Regulatory Developments

Last week, five advertising and marketing trade associations jointly filed comments with the California Attorney General seeking clarification on provisions within the California Consumer Privacy Act (CCPA).

While expressing “strong support” for the CCPA’s intent, and noting the online ad industry’s longstanding consumer privacy efforts like the DAA’s YourAdChoices Program, the group proposed the following three clarifications relating to CCPA provisions that, unless modified, the group believes could reduce consumer choice and privacy:

  • Notice relating to a sale of consumer data: A company’s written assurance of CCPA compliance should satisfy the requirement to provide a consumer with “explicit notice” (under 1798.115(d)) when a company sells a consumer’s personal data that the company did not receive directly from such consumer;
  • Partial opt-out from the sale of consumer data: When responding to a consumer’s request to opt out of the sale of personal data, companies can present consumers with choices on the types of “sales” from which to opt-out, the types of data to be deleted, or whether to opt out completely, rather than simply offering an all or nothing opt-out.
  • No individualized privacy policies: Businesses should not be required to create individualized privacy policies for each consumer to satisfy the requirement that a privacy policy disclose to consumers the specific pieces of personal data the business has collected about them.

The associations signing on to the comments include the Association of National Advertisers, American Advertising Federation, Interactive Advertising Bureau, American Association of Advertising Agencies, and the Network Advertising Initiative. The comments represent an “initial” submission intended to raise the proposals above and, more broadly, highlight to the California AG the importance of the online-ad supported ecosystem and its impact on the economy.  The associations plan to submit more detailed comments in the coming weeks.

The comments coincide with a series of public forums that the California AG is hosting to provide interested parties with an initial opportunity to comment on CCPA requirements and the corresponding regulations that the Attorney General must adopt on or before July 1, 2020.

 

The FTC’s “Hey Nineteen” blog post caught our attention this past week, and not just for its witty title. One of those reasons is the reference to continued interest in “Made in USA” claims.  As we’ve written about here, “Made in America” has been a frequent enforcement target in recent years and 2018 generally continued this trend.  Here’s how it stacked up:

The FTC completed 25 investigations, settling four enforcement actions and issuing 21 closing letters.

Similarly, in 2017 the FTC settled two enforcement actions and issued 22 closing letters. All indications are that these trends will continue in 2019.

So what can companies do to avoid being the subject of an upcoming FTC Business Center blog post? Here are some tips:

Tip #1: Audit Inventory Management Systems and Processes

Mistakes can launch FTC investigations, as one company learned this past year.

In response to inquiries from the FTC, Prime-Line Products Company, a maker of corner shields, stated that after depleting its inventory of US-made corner shields, it substituted identical imported corner shields. Then, apparently inadvertently, the company continued to apply the “Made in USA” label.

Eventually, the FTC closed its investigation without bringing an enforcement action against the company. But the case serves as a reminder to companies employing the “Made in USA” label to closely manage inventory.  If only a percentage of supply is sourced to the US, companies should create internal processes to avoid mislabeling inventory.

Of course, inventory management can become challenging, especially when working with multiple dealers, distributors, or resellers that may not be familiar with inventory changes. Companies should proactively develop a compliance plan to ensure marketing remains accurate in all sales channels.

Tip #2: Train Employees

Employees, from marketing and sales to the warehouse floor, are the first line of defense against false “Made in USA” claims. Employees should be aware of when “Made in USA” claims may be made, and should be trained on processes for alerting management if they observe any inadvertent errors.

As detailed in multiple closing letters, companies targeted by FTC investigations told the FTC that they would retrain staff on proper, non-deceptive claims. This common-sense approach is advisable for all companies.  All training materials should conform to the standards laid out by the FTC in its Complying with the Made in USA Standard guidance, but should also be practical and easy-to-use.  Checklists, webinars, and workplace posters are good options for educating a company’s workforce.

Tip #3: Qualify Advertising Claims

Last year’s cases show that investigations skewed toward plain, unqualified “Made in USA” claims. Qualified claims, which provide more detail about a component made domestically or process that occurred domestically, may take up more space or obscure a company’s marketing message.  Nevertheless, when it comes to “Made in USA” labeling, accuracy counts.

In one example from the last year, The Gillette Company, LLC, was the target of an FTC inquiry due to its “Boston Made Since 1901” advertising. The FTC closed its investigation, but the example is instructive.  Gillette has deep roots in Boston and sought to use this information in an advertisement.  But without a qualification, the FTC viewed the advertisement as asserting that all of Gillette’s products are made in the US.  Gillette stated that it would re-focus its advertising campaign to highlight its Boston-based employees and manufacturing and the FTC closed the matter.

Tip #4: Size Doesn’t Matter

When it comes to enforcement of the “Made in USA” standards, there is no safe harbor for small businesses. Companies large and small were the target of investigations in 2018.

That included large companies, like Hallmark Cards, Incorporated, and IKEA Purchasing Services (US), Inc. The FTC closed investigations into each of these companies via a closing letter, without further action.

