
California recently passed the California Consumer Privacy Act (CCPA), providing new rights for California consumers (broadly defined as California residents) regarding their personal data. The CCPA is modeled after the EU’s General Data Protection Regulation (GDPR), which provides EU citizens with a number of rights related to data processing and imposes specific requirements on companies that process EU citizen data. The new California law provides similar requirements for businesses that collect data from California consumers. The following are some key points of comparison.

Continue Reading GDPR Sidebar: Comparing the California Consumer Privacy Act to the GDPR

Under the GDPR, processors must have a lawful basis for processing any data of an EU data subject. Consent is one of six lawful bases[1] under the GDPR, and in this installment of GDPR SIDEBAR, we’ll cover best practices that can help achieve an acceptable level of compliance with GDPR consent requirements.

Valid consent under the GDPR must be: (1) freely given; (2) specific; and (3) informed. And a consumer must make a clear, affirmative action to consent. This means pre-populated check boxes aren’t going to count as valid consent for GDPR purposes. Here are a few tips for meeting GDPR’s consent requirements:

  • Make sure consent is specific. Identify what type of processing the data subject is consenting to, so that the data subject understands exactly what data is collected and how it is used. Example 1 provides a consent mechanism for each specific type of communication (text message, email, etc.). This makes it clear to the data subject what she is signing up for when she consents to processing.

  • Make sure consent is unbundled. Provide a separate consent mechanism for each type of processing the data is expected to be used for. Do not bury consent in an agreement for terms and conditions or a general privacy policy. Example 2 offers unbundled options for separately consenting to marketing messages and the website’s terms and conditions.

Continue Reading GDPR SIDEBAR: Best Practices for Complying with GDPR Consent Requirements

On May 29, Colorado Governor John Hickenlooper signed into law HB18-1128 to strengthen data breach notification requirements for companies and government entities collecting and maintaining personal information from Colorado residents.

Effective September 1, covered entities will be required to notify individuals within 30 days of discovery of a security breach, unless the entity is notified that such a disclosure will impede a criminal investigation. Existing law requires notification to be made “in the most expedient time possible, and without unreasonable delay.” Republican state representative and bill co-sponsor Cole Wist stated the term “reasonable” was “too subjective and loose,” and could prevent consumers from acting quickly to prevent identity theft.  This makes the new law one of the strictest data breach notification laws in the country.  The following identifies pertinent changes to existing law.

Mandatory Information Security Procedures or Programs

Businesses must implement “reasonable” information security procedures or programs to protect the personal data they have – including data that has been shared with third parties – from unauthorized access, use, modification, disclosure, or destruction. Businesses that maintain paper or electronic documents containing customer personal information must develop a written policy for the destruction of such documents once they are no longer needed.

Continue Reading Colorado Reaches New High with Strict Data Breach Notification Law

You’ve probably heard of the dreaded four-letter word – GDPR.  Companies around the globe had been preparing for the May 25th implementation date for quite some time.  But U.S.-based companies with no apparent EU presence may not have thought twice about whether the data protection law across the pond even applies to them.  Let’s face it, we have enough federal and state laws here in the U.S. to worry about.  But now that the GDPR dust has settled a bit, these U.S. companies may want to take a closer to look to confirm they aren’t captured within GDPR’s sweeping scope.

In this first installment of GDPR SIDEBAR, we address the fundamental threshold question of whether and to what extent a U.S.-based company must comply with the GDPR.  [click here for a primer on GDPR]

Continue Reading GDPR SIDEBAR: Should You Be Complying with the New Data Protection Law?

On September 20, the Ninth Circuit blocked the City and County of San Francisco from implementing an ordinance that would have required health warnings on advertisements for beverages that contain one or more added sweeteners and more than 24 calories per 12 fluid ounces of beverage. The Ninth Circuit’s panel opinion, in reversing a district court order, held the ordinance likely chilled protected commercial speech under the First Amendment.

