As privacy and personal data issues continue to be a focus of both legal action and media coverage, privacy policy statements are getting dusted off and reviewed by more eyes.  Imprecise or inaccurate policy statements, themselves, can expose a company to potential liability.  While most of the recent California Consumer Privacy Act (“CCPA”) attention has focused on the significant operational requirements, data flow classifications, attorney general future enforcement, and the limited private right of action for data breaches, perhaps the largest near-term CCPA risk issue will be how the law overlaps with other California consumer protection statutes, and litigation efforts focusing on alleged inaccuracy or deception based on the public statements companies make about their privacy practices.

CCPA’s Limited Private Right of Action

The Attorney General’s Office was granted wide discretion and enforcement powers to impose fines of up to $2,500 for unintentional violations and up to $7,500 for each intentional violation.  Cal. Civ. Code 1798.155.  The CCPA, however, provides for only limited private right of action for individual consumers related to data security breaches.  Cal. Civ. Code 1798.150.  Plaintiffs can recover actual damages or statutory damages of $100 to $750.  A broader potential private right of action was considered and would have permitted individuals to sue for any and all CCPA violations.  SB 561.  But that amendment failed to pass in May.

Where There’s a Will, There’s a Way?

But anyone expecting that companies will only face privacy-related consumer litigation in the context of a data breach is under-selling the risk.  While direct actions under the CCPA may be limited, the requirements of the CCPA may serve as the basis for claims under other consumer protection statutes.  And, importantly, the public statements and policies that companies issue will be scrutinized not just for their actual compliance, but for whether companies are fulfilling their own promises.  Indeed, nothing prevents individuals from filing putative consumer class action claims alleging false statements, unfair business practices, or misleading conduct on behalf of companies in connection with their privacy policies and practices.

What Types of Claims Are Likely to be Filed?

These claims are likely to be brought pursuant to other California consumer protection statutes, such as California’s Unfair Competition Law (Bus. & Prof. Code 17200), False Advertising Law (Bus. & Prof. Code 17500), and Consumer Legal Remedies Act (Civ. Code 1750).  For example:

  • Section 17200 prohibits “any unlawful, unfair or fraudulent business act or practice and unfair, deceptive, untrue or misleading advertising.”  Put differently, a violation of any other California law, including the CCPA, can serve as the basis for a claim.  That is true even where that underlying statute does not, itself, give rise to a private right of action.
  • Similarly, Section 17500 can give rise to a claim based on by disseminating untrue or misleading statements concerning the performance of services.  That would include statements made concerning the collection, use, handling, storage, dissemination, or destruction of personal information in connection with a business’s activities.
  • Finally, the CLRA prohibits a broad range of representations and statements concerning a company’s policies, procedures, and services.  In addition to actual damages, the statute also permits for recovery of punitive damages and recovery of attorney’s fees.

Courts have found that violations of internal policies and/or statements concerning those policies provide sufficient foundation for such actions.  See, e.g., In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197 (N.D. Cal. 2014) (plaintiffs’ allegations that they relied on Adobe’s claims that personal data would be protected sufficient to establish UCL standing); Smith v. Chase Mortg. Credit Grp., 653 F. Supp. 2d 1035, 1045-46 (E.D. Cal. 2009) (concluding that defendant’s alleged violation of internal policy provides basis for unfairness claim).   

Precision in Privacy Promises

These risks are a good reminder that it is critical not just to have the CCPA required disclosures in privacy statements and communications in response to consumer rights requests, but also to be vigilant and precise about the descriptions of privacy practices and how the company is honoring the rights requests.  In the end, a company’s statements about its CCPA compliance could end up triggering potential exposure far greater than anything available under the CCPA itself.

On another new episode of the Ad Law Access PodcastAlysa Hutnik starts at the beginning and explains a few of the issues you need to think about before starting a telemarketing texting campaign.

For additional information see the Ad Law Access blog posts:

To stay current on TCPA (and related) matters, case developments and petitions pending before the FCC, visit our monthly TCPA Tracker.

For a deeper focus on TCPA-related issues at the FCC, listen to the “Inside the TCPA” series on Kelley Drye Full Spectrum.

The Ad Law Access podcast is available now through Apple PodcastsSpotifyGoogle PlaySoundCloud, and other podcast services.

Yesterday, the FTC released a new guide and video designed to help influencers understand when and how they should disclose the relationships they have to the brands they endorse. The guidance doesn’t break new ground, and readers of this blog shouldn’t find too many surprises, but it does summarize the key requirements in an easy-to-read format.