Meanwhile, the FTC’s major enforcement actions of the year were primarily against small or mid-size companies. Underground Sports Inc. d/b/a Patriot Puck imported just 400,000 hockey pucks since January 2016, but faced a significant enforcement action.  Notably, American-made claims featured prominently in these companies’ advertising.  Indeed, their conduct was so objectionable, that following announcement of these settlements, discussion has arisen regarding monetary penalties for false “Made in USA” claims.

Tip #5: Act Now!  Financial Penalties May Be Coming

FTC commissioners are very publicly debating the merits of imposing financial penalties for false “Made in USA” claims.

A leading advocate has been Commissioner Rohit Chopra, who argued in a dissent that settlements have been too lenient and are not deterring similar conduct.  But, as reported in December in this blog, Chairman Joseph Simons too is focused on the potential need to impose monetary relief.  At a hearing before the Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, Simons said, “Now we’re exploring whether we can find a good case that would be appropriate for monetary relief to serve as an additional deterrent.”

Given the political interest in increasing the penalties for false claims, companies may want to (make and actually stick to) a New Year’s resolution to make sure their “Made in USA” claims are substantiated. If you’re new to this area or need a refresher, check out our webinar and materials here.

On January 10, 2019, Massachusetts Governor Charlie Baker signed into law the Massachusetts’s Data Breach Notification Act, which amends Massachusetts data breach reporting laws. The new law, available here, amends the timing and content of individual and regulator data breach notifications, and provides for credit monitoring services when social security numbers may have been compromised.

Key updates to the state’s data breach notification laws include the following:

  • Free Credit Monitoring: Following breaches involving Social Security numbers, entities must “contract with a third party to provide” free credit monitoring services to impacted Massachusetts residents at no cost for at least 18 months (42 months, if the company is a consumer reporting agency), and provide consumers with instructions on how to access these services.
  • No Mandatory Arbitration Clauses: Companies are prohibited from asking individuals to waive their right to a private action as a condition for receiving credit monitoring services.
  • Additional Required Information for the Breach Notice: The required notice to consumers, the Massachusetts Attorney General, and the Office of Consumer Affairs and Business Regulation already provided for under current Massachusetts law must now also include additional information such as the name and address of the person that experienced the breach of security, the person responsible for the breach, if known, and the type of personal information compromised. Entities are also required to submit to regulators a sample of the notification letters that they send to consumers, which will be posted online.
  • Notice Timing: An entity may not delay notice to affected individuals on the grounds that it has not determined the total number of individuals affected. Rather, the entity must send out additional notices on a rolling basis, as necessary.
  • Disclosure of Parent/Affiliate Company: If the company experiencing a breach is owned by a separate entity, the individual notice letter must specify “the name of the parent or affiliated corporation.”

Under Massachusetts data security regulations (201 CMR § 17.03), any entity that owns or licenses personal information about a Massachusetts resident is currently obligated to develop, implement, and maintain a comprehensive written information security program that incorporates the prescriptive requirements contained in the regulation.

The Massachusetts’s Data Breach Notification Act will take effect on April 11, 2019. This is a good opportunity for businesses to update their data breach notification related policies and procedures to ensure that they are in compliance with all state requirements. We will continue to track any updates to state breach notification statutes and post on this blog.

Subscription plans that automatically renew at the end of a term are becoming more popular with companies. They’re also getting more scrutiny from regulators. As we’ve posted before, some states regulate how these plans can be structured, and there have been both lawsuits and regulatory investigations targeting companies that have failed to comply. This week, Washington, DC joined the crowd by enacting a new law governing automatic renewals.

The law requires businesses that sell goods and services on a recurring basis to clearly and conspicuously disclose their automatic renewal provisions and cancelation procedures in their contracts. In addition, if a contract has an initial term of at least 12 months and will automatically renew for a term of at least one month, a business must take steps to notify consumers before renewal. This must be done by mail, e-mail, text message, or in-app notification. (For text messages, don’t forget the TCPA.) The reminder must be sent at least 30 – but no more than 60 – days before the deadline to cancel.

Businesses that offer free trials of at least one month that automatically renew must receive a consumer’s affirmative consent to sign up for the automatic renewal program one to seven days before the expiration of the free trial term.

Subject to narrow exceptions, violations of the law will constitute violations of the DC Consumer Protection Procedures Act and render the automatic renewal provision void.

The 2018 Farm Bill legalized cultivation and processing of industrial hemp and various by-products.  One hemp-based derivative of considerable interest to manufacturers of personal care products, dietary supplements, cosmetics, and OTC drugs is cannabidiol (“CBD”).  As industry races to commercialize and advertise CBD, it’s important to understand the regulatory hurdles that remain.  Ad law partner, Kristi Wolff, addresses several common misunderstandings in an article recently published online in Nutritional Outlook

Yesterday, Christine Wilson was sworn in as FTC Commissioner. Commissioner Wilson – the fifth and final Trump appointee – joins the FTC from Delta Airlines and assumes former Commissioner Maureen Ohlhausen’s seat. Commissioner Ohlhausen announced her departure on Tuesday – the day her term ended, concluding over six years of service as Commissioner, including a year-and-a-half as the agency’s Acting Chair before current Chair Joseph Simons assumed the role.

