Ad Law Access PodcastAs covered in this blog post, on June 24, 2020, the Secretary of State of California announced that the California Privacy Rights Act (CPRA), had enough votes to be eligible for the November 2020 general election ballot. CPRA is a ballot initiative, which, if adopted, would amend and augment the California Consumer Privacy Act (CCPA) to increase and clarify the privacy rights of California residents. The result is a law that is closer in scope to robust international privacy laws, such as the GDPR.

On the latest episode of the Ad Law Access Podcast, Privacy partner Alysa Hutnik and associate Carmen Hinebaugh discuss the initial highlights of CPRA and provide some takeaways for you to begin to understand this new California privacy development.

Listen on Apple,  SpotifyGoogle Podcasts,  Soundcloud or wherever you get your podcasts.

For more information on health claims and other topics, visit:

Advertising and Privacy Law Resource Center

Product and Earnings Claims in the Time of COVID-19
On Wednesday, July 8, we will be holding a webinar for anyone who is currently making or plans to make product claims or earnings claims, anyone new to claims or in need of a refresher.

The FTC has recently sent warning letters to hundreds of companies for allegedly falsely implying that products can be used to treat, cure, mitigate, or prevent COVID-19.  The FTC has also issued warning letters for implied earnings claims connected to the pandemic, alleging that some have overpromised on the financial opportunities available and misleadingly tied them to the pandemic.  These announcements have made clear that any claim mentioning COVID-19, the pandemic, or even “these times” will be closely scrutinized.

Please join us for a webinar covering the basics of advertising product and earnings claims, and how those should be applied during the pandemic. Discussion topics include:

  • Claim Substantiation and Puffery
  • Express and Implied Product Claims
  • Express and Implied Earnings Claims
  • Enforcement Examples and Takeaways
  • Monitoring Third Parties Making Claims on Your Behalf (Endorsers, Independent Distributors)
  • What to do if you receive a warning letter or other enforcement action

Register here

Trade Association Antitrust 101
Please join us on July 14 for a webinar geared toward association legal counsel, executives, marketers, staff and members, participants in association activities or attendees to association meetings.

Antitrust issues are a constant concern for trade associations and their members. Competition regulators will have associations and their members under even greater scrutiny as groups work together to address the ongoing challenges presented by COVID-19. Please join us for a webinar covering the basics of antitrust compliance for association legal and compliance counsel, executives, staff and outside advisers. This webinar is designed to help association professionals and those who attend association functions identify potential antitrust issues and provide practical guidance for effective compliance programs and mitigating risk. Finally, we will talk about how to respond to enforcement actions in the event your organization is involved in an investigation.

Discussion topics include:

  • Antitrust law basics
  • Best practices for associations and its membership
  • Effective compliance and training programs
  • Strategies for responding to warning letters or other enforcement actions

Register here

Additional webinars will be announced soon.

Upcoming Webinars: Product and Earnings Claims in the Time of COVID-19 and Trade Association Antitrust 101

A California federal judge has dismissed a putative class action against Kellogg for failing to back up the plaintiff’s theory that Kellogg’s Bear Naked Granola V’nilla Almond does not include vanilla flavoring derived exclusively from vanilla beans.

The plaintiff challenged the labeling of Bear Naked Granola V’nilla Almond as deceptive, claiming that the product’s labeling leads consumers to believe it contains vanilla flavor derived exclusively from vanilla beans when it actually does not.  To support the theory that consumers believe the product’s vanilla flavoring is derived exclusively from vanilla beans, the plaintiff relied on the use of the word “V’nilla” in the product’s name, the front of the product’s label displaying “naturally flavored” immediately below the words “V’nilla Almond,” and the back of the label depicting a vignette of a vanilla plant with only the word “Vanilla” below the vignette.  As to the allegation that the product’s vanilla flavoring was not derived exclusively from vanilla beans, the plaintiff claimed that, because vanilla is an unusually expensive and in-demand ingredient, Kellogg would be incentivized to list it as an ingredient but did not—instead listing “natural flavors.”  Therefore, the plaintiff maintained, Kellogg’s “listing of ‘natural flavors’ as opposed to vanilla flavor or vanilla extract is tacit acknowledgment that the ‘natural flavors’ is not a synonym for the required vanilla ingredients.”  “In other words,” the court explained, “the omission is the admission.”

