Regulatory Developments

Register Now for Keeping Up with the Consumer Product Safety Commission: Update on Recent CPSC Developments, the latest in our 2017 Advertising and Privacy Law Webinar Series

With the complexity of today’s product safety regulatory environment and the civil penalty amounts for failure to report safety hazards, it is more important than ever for manufacturers and retailers to identify and resolve potential liability issues confidentially before they draw scrutiny from regulators and negative publicity.

Please join chair of Kelley Drye’s Advertising and Marketing and Consumer Product Safety practice Christie Grymes Thompson for an update on consumer product safety. The webinar will cover hot button legal issues and summarize significant developments in consumer product safety and at the Consumer Product Safety Commission.

Kelley Drye Speakers:

Christie Grymes Thompson, Partner

To register, please click here.

CLE Information:

Kelley Drye is an accredited provider of NY, IL & CA CLE. This non-transitional continuing legal education program has been approved for 1.0 NY Professional Practice credit, 1.0 Illinois credit, and 1.0 CA General credit. We will apply for CLE credit in other jurisdictions, upon request, but cannot guarantee approval. If you are interested in applying to receive CLE credit, please include your desired jurisdiction and your bar registration number when you register.

Follow the Practice

 

Did you know Kelley Drye’s Advertising Law practice produces a newsletter, Ad Law News and Views, every two weeks to help you stay current on ad law and privacy matters? Click here to access our Publication Sign Up and select Advertising and Marketing to subscribe. Find contents from the latest issue below:


Recent News

Chairman Kaye Steps Down as CPSC Chair; Republican Buerkle Assumes Role of Acting Chair

CFSAN Director Anticipates “Tweaks,” Not Rollbacks Despite Administration’s De-Regulation Emphasis

Smart TV Manufacturer “Smarting” after $2.2 Million Privacy Enforcement

FTC Announces Changes at the Helm of the Bureau of Consumer Protection; Thomas Pahl to Take Over as Acting Bureau Director Following Jessica Rich’s Departure

Not a Passing Grade: FTC Settles with Company Over Alleged False Advertising for High School Diploma Program

EU Data Protection Authority Issues GDPR Action Plan, Swiss Sign Privacy Deal with U.S.

New FTC Acting Chair Maureen Ohlhausen Offers Insight into Consumer Protection Priorities

CIT Adds New Requirements for ‘Assembled in USA’ Claims Analysis

FTC Cries Foul On Breathometer Accuracy Claims

Spotlight On Our New Texas Offices

Kelley Drye & Warren LLP recently merged with Jackson Gilmour & Dobbs, P.C., a highly respected Texas law firm best known for success in environmental litigation matters. The team also brings substantial experience in sophisticated regulatory and commercial litigation matters. The merger strengthens Kelley Drye’s litigation and environmental practices, as well as extends our national presence.

The collective environmental practices broaden Kelley Drye’s nationwide capabilities in site remediation, cost recovery, natural resource damages, and related insurance litigation, creating a powerhouse firm for businesses contemplating sales and acquisitions, debt and equity financings, and real estate development and construction where environmental issues may be present.

Please read more about our Environmental Law and Environmental Litigation capabilities, as well as our new offices in Houston and Austin.

Analysis 

Marketing in a Multi-Device World: Update on Cross Device Tracking

On January 25, Kelley Drye hosted a webinar on maintaining transparency and respecting consumer choice while achieving marketing objectives. Megan Cox, Attorney at the Federal Trade Commission, J. Jurgen Van Staden, Vice President, Policy & Technology at the Network Advertising Initiative, and partner Dana Rosenfeld discussed recent law enforcement activity, such as the FTC’s recent settlement with Turn Inc., as well as self-regulatory guidance and enforcement issues surrounding cross device information tracking and uses. For a copy of the slide deck, please click here.

Our next webinar, “Litigation is Inevitable: Update on Recent Advertising Class Actions,” will be on February 22. Please click here for more information and to register.

