California Governor Jerry Brown recently signed into law Assembly Bill 2632, which amended California’s slack fill law to create several new exemptions, hopefully providing some relief from the plague of slack fill lawsuits that has hit the food and beverage industry, among others, particularly hard in recent years.  For those who are unfamiliar, slack fill is non-functional empty space in product packaging.  The argument that plaintiffs have been using is that this non-functional space renders the products misleading to consumers, causing them to think that they are getting more of the product than they actually are.  Although there have been many lawsuits filed, they have met with little success.  Nevertheless, they persist, as we’ve written about here.

Here’s a summary of the changes to California’s law:

    • Online Sales Exempted.       Perhaps the most significant change of the new law is that it exempts packaging sold in a mode of commerce that does not allow the consumer to view or handle the physical container or product. This would appear to exempt online sales, which is consistent with the rationale that a consumer could not be misled by packaging that he or she didn’t handle prior to purchase.
    • Only If It’s Substantial. The law was amended to add the clarification that “nonfunctional slack fill is the empty space in a package that is filled to substantially less than its capacity for reasons other than any one or more of the following:…” “Substantially” is not defined but seems likely to create an argument that some degree of non-functional space is acceptable provided that it is not substantial. Consistent with this, the new law also states that “slack fill shall not be used as grounds to allege a violation of this section based solely on its presence unless it is nonfunctional slack fill.”
  • Actual Size. The prior CA law required that the actual size of the product be depicted on the exterior packaging. The new law specifies that this depiction can be on any side of the packaging, excluding the bottom. “Actual size” must be noted in a clear and conspicuous disclosure.
  • Fill Line. The new law also allows for a line or graphic representing the “fill line” on either the actual product or the product container. The “fill line” must be clearly and conspicuously depicted. If the product is subject to settling, the fill line must represent the minimum amount of expected settling.

 

The changes also apply to California’s Sherman Food and Drug Act. Slack fill lawsuits against food and beverage companies declined between 2016 and 2017 as courts resisted indulging arguments such as an inability to understand basic item counts clearly labeled on a container’s front label.  We’ll see whether these changes collectively help drive numbers even lower.

In June of this year, California passed the California Consumer Privacy Act (CCPA) giving California residents specific rights related to their online privacy, similar to those proscribed by GDPR. The law was passed hastily to avoid a stricter ballot measure on the subject, but Governor Brown recently signed a bill amending the law.

Many of the amendments clarify some of the CCPA’s “technical” errors, such as solidifying that the Act should not be enforced to contradict the California Constitution. The most significant change, however, deals with the enforcement of the Act. Although Section 1798.198 makes the Act operative on January 1, 2020, the newly-added Section 1798.185(7)(c) prevents the Attorney General from bringing an enforcement action under the Act until July 1, 2020, or six months after the final regulations made pursuant to the Act are published, whichever is sooner. Thus, although the effective date is January of 2020, the California Attorney General may not be able to bring enforcement actions until up to six months after the enactment date, depending on when the office promulgates regulations. The amendments also extend the date by which the Attorney General must promulgate regulations from January 1, 2020 to July 1, 2020.

Another point worth noting is that the amendments remove the requirement for a private plaintiff to inform the Attorney General of a claim he or she has brought to enforce his or her private cause of action under the Act. This eliminates the ability of the Attorney General to bring its own action in lieu of a private one.

Additional changes include specifying additional laws to which the Act does not apply, including: (1) the Confidentiality of Medication Information Act or regulations promulgated in response to HIPAA, or the Health Information Technology for Economic and Clinical Health Act; (2) the Federal Policy for Protection of Human Subjects; and (3) the California Financial Information Privacy Act. The amendments also limit the civil penalty to $2,500 per violation, or $7,500 for each intentional violation.

Although this bill has clarified some issues with the original law, this will likely not be the last set of amendments to the CCPA before it goes into effect. We will keep you posted.