The court rejected this admission-by-omission theory as merely speculative.  It explained that the plaintiff “provides no factual basis for this argument other than the lack of vanilla’s inclusion on the ingredients list.”  The court emphasized that the plaintiff did not allege what else might be in the product other than flavoring derived from vanilla beans.  The plaintiff’s speculation, the court concluded, was insufficient to “nudge [his] claims . . .  across the line from conceivable to plausible.”  The court granted the plaintiff leave to amend.

The decision is Zaback v. Kellogg Sales Co., No. 320CV00268BENMSB, 2020 WL 3414656 (S.D. Cal. June 22, 2020), and is a noteworthy decision drawing the distinction between speculative and plausible in one of the numerous vanilla flavor-based actions filed over the past year.  For example, in Figueroa v. Trader Joe’s Co., No. 20-cv-322 (E. D. NY.), Trader Joe’s is facing a putative class action for allegedly misleadingly labeling its Just the Clusters Vanilla Almond Granola Cereal to lead consumers to believe that vanilla is the product’s exclusive flavoring ingredient when, according to the complaint, the product’s ingredients list shows that the cereal contains “Natural Flavor” instead of vanilla.

We will continue monitoring this wave of flavoring litigation and its effect on the food and beverage industry.

Ad Law Access Podcast

On the same day that the FCC set a call blocking declaratory ruling for vote at its July 2020 Open Meeting, the FCC’s Consumer and Governmental Affairs Bureau issued rulings in two long-pending petitions for clarification of the requirements of the Telephone Consumer Protection Act (“TCPA”). Although these clarifications do not address the core questions regarding the definition of an autodialer and consent requirements that were remanded two years ago in ACA International v. FCC, they may signal an effort to clean up TCPA issues in what is expected to be the waning months of FCC Chairman Pai’s tenure at the Commission.

In the first ruling, P2P Alliance, the Bureau ruled that an automatic telephone dialing system (“ATDS”) is not determined by whether the equipment has the capability to send a large volume of calls or texts in a short period of time. Instead, the Bureau, while recognizing that the Commission’s interpretation of the ATDS definition remains pending, ruled that “whether the calling platform or equipment is an autodialer turns on whether such equipment is capable of dialing random or sequential telephone numbers without human intervention.” The Bureau also provides an illuminating discussion of the so-called “human intervention” element of prior FCC statements regarding autodialers.

In the second ruling, Anthem, Inc., the Bureau denied a petition to exempt certain healthcare-related calls from the TCPA’s consent requirements. In this order, the Bureau breaks less new ground and instead reiterates that prior express consent must be obtained before a call (or text) is made and that the supposed value or “urgency” of the communication does not necessarily make it permissible.

Besides these two petitions, the Commission has nearly three dozen petitions pending before it on a variety of matters relating to exemptions from the TCPA’s consent requirements, the collection and revocation of consent, the “junk fax” provisions, and other questions raised by the flood of TCPA class action litigation in the last five years. If the FCC begins addressing these other pending petitions, the course of TCPA class action litigation could change significantly.

In March 2018, the United States Court of Appeals for the D.C. Circuit issued a landmark rebuke of the FCC’s interpretation of the TCPA. The case, ACA International v. FCC, reviewed a 2015 Omnibus Declaratory Ruling on a variety of matters, the most notable of which was the FCC’s expansive interpretation of an “automatic telephone dialing system” (“ATDS”), the use of which triggers therobo TCPA’s prior express consent requirements and private right of action provisions. In ACA International, the court found the FCC’s interpretation “impermissibly broad” and remanded the case to the FCC for further consideration.

Since that time, the FCC has taken comment twice on the ACA International remand, but FCC Chairman Pai has focused the agency’s efforts on identifying and reducing illegal robocalls rather than addressing the remand. Chairman Pai has repeatedly said that unwanted automated calls is a top consumer complaint and he has pursued a multi-faceted approach to preventing or blocking those calls before they reach consumers.