To sign up to receive future webinar invitations, please click here and sign up to receive communications from the Advertising and Marketing practice group.

Suing over Empty Space: Why Lawsuits over Slack Fill in Packaging Are Growing

Partner Kristi Wolff co-authored the Nutritional Outlook article “Suing over Empty Space: Why Lawsuits over Slack Fill in Packaging Are Growing.” The article discusses the rise in lawsuits regarding slack fill, or the difference between the capacity of a container and the volume of the product inside. Read more…

ABA Section of Antitrust Law Presidential Transition Report

Partner Bill MacLeod addressed the American Bar Association’s Section of Antitrust Law with an introductory note to the Section’s 2017 Presidential Transition Report. The American Bar Association Section of Antitrust Law released its 60-page eighth sequential Presidential Transition Report, which offers a retrospective of current state and federal antitrust and consumer protection law and policy, as well as recommendations for ways the new Trump administration might consider further strengthening policy and enforcement to deal with new antitrust challenges on the horizon. Read more…

Has the Supreme Court’s Resolution of Spokeo Played Out as Expected?

Partner Lee S. Brenner co-authored the Bloomberg BNA article “Has the Supreme Court’s Resolution of Spokeo Played Out as Expected?” On May 16, 2016, the United States Supreme Court held in Spokeo Inc. v. Robins that a consumer cannot satisfy the injury-in-fact demands of Article III by alleging only a bare procedural violation of a statute, divorced from any concrete harm. The article examines the Spokeo decision and how that case impacted litigation in various contexts, including data privacy, the Truth in Lending Act (TILA), the Fair and Accurate Credit Reporting Act (FACTA), and the Telephone Consumer Protection Act (TCPA). Read more…

Fifty Countries and Counting, Sixty Sessions and More – at Spring Meeting: A Message From Bill MacLeod, Chair, Section of Antitrust Law

Partner William MacLeod authored his monthly address to the American Bar Association’s Section of Antitrust Law. This month’s message features The Spring Meeting of the Section of Antitrust Law. Read more…

Upcoming Events and Speeches

Toys for Sale: IoT Devices and Connected Kids
February 15, 2017 | WEBINAR
American Bar Association
Dana B. Rosenfeld

Litigation is Inevitable: Update on Recent Advertising Class Actions
February 22, 2017 | WEBINAR
Jeffrey S. Jacobson

Regulation of Cosmetics
March 3, 2017 | WASHINGTON, DC
Introduction to U.S. Food Law and Regulation
Kristi L. Wolff

Doing Data Right: Legal Best Practices for Making Your Data Work
March 16, 2017 | SAN JOSE, CA
Strata + Hadoop World 2017
Alysa Zeltzer Hutnik, Crystal N. Skelton

Eyes on the 1-800 Prize: IP Restrictions and Online Competition
March 29, 2017 | WASHINGTON, DC
65th Antitrust Law Spring Meeting
David H. Evans

Multi-State Privacy/Security Investigations: Expert Roundtable
April 20, 2017 | WASHINGTON, DC
Global Privacy Summit 2017
Alysa Zeltzer Hutnik

Impact of the 2016 Election on Antitrust and Consumer Protection Class Actions
April 27, 2017 | SEATTLE, WA
Law Seminars International’s Litigating Class Actions
Jeffrey S. Jacobson


Think a colleague might find this newsletter of interest? Please invite others to subscribe at the Kelley Drye publication Sign Up.

 

On January 16, 2017, the Article 29 Working Party (“Working Party”)—the EU’s central data protection advisory board—published a press release regarding its Action Plan for 2017, which was adopted as part of its wider implementation strategy for the General Data Protection Regulation (“GDPR”).  The Action Plan follows up on the actions initiated in 2016 and outlines the priorities and objectives for the year to come in anticipation of the entry into force of the GDPR in May 2018.