Here are some key points:

  • The term “endorsement” should be read broadly. For example, simply tagging a brand, without anything more, can be an endorsement. (If there are any surprises here, it’s the idea that a “like” can be an endorsement. It’s not clear how the FTC expects companies to make disclosures when they “like” a brand.)
  • The term “relationship” should be read broadly, as well. If an influencer receives payments or free products, that’s obviously a relationship that should be disclosed. But even if an influencer just receives a discount or “other perks,” that could also trigger a disclosure requirement.
  • Disclosures should be hard to miss. For example, they should appear up-front, in conjunction with the endorsement, and in a manner that makes it likely that consumers will see them. The guides give some examples of how disclosures can be made in different platforms and media.
  • Disclosures should be made in clear language. If an influencer uses a hashtag, it should be something that consumers are likely to understand. For example, the FTC encourages influencers to avoid abbreviations and shorthand. Unfortunately, influencers may not be able to rely on platform tools to make disclosures.
  • Endorsements should be truthful and not misleading. For example, influencers shouldn’t talk about their experiences with products they’ve never used or praise products they don’t actually like. Similarly, they shouldn’t make claims that the advertiser can’t substantiate.

Although the guidance is directed to influencers, brands should also pay attention to the guides and ensure they communicate these requirements when they engage influencers to speak on their behalf.

The continuing questions over the extent of the FTC’s enforcement authority to obtain monetary relief under Section 13(b) did not stop the Commission from filing a lawsuit on November 1 against multi-level marketer Neora, LLC and its CEO Jeffrey Olson for purportedly operating an illegal pyramid scheme that used deceptive marketing to sell supplements, skin creams and other products.

Pursuant to Section 13(b), the FTC seeks an injunction to stop Neora’s alleged pyramid scheme and an award of restitution to return money to consumers. The lawsuit, filed in the District of New Jersey, alleges that Neora (formerly known as Nerium International) and its CEO offered false promises that potential distributors could earn financial independence if they joined the company’s pyramid scheme – while, in reality, most recruits would end up losing money.

The lawsuit comes as part of the Commission’s larger efforts to crack down on multi-level marketing pyramid schemes. But interestingly, when it saw the lawsuit against it coming, Neora opted to lodge an aggressive attack of its own against the FTC.

In a lawsuit filed in the Northern District of Illinois (Seventh Circuit) against the FTC, Neora and Olson asked the court to declare that its company did not operate as a pyramid scheme. The company’s complaint also asserted that the FTC is not authorized to seek restitution or disgorgement under Section 13(b) – effectively contending that the FTC’s attempt to punish Neora by seeking restitution is not available as a remedy.

So what happens next? As an initial matter, the Department of Justice will have first crack at the case, given that Neora is seeking a declaratory judgment. Regardless of whether DOJ or the FTC leads the government’s response, we would expect a motion for a change of venue from Illinois to New Jersey, with argument that it is not possible to litigate the motion for declaratory judgment without litigating the facts of the underlying case. If the court agrees, the case would be moved to New Jersey where there is binding precedent that is more favorable to the Commission’s position.

Section 13(b) Questioned in the Seventh Circuit

The company’s choice of forum was no doubt driven by the Seventh Circuit’s landmark decision earlier this year in FTC v. Credit Bureau Center LLC. In that case, the Seventh Circuit held that the FTC could not obtain monetary relief in the form of restitution under Section 13(b).  The court reasoned that Section 13(b)’s text cites injunctions as the FTC’s exclusive remedy, thus foreclosing the FTC from seeking restitution.  As we have reported previously, the Seventh Circuit’s decision overturned three decades of its own precedent and broke with eight other federal appellate courts.

The FTC has stated that the opinion will not change its enforcement behavior. In a recent panel discussion, FTC Chief Litigation Counsel Bikram Bandy remarked that Credit Bureau Center would not alter the Commission’s approach to deterring fraud by seeking restitution. In ongoing litigation where the FTC is seeking monetary relief from defendants, according to Mr. Bandy, the FTC has prevailed (so far) on all motions raised by opposing counsel that have attempted to assert the legal theories advanced in Credit Bureau Center as a means of blocking a restitution award.

However, Mr. Bandy also noted that the FTC’s desire to remain aggressive would continue in all circuits that have not adopted the Credit Bureau Center holding – which is to say, all circuits other than Seventh. Neora’s decision to file against the FTC in the Northern District of Illinois means that the court will not be able to ignore Credit Bureau Center’s holding relating to Section 13(b).

In a different development that also could have far-reaching implications for the FTC’s ability to obtain civil monetary penalties, the U.S. Supreme Court granted certiorari on November 1 in Liu v. SEC. The Supreme Court will consider whether the SEC may obtain disgorgement under the Securities Act, which only mentions “equitable relief.” The SEC has obtained disgorgement in many instances by asserting that it is a form of equitable relief, but Liu has asserted that disgorgement is a penalty – not an equitable remedy – and therefore is not permitted under a plain reading of the Securities Act. The Court’s interpretation in Liu could prompt courts to reevaluate whether Section 13(b) of the FTC Act allows for restitution.