The Commission has

authorized voice service providers to block incoming calls that “reasonable call analytics” identify as likely illegal calls,

mandated that service providers implement a call authentication framework to prevent unlawfully spoofed calls,

directed specific service providers to block certain calls or have their own calls blocked by other providers,

proposed multiple fines exceeding $100 million each for illegally spoofed calls, and

authorized a comprehensive database to identify when telephone numbers have been reassigned from a subscriber who may have given consent to a new subscriber.

Indeed, on the same day as the rulings we will discuss, the Commission set for a vote a proposal to provide a safe harbor for voice service providers that erroneously block calls in good faith and to establish protections against blocking critical calls by public safety entities.  According to an FCC staff report issued the same day, these actions are helping to reduce illegal robocalls.

The Anthem and P2P Alliance Rulings

Against this backdrop, the flood of TCPA class action cases has powered a rising tide of petitions for declaratory rulings addressing specific aspects of the TCPA’s requirements, from when consent is needed, how it may be obtained, and how it may be revoked. At Kelley Drye, we have chronicled these developments in our monthly TCPA Tracker and its accompanying FCC Petitions Tracker of the nearly three dozen pending petitions. The total number of petitions has risen slightly over time, as new petitions have modestly outnumbered decisions issued by the Commission.

P2P Alliance Petition (Two-Way Texting With Manual Intervention). In May 2018, the P2P Alliance, a group that represents providers and users of “peer to peer” text messaging services, sought a declaratory ruling that peer to peer messaging services did not involve an ATDS and thus were not subject to the restrictions on ATDS calls/texts contained in the TCPA. The petition sought a ruling with respect to text messaging services that enable two-way text communication, requiring a person to manually send each message. Although the Bureau declined to rule with respect to any specific platform – citing a lack of sufficient evidence regarding the how the platforms operate – the Bureau issued a ruling with several important clarifications.

First, the Bureau ruled that the ability of a platform or equipment to send “large volumes of messages” is not probative of whether that platform or equipment constitutes an ATDS under the TCPA. The Bureau declared that “whether the calling platform or equipment is an autodialer turns on whether such equipment is capable of dialing random or sequential telephone numbers without human intervention.”

This conclusion effectively puts to rest ambiguous statements in some prior orders that TCPA plaintiffs had argued brought any high-volume calling platform within the scope of the TCPA. Furthermore, the Bureau’s conclusion appears most consistent with decisions by several U.S. Courts of Appeal that have ruled an autodialer must employ a random or sequential number generator to meet the TCPA’s definition of an ATDS. The Bureau noted, however, that the “details” of the interpretation of an ATDS were before the Commission in ACA International so, until the Commission addressed that issue, the Bureau was relying solely on “the statutory definition of autodialer.”

The Bureau’s ruling contains an illuminating discussion of the so-called “human intervention” element of prior FCC statements regarding autodialers. Per the Bureau’s ruling, “If a calling platform is not capable of dialing such numbers without a person actively and affirmatively manually dialing each one, that platform is not an autodialer.” The Bureau explained the “actively and affirmatively” dialing standard as requiring a person to manually dial each number and send each message one at a time. Use of such technologies is not an “evasion” of the TCPA, the Bureau commented, because the TCPA “does not and was not intended to stop every type of call.”

Thus, while the full contours of the ATDS definition are still to be defined by the Commission, the Bureau’s P2P Alliance ruling helps to clarify that an “active and affirmative” manual process for sending calls or messages removes a platform or piece of equipment from the ambit of the TCPA. This ruling could buttress many district court rulings that have found sufficient human intervention in the operation of many calling or texting platforms.

Anthem Petition (Prior Express Consent for Healthcare-Related Calls). The Anthem petition addressed by the Bureau was filed in June 2015, one month before the FCC released the Omnibus Declaratory Ruling addressed in ACA International. (Anthem has a more recent petition addressing post-Omnibus order issues that remains pending.) In the June 2015 petition, Anthem asked the Commission to create an exemption for informational healthcare-related calls/texts initiated by healthcare providers and sent to existing patients, arguing that such communications were beneficial to patients and could be protected by an opt-out process it believed the Commission was then considering for ATDS calls. The Commission received limited comment in September 2015 (while the ACA International appeal was being litigated) and has received virtually no filings discussing the petition since that time.

