July 1, 2023.

How does the measure stack up against the VCDPA and the CCPA (as amended by CPRA)? The good news is that, in broad terms, ColoPA generally does not impose significant new requirements that aren’t addressed under the CCPA or VCDPA, but there are a few distinctions to note..
Continue Reading Privacy Law Update: Colorado Privacy Bill Becomes Law: How Does it Stack Up Against California and Virginia?

Welcome to our monthly roundup of regulatory and litigation highlights impacting the dietary supplement and personal care products industries.  Sit back, relax, and enjoy the read.  February was a short month, with a lot going on.

NAD

Health claim substantiation was front and center before NAD in a monitoring case involving Pendulum Therapeutics and a “medical probiotic” product featuring claims such as “The only medical probiotic clinically shown to lower A1C & blood glucose spikes for the dietary management of T2D*” (*Consult your physician as part of your total diabetes management plan.  Results may vary from person to person.”)

The advertiser submitted a 12-week multi-center, randomized, double-blind, placebo-controlled study (the “Perraudeau Study”) to assess Pendulum Glucose Control’s safety and effectiveness in improving glycemic control in Type 2 diabetics and, ultimately, their dietary management of the disease – specifically, the role of certain probiotic strains found in prior research to be associated with the promotion of a healthy gut microbiome through the production of short-chain fatty acids (SCFAs).

The advertiser also provided clinical studies and research articles demonstrating the roles of A1C, fasting glucose and postprandial glucose levels in managing Type 2 diabetes. The advertiser also referred to the FDA’s Guidance document (Diabetes Mellitus: Developing Drugs and Therapeutic Biologics for Treatment and Prevention) to demonstrate what level of reduction in HbA1c was clinically meaningful.

While NAD expressed some concerns about the evidence, ultimately, NAD determined that the Perraudeau Study was a good fit for the challenged claim “The only medical probiotic clinically shown to lower A1C & blood glucose spikes for the dietary management of T2D*” (*Consult your physician as part of your total diabetes management plan. Results may vary from person to person.”) but recommended the following modifications: (1) limiting the claim to individuals who are taking metformin; (2) modifying the claim to clarify that the product can be used as part of the dietary management of type 2 diabetes; and (3) removing the references to percent reductions in blood glucose spikes in the absence of evidence in the record demonstrating that the reductions were clinically relevant.

This decision is a helpful discussion of the competent and reliable scientific evidence standard.  Anyone seeking to understand health claims substantiation better should check it out.
Continue Reading Dietary Supplement and Personal Care Products Regulatory Highlights – February 2021

Ad Law Access Blog - the State of Maryland enacted legislation imposing the Digital Advertising Gross Revenues TaxOn February 12, 2021, the General Assembly of the State of Maryland enacted legislation imposing the Digital Advertising Gross Revenues Tax, overriding a prior veto of the legislation by Maryland Governor Larry Hogan. The Act imposes a tax, at rates of up to 10%, on gross revenues “derived from digital advertising services in the state.”