The FTC’s Campaign Against Multi-Level Marketers

Why was Neora determined to go on the offensive? According to Neora’s complaint, the FTC has been “improperly” reinterpreting the law on pyramid schemes without proper legislation or rulemaking in an attempt to effectively outlaw multi-level marketing (MLMs.) Neora alleges that the FTC assumes that no incentives can be paid for recruitment of participating distributors, even when the MLM makes robust sales to satisfied consumers.

In a statement, Andrew Smith, the Director of the FTC’s Bureau of Consumer Protection, distinguished between legitimate MLMs and pyramid schemes, in alleging that Neora’s business model functions as part of the latter: “Participants in legitimate multi-level marketing companies earn money based on actual sales to real customers, rather than recruitment. But pyramid schemes depend on recruitment of new participants to pay out to existing participants, meaning that the vast majority of participants will ultimately lose money.”

In alleging that Neora directs its distributors to focus on recruiting instead of selling its product, the FTC cited a 2015 promotional video, where one of the company’s top earners remarked that distributors must take three steps to “explode” their business: “Number one. Recruit. Number two: Recruit. Number three: Recruit.” Beyond the recruitment-related allegations, the FTC also contended that Neora and its CEO deceptively promoted certain supplements as a means of curing concussions, chronic traumatic encephalopathy caused by brain trauma and Alzheimer’s disease.

Neora was not the only company targeted in the FTC’s investigation: the Commission also brought lawsuits against Signum Bioscienes and Signum Nutralogix. Unlike Neora, both Signum entities agreed to settle with the FTC. As per the terms of the settlement agreement, both entities will stop making certain claims relating to specific supplements at issue.

On a similar note, last month, the FTC announced it had entered into a $150 million settlement order with AdvoCare International, L.P. and its former chief executive officer. The settlement bans AdvoCare from the multi-level marketing business to resolve the FTC’s charges that the company operated an illegal pyramid scheme that deceived consumers into believing that they could earn considerable income as distributors of health and wellness products. In announcing the settlement, the FTC’s Smith stated: “The FTC is committed to shutting down illegal pyramid schemes like this and getting money back for consumers whenever possible.”

Firing Back at the FTC

But will the FTC be permitted to continue seeking such restitution awards? In Neora’s complaint against the FTC, the company alleges that the FTC had threatened to sue Neora in the Northern District of Illinois since July 2018 under Section 13(b). Neora claims that the FTC only threatened to sue in the District of New Jersey – where it eventually brought the lawsuit – as a result of the Seventh Circuit’s contrary opinion in Credit Bureau Center.

In a detailed “factual background” section in its complaint, Neora covers the “string of federal court losses” suffered by the FTC relating to the extent of its authority to file lawsuits without first exhausting its own administrative process, regarding its authority to recover monetary relief and relating to its authority to seek injunctive relief. Neora’s complaint predicts that “other Circuit Courts” will follow the Seventh Circuit’s lead in limiting the FTC’s enforcement powers to only restraining orders and injunctions under Section 13(b).

Thus, Neora seeks a declaration from the Northern District of Illinois that Section 13(b) does not authorize the FTC to seek “rescission or reformation of contracts, restitution, the refund of monies paid, disgorgement of ill-gotten monies, and other equitable relief” and instead only authorizes the Commission to seek injunctive relief for ongoing conduct.

If Neora succeeds, the FTC’s goal of “getting money back for consumers” would no longer be on the table – at least within courts in the Seventh Circuit. Neora’s hard-hitting approach to challenging the FTC’s claims against it – especially by invoking the ongoing debate over Section 13(b) – certainly bears watching.

Stay tuned for more installments of the “Section 13 (b)log.” 


On a new episode of the Ad Law Access PodcastAlysa Hutnik provides an update to the California Consumer Privacy Act (CCPA) including discussion of the amendments, the draft regulations, and she touches on some of the classification issues.

For additional information see the Ad Law Access blog posts:

The Ad Law Access podcast is available now through Apple PodcastsSpotifyGoogle PlaySoundCloud, and other podcast services.



In exactly two months, the California Consumer Privacy Act (CCPA) takes effect. Many businesses are devoting resources to timely comply, but between the late rollout of the Attorney General’s draft regulations, recent amendments to the law, and a lack of consensus in the industry on interpretation of key CCPA terms, tackling compliance can be daunting. Perhaps that’s why in two polls released this year, businesses have overwhelmingly told the International Association of Privacy Professionals that they are not prepared for the CCPA.