In the ruling, the Bureau denied virtually all of Anthem’s requests, emphasizing instead the TCPA’s requirements for prior express consent for ATDS calls. Specifically, the Bureau ruled that “makers of robocalls generally must obtain a consumer’s prior express consent before making calls to the consumer’s wireless telephone number.”  (emphasis in original). It rejected Anthem’s request for an exemption permitting such calls, subject to opt-out, and repeated that the “mere existence of a caller-consumer relationship” does not constitute consent. Importantly, however, the Bureau affirmed prior statements that a consumer who has knowingly released their phone number for a particular purpose has given consent to receive calls at that number.

To the extent that the Anthem petition sought an exemption based on the “urgency” of healthcare-related communications, the Bureau declined to create such an exception, emphasizing, however, that the “emergency purposes” exception could apply to the extent the calls/texts satisfied the Commission’s rules and its recent COVID-19 Declaratory Ruling.

In the end, the ruling likely will not change the status quo for calls and texts being made today. The Bureau emphasized previous rulings requiring prior express consent and endorsed previous statements about how such consent may be obtained. Further, the Bureau affirmed the “emergency purposes” exception, although declining to expand its scope. Thus, entities making calls or texts following prior FCC guidance should not need to make any changes as a result of the Anthem ruling.

Looking Ahead

These decisions are not the broad rulings that many hoped for when ACA International was remanded to the FCC in March 2018. Chairman Pai was highly critical of the 2015 Omnibus order from the FCC (from which he dissented) and welcomed the ACA International decision. He has focused the agency on reducing unwanted calls prior to addressing the legal interpretations called for by the remand. Now, however, with those actions at an advanced stage and with his expected time as Chairman of the FCC about to end, many are wondering if the Pai Commission will revisit the ATDS definition, revocation of consent, and safe harbor questions remanded to it. Even if it does not, however, the Commission has nearly three dozen other petitions still pending, which could provide needed guidance on discrete issues that have arisen in TCPA litigation.

We don’t know at this time which way the FCC is likely to go, or even if it will address more TCPA issues during Chairman Pai’s tenure, but enterprises and service providers should watch the FCC closely over the next few months.


Advertising and Privacy Law Resource Center

On June 15, the Eastern District of California, Judge Morrison J. England, granted CBD retailer Global Widget, LLC’s (“Global Widget”) request to stay the case of Glass v. Global Widget LLC, Case No. 2:19-cv-01906 (E.D. Cal.) until the U.S. Food and Drug Administration (“FDA”) completes its rulemaking regarding the marketing and labelling of CBD ingestible products.  This marks the third time this year that a federal court has paused class action litigation over alleged misbranding of products containing CBD.

Judge England’s decision relied heavily on the CV Sciences, Inc. decision from Judge Phillips that we covered previously.  In both cases, the class action plaintiffs alleged that they would not have purchased the defendants’ CBD products if they had known that the products were not legally sold in the United States (as they alleged).  Judge England adopted the same analysis from the CV Sciences, Inc. decision and stayed the case pursuant to the primary jurisdiction doctrine.  This is another decision in a constantly-growing string of authority pausing false advertising claims over CBD products, and we expect a wave of motion practice, as well as new complaints being filed, once FDA’s final guidelines are released.

Ad Law Access Podcast

Further to ongoing efforts to evaluate and regulate how companies advertise and label that their products are “Made in the USA,” last week the FTC issued a staff report and a proposed rule that would include the possibility of civil penalties up to $43,280 per violation.

FTC Chairman Joseph Simons joined Commissioners Rohit Chopra and Rebecca Slaughter in support of the proposed rule, which would prohibit marketers from including unqualified Made in USA claims on product labels unless they can show that:

  1. final assembly or processing of the product occurs in the United States;
  2. all significant processing that goes into the product occurs in the United States; and
  3. all or virtually all ingredients or components of the product are made and sourced in the United States.

Commissioner Noah Phillips, who voted against the rule, and Commissioner Christine Wilson, who voted to proceed with the notice and comment rulemaking process, each wrote separate dissenting opinions criticizing the broad scope of the proposed rule.

