Welcome to our monthly roundup of regulatory and litigation highlights impacting the dietary supplement and personal care products industries.


NAD tackled substantiation for “#1 Dermatologist Recommended” claims in a challenge involving L’Oreal’s CeraVe moisturizer and use of syndicated survey data to support related claims.

Health claim substantiation was front and center in a Council for Responsible Nutrition-led challenge involving glutathione and the level of evidence required to support claims relating to low-glutathione levels.


Indirectly related to dietary supplements and consumer care, the FTC announced a settlement with app-maker Flo regarding allegations that the company shared the health information of users with outside data analytics providers after promising that such information would be kept private.

As we noted here, the FTC has new civil penalty authority relative to false COVID-related advertising claims and practices.


As it has since relaxing the regulatory standards relative to manufacturing of hand sanitizers in March 2020, FDA continued issuing warning letters related to hand sanitizer products that contain active ingredients other than those allowed per the hand sanitizer tentative final monograph, primarily methanol, and relative to hand sanitizers that are allegedly sub-potent.

The agency also continued its enforcement relative to COVID-related claims with warning letters issued to AusarHerbs and Allimax US (joint warning letter with the FTC), as well as non-COVID-related letters to companies whose products featured claims relating to joint health, hair loss, and inflammation, which caused the products to be considered unapproved new drugs.  The letters rely heavily on evidence from social media posts, blog posts, and product websites.

Prop 65

Our sister blog, Kelley Green Law, featured two Prop 65 developments that may impact certain products, including Prop 65 warnings required on products that may expose consumers to THC and a proposal to minimize use of the short form warning format.  Also, although not directly in the personal care space, given the proliferation of many products that feature disinfectant claims, companies may want to note this post regarding EPA enforcement on unregistered disinfectants.

Class Action Litigation

In a significant win for the dietary supplement industry, the Ninth Circuit Court of Appeals upheld the Northern District of California’s grant of summary judgment to Target Corp., ruling that state law false advertising challenges to permissible structure/function claims are preempted by the Federal Food, Drug and Cosmetic Act.  See our blog post discussing the case here.

Other highlights from courtrooms around the country include…

Southern California skincare company Yes To Inc. agreed to pay $775,000 to a proposed class of consumers to resolve allegations it misrepresented the dangers of its Grapefruit Vitamin C Glow-Boosting Unicorn Paper Mask, which was recalled after a flood of consumers reported facial skin irritation and burning. (Law360 subs. req’d.)

A California federal judge has thrown out for the last time a proposed class action alleging that Johnson & Johnson Consumer Inc. and Bausch Health US LLC misled customers about the safety of their talc products, saying even after five chances to amend the complaint, the pleadings still fall short.  (Law360 subs. req’d.)

Skincare company Murad LLC was hit with a proposed class action claiming the company deceived buyers by wrongly representing its moisturizer as “oil-free” when the product actually contains oils.  (Law360 subs. req’d.)

A woman suing Charlotte’s Web Holdings Inc. argued that the CBD company shouldn’t be able to pause or escape her proposed class action over its labeling of products as dietary supplements, saying that identifying them as such violates state and federal laws. (Law360 subs. req’d.)  There are several cases involving this issue.  See a recent post on this issue on Cannabis Law Update.

*                      *                      *

Thanks for reading our first installation of the dietary supplement and personal care monthly highlights.  See you in March!

Advertising and Privacy Law Resource Center

Two articles from the weekend perusal of the Washington Post are worthy of mention here.  First, it seems that pandemic eyebrows are driving us all crazy.  I don’t have an answer for that problem other than to acknowledge that the struggle is real and none of us stands alone.

Pandemic Eyebrows

Second, and possibly more importantly, WaPo reported that there has been an uptick in consumer complaints relating to companies charging hidden covid fees to cover the costs of personal protective equipment, enhanced cleaning, etc.  The article states as follows:

“According to a survey by The Washington Post of attorney general offices and financial departments in 52 states and territories, U.S. consumers in 29 states have filed 510 complaints of coronavirus-related surcharges at dentist offices, senior living facilities, hair salons and restaurants.”

The article includes discussion of several facilities of the types listed above and fee-related complaints and conundrums.