The enforcement penalties support good faith and reasonable efforts to achieve compliance, but the CCPA grants the Attorney General the ability to seek civil penalties of $2,500 for each violation of the law, without defining “each violation.” As with any new law, common sense typically prevails on what early enforcement will address. In general, such cases tend to be the obvious non-compliance, rather than the borderline cases.

Beyond penalties, the CCPA will set the standard for how businesses describe their data practices and privacy commitments to consumers. Non-compliant or confusing privacy messages or practices may have reputational and public relations costs as well. Importantly, the Attorney General cannot bring an enforcement action until, July 1, 2020, at the latest, but any such enforcement action can focus on noncompliance that began on January 1, 2020.

For businesses seeking to comply, and fast, we highlight considerations for prioritizing compliance efforts. Of course, each business is different, and consultation with legal counsel is the surest way to develop a plan to comply with the new law.

Priority: Consumer-Facing Obligations

The CCPA is laser-focused on providing consumers with the tools to exercise their rights to access, delete, or opt out of the sale of their personal information. In particular, the CCPA requires businesses to describe these rights and how they comply in their privacy policies and other required notices.

Companies can prioritize building consumer-facing processes and notices that demonstrate publicly that the business respects and complies with the CCPA. This prioritization includes:

  • Prioritizing Transparency: Post plain language, straightforward consumer notices that address the current CCPA requirements in a manner that a consumer would actually understand (a challenge given reports that many privacy policies require a college reading level). Reviewing privacy policies is often the first step that a consumer – or regulator – can take to see if a company is complying with the CCPA. Privacy policies are public representations and should be vetted to confirm that they accurately reflect a company’s practices and do not contain allegedly false or deceptive statements.
  • Adopting a Privacy-Centric Company Culture: Businesses can establish procedures for personnel, including customer service agents and others most likely to interact with California consumers, so they are prepared to handle privacy rights discussions, or escalate or transfer such requests to those who can. The more straightforward the process, the less likely consumers will become confused and complain. A spike in complaints can be a key source for regulators and others to scrutinize a company’s practices.
  • Creating User-Friendly Options for Privacy Rights Requests: Provide clear directions on how consumers can submit requests, and through which channels. In particular, the CCPA requires a toll-free number (except for online-only businesses) and, for companies that “sell” personal information, a link on the home page that enables consumers to opt out of the sale of personal information.
  • Setting the Right Tone: As with all customer interactions, tone and responsiveness matter. When a consumer makes a privacy rights request, provide a brand-consistent, friendly response within 10 days that confirms receipt and provides information about how the request will be processed.

Priority: Protect Personal Information

The CCPA encourages implementing and maintaining reasonable security procedures and practices. In particular, the CCPA provides a private right of action to any consumer whose unencrypted and unredacted personal information is subject to a security incident due to a business’s failure to implement and maintain reasonable security procedures and practices. Among other remedies, the CCPA provides for statutory damages of $750 per consumer per incident or actual damages, whichever is greater.

Given the significant potential for litigation and statutory damages, prioritizing cyber security is more important than ever. “Reasonable Security” includes:

  • Compliance with Reasonable Industry Standard Practices: As described in a prior California Attorney General report, Critical Security Controls identified by the Center for Internet Security provide a “minimum level of information security that all organizations that collect or maintain personal information should meet.” These controls include reviewing hardware and software connected to a company’s network; implementing key security settings; limiting user and administrator privileges; assessing vulnerabilities and patching holes to stay current; securing critical assets and attack vectors; defending against malware and intrusions; blocking vulnerable access points; providing security training to employees and vendors with access to the network; monitoring accounts and network audit logs; testing defenses; and planning a response to security incidents. Importantly, businesses should document these efforts. Being able to demonstrate that it followed these controls, and how, will be a critical part of a company’s defense.
  • Third-Party Liability for Vendor Compliance: An important aspect of the business/service provider relationship is that a business that discloses personal information to a service provider “shall not be liable … if the service provider … uses it in violation of the [CCPA], provided that, at the time of disclosing the personal information, the business does not have actual knowledge, or reason to believe, that the service provider intends to commit such a violation.” Businesses can review vendor contracts, vendor-posted public terms, vendor descriptions of their services and how they use data, as well as vendor privacy policies and data processing addenda, to support that a vendor reasonably qualifies as a “service provider” and that there are no “red flags” that could provide a basis for third party liability. Depending on how many vendors a business has, it may be reasonable to tackle these efforts by tiered priority.