The proposed rule explicitly covers unqualified Made in USA claims appearing in seals, marks, tags, or stamps in mail order catalogs or mail order promotional materials, defined in the proposed rule as “any materials, used in the direct sale or direct offering for sale of any product or service, that are disseminated in print or by electronic means, and that solicit the purchase of such product or service by mail, telephone, electronic mail, or some other method without examining the actual product purchased.”

Commissioner Phillips wrote in his dissent that this scope is broader than the FTC’s statutory authority to issue a Made in USA labeling rule, which refers only to “labels on products.”  Commissioner Wilson similarly warned that going beyond the statutory text would mean the rule applies to online advertising or even hashtags, which she warned could be outside the FTC’s jurisdiction. “Expansive interpretations of our rulemaking authority will not engender confidence among members of Congress who have already expressed qualms about the FTC’s history of frolics and detours,” Wilson wrote.

The Staff Report reflects findings from its workshop reviewing Made in USA labeling policy and enforcement.  In particular, Staff cited a 2013 consumer perception study that indicates that Americans “agree that ‘Made in America’ means that all parts of a product, including any natural resources it contains, originated in the United States.”  Another study from the University of Chicago cited in the report found that consumers were willing to pay as much as 28 percent more for U.S.-made products.  Panelists reported that consumers prefer American made goods due to the “qualify of goods, promotion of U.S. jobs, social responsibility, and, to a lesser extent, general patriotism.”

Although the FTC gained rulemaking authority over Made in USA labeling in the early 1990s, the FTC has relied solely on its Section 5 authority to bring enforcement actions for violations of the law.  For example, the FTC has announced several settlements and, in the last two years, the Staff has issued over 40 closing letters regarding Made in USA claims.  The FTC’s new rulemaking effort reflects renewed interest among the commissioners to add deterrence through the threat of penalties for even first time offenses.  As Commissioner Chopra added, “the rule eliminates the perceived litigation risks associated with Section 13(b),” the FTC’s basis for obtaining consumer redress which has been scrutinized as covered extensively on this blog.

Companies making claims about the U.S. origin of their products and services should closely watch these developments. At a minimum, that should involve a review of existing claims, and some companies may choose to file comments in response to the proposed rule.


For more information on these and other topics, visit:

Advertising and Privacy Law Resource Center

Earlier this month, we offered our analysis and takeaways from a Magistrate Judge’s decision that defendant Capital One was required to produce a third-party data breach assessment report as part of ongoing consumer litigation.  Available here.  Not surprisingly, Capital One appealed that order.  On June 25, 2020, District Court Judge Anthony Trenga affirmed the decision, ordering Capital One to produce the report.

Brief Recap of the Incident and Order   

In November 2015, Capital One retained FireEye, Inc. d/b/a Mandiant (“Madiant”) to provide support in case of a data breach or security incident.  When a breach occurred in March 2019, Capital One’s outside counsel called on Mandiant.  While they executed a new letter agreement, the analysis requested from Mandiant was the same as that outlined in the 2015 Scope of Work.

Several putative consumer class actions were filed and a multi-district litigation is currently pending in the Eastern District of Virginia, captioned In re Capital One Consumer Data Breach Litigation, Case No. 1:19-md-2915.

There is no valid argument that the Mandiant report does not qualify as relevant and responsive information; however, Capital One argued that it was shielded from discovery by the attorney work product doctrine.  Plaintiffs filed a motion to compel its production.  On May 26, 2020, Magistrate Judge John Anderson granted Plaintiffs’ motion, finding that Capital One failed to meet its burden of establishing a valid privilege.

District Court Affirms

Capital One objected to the Magistrate Judge’s ruling and sought relief from the District Court Judge under Federal Rule of Civil Procedure 72(a).  The Magistrate Judge’s decision was subject to evaluation under a “clearly erroneous or contrary to law” standard.  The Court considered whether the order failed to apply or misapplied relevant statutes, case law, or procedure.

The District Court focused on whether the report was compiled “because of the prospect of litigation.”  The Court questioned whether the prospect of litigation was “the driving force behind” the preparation of the Mandiant report.  Despite retention by outside counsel, the Court found that Mandiant’s investigation would have been conducted, and report compiled, in materially the same way whether or not there was litigation or counsel involved.  The Court also agreed with the Magistrate Judge that Capital One’s broad distribution showed that the Mandiant report “was significant for regulatory and business reasons” and underscored that business purpose.