As the readers of this blog know, customer complaints can contribute to regulatory scrutiny of individual businesses or business practices.  Fees relating to safety equipment and cleaning may be allowed in many contexts, but they must be disclosed.  Failure to disclose may run afoul of federal and state consumer protection laws.  Put another way, there’s no shame in hiding your covid brows, but don’t try to hide covid fees.


For additional information on COVID-19 issues, visit our COVID-19 Response Resource Center. For advertising, privacy, and consumer protection issues, visit the Advertising and Privacy Law Resource Center and subscribe to the Ad Law Access podcast and blog.

As 2020 drew to a close and Congress scrambled to reach a deal to continue funding the federal government, tucked in amidst the 2124 pages of the 2021 Appropriations Bill is a new power for the FTC:  civil penalty authority for deceptive COVID-related acts and practices.  Titled the COVID-19 Consumer Protection Act (see page 2094 here), the law states as follows:

(b) For the duration of a public health emergency declared pursuant to section 319 of the Public Health Service Act (42 U.S.C. 247d) as a result of confirmed cases of the 2019 novel coronavirus (COVID–19), including any renewal thereof, it shall be unlawful for any person, partnership, or corporation to engage in a deceptive act or practice in or affecting commerce in violation of section 5(a) of the Federal Trade Commission Act (15 U.S.C.45(a)) that is associated with—

(1) the treatment, cure, prevention, mitigation, or diagnosis of COVID–19; or

(2) a government benefit related to COVID–19.


(1) VIOLATION.—A violation of subsection (b) shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)).

The civil penalty authority is granted through the duration of the current public health emergency.  The current maximum civil penalty amount per violation is $43,280.

Here’s why this is significant:  The FTC generally does not have authority to seek civil penalties for a first violation of the FTC Act.  However, if a company or individual is subject to an order and then violates that order or where the FTC has obtained a final cease and desist order via litigation and subsequently put a non-party on notice of a violation, the FTC can seek civil penalties.   With the authority granted in the COVID-19 Consumer Protection Act, though, the FTC can identify practices relating to COVID-19 treatment, cure, prevention, mitigation, diagnosis, or a government benefit that the agency considers deceptive per Section 5 of the FTC Act and seek civil penalties for that violation.

The law does not specify how each violation will be calculated.  However, at a recent webinar, the Rose Sheet reports that Richard Cleland, FTC Assistant Director for Advertising Practices, indicated that “Every ad is a separate violation and every day that that ad runs or is disseminated to the public is a separate violation.”

As we chronicled, the FTC issued hundreds of COVID-related warning letters relating to deceptive COVID claims during 2020.  And yet, the agency faced criticism from members of Congress who questioned why the FTC did not pursue financial remedies on consumers’ behalf.  With the rollout of the vaccines, potentially more financial assistance in the works, and the virus raging on, the FTC has a larger hammer than it did just a year ago and advertisers of COVID-related products should expect them to use it.


For additional information on cannabis matters, visit our Cannabis Law Update blog. For more information on FTC and other regulatory matters, visit the Advertising and Privacy Law Resource Center and subscribe to the Ad Law Access podcast and blog.

Seven months after being called upon by members of Congress to investigate Zoom’s data security practices, a divided FTC announced on November 9 a settlement with the videoconferencing platform.

The FTC’s five-count administrative complaint alleges that Zoom deceived users about several of its security features and harmed users by circumventing security and privacy controls provided by their operating systems and browsers.  The proposed consent order requires Zoom to make changes to its data security practices, implement a comprehensive information security program, and obtain independent assessments of its program for 20 years after entry of the order – but does not require the company to pay monetary relief.  In separate dissents, Commissioners Chopra and Slaughter argue that the proposed relief does not go far enough.

Companies watching the FTC’s data security enforcement trends will want to take note of two main takeaways: claims about the strength of security protections in products and services warrant close scrutiny, and software deployments that weaken or circumvent other security controls on users’ devices will likely receive a tough reception from the FTC.