In 2017, the Working Party commits to continue and/or finalize work on several key issues:

  • Guidelines on certification and processing likely to result in a high risk and Data Protection Impact Assessments (“DPIA”);
  • Administrative fines;
  • Setting up the administration of the European Data Protection Board (“EDPB”) structure; and
  • Preparation of the one-stop shop and the EDPB consistency mechanism.

New work priorities and objectives for 2017 include:

  • Guidelines on the topics of consent and profiling;
  • Guidelines on the issue of transparency; and
  • Update of existing opinions and guidance documents on data transfers to third countries and data breach notifications.

Moreover, the Working Party commits to continue consultation rounds and will invite relevant stakeholders to provide input on topics of interest. During a “Fablab” workshop announced for April 5 and 6, stakeholders will have the opportunity to comment on the Working Party’s Action Plan. Non-EU counterparts will have an opportunity to exchange views on the Working Party’s GDPR implementation and the GDPR generally during an interactive workshop scheduled for May 18-19, 2017.

*           *           *

In other data protection news, on January 11, 2017 the U.S. and Switzerland signed a Privacy Shield Agreement recognizing the adequacy of U.S. data protection legislation in light of Swiss requirements. Months earlier, on October 7, 2015, the Swiss Data Protection Commission stated that it would follow the Court of Justice of the European Union’s invalidation of the U.S. – EU Safe Harbor framework, and hence, a new framework was required. Resembling the EU – U.S. Privacy Shield, the new Swiss – U.S. agreement enables certified companies to export data from Switzerland to the U.S. in compliance with Swiss data protection laws. There are three notable differences between the EU – U.S. and Swiss – U.S. Privacy Shield frameworks:

EU – U.S. Privacy Shield | Swiss – U.S. Privacy Shield
EU Data Protection Authority is cooperation and compliance authority | Swiss Federal Data Protection and Information Commissioner is cooperation and compliance authority
Sensitive data definition under Choice Principle | Modified sensitive data definition under Choice Principle includes ideological or trade union-related views or activities, information on social security measures or administrative or criminal proceedings and sanctions, which are treated outside pending proceedings
Binding arbitration option in place | Commerce to work with Swiss Government to put in place binding arbitration option at first annual review

The new agreement replaces the existing U.S. – Swiss Safe Harbor Framework with immediate effect. The Department of Commerce will begin accepting self-certification applications on April 12, 2017.

Please join Kelley Drye in 2017 for the Advertising and Privacy Law Webinar Series. Like our annual in-person event, this series will provide engaging speakers with extensive experience and knowledge in the fields of advertising, privacy, and consumer protection. These webinars will give key updates and provide practical tips to address issues faced by counsel.

This webinar series will commence January 25 and continue the last Wednesday of each month, as outlined below.

January 25, 2017 | February 22, 2017 | March 29, 2017 | April 26, 2017 | June 28, 2017
July 26, 2017 | September 27, 2017 | October 25, 2017 | November 29, 2017

Kicking off the series will be a one-hour webinar on “Marketing in a Multi-Device World: Update on Cross Device Tracking” on January 25, 2017 at 12 PM ET. For more information and to register, please click here. CLE credit will be offered for this program.

The advertising industry’s self-regulatory system may be “voluntary,” but ignoring NAD’s recommendations—or declining to participate when asked—buys advertisers a prompt referral to the Federal Trade Commission. NAD often touts its close working relationship with the FTC. But what becomes of these referrals from the self-regulatory system? At NAD’s annual conference last month, Mary Engle, the FTC’s Associate Director for Advertising Practices, pulled back the curtain on the Commission’s treatment of referrals from NAD.

Engle noted that the FTC received 50 referrals from NAD between January 1, 2011 and August 17, 2016. Not surprisingly, post-referral outcomes vary a great deal. In some cases, the FTC staff takes no action at all. Far more often, however, the FTC delves into NAD’s case file. Sometimes the Commission’s post-referral role involves urging the advertiser back to NAD. Other times, FTC staff launches a formal investigation.