The Court downplayed the prospect of potential litigation.  The Court agreed with the Magistrate Judge that “[t]here is no question that at the time Mandiant began its ‘incident response services’ in July 2019, there was a very real potential that Capital One would be facing substantial claims following its announcement of the data breach.”  Capital One’s website confirms that the breach resulted in access to consumer and small business credit card applications from 2005 to 2019, transaction data for certain customers, and about 140,000 social security numbers and information from 80,000 bank accounts.  Even before the full extent of the breach was known and a report compiled, Capital One almost certainly had reason to believe this could be a litigation event.

Rather than a subjective (or even objective) analysis of the potential for litigation, the Court focused on whether the report would have been compiled in the same form whether there was a litigation threat or not.  On that point, Capital One failed to demonstrate any input, direction, or strategic guidance from its outside counsel.  The report was compiled as it had been envisioned for “business critical” purposes in 2015, and without any focus on the potential for litigation.  That contributed significantly to Capital One’s inability to establish a privilege.

Thus, Capital One was ordered to produce the Mandiant report “forthwith.”  If it wants to press the issue further, Capital One’s next option would be to seek permission for an interlocutory review by the Fourth Circuit Court of Appeals.

Implications and Lessons

The District Court’s affirmance and acceptance of the Magistrate Judge’s order confirms the importance of having proper protocols and protections in place when engaging an external (or even internal) expert to assist with litigation-relevant analyses.  As detailed in our prior post, if a written report is required, companies should keep certain key points in mind, along with one new point emphasized by the District Court as to active involvement by outside counsel in the report itself:

  • Clearly Defined Legal Scope of Work: Where a consultant has already been engaged and works with the company, the retainer signed at the direction of counsel must clearly define the terms and scope of work as distinct from the previous business relationship.
  • Paid by Legal: If a consultant is being retained to provide support for legal advice or concerning potential legal claims, that work should be managed and paid for by legal personnel.
  • Outside Counsel Active Involvement in Written Work Product:  Outside counsel should be actively involved in providing input and strategic direction to the consultant as to what the consultant report addresses and incorporating legal considerations.
  • Narrow Internal Distribution: Distribution of investigation reports should be limited to those individuals necessary to complete the legal analysis and litigation work.
  • No External Non-Legal Distribution: Investigation reports should not be distributed to third parties.
  • Track Distribution: Distribution of investigation reports should be tracked so that limited distribution can be demonstrated.
  • Segregate Legal from Operational Work: Where business and legal issues or analysis are part of the same investigation, steps should be taken to segregate the legal- and litigation-related work product from business or operational reports and work.

While no protocol is guaranteed to satisfy every court, and each factual situation is unique, these guideposts improve the odds of meeting the burden required to withhold production of a consultant’s report.

Should you have any questions concerning these issues or would like advice concerning how to approach the interplay of consultants and privilege, please feel free to contact us.


Ad Law Access Podcast

The California Consumer Privacy Act (CCPA) right to non-discrimination explainedOn June 24, 2020, the Secretary of State of California announced that the California Privacy Rights Act (CPRA), had enough votes to be eligible for the November 2020 general election ballot. CPRA is a ballot initiative, which, if adopted, would amend and augment the California Consumer Privacy Act (CCPA) to increase and clarify the privacy rights of California residents.  The result is a law that is closer in scope to robust international privacy laws, such as the GDPR. For more information on the CCPA, please see our posts here.

To be eligible for the November 2020 ballot, CPRA needed to obtain over 623,212 verified signatures. If passed by a simple majority of California voters in November, as is looking likely, the CPRA will become effective on January 1, 2021, with most compliance obligations required by January 1, 2023. With the exception of the access right, the CPRA would apply only to personal information collected after January 1, 2022. Additionally, the CPRA would extend the CCPA’s temporary business to business exemption and employee data exemptions (which are scheduled to sunset on January 1, 2021) until January 1, 2023.

Until January 1, 2023, businesses would need to comply with the CCPA and any finalized regulations in force (which could mean both CCPA and CPRA regulations). The Attorney General would preserve its authority to issue CCPA regulations and enforcement during this period, and a new privacy agency would be formed with its own rulemaking and enforcement authority.