As we previously reported here, Commissioner Wilson overlapped with Chair Simons during his time as Director of the Bureau of Competition, while she served as Chief of Staff to then-Chair Timothy Muris. The FTC currently is in the middle of public hearings on consumer protection, privacy, and competition policy and enforcement, and we expect these hearings and the public comments received to help shape the Commission’s priorities going forward.

On Thursday, June 21, 2018, the U.S. Supreme Court paved the way for states to collect sales or use taxes from sellers with no physical presence in the taxing state by declaring constitutional a South Dakota law requiring out-of-state sellers to remit sales taxes on sales to South Dakota residents if the sellers exceed certain revenue or transaction thresholds.  In South Dakota v. Wayfair, Inc., 585 U.S.             (2018), the Supreme Court overturned its 1967 decision in National Bellas Hess, Incorporated v. Illinois, 386 U.S. 753 (1967) and its 1992 decision in Quill Corporation v. North Dakota, 504 U.S. 298 (1992), which had generally prohibited states from collecting sales or use taxes on sales of tangible personal property from sellers with no physical presence within the state.  The elimination of the physical presence requirement does not necessarily mean that out-of-state sellers now have substantial nexus with all states, however, and sellers should re-evaluate their tax collection and payment obligations on a state-by-state basis. Continue Reading Selling Products Online? U.S. Supreme Court Ruling May Affect Whether or Not You Must Pay State Sales or Use Taxes

Earlier today, an en banc panel of the U.S. Court of Appeals for the D.C. Circuit ruled that the CFPB was constitutionally structured, reversing an earlier decision by a divided three-judge panel and holding that the Dodd-Frank Act permissibly shields the CFPB Director from removal without cause.  The Court’s 7-3 majority opinion only addressed the constitutionality of the Director’s for-cause removal protection; it did not substantively address a related issue concerning the interpretation of the Real Estate Settlement Procedures Act (RESPA) and instead reinstated the three-judge panel’s decision as to substantive RESPA issues.

The Court found that Congress’s choice to include a for-cause removal provision did not impede the President’s Article II executive authority and duty to “take care that the laws be faithfully executed.”  Specifically, the majority held that:

  • Because the President can still remove the Director for “inefficiency, neglect of duty, or malfeasance in office,” the President retains ample tools under Article II to ensure the faithful execution of the laws.  The majority noted that this same removal standard was upheld when the Supreme Court considered the FTC’s for-cause removal provision in its 1935 Humphrey’s Executor decision.
  • The majority rejected the proposed distinction based on the FTC as a multi-member independent agency and the CFPB as a single-director independent agency as “untenable,” asserting that the “distinction finds no footing in precedent, historical practice, constitutional principle, or the logic of presidential removal power.”
  • Finally, the majority held that the functions of the CFPB and its Director, unlike, for example, the Secretary of State or another Cabinet officer, are not core executive functions, and financial and consumer protection regulators have long been afforded a degree of independence, citing the FTC, the Federal Reserve, the FDIC, and others as examples.  The majority asserted that holding otherwise would result in a “wholesale attack on independent agencies—whether collectively or individually led—that, if accepted, would broadly transform modern government.”

The procedural uniqueness of the case makes it uncertain whether it will be appealed to the Supreme Court.  Under the Trump administration, the Justice Department supported the earlier decision finding the CFPB structure unconstitutional and expressed disappointment with today’s decision.  In that PHH could benefit from the reinstatement of the three-judge panel’s decision on RESPA issues, its appetite for appeal may also be limited.  We’ll continue to watch this interesting case closely and post updates here.

Most Popular Ad Law Access Posts of 2017

As reported in our Ad Law News and Views newsletter, Kelley Drye’s Advertising Law practice posted 106 updates on consumer protection trends, issues, and developments to this blog in 2017. Here are some of the most popular:

Ad Law News and Views is produced every two weeks to help you stay current on advertising law and privacy matters. You can subscribe to it and other Kelley Drye Publications here and the Ad Law Access blog by email or RSS feed.

2018 Advertising and Privacy Law Webinar Series 

Please join Kelley Drye in 2018 as we continue our well attended Advertising and Privacy Law Webinar Series. Like our in-person events, this series gives key updates and provides practical tips to address issues faced by counsel as well as CLE credit. This webinar series will start again in February 2018. Please revisit the 2017 webinars here.

The U.S. Copyright Office has imposed new requirements on service providers in order to maintain safe harbor protection under the Digital Millennium Copyright Act (“DMCA”).  Service providers who don’t meet these requirements will lose the safe harbor protections afforded by the DMCA.  The deadline to comply with these requirements is December 31, 2017.

DMCA and the Safe Harbor

The DMCA was enacted by U.S. Congress in October 1998 with the purpose of addressing certain intellectual property issues in the wake of the Internet.  Among the DMCA’s key provisions is “safe harbor” protection, designed to shield companies from liability for infringement due to content posted by a user on the company’s website, provided that the company qualifies as a “service provider.
Continue Reading Regulatory Changes Affecting All “Service Providers” – 12/31/17 Deadline