Yesterday, Christine Wilson was sworn in as FTC Commissioner. Commissioner Wilson – the fifth and final Trump appointee – joins the FTC from Delta Air Lines and assumes former Commissioner Maureen Ohlhausen’s seat. Commissioner Ohlhausen announced her departure on Tuesday – the day her term ended – concluding over six years of service as Commissioner, including a year and a half as the agency’s Acting Chair before current Chair Joseph Simons assumed the role.

As we previously reported here, Commissioner Wilson overlapped with Chair Simons during his time as Director of the Bureau of Competition, while she served as Chief of Staff to then-Chair Timothy Muris. The FTC currently is in the middle of public hearings on consumer protection, privacy, and competition policy and enforcement, and we expect these hearings and the public comments received to help shape the Commission’s priorities going forward.

On Tuesday, in an 80 to 19 vote, the Senate confirmed Peter Feldman as CPSC Commissioner – to finish Commissioner Mohorovic’s term ending October 26, 2019. Today, in a narrow 51 to 49 vote, the Senate confirmed him to a full, seven-year term. As we discussed here, Mr. Feldman previously served as Senior Counsel to the Senate Commerce Committee, which has oversight of the CPSC. During his June confirmation hearing, he indicated that his focus as Commissioner would be on modernizing the agency and increasing its transparency.

Once Mr. Feldman is sworn in, the five-member Commission will have a Republican majority for the first time since 2006, although Acting Chairman Ann Marie Buerkle’s (R) nomination to become Chairman is still pending. Despite this delay, with the Commission back to full strength, we will watch for policy and enforcement developments, particularly as the Commission votes on the FY 2019 Operating Plan next month.

You’ve probably heard of the dreaded four-letter word – GDPR. Companies around the globe had been preparing for the May 25th implementation date for quite some time. But U.S.-based companies with no apparent EU presence may not have thought twice about whether the data protection law across the pond even applies to them. Let’s face it, we have enough federal and state laws here in the U.S. to worry about. But now that the GDPR dust has settled a bit, these U.S. companies may want to take a closer look to confirm they aren’t captured within GDPR’s sweeping scope.

In this first installment of GDPR SIDEBAR, we address the fundamental threshold question of whether and to what extent a U.S.-based company must comply with the GDPR.

Just when you think you have it all under control, the data breach notification law landscape changes – again. Over the past few weeks, several data breach notification statutes were updated, including an effective date for Canada’s mandatory breach notification obligations, as well as the adoption of legislation in the two holdout states (Alabama and South Dakota). Here is the latest:

  • Canada: On March 26, the Governor General in Council, on recommendation of the Minister of Industry, set November 1, 2018, as the effective date for the mandatory data breach notification obligations in the Digital Privacy Act 2015, which amended the Personal Information Protection and Electronic Documents Act (PIPEDA). Beginning November 1, any organization must report to the Privacy Commissioner if it has a reasonable belief that a breach of information under its control creates a real risk of “significant harm” to Canadian residents, as well as notify affected individuals. The term “significant harm” includes bodily harm; humiliation; damage to reputation or relationships; loss of employment, business, or professional opportunities; financial loss; identity theft; negative effects on the credit record; and damage to or loss of property. The notice to affected individuals must contain sufficient information to allow the individual to understand the significance of the breach and to take any steps to mitigate or reduce the risk of any resulting harm.
  • Alabama: On May 1, 2018, the Alabama Data Breach Notification Act will take effect, requiring that companies provide notice of the unauthorized acquisition of electronic data containing sensitive personally identifiable information that is reasonably likely to cause substantial harm. The term “sensitive personally identifiable information” includes an Alabama resident’s first name or first initial and last name in combination with Social Security or tax identification number; driver’s license or other unique government-issued identification number; financial account number in combination with the required security code, access code, password, expiration date, or PIN; medical and health insurance information; or online account credentials. The Act sets a 45-day time limit for consumer and Attorney General (if more than 1,000 Alabama residents are affected) notice. The consumer notice must contain (1) the estimated date(s) of the breach; (2) a description of the affected information; (3) a general description of the remedial actions taken; (4) a general description of the steps consumers can take to protect themselves from identity theft; and (5) the company’s contact information. The Attorney General notice must contain (1) a synopsis of the event surrounding the breach at the time notice is provided; (2) the approximate number of affected Alabama residents; (3) any free services offered to affected individuals, and instructions on how to use those services; and (4) the name, address, telephone number, and email address of the company’s point person for the breach. A violation of the Act will constitute an unlawful trade practice under the Alabama Deceptive Trade Practices Act, subject to a civil penalty of up to $5,000 per day.
  • South Dakota: On March 21, South Dakota enacted S.B. 62. Effective July 1, 2018, the statute will require that companies provide notice of the unauthorized acquisition of unencrypted computerized data (or encrypted computerized data together with the encryption key) that materially compromises the security, confidentiality, or integrity of personal or protected information. The statute (1) contains expanded definitions of personal and protected information, which include health information, an employer-assigned ID number in combination with the required security code, access code, password, or biometric data, and online account credentials; and (2) sets a 60-day time limit for consumer notice, unless legitimate law enforcement needs require a longer time period. Attorney General notice is required if the number of affected South Dakota residents exceeds 250. Violators are liable for a civil penalty of up to $10,000 per day per violation.
  • Oregon: On March 16, Oregon enacted amendments to its data breach notification law, which take effect June 2, 2018. The amendments clarify that personal information includes an Oregon resident’s first name or first initial and last name in combination with any information or combination of information that would permit access to her financial account, and require consumer and Attorney General (if the number of affected residents exceeds 250) notice within 45 days of discovery of a breach. Additionally, if a company provides free credit monitoring or identity theft prevention and mitigation services, it may not require that consumers provide a credit or debit card number (or any fee) to take advantage of those free services. Likely prompted by the Equifax data breach, the amendments also prohibit consumer reporting agencies from charging a fee for a consumer to place or lift a security freeze. Previously, the statute capped such fees at $10.
  • Arizona: On April 5, the Arizona Governor received H.B. 2154, which if enacted, would (1) expand the definition of personal information to include a private key unique to an individual and used to authenticate or sign an electronic record, medical and health insurance information, passport and taxpayer identification number, unique biometric data, and online account credentials; and (2) require notification to affected consumers, as well as the Attorney General and the three largest credit reporting agencies if more than 1,000 Arizona residents are affected, within 45 days. Such notices would need to include the approximate date of the breach; a brief description of the affected personal information; the toll-free numbers for the three largest CRAs; and the toll-free number, address, and website address for the FTC. Importantly, these amendments would also create notice provisions specific to online account credentials and clarify that notice should not be made to the affected account, and should prompt the individual to (1) immediately change her password or security question and answer, and (2) take appropriate steps to protect the affected account and all other online accounts with the affected account credentials. If Arizona adopts these amendments, it will become the twelfth state to require notice in the event of a breach of online account credentials – joining California, Delaware, Florida, Illinois, Maryland, Nebraska, Nevada, Rhode Island, and Wyoming, and most recently, Alabama and South Dakota.

These developments demonstrate that data breach notification statutes are evolving, often in response to high-profile data breaches and/or concerns about a specific industry or a specific type of data – such as online account credentials. We expect U.S. states to continue to update these laws, and in particular, to (1) expand the definition of personal information to include medical and health insurance information, biometric data, and online account credentials; (2) require notice to consumers and/or regulators within a specific time period; (3) impose data security requirements; and (4) address concerns with specific industries, such as credit reporting agencies. Stay tuned for more updates!

Last Friday, the CPSC voted to sue Britax Child Safety, Inc. to force the company to recall various models of single and double B.O.B. jogging strollers. The one-count administrative complaint alleges that the strollers present a substantial product hazard under Section 15(a)(2) of the Consumer Product Safety Act because they contain a product defect that presents a substantial risk of injury to the public.

The CPSC claims that the three-wheel strollers’ quick release mechanism can fail to secure the front wheel to the fork, allowing that front wheel to detach during use. Furthermore, due to the design of the stroller, consumers are allegedly likely to believe that the wheel is secured when it is not. The CPSC states that it has received over 200 reports of incidents since January 2012 – 97 of which resulted in injuries, some severe, to 50 children and 47 adults. In a press release on the B.O.B. website, Britax counters that the strollers are safe when used as instructed and do not contain a defect. The company points out that the QR mechanism is “widely-used” in bicycles and strollers, and front wheel detachments only occur when wheels are installed improperly – and contrary to available written and video instructions.