Priority: Plan for the CCPA’s Impact on Your Digital Advertising

A key area of interest is how the CCPA defines the “sale” of personal information, and how the definition applies to Ad Tech relationships and different services, including the variety of ways your company may use interest-based advertising, enrich your existing data sets, use different types of data analytics services, use matching and re-targeting, or target your advertising to certain defined audience segments.

In particular, publishers may be considered to have “sold” consumer personal information when they pass along persistent identifiers to other Ad Tech participants depending on the relationship with such participants, and how such participants use the data. Just as important, companies that use service providers to assist with their advertising and data analytics efforts should evaluate and firm up such classifications. For partners that are not intuitively service providers or obvious recipients of data sales, more analysis and industry benchmarking on interpretations are likely warranted.

The Interactive Advertising Bureau proposes a framework that will enable publishers and their partners to comply with the CCPA’s provisions on the “sale” of consumer data by providing publishers a technical solution to signal to partners that a consumer has opted out of the “sale” of their personal information. The framework will bind Ad Tech participants using a limited service provider contract. Through this arrangement, the framework maintains the availability of interest-based advertising, but restricts participants in their use of personal information to strictly business purposes.

Otherwise, for companies engaged in digital advertising and analytics, some priorities include:

  • Assessing the “Sale” of Personal Information: Review any disclosure of personal information to other businesses and determine if that disclosure counts as a “sale” for purposes of the CCPA. If so, develop a plan to comply with the CCPA’s requirements.
  • Cataloging Cookies and Pixel Tags: Companies that have contracted with Ad Tech vendors to place cookies or fire pixel tags should catalog these activities and determine the extent to which they represent a “sale” of personal information, or if they reasonably qualify as service provider support. Alternatively, the Company may choose to block them from collecting personal information on the Company’s sites.

If you have any questions about compliance obligations under the CCPA, please contact Alysa HutnikKatie Townley, or Alex Schneider.

FTC Commissioners Rebecca Kelly Slaughter and Christine S. Wilson recently sat down with Cameron Kerry at the Brookings Institution to discuss the FTC’s role in privacy. Although the Commissioners did not agree on everything, both identified the FTC as the best agency to enforce privacy wrongs. The Commissioners also shared their views on issues such as notice and consent, data ownership, privacy harms, and FTC authority.

Both Commissioners agreed that “notice and consent” is an ineffective model. Instead, Commissioner Slaughter suggested focusing on consumer expectations as to how companies will use their data. Commissioner Wilson agreed, but suggested that any new model provide predictability and certainty for businesses in light of laws such as the CCPA and GDPR. Neither Commissioner thought the data ownership model was a proper alternative to “notice and consent,” and Commissioner Slaughter further noted that paying consumers for their data may actually exacerbate data use issues.

The Commissioners also discussed what harms the agency looks for in bringing privacy cases, and what harms any privacy legislation should address. Commissioner Wilson pointed to the FTC’s past enforcement actions, including a recent settlement against app developers who created apps to surreptitiously stalk individuals’ phones. Commissioner Slaughter suggested broadening the legislature’s and agency’s definition of privacy harms to consider new issues, such as data use and targeting that lead to child suicide and self-harm. She noted that harms should not need to be quantifiable to be cognizable.

In terms of how the FTC should use its enforcement authority, the Commissioners agreed that the agency should consider competition in privacy enforcement actions, but they disagreed as to how far to push the limits of the FTC’s authority. For Commissioner Slaughter, the important question is, “What are consumers’ reasonable expectations?” In the Facebook case, for example, Commissioner Slaughter wanted to pursue litigation to push for more transparency and limits on the company’s data collection and use. She noted that litigation is a good tool with which to identify the limits on the agency’s authority. Commissioner Wilson, on the other hand, was concerned about attempting to legislate through a settlement, and viewed the consumer relief in the case as “real and meaningful,” as evidenced by the company having already made changes to its practices as a result of the settlement.

Both Commissioners Slaughter and Wilson agreed that the FTC needs rulemaking and civil penalty authority in the first instance of an enforcement action, although Commissioner Wilson clarified that she thinks rulemaking authority should be limited, similar to COPPA. Both Commissioners also agreed that the FTC needs more resources for enforcement.

The FTC Commissioners also expressed a variety of views on what privacy legislation should look like, but noted that creating the law is ultimately up to Congress. Whether the legislature will pass privacy legislation remains to be seen. In the meantime, businesses will need to stay vigilant monitoring FTC privacy enforcement trends and business guidance, as well as the enactment of new state privacy laws and related state enforcement, private litigation, and relevant industry self-regulatory frameworks, such as the recently proposed IAB CCPA Framework.