For more information on the comparison between CCPA and CPRA, please see our chart below. While there are no immediate action items, companies may benefit from reviewing the CPRA requirements to assess what changes may be necessary should the ballot pass. And a reminder — the CCPA enforcement date is set for July 1, 2020, although it is not yet clear whether the CCPA regulations will be effective by then; the Office of Administrative Law’s review remains pending. Please contact any of the attorneys in Kelley Drye’s Privacy Group if you would like assistance in California privacy compliance.

“Business” Threshold $25 million annual revenue; or 50,000+ consumers; or 50% of annual revenue derived from selling consumers personal data $25 million annual revenue; or buys, sells or shares 100,000+ consumers or households; or 50% of annual revenue derived from selling or sharing consumers’ personal data
Operative date January 1, 2020 January 1, 2023, and applies only to personal information collected on or after January 1, 2022, except with regard to access requests.
Employee and B2B exemptions Sunsets January 1, 2021 Sunsets January 1, 2023
“Sold” and “Shared” Definitions “Sell,” “selling,” “sale,” or “sold,” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating … for monetary or other valuable consideration. The term “sold” is broadened to “sold or shared.” This change is accompanied by a change in the definition of what it means to sell, which removes the carve-out for sharing personal information with a service provider (although this point is addressed in a more narrow definition of “third party”).
Service Providers and Contractors

A Service Provider is an entity “that processes information on behalf of a business … provided that the contract prohibits the entity receiving the information from retaining, using, or disclosing the personal information for any purpose other than for the specific purpose of performing the services specified in the contract for the business…”


Introduces new requirements to qualify as a “service provider” and adds a new definition of a “contractor” that mirrors the definition of a service provider.

Clarifies and provides additional requirements regarding service providers’ use of the data, such as a requirement that service providers silo the data they learn about a consumer from other sources.  (This is more restrictive than the AG CCPA regulations).

Requires contractual terms, similar to the GDPR.

Consent Consent is not required in the CCPA. However, the definition of sale contains guidance regarding “intentional interactions.”

Consent is defined as any freely given, specific, informed and unambiguous indication of the consumer’s wishes by which he or she… signifies agreement to the processing of personal information relating to him or her for a narrowly defined particular purpose.

Introduces the concept of “dark patterns” defined as a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making or choice, as further defined by regulation.  Agreement obtained through use of dark patterns does not constitute consent.

Sensitive information Does not contain separate provisions for sensitive information (other than increased verification requirements.) Contains disclosure, opt-out, and purpose limitation requirements for sensitive information.
Automated Decision-Making N/A

Introduces concept of “profiling.”

Calls for regulations requiring businesses’ response to access requests to include meaningful information about the logic involved in such profiling, as well as a description of the likely outcome of the process with respect to the consumer.

Right to Correct N/A Gives consumers the right to correct inaccurate information.
Opt Out of Targeted Advertising The CCPA does not restrict targeted advertising if it can be conducted without “selling” data.

Providing advertising or marketing services is a business purpose but this does not include “Cross-Context Behavioral Advertising,” a newly defined term to describe ads targeted to consumers based on a profile or predictions about the consumer related to the consumer’s activity over time and across multiple businesses or distinctly-branded services, websites or applications.

Contains a broader opt-out provision (for both “sale” and “sharing”) and specifically limits service providers from engaging in any “cross-context behavioral advertising.”

Retention The CCPA does not contain any requirements that businesses disclose their retention practices to consumers.

Businesses must disclose, at the time of collection: the length of time the business intends to retain each category of personal information, including sensitive personal information, or if that is not possible, the criteria used to determine such period.

A business cannot retain personal information for longer than is reasonably necessary for that disclosed purpose.

GDPR Concepts




Contains language to promote the following GDPR principles:

  • Data Minimization
  • Purpose Limitation
  • Duty to Avoid Secondary Use

Enforced by the Attorney General



Allows a 30 day period to cure violations

Establishes the California Privacy Protection Agency that would have a broad scope of responsibilities and enforcement powers.

Security breaches include email/password/challenge questions.

Modifies the 30-day cure period to apply to a private right of action for security breach violations, rather than for general privacy violations of the law.