Looking back at referrals from NAD over the past five and a half years, Engle provided the following statistics:

  • 22%: Company returned to NAD at the FTC’s recommendation
  • 22%: Outcome unclear, or FTC staff decided to take no action
  • 20%: FTC staff resolved the matter short of an investigation
  • 14%: Matter remains under review by FTC staff
  • 8%: FTC staff initiated a formal investigation, which it subsequently closed
  • 8%: Matter related to existing FTC investigation/litigation
  • 2%: Referral resulted in FTC law enforcement action
  • 2%: FTC took no action because matter related to non-FTC litigation

The moral of Engle’s story? Don’t dismiss the self-regulatory body too quickly. Refusing to participate, or to comply with NAD’s recommendations, risks unwanted attention from the FTC.

California Attorney General Kamala Harris announced yesterday that her office has rolled out a new online form to help consumers report companies who violate California’s Online Privacy Protection Act (CalOPPA). Under the California law, a website, app or online service must have a CalOPPA-compliant privacy policy that is accessible to the consumer. Moreover, these entities must adhere to the terms of their privacy policy and notify consumers of any substantial changes to the policy.

The form consists of four sections and consumers have the option of reporting one or more of the following violations to the Office of the Attorney General:

  • A Missing or Inapplicable Privacy Policy
  • A Privacy Policy That is Difficult to Locate
  • An Incomplete Privacy Policy
  • A Company that Did Not Follow its Privacy Policy
  • A Company’s Failure to Provide Notice of a Material Change


Yesterday, the Vermont Attorney General announced a settlement with business-to-business software developer Entrinsik, Inc., resolving allegations that the company’s Informer program violated Vermont law, including the law placing restrictions on the use and disposal of data containing Social Security numbers.

The Informer program is used by businesses, including seven colleges in Vermont, to analyze and create reports of data by extracting that data from databases and presenting it in a web browser. The program also, however, creates a plain-text, unsecured file of this extraction and stores it on program users’ local hard drives, allegedly without their knowledge. According to the Attorney General, in 2013, a Vermont college used Informer to generate a report with 14,000 Social Security numbers. The text file extraction was stored on the computer’s local hard drive and backed up to an external hard drive, which was then misplaced, triggering Vermont’s data breach notification statute, and likely the investigation into Entrinsik and the Informer program.

Under the terms of the settlement agreement, Entrinsik has agreed to take the following actions:

  • Add clear and conspicuous warnings in all user and instructional materials of the functionality that creates plain-text files.
  • Add the following conspicuous warning message to the export dialog: “Note: Exporting data may result in the creation of unsecure/unencrypted temporary or permanent files on your computer. Please contact your system administrator with any questions regarding the proper safeguarding of sensitive information.”
  • Issue, and strongly recommend the application of, a patch or other software update to all business consumers in Vermont that includes the new warning.

Importantly, the Attorney General noted that he was not imposing a monetary penalty because he believes the practice of creating “temporary” plain-text files is widespread, “and many companies may not even realize that [it] could violate State law.” This settlement serves as a reminder that companies should evaluate the functionalities of the programs they develop and use to confirm their compliance with applicable data security laws and regulations.

On October 6, 2016, Federal Communications Commission (FCC or Commission) Chairman Tom Wheeler published a blog entry on the Commission’s website outlining proposed privacy rules for broadband Internet Service Providers (ISPs). The proposed rules are scheduled to be considered by the full Commission at its monthly meeting on October 27, 2016. These rules come after the Commission received substantial public comment on its March notice of proposed rulemaking (discussed in an earlier blog post) from stakeholders representing consumer, public interest, industry, academics, and other government entities including the Federal Trade Commission (FTC). The proposed rules appear to soften several elements of the Commission’s initial proposal, which received considerable industry criticism.