The National Advertising Review Board (“NARB”) recently upheld an NAD decision regarding Goya Foods, Inc.’s claim, “La Pasta Favorita de Puerto Rico” or “Puerto Rico’s Favorite Pasta,” finding that the claim was not puffery and that it required substantiation. As we summarized here, NAD previously determined that use of the term “favorite” in this context was an objective claim that required sales data or consumer survey data as support. NARB agreed.

Although Goya did not have sales or survey data, the company argued that “favorite” was “subjective and immeasurable,” especially in light of the other fanciful claims present on the label such as “delicious.” Goya also pointed to an Eighth Circuit case that found that the word “favorite” was puffery in the context of the claim, “America’s Favorite Pasta.”

NARB was not convinced, determining that here, “favorite” conveys an objective preference message that requires substantiation. NARB noted that the Spanish definitions of “favorite,” like the English definitions, convey a message of preference. Although consumers may have different reasons for identifying a pasta as their favorite, they could easily determine which product was their “favorite” if given a survey.

NARB also noted that as a self-regulatory body, neither NAD nor NARB is bound by the Eighth Circuit ruling. Still, NARB did not think its decision conflicted with the Eighth Circuit case, as evaluating whether something is puffery is a fact-specific determination that depends on the context of the claim. In this context, “favorite” was an objectively provable claim. Thus, NARB upheld NAD’s suggestion that Goya discontinue use of the “favorite” claim.

Companies considering a “favorite,” “first,” or “best” claim should not assume that the terms are automatically puffery. Instead, advertisers should consider the context of the claim and whether that context conveys a message that requires substantiation.

With the new CCPA draft regulations out, you may be wondering—how can I comment?  What are the deadlines?  When will the draft regulations be finalized and go into effect?  This blog post summarizes the process and timing for the CCPA proposed regulations.  Businesses should consider filing comments to provide the Attorney General’s Office with insights on the operational and practical effects of some of the regulations as proposed, particularly where there may be unintended consequences and effects that were not sufficiently considered.  This blog post also walks through California’s rulemaking process under the California Administrative Procedures Act to provide more insights on the realistic timeframe for when the draft rules are likely to be finalized and go into effect.

CCPA Hearings and Comment Process

Comments are important if businesses are concerned about the proposed draft CCPA regulations.  The Attorney General’s Office is required to consider all relevant and timely comments, both written and oral.  After the comment period ends, the Attorney General’s Office also must respond to these comments in a document called the “Final Statement of Reasons,” which will explain how the Office modified the proposed regulations to accommodate the comments.

The deadline to submit written comments is December 6, 2019 by 5:00 p.m. (PST).  Any interested party, or someone authorized to act on their behalf, may submit written comments regarding the proposed CCPA regulations.  This can be done by sending the comments, by email, to  Comments also can be submitted in-person at the public hearings, or by mail to:

  • Privacy Regulations Coordinator
    California Office of the Attorney General
    300 South Spring Street, First Floor
    Los Angeles, CA 90013

There will be four hearings to provide an opportunity for interested parties to present their feedback as follows:  December 2 (Sacramento), December 3 (Los Angeles), December 4 (San Francisco), and December 5 (Fresno).  All hearings start at 10 am.

Expected Timing for the Final Rules?

It depends, but as a practical matter, the earliest they could be finalized and effective is likely April 1, 2020 (and that’s if there are no substantive changes made).

In response to the comments filed, the Attorney General may decide to make changes to the proposed CCPA draft regulations.  If only non-substantial changes are made, there is no further notice and comment period.  If the changes are substantial but reasonably foreseeable (in light of the initial proposed regulations), there is an additional 15 day notice and comment period required. If there are substantial proposed changes that are not sufficiently related to the original proposed regulations, the Attorney General’s Office will need to repeat the full 45 day notice and comment process (this is less likely to occur).

If the agency relies on new material outside of the initial statement of reasons for the originally proposed draft regulations, it must make this material available for comment for 15 days.

Once the Attorney General’s Office completes its review of all comments on the additional proposed changes, and the notice and comment periods are exhausted, the Office will submit the rule to Office of Administrative Law, which has 30 working days to review the rulemaking record and confirm it is consistent with administrative procedure requirements.  If all is in order, that office will file the adopted rules with California’s Secretary of State.

The final CCPA rules’ effective date depends on the date that they are filed with the Secretary of State.  For example:

  • If filed September 1 – November 30: the effective date is January 1.
  • If filed December 1- February 29: the effective date is April 1.
  • If filed March 1 – May 31: the effective date is July 1.
  • If filed June 1 – August 31: the effective date is October 1.

These effective dates may vary based on a variety of factors, but generally the effective dates follow the timeline outlined above.  Once the final rule is adopted it has the force of law.