The 2015 ordinance would have required that advertisements (not labels) for sweetened beverages contain an explicit health warning that “occup[ied] 20 percent of the advertisement [] set off by a rectangular border”, like so:

The American Beverage Association, the California Retailers Association, and the California State Outdoor Advertising Association (“Associations”) sued to enjoin the implementation of the ordinance on constitutional grounds.  The district court denied a preliminary injunction and the Ninth Circuit granted interlocutory appeal.

Under established precedent, regulations that compel speech by imposing a disclosure are governed by the framework set forth in the SCOTUS case of Zauderer v. Office of Disciplinary Counsel of Supreme Court of Ohio (1985) (upholding a state bar disciplinary rule requiring that attorney advertisements regarding contingent-fee rates inform clients they would be liable for costs (as opposed to legal fees), even if their claims were unsuccessful). The Zauderer framework historically had been applied to government-mandated disclosures needed to prevent consumer deception.

The Ninth Circuit panel opinion applied the Zauderer framework beyond the context of preventing consumer deception.  Under the framework, the Ninth Circuit held that compelled disclosures could be related to other substantial government interests, such as promoting public health, but had to be “factual and non-controversial” and not “unjustified or unduly burdensome.”

The San Francisco ordinance satisfied neither of these factors.  The Ninth Circuit panel observed the warning falsely conveyed the message that sweetened beverages contribute to obesity, diabetes, and tooth decay, regardless of the quantity consumed or other lifestyle choices.  This message was contrary to statements by the FDA that added sugars are “generally recognized as safe,”  and “can be a part of a healthy dietary pattern when not consumed in excess amounts.”

The Ninth Circuit also held the warning was misleading.  “By focusing on a single product, the warning conveyed the message that sugar-sweetened beverages were less healthy than other sources of added sugars and calories and were more likely to contribute to obesity, diabetes, and tooth decay than other foods.”  This message was found to be deceptive in light of the current state of research on the issue.

Finally, the court held the warning requirement unduly burdened and chilled protected commercial speech.  The panel observed the black box warning “overwhelms other visual elements” in the advertisement.  This, according to the panel, would defeat the purpose of the advertisement, “turning it into a vehicle for a debate about the health effects of sugar-sweetened beverages.”

Thus, the Ninth Circuit panel concluded that the Associations had shown a likelihood of success on the merits of their First Amendment claim.


The FTC announced last week a settlement with Blue Global Media, LLC  and its CEO Christopher Kay.  The company operated 38 Internet domains that solicited online loan applications from consumers.  The applications collected extensive sensitive personal information, including social security numbers, bank routing numbers, credit scores, and incomes. The company represented to consumers it would use this information to match them with “trusted lending partners” that offered the most favorable loan offers, for example, with the lowest interest rate and the highest qualified loan amount.  As alleged, Blue Media offered these leads to potential buyers through multiple “ping trees”, which are automated, instantaneous, auction-style processes common in the payday lending industry. However, the company’s ping tree participants were not required to be engaged in lending or use lead information to offer loans. In fact, Blue Media allegedly sold the lead to the first buyer, regardless of whether the buyer was a loan provider or offered favorable terms to the consumer.  Blue Media received from buyers up to $200 for each lead sold. Blue Media collected more than 15 million loan applications in this manner. It allegedly sold 26% of the applications to non-lenders, and less than 2% to lenders. In many cases, these lenders were not legally authorized to make loans.

In addition, Blue Media made a number of data security promises it did not deliver. For example, the company represented in its privacy policy that it employed industry-leading security protocols and technology and would “never store [consumers’] information, so your online identity is always safe.” In contrast, Blue Media allegedly shared consumer information indiscriminately, failing to impose any restrictions or conditions to protect against the unauthorized access, use, modification, or disclosure of consumer information.

The FTC alleged these practices constituted unfair and deceptive acts in violation of Section 5. The settlement includes a judgment seeking all revenue received from these practices, an amount over $104 M.