Allegations in the FTC’s Complaint

Deception.  Although Zoom has grown rapidly during the coronavirus pandemic, much of the FTC’s complaint focuses on conduct that predates the massive shift to videoconferencing as a substitute for in-person family, business, social, and religious gatherings.  Specifically, the FTC alleges that Zoom misrepresented several features of its service through blog posts, user documentation, and other publicly available statements:

  • End-to-end encryption: Zoom asserted that it used end-to-end encryption (i.e., encryption that only the parties to a communication can decipher) but did not disclose that, for most versions of its service, Zoom stored encryption keys that would also allow Zoom to decrypt users’ communications.
  • Level of encryption: Zoom claimed to use 256-bit encryption keys but apparently used 128-bit keys.
  • Unencrypted storage: Zoom stored meeting recordings in unencrypted form for 60 days before moving them to encrypted storage.
  • Disguised updates: A software update billed as providing “minor bug fixes” did not disclose that it would install a web server on users’ devices.

Unfairness.  In addition, the FTC alleges that Zoom unfairly harmed users’ privacy and security interests by installing a “secret” web server as part of a 2018 update to its app for Apple Mac computers.  According to the complaint, this update worked around privacy and security protections in the Safari browser and exposed Zoom users to potential phishing, denial of service, and remote code execution vulnerabilities.  The complaint notes that Zoom users share health, financial, proprietary and other sensitive information but does not describe actual breaches involving such information.

Proposed Order Provisions

The Zoom order is generally consistent with recent changes in FTC data security orders, which reflect the agency’s efforts to ensure that its orders are specific enough to be enforceable, set tighter standards for security program assessments, and impose requirements for managerial oversight and order compliance.  Along these lines, key requirements in the Zoom order are as follows:

  • Comprehensive Information Security Program.  Zoom’s security program that Zoom must, at minimum, meet 10 families of requirements, most of which consist of multiple sub-requirements.
  • Independent Assessments.  Zoom must obtain independent security assessments every other year during the order’s 20-year term.  Among other requirements, the assessor must identify the evidence obtained to support its conclusions and may not rely on “primarily on assertions or attestations” by the company.
  • Annual Certifications.  A “senior corporate manager” must file an annual certification stating that the company has met the requirements of the order and is not aware of any “material noncompliance” that has not been corrected or disclosed to the FTC.
  • Incident Reporting.  Finally, Zoom must report to the FTC instances of unauthorized access to or acquisition of recorded or livestream video or audio content within 30 days of discovering such an incident, unless the incident affects fewer than 500 users or meets other exceptions.

Dissents:  A Preview of the Next FTC?

Consistent with their dissents in a string of major privacy and data security cases (e.g., YouTube and Facebook), Commissioners Chopra and Slaughter criticize the Zoom settlement for falling short in the relief provided to consumers and the changes required in Zoom’s business practices.

Perhaps most significantly in light of the potential changes in store for the FTC under a Biden-Harris administration, Commissioners Chopra and Slaughter endorse a list of seven recommendations to “restore credibility” (in Commissioner Chopra’s words) and “improve the effectiveness” of the FTC’s enforcement efforts:

  1. Strengthen orders to emphasize more help for individual consumers and small businesses, rather than more paperwork.
  2. Investigate firms comprehensively across the FTC’s mission.
  3. Diversify the FTC’s investigative teams to increase technical rigor.
  4. Restate existing legal precedent into clear rules of the road and trigger monetary remedies for violations.
  5. Demonstrate greater willingness to pursue administrative and federal court litigation.
  6. Increase cooperation with international, federal, and state partners.
  7. Determine whether third-party assessments are effective.

With respect to Zoom in particular, Commissioner Slaughter argues that the company’s practices harmed consumers’ privacy interests and that a “more effective order” would require Zoom to address privacy and security risks in its services.  Despite the greater specificity in the Zoom order compared to FTC data security orders of a few years ago, Commissioner Chopra criticizes this settlement as a “status quo approach” that does not provide for direct notice or relief for Zoom’s customers.

For more information on the FTC and other topics, visit:

Advertising and Privacy Law Resource Center


In a series of orders issued earlier this month, Judge Dale S. Fischer of the Central District of California dealt two strikes to putative class claims against ticket merchants Ticketmaster/LiveNation and StubHub that seek refunds for Major League Baseball games cancelled or “postponed” in the wake of the coronavirus pandemic.  See Ajzenman, et al. v. Office of the Commissioner of Baseball, et al., No. 2:20-cv-03643 (C.D. Cal. Apr. 20, 2020).