Fines for violations involving children’s personal data are tripled.



Advertising and Privacy Law Resource Center

The Supreme Court issued an 8 to 1 decision today in the highly-anticipated case of Liu v. SEC. The opinion, authored by Justice Sotomayor (with Justice Thomas dissenting), holds that “[a] disgorgement award that does not exceed a wrongdoer’s net profits and is awarded for victims is equitable relief,” and allows the SEC to seek such relief under the Securities Act. Importantly, the decision indicates support for the argument that such relief, whether referred to as restitution, disgorgement, or an accounting, also qualifies as equitable relief under other statutes – including potentially under Section 13(b) of the FTC Act.

As we explained in January, the case involved two petitioners who had solicited contributions for the construction of a cancer-treatment center in California, but used $20 million of the almost $27 million collected for marketing expenses and salaries – contrary to representations in the private offering memorandum. The SEC brought an action, and the District Court found for the SEC, granting an injunction, imposing a civil penalty, and ordering disgorgement equal to the full amount the petitioners had raised from investors. The District Court concluded that the disgorgement award was a “reasonable approximation of the profits causally connected to [their] violation,” and the Ninth Circuit affirmed.

The Supreme Court concluded that disgorgement is relief that is “typically available in equity” provided that it (1) is not deposited into Treasury funds, (2) does not impose joint-and-several liability, and (3) deducts legitimate expenses. It vacated the previous decisions and remanded the case to the District Court to ensure the remedy satisfies these requirements. Notably, the Court cited the following text from Porter v. Warner Holding Co.:

Decisions from this Court confirm that a remedy tethered to a wrongdoer’s net unlawful profits, whatever the name, has been a mainstay of equity courts.

The FTC has cited this case in its petition for writ of certiorari following the Seventh Circuit decision in FTC v. Credit Bureau Center, over whether the authority to grant a permanent injunction under Section 13(b) includes the authority to require wrongdoers to return money that they illegally obtained.

The decision is limited to the relief available under the Securities Act, but indicates that the Court could agree with the FTC that restitution to consumers (i.e., monetary relief) qualifies as equitable relief under Section 13(b). However, the differences in statutory language could distinguish the two cases. Section 13(b) authorizes injunctive relief, while the Securities Act provides more broadly for “equitable relief” in civil actions, and the Supreme Court decision focuses on the definition of this term. The Court has not yet ruled on the cert petition, and the Solicitor General had previously requested an extension until after the Liu decision.

Earlier this year, Align Technology filed an NAD challenge against SmileDirectClub over claims that company made about its teeth aligners. After that, SmileDirectClub filed its own challenge against Align over claims that Align made about its own teeth aligners. After the dust settled on these cases, neither company was left smiling. Although the cases cover a lot of ground, we’re just going to focus on one issue in the second case that frequently comes up – identifying the object of a comparison.

Align advertised that its Invisalign clear aligners are “more comfortable and better-fitting,” as well as “easier to put on and take off.” Comparative claims like these often beg the same question: “more comfortable,” “better fitting,” and “easier to put on and take off” . . . than what? SmileDirectClub argued that consumers would understand that to be a superiority claim against competing aligners, such as the ones it sells. Align argued that a footnote tied to the claim made clear that wasn’t the case.

A disclosure at the bottom of the web page explained that the comparison was against “aligners made from single layer .030 inch (Ex30) material.” And to support its claims, Align presented various types of evidence comparing how consumers felt about “Invisalign brand aligners made out of the older EX30 material” versus “Invisalign brand aligners made out of new ST30 material.” Thus, Align argued that the comparison was against its previous product and that the claim was substantiated.

NAD didn’t agree, for a number of reasons. First, the disclosures were ineffective because they appear far removed from the claims they modify and they were too small for consumers to easily notice, read, and understand. Second, NAD found the disclosures were too technical, and that consumers would not realize that the comparison was against the company’s previous product. In absence of any clarification, consumers are likely to believe the claims to be a comparison against competing products.

There are at least two important lessons to take away from this decision. First, it’s important to clearly identify the basis of your comparison. That should be identified in the claim itself or in a clear disclosure that appears close to the claim – a footnote may not work. And second, ST30 really does seem to be better than EX30.