The actual text of the proposed order is not available; however, a fact sheet, along with the Chairman’s blog post, outlines the details of the proposal. Under the proposal, mobile and fixed broadband ISPs would have the following requirements:

  • Clear Notification. ISPs would be required to notify consumers about the type of information they collect; explain how and for what purposes that information can be shared or used; and identify the types of entities with which they share information. ISPs will also be responsible for providing this information to customers when they sign up for a service and regularly informing them of any significant changes. The Commission’s Consumer Advisory Committee will be tasked with creating a standardized privacy notice format that will serve as a “safe-harbor” for those ISPs that choose to adopt it.
  • Information Sensitivity-Based Choice. ISPs must get a customer’s “opt-in” consent before using or sharing information deemed sensitive. Geo-location information, children’s information, health information, financial information, social security numbers, web browsing history, app usage history, and communications content are the broad categories of data that would be considered sensitive. All other individually identifiable customer information would be deemed non-sensitive, and will be subject to an “opt-out” approval requirement. For example, the use of service tier information to market an alarm system would be considered non-sensitive and opt-out policies would be appropriate, consistent with customer expectations.  Finally, the rules will infer consent for certain purposes identified in the Communications Act, including the provision of broadband service or billing and collection.
  • Security.
    • Protection: ISPs must take reasonable measures to protect consumer information from vulnerabilities. To help ensure reasonable data protection efforts, ISPs may: a) adopt current industry best practices; b) provide accountability and oversight for security practices; c) use robust customer authentication tools; and d) conduct data disposal consistent with FTC best practices and the Consumer Privacy Bill of Rights.
    • Breach Response: ISPs must notify customers when data is compromised in a way that results in unauthorized disclosure of personal information. ISPs must notify a) the customer no later than 30 days after discovery of the breach; b) the FCC no later than 7 business days after discovery; and c) if it affects more than 5,000 customers, the FBI and U.S. Secret Service no later than 7 business days after discovery.

The proposal addresses other issues, such as:

  • sharing and using de-identified information consistent with the FTC framework;
  • the use of take-it-or-leave-it data usage or sharing policies; and
  • heightened disclosure requirements for discount plans based on consent to data use.

The proposal emphasizes its focus on broadband services. The proposed rules will not apply to the privacy practices of websites or apps, including those operated by ISPs for their non-broadband services, as the Commission believes this is the purview of the FTC.  This is particularly notable in light of the recent 9th Circuit AT&T decision, which has further blurred the boundaries of the FCC and FTC’s jurisdiction (addressed in an earlier blog post). In that case, the Court determined that the FTC’s “common carrier exemption” is “status-based,” and as such exempts telecommunications carriers (like ISPs) from FTC jurisdiction, regardless of whether the company in question is engaging in common carrier activities. Presumably, the 9th Circuit’s reading of the common carrier exemption would extend to websites and apps provided by an ISP, although Chairman Wheeler appears to take a different reading in his privacy proposal.

In response to Chairman Wheeler’s proposal, FTC Chairwoman Ramirez expressed her pleasure with the FCC’s efforts to protect consumer privacy.

We will be tracking this proceeding as it develops, and will follow up with a client advisory when the Commission releases its final rules.

*Avonne Bell, an associate in Kelley Drye’s Communications Practice Group, co-authored this post.


Five months ago, Kelley Drye’s Communications practice group launched the Full Spectrum podcast. Since then, they have recorded and posted ten episodes, featuring several different attorneys speaking on the most timely trends and issues in the Communications industry. While the podcast is still new, it has gained a substantial following through iTunes, SoundCloud, their podcast website, and blog posts.

Episodes are posted twice monthly and include topics such as the monthly FCC Enforcement update. Take a moment to check out the podcast for legal discussions related to the technology, media and telecommunications industries. Kelley Drye’s Full Spectrum is also available on iTunes.