The complaint requests a finding that the strollers present a “substantial product hazard” under the CPSA and an order that Britax implement a corrective action plan that includes initiating a stop-sale, notifying consumers and the public of the recall, and providing a remedy. The Commissioners voted to approve the complaint along party lines, with Acting Chairman Ann Marie Buerkle opposing the filing. As we have previously reported, the Commission’s priorities could shift if she and Republican nominee Dana Baiocco are confirmed.

Under the CPSA, manufacturers, distributors, and retailers have an obligation to report to the CPSC as soon as they obtain information that reasonably supports the conclusion that a consumer product contains a defect that could create a substantial product hazard, or creates an unreasonable risk of serious injury or death. The CPSC takes this reporting obligation very seriously, and staff do not hesitate to reach out to companies after receiving a number of consumer complaints related to a single consumer product (or set of products).

Last Friday, ten consumer and privacy advocacy groups, including the Electronic Privacy Information Center, Center for Digital Democracy, and Consumer Watchdog, sent a letter to Acting Chairman Ann Marie Buerkle, requesting that the CPSC recall the Google Home Mini smart speaker. The speaker was designed to respond to the voice commands, “OK, Google” and “Hey, Google,” as well as to a consumer pressing a small button on the top of the unit. Last week, the blog Android Police reported a glitch that caused the device to detect a touch even when a consumer was not pressing the button and remain “always on.” In response, Google issued a software update and completely disabled the button functionality.

The groups claim that this glitch resulted in Google intercepting and recording private conversations without consumers’ knowledge or consent, and that the device therefore poses a risk to consumer safety. Although they acknowledge that “the privacy concerns associated with Internet-connected devices appear different from traditional public safety concerns,” the groups call on the CPSC and its “broad mandate” to respond to such concerns, particularly in light of the “failure” of the FTC to investigate complaints involving Internet-connected devices.

Under the Consumer Product Safety Act, manufacturers, importers, distributors, and retailers have an obligation to immediately report to the CPSC when they obtain information that reasonably supports the conclusion that a consumer product contains a defect that could create a substantial product hazard, or creates an unreasonable risk of serious injury or death. While the groups note that the CPSC recently announced a recall of Internet-connected devices, the cited recall involved a product that posed a risk of physical injury to consumers. CPSC action based on a non-physical injury, such as invasion of privacy, would be breaking new ground, but manufacturers, distributors, and retailers of IoT and other connected products should continue to watch for new developments and consider the potential safety issues associated with their products.

The Senate Committee on Commerce, Science and Transportation approved Acting Chairman Ann Marie Buerkle’s nomination to become CPSC Chairman last Thursday in a 14-13 vote along party lines. She is expected to be confirmed by the full Senate, and would then be able to move forward with staff appointments. Buerkle has served as Acting Chairman since February, and was nominated to become Chairman in July. For more information about Acting Chairman Buerkle’s priorities at the CPSC, please view our previous blog posts here and here.

Associate Lauren Myers contributed to this post. She is practicing under the supervision of principals of the firm who are members of the D.C. Bar.

Yesterday, President Trump announced his intent to nominate Dana Baiocco as CPSC Commissioner. If confirmed, Ms. Baiocco would replace Commissioner Marietta Robinson when her term expires on October 27, and would serve a seven-year term. Ms. Baiocco would join Acting Chairman Ann Marie Buerkle and Commissioner Joseph Mohorovic, and give the five-member Commission a Republican majority once again. She has already received the support of Chairman Bob Latta (R-OH) of the House Energy and Commerce Committee’s Digital Commerce and Consumer Protection Subcommittee.

Currently, Ms. Baiocco is a partner at Jones Day in Boston, and her practice focuses on products liability and tort litigation, as well as regulatory and reporting obligations enforced by the CPSC, for a number of high-profile clients. Ms. Baiocco attended Duquesne University School of Law, and clerked for The Honorable Gustave Diamond of the U.S. District Court for the Western District of Pennsylvania prior to joining Jones Day’s Pittsburgh office as an associate. She became partner in 2007, and helped found the firm’s Boston office in 2011.

The Senate Commerce Committee also announced yesterday that, on September 27, they will hold a nomination hearing for Acting Chairman Ann Marie Buerkle to become CPSC Chairman. She has served as Acting Chairman since February, and was nominated to become Chairman in July. Acting Chairman Buerkle has emphasized her desire to collaborate with stakeholders, to take a “balanced and reasonable approach” to regulation when data justifies rulemaking, and to use information campaigns to educate consumers and industry.