In April, fans hit the MLB, 30 MLB teams and the ticket merchants with a proposed class action lawsuit alleging that the postponement of games (as opposed to the cancellation of games) was a conspiratorial decision to avoid paying refunds to fans for their tickets.

Of the initial eight named plaintiffs in the suit, just three purchased tickets directly from the ticket merchants—one from Ticketmaster/LiveNation, and two from StubHub.  Judge Fisher compelled all three of these plaintiffs to arbitrate their claims.  Relying on Lee v. Ticketmaster LLC, 817 F. App’x 393 (9th Cir. 2020) and related caselaw, Judge Fisher determined that these plaintiffs entered into enforceable modified or “hybrid” clickwrap agreements with Ticketmaster/LiveNation and StubHub because the companies adequately made their terms and conditions—including an arbitration agreement—available by a sufficiently prominent hyperlink on registration, sign-in, and purchase pages.

The ticket merchants also moved to dismiss the claims of the five remaining plaintiffs who purchased their tickets from the MLB defendants, on the grounds that they failed to sufficiently allege a conspiracy.  Judge Fisher noted that many of the conspiratorial allegations in the complaint were vague, and that the more specific allegations were irrelevant to Ticketmaster/LiveNation and StubHub.  Still further, the court found that Ticketmaster did not have the power to cancel baseball games, and thus plaintiffs’ theory that all the defendants formed a conspiracy to cancel games was implausible.

Judge Fisher gave the fans one last chance to amend their allegations, suggesting that if plaintiffs’ theory was that “all Defendants formed a conspiracy not to give refunds rather than not to cancel games in order to avoid refunds, they must allege it in their complaint.”

The MLB defendants similarly filed motions to compel arbitration and motions to dismiss, which are still pending.

The court’s skeptical view of the plaintiff’s alleged conspiracy will likely mean that this refund class action will end up in individual arbitration—like most refund class actions with plaintiffs who agreed to terms in connection with their purchase.  Plaintiffs will be hard pressed to hold parties liable unless they purchased their tickets directly from them.



After gyms closed in mid-March due to the coronavirus pandemic, LA Fitness was among the many fitness facilities faced with unforeseeable closures, outraged members, and class action litigation.  Last Thursday, a Florida federal judge ruled that a gym member did not have Article III standing to maintain a class action because he had already received a full refund of membership dues, and another gym member was bound to arbitrate his claims.  See Barnett v. Fitness International, LLC, No. 20-cv-60658 (S.D. Fla. Mar. 30, 2020).

On March 30, 2020, Plaintiff Kip Barnett filed a putative class action for negligence and unjust enrichment against Fitness International, LLC d/b/a LA Fitness, alleging that it had voluntarily closed its fitness facilities around the country and kept millions of dollars in unearned membership fees for the month of March.  This filing came after LA Fitness told members that it was suspending all billing beginning on April 1, and offered to either extend memberships for longer than the duration of the closure or provide a complimentary three-month membership for a friend or family member.  LA Fitness also started providing refunds to all members “in good standing who [] made such a request instead of choosing the other benefits offered to them.”

LA Fitness moved to compel arbitration based on an arbitration agreement in Plaintiff Barnett’s personal training agreement, as there was no such clause in his general membership contract.

Shortly thereafter, Plaintiff Barnett filed an amended complaint, adding a second plaintiff (Samuel Enzinna) who had not signed an arbitration agreement.  However, at the time of this amended filing, Plaintiff Enzinna had already received a full refund of his March dues.

LA Fitness then moved to dismiss the amended complaint and the Court granted its motion as to both plaintiffs in different orders.  First, the Court ruled that Plaintiff Barnett had agreed to arbitration and dismissed his claims without prejudice.  Second, the Court found that, because Plaintiff Enzinna had been fully compensated for his alleged loss, he lacked Article III standing.  The court also rejected Enzinna’s request for injunctive relief in the form of a guarantee that LA Fitness will not charge membership fees at some future time during the pandemic, finding the argument to be “unduly conjectural and hypothetical” given that LA Fitness had already suspending its billing.

Refund cases make up a majority of COVID-19 class action filings, ranging from suits involving universities, monthly memberships, travel cancellations, and sporting events.  This case—one of the earliest decided—suggests that companies that took prompt action to remedy their customers’ injuries may be spared from the time and expense of lengthy class action litigation.