The FTC has recognized the proliferation of online lead generation in various industries.  On October 30, 2015 the FTC held a public workshop entitled “Follow the Lead,” focused on lead generation practices and related privacy and consumer protection issues, which we discussed here and here. Here are some key takeaways from this case and other FTC guidance documents for lead generation operators:

  • Implement transparency and consumer choice. Disclose clearly and conspicuously to consumers what information is being shared and with whom; and allow consumers to make informed choices about when and how to share their personal information.
  • Exercise caution when selling leads that aren’t purchased through the ping tree (commonly referred to as a “remnant lead”). Depending on the circumstances, you may be liable under the FTC Act if the buyer has no legitimate need for the information.
  • Vet potential lead buyers before doing business with them and monitor lead buyers for any misuse of consumer data.
  • Engage in data security protocols that are appropriate for the sensitivity of the information you are collecting.
  • Review your privacy policy regularly to ensure it accurately reflects your collection and disclosure practices.

Acting Chairman of the Consumer Product Safety Commission (“CPSC”) Ann Marie Buerkle highlighted her priorities and recent noteworthy developments in a recent newsletter.  She emphasized her desire to collaborate with stakeholders, to take a “balanced and reasonable approach” to regulation when data justifies rulemaking, and to use information campaigns to educate consumers and industry. She shared a few rulemaking updates, including movement on the revocation of the magnet standard from the CFR, oral presentations on the NPRM for portable generators, and progress on the NPR related to table saws.

Buerkle noted the following upcoming events:

  • Monthly educational webinar series sponsored by the CPSC’s Small Business Ombudsman. Last month they provided an overview of updates to the toy standard. More industry-specific resources to come.
  • Solicitation of stakeholder feedback on test burden reduction, recall effectiveness, and the FY 2018 & 2019 priorities. Stay tuned regarding these opportunities once dates are finalized.

Buerkle also noted two key staffing changes:

  • Robert Kaye was named Director of the Office of Compliance and Field Operations.  Mr. Kaye joined the CPSC from the Department of Education, but had spent most of his career at the FTC where he most recently was Chief Litigation Counsel in the Bureau of Consumer Protection.
  • Jim Joholske was promoted to Director of the Office of Import Surveillance. Mr. Joholske had been the deputy head of the Import Surveillance Office since it was first created as a division of Compliance a decade ago.

Chairman Buerkle has repeatedly emphasized transparency and encouraged stakeholders to share feedback with her and her staff about the CPSC’s performance.  We encourage companies and other entities to take her up on that offer, whether through formal submissions such as comments to proposed rulemaking or through informal channels. Anyone interested in subscribing to the periodic newsletter can call the CPSC at 301-504-7978 or send an email via the contact form on the website.


Late Wednesday evening, Democrat Elliot Kaye resigned as chair of the Consumer Product Safety Commission.  Republican Commissioner Ann Marie Buerkle has assumed the position of Acting Chair until a new chair is appointed by the President and confirmed by the Senate.  Kaye will remain on the CPSC as a commissioner, with a term set to expire October 2020.  Buerkle said in a statement last week, “I am honored to have the opportunity to lead CPSC as Acting Chairman as the agency transitions under a new Administration.”  She further stated,

I will work to enhance relationships so that CPSC can leverage the knowledge, insight, and expertise of the entire consumer product safety community. We are all consumers and what we do at CPSC impacts the lives and livelihoods of all Americans. If we take a thoughtful, collaborative approach, we will impact the culture of product safety in a positive and meaningful way.

Commissioner Buerkle has been vocal in her opposition to the CPSC’s recent proposals regarding voluntary recall notices and the 6(b) rules.  In a statement made last October, Buerkle advocated that the proposed rules be terminated, calling them “unsalvageable.”  She stated, “Any attempt to move forward now would put the staff in an extremely uncomfortable position of responding to harsh comments on ideas that did not originate with the staff.”

Buerkle’s elevation means that the Commission holds onto its 3-2 Democratic majority, at least until Commissioner Robinson’s term expires this October and the Trump administration appoints a Republican commissioner to replace her.