 

Just when you think you’ve tackled the Wild, Wild West of GDPR and privacy compliance, California decides to mix it all up again.

This November 6th, California voters will decide on the California Consumer Privacy Act (“Act”), a statewide ballot proposition intended to give California consumers more “rights” with respect to personal information (“PII”) collected from or about them.  Much like CalOPPA, California’s Do-Not-Track and Shine the Light laws, the Act will have broader consequences for companies operating nationwide.

The Act provides certain consumer “rights” and requires companies to disclose the categories of PII collected, and identify with whom the PII is shared or sold. It also includes a right to prevent the sale of PII to third parties, and imposes requirements on businesses to safeguard PII.  If passed, the Act would take effect on November 7, 2018, but would apply to PII collected or sold by a business on or after nine (9) months from the effective date – i.e., on August 7, 2019.

Who is Covered?

The Act is intended to cover businesses that earn $50 million a year in revenue, or businesses that “sell” PII either by (1) selling 100,000 consumer’s records each year, or (2) deriving 50% of their annual revenue by selling PII. These categories of businesses must comply if they collect or sell Californians’ PII, regardless of whether they are located in California, a different state, or even a different country. Continue Reading SADDLE UP AMERICA: California Aims to Pass its Own GDPR Law

Western UnionLast week, California became the 50th state to join the multistate settlement with Western Union over its alleged complicity in fraud-induced wire transfers.  This followed Western Union’s $5 million agreement with 49 state and the District of Columbia for costs and fees in January, not to mention a whopping $586 million in settlement agreements with the United States DOJ and FTC.  While DOJ brought wire fraud and anti-money laundering charges against Western Union, and the FTC alleged violations of Section 5 of the FTC Act, and the Telemarketing Sales Rule, the states raised violations of their respective consumer protection laws.  California brought its complaint pursuant to the Unfair Competition Law, Cal. Bus. & Prof. Code §§ 17200-17209 (“UCL”), its analog to the FTC Act.

Some quick background on the UCL:

  • Traditionally, the UCL is thought to prohibit unfair competition, which includes unfair, deceptive, misleading, or false advertising.  § 17200; see Lavie v. Procter & Gamble Co., 105 Cal. App. 4th 496, 512 (2003) (whether “the ordinary consumer acting reasonably under the circumstances” is likely to be deceived).
  • But the UCL also forbids business activity unconnected with advertising when such activity constitutes an “unlawful” or “unfair” business practice that either violates another law or violates an established public policy.  § 17200; see e.g., In re Anthem Data Breach Litig., 162 F. Supp. 3d 953, 990 (N.D. Cal. 2016); Ballard v. Equifax Check Servs., Inc., 158 F. Supp. 2d 1163, 1176 (E.D. Cal. 2001).  Some common defenses to these claims include compliance with the underlying law, the practice is not unfair or is justified, and federal preemption.
  • The UCL provides private plaintiffs with the ability to bring claims for restitution and injunctive relief, while the government can also impose civil penalties of up to $2,500 per violation.  §§ 17203, 17206; see e.g., People v. JTH Tax, Inc., 212 Cal. App. 4th 1219, 1254 (2013) (“[T]he court could have imposed penalties of over $9 million, but only imposed penalties of $715,344 for these advertisements.”).

Here, the California Attorney General alleged that Western Union, during the course of its money transferring services, failed to scrutinize and stop complicit agents that did not comply with anti-money laundering policies, inadequately trained, vetted and reported agents, and overall did not “prevent fraudulent telemarketers, sellers, and con artists from using Western Union’s money transfer system to perpetrate their frauds.”  In other words, Western Union exposed its customers to fraud in violation of the UCL.

As part of the global settlement, Western Union agreed to implement a comprehensive anti-fraud program to detect and prevent future incidents.  California consumers who made a wire transfer through Western Union are entitled to a share of the DOJ restitution fund and may be eligible for more than $65 million in refunds.  The California Department of Justice also may recoup costs and fees from the $5 million multistate fund.