Our firm will continue to review draft CCPA regulations as we work with clients to develop practical guidance on complying with the CCPA. If you have questions on how the regulations may impact your business, or if you would like our assistance with drafting comments to the regulations, please contact Alysa HutnikKatie Townley, or Khouryanna DiPrima.



The reach of Section 13(b) of the FTC Act – and the extent of the FTC’s enforcement authority — has been a hotly-debated topic following the Third Circuit’s decision in Shire ViroPharma and the Seventh Circuit’s decision in Credit Bureau Center.  

In this first installment of what we are calling the “Section 13 (b)log,” we summarize a recent discussion between Bikram Bandy (FTC Chief Litigation Counsel), John Villafranco (Kelley Drye), Berin Szoka (Tech Freedom), and Noah Kaufman (Morgan Lewis) on this issue during an ABA Antitrust Law Section panel, revisit the Shire and Credit Bureau Center cases, and opine as to the next steps that the Supreme Court may take when it weighs in on Section 13(b). [Find our original posts on these cases here and here]

In recent months, there has been a good deal of speculation — if not hand-wringing — as government lawyers and private practitioners grapple about the reach of Section 13(b) of the FTC Act following  the Third Circuit’s decision in Shire ViroPharma and the Seventh Circuit’s decision in Credit Bureau Center. 

On Friday, Bikram Bandy (FTC Chief Litigation Counsel), John Villafranco (Kelly Drye), Berin Szoka (Tech Freedom), and Noah Kaufman (Morgan Lewis) discussed this issue during an ABA Antitrust Law Section panel.

During his remarks, Mr. Bandy stated that the two cases have had only a limited effect on FTC enforcement decisions, and he expects no major changes to the Commission’s long-time approach moving forward.  In ongoing litigation where the FTC is seeking monetary relief from defendants, according to Mr. Bandy, the FTC has prevailed (so far) on all motions raised by opposing counsel that have attempted to assert the legal theories advanced in Shire ViroPharma or Credit Bureau Center as a means of blocking a restitution award.

As followers of the agency and readers of this blog know, the FTC has regularly sought restitution or other monetary relief as a remedy for fraud, deceptive conduct, or other wrongful acts under Section 13(b).  According to Mr. Bandy, that strategy will not change: the FTC will continue to be aggressive, at least in the numerous circuits that have not adopted the holdings in Shire ViroPharma or Credit Bureau Center – which is to say, all circuits other than the Third and Seventh.

While Mr. Bandy was confident in the FTC’s prospects for obtaining restitution, other panelists made clear that there could be choppy waters ahead.  Mr. Villafranco made the point that the FTC should expect to face more defendants who are willing to litigate, as opposed to agree to a settlement order, based on the possibility that they may not have to pay a single dollar, as opposed to settle for tens or hundreds of millions.  The Supreme Court also could weigh in on the correct interpretation of Section 13(b), as two important petitions for certiorari were filed by defendants in Section 13(b) cases on Friday – increasing the likelihood that this issue is headed to the Roberts Court for resolution.

Shire and Credit Bureau Center, Revisited

By way of review, the Third Circuit held earlier this year in FTC v. Shire ViroPharma Inc. that the FTC cannot bring a case under Section 13(b) unless the FTC can articulate specific facts that a defendant is violating or is about to violate the law.  In other words, the Third Circuit decided Section 13(b) authorizes the FTC to bring a lawsuit in federal court only in cases of ongoing or imminent – as opposed to past – misconduct.

During the panel discussion, Mr. Bandy commented that most of the Commission’s enforcement activities involve ongoing conduct.  Therefore, the Third Circuit’s holding would not foreclose the Commission’s enforcement efforts.  Despite this, Mr. Bandy remarked that the Third Circuit’s decision left some important questions unanswered, especially relating to the timing around when the wrongful conduct ended.  The conduct by the defendant in Shire ViroPharma had ceased five years earlier, with no evidence of recurring conduct in the interim.  Mr. Bandy said it remains unclear how a court would view a closer call – such as where the conduct ceased only two months prior or where the conduct had stopped only after the FTC issued a Civil Investigative Demand.

Mr. Bandy noted that one effect of the Shire ViroPharma decision is that the FTC is requesting parties sign tolling agreements when they engage in investigations under Part 2 of the FTC’s Rules of Practice.  Mr. Villafranco expressed reservations about signing an agreement that could impair any number of equitable defenses, particularly when it is combined with the waiver of any other defense based on the timeliness of asserted claims.  He also expressed concern about the broadening of the scope of liability beyond what the courts might conclude is the correct reach under Section 13(b).