This is not another post about coronavirus claims, but we do need to start there.

Truvani makes a dietary supplement that was formerly called “Under the Weather.” The company’s webpage devoted to that supplement featured reviews from various users, including the following:

  • Michael K. (Verified Buyer): “Very happy with the product, I feel BC so well protected from COVID-19 with your supplements….”
  • Theresa O. (Verified Buyer): “I really think I had undiagnosed corona virus. Nothing helped. Until I started taking under the weather. A few days later I started improving. I haven’t stopped taking it since.”

NAD was concerned that the reviews were presented as testimonials and that they conveyed an unsupported message regarding the product’s ability to protect against COVID-19. In response, Truvani pointed to Section 230 of the Communication Decency Act and argued that the reviews were independent content provided by third parties, rather than ads.

NAD disagreed, noting that “customer reviews on a company’s website may be advertising if they are curated Reviewsto promote specific messages about the underlying product or if they are collected in a manner that does not ensure that they are reliable (i.e., submitted by verified users and reflect their truthful opinions) and representative of the range of consumer reactions to the product.”

The decision doesn’t provide a lot of information about the context in which the reviews appeared or how they were collected, so it’s hard to know exactly where Truvani went wrong. However, this case serves as a good reminder that while companies are generally not liable for the content of consumer reviews (as illustrated by this case), they can be held liable if they promote those reviews or curate them in a misleading manner.

The replay for our July 30, 2020 California Consumer Privacy Act (CCPA) for Procrastinators: What You Need To Do Now If You Haven’t Done Anything Yet webinar is available here.

The coronavirus pandemic has put many things on hold, but CCPA enforcement is not one of them. The California Attorney General’s enforcement authority kicked in on July 1, 2020, and companies reportedly have begun to receive notices of alleged violation. In addition, several class actions have brought CCPA claims. Although final regulations to implement the CCPA have yet to be approved, compliance cannot wait.

If you’re not yet on the road to CCPA compliance (or would like a refresher), this webinar is for you. We covered:

  • Latest CCPA developments
  • Compliance strategies
  • Potential changes to the CCPA if the California Privacy Rights Act (CPRA) ballot initiative passes

Anyone who has not begun their CCPA compliance efforts or thinks they need a refresher should watch this webinar.

To view the presentation slides, click here.

To view the webinar recording, click here.

Subscribe to our Ad Law News and Views newsletter to receive information on our next round of webinars and to stay current on advertising and privacy matters.

Visit the Advertising and Privacy Law Resource Center for additional information for additional information, past webinars, and educational materials.

Ad Law Access Podcast

As we previously reported, “Phase I” of class action filings relating to the COVID-19 pandemic has become a significant contagion of its own with more than 500 cases being filed since March challenging refund policies, school closures, event cancellations, and marketing and pricing practices.  As the economy gradually reopens, “Phase II”—how companies respond to these cases—is just beginning.  Not surprisingly, defendants are fighting hard and early to defeat these claims, with many opting to file motions to dismiss rather than answering the complaint and entering into lengthy and expensive discovery.

Early Action in Cases Against Public-Facing Businesses

Public-facing businesses—such those in the retail, travel and hospitality industries—have been the first to re-open and are currently navigating a patchwork of state guidelines on how to do so safely.  Compounding this burden, these same companies are facing a wave of lawsuits by customers and employees alleging negligence, breach of contract, and unfair business practices during the pandemic.

These industries are not new to class action litigation and many companies have included arbitration clauses and class arbitration waivers in their consumer contracts.  These defendants have, not surprisingly, moved to compel arbitration, and plaintiffs have responded with unique (but likely ineffective) allegations of unconscionability, fraud and duress to try to stay in court.  For example, in a case against Amazon, the plaintiffs alleged that the arbitration agreement was unconscionable because they were under duress during the pandemic and were forced to purchase products from Amazon.  Amazon’s response was based on the black-letter principle that unconscionability is measured at the time of contracting, and not at the time of the challenged conduct.