Bottom line: the UCL is a dynamic enforcement mechanism with the potential to curtail many different types of business activities that seemingly harm consumers, and provides the Attorney General with the ability to inflict stiff penalties for violations.

On Monday, a California federal judge enforced the California choice-of-law clause in Facebook’s online terms of use, and on that basis refused to consider the claims of a New Jersey resident that aspects of those terms of use violated New Jersey’s consumer contract disclosure law, the Truth-in-Consumer Contract, Warranty, and Notice Act (“TCCWNA”).  The decision should provide some peace-of-mind to online retailers based outside New Jersey who have choice-of-law clauses in their terms of use.  A note of caution is warranted, however, because the judge found it important that Facebook’s contract chose California law, and “California’s consumer protection laws have been recognized as among the strongest in the country.”  

The case is Palomino v. Facebook, Inc., No. 16-cv-4230-HSG (N.D. Cal.).  The plaintiffs claimed that Facebook’s terms of use contained provisions purporting to “disclaim liability” for willful misconduct, and to “bar claims for personal and economic injury and punitive damages” and “for deceptive and fraudulent conduct.”  Whether provisions like this actually violate the TCCWNA is a matter of dispute in other cases pending in state and federal courts in New Jersey and elsewhere.  Judge Haywood S. Gilliam held that he did not have to reach that question, however, because Facebook’s enforceable choice-of-law clause favoring California law precluded the plaintiff, a New Jersey resident, from suing under his home state’s consumer protection laws.

California’s test for enforcing a choice-of-law clause, set forth by the California Supreme Court in Washington Mut. Bank, F.A. v. Superior Court, 24 Cal. 4th 906, 916 (2001), begins by asking whether the chosen state has a substantial relationship to the parties or their transaction or, if not, whether there is any other reasonable basis for the choice.  If the answer to either question is yes, a plaintiff seeking to avoid application of the contractual choice must establish both “that the chosen law is contrary to a fundamental policy” of the alternative state and that the alternative state “has a materially greater interest in the determination of the particular issue.”  Facebook easily cleared the burden-shifting hurdle because it is headquartered in California.  Plaintiffs then failed to meet their burden because they “failed to show that California’s consumer protection law,” which itself precludes a wide array of false and deceptive practices and “aim[s] to accomplish the same end,” is “contrary to New Jersey policy.”  That California’s law “affords different rights and remedies” is immaterial because “[c]ourts should not refrain from applying the chosen law merely because this would lead to a different result.”     

The decision’s caveats are important, but the bottom line is that non-New Jersey choice-of-law clauses, applied by online retailers outside New Jersey, may preclude TCCWNA claims.  

 

Last week, California Governor Jerry Brown signed into law three bills that revise California’s data breach notification statute. The bills, which take effect January 1, 2016, establish specific formatting requirements for the consumer breach notice letter; define “encrypted”; and create notice, security, and privacy obligations for data captured by automated license plate recognition (ALPR) systems. The enactment of these bills, and others, indicates California’s continued commitment to reviewing and revising privacy- and security-related legislation to address perceived gaps and new threats.

Currently, California’s breach notification statute requires that the plain-language notice to affected consumers include (1) the notifying entity’s name and contact information; (2) a list of the types of personal information subject to the breach; (3) the date of the breach; (4) whether notification was delayed due to a law enforcement investigation; (5) if the breach involved Social Security, driver’s license, or California identification card numbers, the phone numbers and addresses of the major credit reporting agencies; and (6) if identity theft and mitigation services are offered, all information necessary to take advantage of that offer. S.B. 570 adds the following formatting requirements:

  1. The notice must be titled “Notice of Data Breach.”
  2. The required content (listed above) must be described under the following headings:  “What Happened,” “What Information Was Involved,” “What We Are Doing,” “What You Can Do,” and “For More Information.”  Additional information may be provided as a supplement to the notice.
  3. The format of the notice must be designed to call attention to the nature and significance of the information it contains.
  4. The title and headings must be clearly and conspicuously displayed.
  5. The text must be at least 10-point type.