Mr. Kaufman (counsel in the Shire ViroPharma case) commented that the FTC likely would have sought certiorari review if the Shire  case was “close” – and the Commission’s decision not to seek such review is telling.  He commented that the holdings in both Shire ViroPharma and Credit Bureau Center emphasize that the plain text of Section 13(b) should govern, and that both cases were correctly decided.

In FTC v. Credit Bureau Center LLC, decided six months after Shire ViroPharma, the Seventh Circuit held that the FTC could not obtain monetary relief in the form of restitution under Section 13(b).  The court sided with the defendant’s argument that, because Section 13(b)’s text cites injunctions as the FTC’s exclusive remedy, the FTC could not seek restitution.  The Seventh Circuit’s decision overturned three decades of its own precedent and broke with eight other federal appellate courts.

Bandy said although this holding is a setback, the FTC would proceed “full speed ahead” in all other circuits besides the Seventh Circuit in attempting to obtain restitution when appropriate.  However, if Credit Bureau Center’s holding is approved in other circuits (or if the Supreme Court decided that Section 13(b) did not authorize monetary relief), the FTC would be forced to rely on its own administrative adjudication process – a process that is slow-moving — rather than seeking restitution in federal courts, Bandy said.

Petitions for Certiorari: How Will the Supreme Court Weigh In?

The panelists speculated that the Supreme Court would be asked to clarify the Section 13(b) circuit split and weigh in relating to the FTC’s authority to seek restitution.  Later in the day, this prediction proved correct, as two petitions for certiorari were filed on Friday pertaining to Ninth Circuit cases where the FTC’s ability to obtain monetary relief under Section 13(b) was upheld.

In FTC v. AMG Capital Mgmt., LLC, 910 F.3d 417 (2018), the Ninth Circuit affirmed the FTC’s ability to obtain monetary relief under 13(b) because it was bound by precedent.  Notably, there was subsequent motions practice in the district court case directly about the holding in Credit Bureau Center, and the FTC prevailed in its argument that 13(b) permitted monetary relief.  In FTC v. Publishers Business Services, No. 17-15600 (9th Cir. 2018), the Ninth Circuit again upheld the FTC’s ability to obtain monetary relief, finding that 13(b) grants district courts the power to impose equitable remedies, including restitution and disgorgement of unjust gains in these cases.

Because cert petitions were filed in AMG Capital Mgmt and Publishers Business Services, the FTC now has to grapple with its next steps in Credit Bureau Center.  If the FTC also opts to file a petition for cert in that case to challenge the Seventh Circuit’s holding, the Supreme Court would have several pending cert petitions before it raising the same (or similar) issues.  The Supreme Court could choose to hear the first-filed case, or adopt a procedure whereby it would combine the pending petitions.  The court also could decide to take neither case, although that may be unlikely given the Credit Bureau Center ruling created a direct circuit split.

While practitioners await the Supreme Court’s guidance on the future of Section 13(b), the panelists provided their perspective on how the current legal framework will impact ongoing litigation.  Mr. Villafranco observed that, until the issue is definitively resolved, it will be raised by defendants in virtually every case the FTC brings under the statute.   Sure enough, on Thursday of last week a motion to dismiss was filed by the defendant in Federal Trade Commission v. Match Group, Inc. (N.D. Tex.).  Match contended that the FTC was wrongly seeking injunctive monetary relief against it based on its purported unfair practices because its conduct had been permanently discontinued.  Match’s brief also asserted that monetary relief, including restitution, should not be available as a remedy.  The Fifth Circuit has not adopted Shire ViroPharma or Credit Bureau Center, so it will be interesting to see how the court weighs these arguments.

A Legislative Fix?

The FTC also intends to seek a legislative remedy to settle the confusion over Section 13(b), as Congress could rewrite the statute to clarify the FTC’s power. The panelists agreed that legislative action would be the best outcome but it is far from certain that Congress will act.

Mr. Szoka said Congress should take concrete action to fully revise and reconsider the FTC’s mandate – a process that Congress only undertook in 1994, 1996 and 2006 and only for limited purposes.  Because the FTC maintains uniquely broad power, Szoka commented that the FTC Act needs a better enforcement structure that consistently spells out standards for settlements, the investigative process, and other issues relating to enforcement.

However, many are aware that even when there is bi-partisan support for a bill in Congress, having Congress act – and pass actual legislation — is an unlikely outcome.

Although the future of FTC enforcement power is unclear, what is clear is that Shire ViroPharma and Credit Bureau Center will impact the FTC’s enforcement choices until they are resolved.  The holdings in these seminal cases place all parties who deal with the FTC on shifting ground until the FTC’s enforcement power is clarified by either the Supreme Court or Congress.

Stay tuned for more installments of the “Section 13 (b)log.”