Other companies have focused on substance, arguing that they complied with their contractual obligations and that their customers have not suffered damages.  For example, in the case of recurring monthly payments for fitness club memberships, defendants have argued that their membership agreements do not mandate refunds for temporary closures, and therefore plaintiffs who filed suit within days or weeks of the initial closure did so too quickly. Continue Reading What will “Phase II” of COVID-19 Class Actions Look Like?

Kelley Drye Advertising Law Summer Webinar Series This Wednesday, July 22
Selling Online: How to Avoid Flattening the Curve of an Uptick in Website Traffic
Register Here

COVID-19 has increased the already dizzying amount of online sales, making the applicable marketing requirements increasingly important. These rules affect not just how companies advertise and promote products and services online, but also how they bill and otherwise interact with consumers before, during, and after a transaction.

This webinar will include practical tips to help companies minimize risk of enforcement and litigation and provide practical guidance. Topics include:

  • Endorsers and Influencers
  • Promotions and Pricing
  • Subscription Plans and “Free” Trials
  • Shipping and Delivery
  • Consumer Reviews and the Consumer Review Fairness Act
  • Customer Service Considerations – how timely refunds and responsiveness can help reduce legal risks

Register Here

Kelley Drye Advertising Law Summer Webinar SeriesJuly 29
Cleaning Up From 2020: Guidance for Disinfectant, Germ and Virus Killing Claims
Register Here

COVID-19 has brought a proliferation of products claiming to kill or otherwise inhibit viruses, bacteria and other germs. These products, before they can be legally sold, are heavily regulated by the U.S. Environmental Protection Agency (EPA), Food and Drug Administration (FDA), and sometimes both. Major enforcement actions are pending against companies making illegal claims or selling unregistered products. Meanwhile, the FTC regulates advertising of many sanitizing products and the agency has pursued enforcement on companies that overstate their products’ germ-killing performance.

Please join us for a webinar covering the basics of germ killing and related product claims.

Discussion topics include:

  • The regulatory landscape: Who regulates what – EPA, FDA and FTC jurisdiction and requirements
  • What can you say and when can you say it
  • Potential liability and enforcement considerations
  • What to do if you receive a warning letter or other enforcement action

Anyone who is currently making or planning to make pesticide products, microbiology laboratory personnel with efficacy testing responsibilities, manufacturers of sanitizing products including lights, retailers of sanitizing products, anyone new to claims or in need of a refresher should join us for this webinar.

Register Here

July 30
California Consumer Privacy Act (CCPA) for Procrastinators: What You Need To Do Now If You Haven’t Done Anything Yet
Register Here

The coronavirus pandemic has put many things on hold, but CCPA enforcement is not one of them. The California Attorney General’s enforcement authority kicked in on July 1, 2020, and companies reportedly have begun to receive notices of alleged violation. In addition, several class actions have brought CCPA claims. Although final regulations to implement the CCPA have yet to be approved, compliance cannot wait.

If you’re not yet on the road to CCPA compliance (or would like a refresher), this webinar is for you.

We will cover:

  • Latest CCPA developments
  • Compliance strategies
  • Potential changes to the CCPA if the California Privacy Rights Act (CPRA) ballot initiative passes

Anyone who has not begun their CCPA compliance efforts or thinks they need a refresher should join us for this webinar.

Register Here

Also join our counterparts for:

COVID-19 Response Labor and Employment Labor and Employment Counseling and Compliance Labor and Employment LitigationTuesday, July 21
Not Normal: the Challenges of a Changed Workplace
Register Here

Four months ago, the Dow was close to 30,000, employment rates were at historic highs, the coronavirus was still “novel,” and millions had not yet taken to the streets in global protests against police brutality and racial inequality. The workplace we now return to exists in this supercharged social and political climate, with new rules, laws, risks and social issues creating new and uncharted waters for employers to navigate.  Join Kelley Drye’s Labor and Employment partners Barbara HoeyMark Konkel, and Kimberly Carter as they identify risks and share pragmatic solutions to these new challenges.  Topics will include:

  • Politics, speech and activism in the workplace
  • The changing role of HR
  • What “diversity” means now
  • New employment laws

Register Here

Advertising and Privacy Law Resource CenterFind replays of our webinars and other key resources relevant to advertising and marketing, privacy, data security, and consumer product safety and labeling on the Advertising and Privacy Law Resource Center.