On August 2, 2017, the U.S. District Court for the Central District of California dismissed a putative class action lawsuit against Ross Stores that accused the discount retailer of misleading promotional pricing practices. The lawsuit stemmed from February and May 2015 purchases by the two lead plaintiffs of items bearing price tags with a selling price and an instruction to “Compare At” the higher, reference price. Ross has since changed the reference price signal from “Compare At” to “Comparable Value.”

The Second Amended Complaint, filed in March 2016, contained the following allegations:

  • The use of “Compare At” is deceptive, as the higher, reference price is not a price at which substantial sales of the item were made in California.
  • The higher, reference price is the price of similar, non-identical merchandise – a material fact that Ross fails to adequately disclose.
  • A reasonable consumer would expect the reference price to refer to the price of an identical item.
  • The retailer’s explanation of its comparison pricing is “buried” on the website and out of view in stores. Specifically, the explanation states that the comparison pricing “represents a recent documented selling price of the same or similar product in full-price department stores or specialty stores[, and w]here identical products are not available [Ross] may compare to similar products and styles.”

According to the plaintiffs, these practices violate California’s promotional pricing statutes, which (1) prohibit retailers from making a false or misleading statement of fact concerning the reason for a price reduction, and (2) require that an advertised reference price have been the prevailing market price for the item within the immediately preceding three months. See Cal. Civ. Code § 1770(a)(13); Cal. Bus. & Prof. Code § 17501.

In May, Ross and the plaintiffs filed a motion for summary judgment and motion for class certification, respectively. With respect to the new, “Comparable Value” signal, the Court determined that the plaintiffs lacked standing to challenge these tags because they failed to present evidence that they actually relied on the phrase when making their purchases, or that they suffered any economic injury as a result of Ross’s use of the phrase. As a result, the Court granted the motion for summary judgment with respect to Ross’s use of “Comparable Value.”

With respect to the “Compare At” signal, the Court found that the phrase is not “obviously false or misleading on its face,” and the plaintiffs had not presented evidence, other than their own declarations and price tags, in support of their argument that the reasonable consumer would expect the reference price to refer to the price of an identical item. Regardless, the Court concluded, the plaintiffs also failed to demonstrate economic harm, and therefore lacked standing to pursue their claims. Importantly, the Court rejected the plaintiffs’ reliance on the Ninth Circuit decision in Hinojos v. Kohl’s Corp., noting that, “the standard of proof on a motion for summary judgment is higher” and demands proof that the items purchased were not worth as much as Ross claims, rather than vague averments of injury.

On Monday, the FTC submitted comments to the draft National Telecommunications and Information Administration (NTIA) guidance intended to improve Internet of Things (IoT) device security and increase consumer transparency. While recognizing the benefits (and proliferation) of IoT devices, the Commission’s comments caution that such benefits can only be realized when device manufacturers both incorporate – and adequately inform consumers of – reasonable security measures.

The comments begin by highlighting several “lessons learned” from FTC enforcement actions involving IoT devices such as home security cameras, baby monitors, and smart TVs. Specifically, the Commission explains that such actions emphasize the need for manufacturers to take reasonable security measures and to continuously manage security risks. The comments, in addition, note the several policy initiatives, consumer and business educational materials, and company-specific guidance (in lieu of enforcement) intended to assist IoT manufacturers with device security.

The Commission also recommends several changes to the NTIA guidance’s “Elements of Updatability”:

  • Edits to “Key Elements” Prior to Purchase – The Elements of Updatability recommend three pre-sale “key elements”: (1) disclosure of whether the device can receive security upgrades, (2) disclosure of how the device receives such upgrades, and (3) the anticipated timeline for the end of security support. The FTC recommends that manufacturers disclose the minimum support period, rather than an anticipated timeline, as well as disclose if the device will lose functionality or become highly vulnerable when security support ends.
  • Edits to “Additional Elements” Before or After Purchase – The FTC adds several “additional elements” that manufacturers should consider conveying to consumers, either before or after purchase. Such additional elements include (1) adopting a uniform notification method to, for example, notify consumers of updates (if updates are not automatic); (2) enabling consumers to sign up for affirmative security support notifications that are separate from marketing communications; and (3) providing real-time notifications when support is about to end.
  • Omission of One “Additional Element” – The FTC also advises omission of the “additional element” describing the update process, explaining that such description imposes costs on manufacturers with little benefit to consumers who can “feel overburdened by choice and ignore critical information.”