On January 19, 2017, Commissioners at the Consumer Product Safety Commission elected Commissioner Ann Marie Buerkle to be the next vice chair.  Commissioner Buerkle was appointed to the agency by President Obama in May 2013 with a term expiring in October 2018.   As vice chair, Buerkle would become acting CPSC chair if that position is vacated by Elliot Kaye.  Chairman Kaye, who was nominated by President Obama in 2014, has not indicated any intention to step down, but may be asked to leave, as CPSC regulations allow, by the new Administration.   If Chairman Kaye voluntarily steps down or is asked to leave, Vice Chairwoman Buerkle would assume the position of Acting Chair until a new chair is appointed by the President and confirmed by the Senate.

Commissioner Buerkle has been vocal in her opposition to the CPSC’s recent proposals to increase civil monetary penalties and to modify the voluntary recall program and 6(b) rules.  “Without question,” Commissioner Buerkle testified, “these initiatives undermine any engagement and collaborative efforts” between the Agency and all stakeholders, especially the regulated community. 

The election of Commissioner Buerkle comes one day before the White House ordered an immediate freeze of pending regulations. In a memo to federal departments and agencies, the Trump Administration said the freeze was designed to ensure President Donald Trump’s appointees or designees “have the opportunity to review any new or pending regulations.” The regulatory freeze halts until further notice any regulation yet to be sent or yet to be published in the Federal Register.  This includes a number of regulations proposed by the CPSC, in particular, the proposed 6(b) rules setting forth CPSC’s policy on the public disclosure of information from which the identity of a manufacturer or private labeler of a product can be ascertained. 

We will continue to monitor for further developments. 

The Department of Homeland Security (DHS) has published non-binding principles and best practices to help businesses work through key Internet-of-Things (IoT) security issues.   Entitled “Strategic Principles for Securing the Internet of Things (IoT), Version 1.0,” the principles seek to provide stakeholders with tools to account for security as they develop, manufacture, implement, or use network-connected devices.  The guidance is in line with DHS’ mission to secure cyberspace, protect critical infrastructure, and ensure public safety.  A summary of the principles follows.

  • Incorporate security at the design phase: Security should be evaluated as an integral component of any network-connected device.  Enable security by default; build the device using the most recent operating system and with hardware that incorporates security features.  Design the product with system and operational disruption in mind.
  • Promote security updates and vulnerability management: Mitigate security vulnerabilities after product deployment through patching, security updates, and vulnerability management strategies.  Develop automated mechanisms for addressing vulnerabilities, and develop a policy regarding the coordinated disclosure of vulnerabilities.
  • Build on recognized security practices: Start with basic software security and cybersecurity practices and apply them to the IoT ecosystem in flexible, adaptive, and innovative ways.  Refer to relevant sector-specific guidance, practice defense in depth, and participate in information-sharing programs.
  • Prioritize security measures according to potential impact: Recognize that risk models differ substantially across the IoT ecosystem and inform where security efforts should be directed.  Identify and authenticate devices connected to the network, especially for industrial consumers and business networks.  Perform a “red-teaming” exercise, where developers actively try to bypass the security measures needed at the application, network, data, or physical layers.
  • Promote transparency across IoT:  Determine whether vulnerabilities exist in the software and hardware components provided by vendors outside the organization.  Conduct end-to-end risk assessments that account for both internal and third-party vendor risks.  Consider developing a bug bounty program and a software bill of materials.
  • Connect carefully and deliberately:  Consider whether continuous connectivity is needed given the use of the IoT device and the risks associated with its disruption.  Advise IoT consumers on the intended purpose of any network connections.  Build in controls to enable selective connectivity.  Note that this principle departs from the FTC’s guide, “Start with Security: A Guide for Businesses”.  DHS notes that while it may be convenient to have continuous network access, it may not be necessary for the purpose of the device and may invite vulnerability.

In the press release announcing the guidance, Secretary of Homeland Security Jeh Johnson emphasized the importance of data security in the IoT space: “The growing dependency on network-connected technologies is outpacing the means to secure them. Securing the Internet of Things has become a matter of homeland security. Th[is] guidance [] is an important step in equipping companies with useful information so they can make informed security decisions.”