Notices using the following model security breach notification form will be deemed to be compliant. CA Form

Under California law, a breach has occurred only if the compromised personal information is not encrypted. A.B. 964 defines “encrypted” as “rendered unusable, unreadable, or indecipherable to an unauthorized person through a security technology or methodology generally accepted in the field of information security.”

S.B. 34 amends the definition of “personal information,” adding “information or data collected through the use or operation of an automated license plate recognition system.” Additionally, the bill requires that ALPR operators and end-users maintain reasonable security procedures and practices, including operational, administrative, technical, and physical safeguards, to protect ALPR information, and a usage and privacy policy detailing their ALPR information collection, use, maintenance, sharing, and dissemination practices. The bill also creates a private right of action, under which individuals may bring a civil action, and a court may award actual damages of up to $2,500, punitive damages, reasonable attorney’s fees and costs, and/or other preliminary and equitable relief.

Last week, California Governor Jerry Brown signed into law A.B. 1116, prohibiting manufacturers’ use of smart televisions’ voice recognition feature for advertising purposes. Effective January 1, 2016, consumers must be “prominently informed” during initial set-up or installation of the operation of a voice recognition feature, and any recordings collected through the operation of the feature cannot be sold or used for any advertising purpose by either the manufacturer or the manufacturer’s third-party contractor. Although the law does not create a private right of action, the Attorney General and district attorneys may seek injunctive relief, as well as a civil penalty of up to $2,500 for each television knowingly sold or leased in violation of the statute.

The bill received bipartisan support and passed both the Senate and Assembly unanimously. Yet again, California leads the nation, becoming the first state to enact legislation addressing the growing concerns with information collection and use by connected devices. According to the bill’s author, most consumers understand that they may receive targeted advertising based on their internet activity, but may not realize that their connected appliances may utilize similar technology. It will be interesting to see if other states follow California’s lead. Smart TV

Yesterday, the California Public Utilities Commission announced it had approved a $33.4 million settlement with Comcast, which resolves allegations that, due to vendor switches, the company disclosed and published the contact information – name, address, and telephone number – of almost 75,000 California customers. Although the information published included contact information only, the affected customers had paid Comcast $1.25 or $1.50 per month for non-published phone numbers. The CPUC alleged that Comcast did not honor customers’ choice to keep that information private, and was slow to act after receiving complaints about the unauthorized disclosure and publication of customer information.

Under the terms of the agreement, Comcast will pay a $25 million civil penalty and approximately $8.4 million in restitution, including $100 each to the 74,774 affected customers, $432,000 for home security and/or safety-related services for 216 customers with specific safety concerns related to the disclosure, and $517,714 in refunds for non-published fees collected. For injunctive relief, Comcast has agreed to enhance its practices with respect to non-published phone numbers, including by (1) auditing vendors with access to customer directory listing information; (2) implementing detailed processes to handle customer inquiries and complaints; and (3) providing customers with a simplified explanation of the XFINITY Voice non-published feature to resolve concerns that customers do not fully understand the feature’s scope. In addition, the company must provide compliance reports to the CPUC for the next three years.

This settlement serves as another reminder to companies of the costs associated with failing to reasonably ensure that marketing representations, including those about customer privacy, are accurate and supported.

Last week, Lands’ End tried a second time to dismiss a “Made in U.S.A.” class action with the novel argument that, because the company had already reimbursed the plaintiff for the necktie she purchased, she is not injured and lacks standing.

As background, in October 2014, plaintiff Elaine Oxina filed the putative class action in the U.S. District Court for the Southern District of California, alleging that Lands’ End falsely represented that the necktie she purchased, which label states “Made in China,” was “Made in USA,” in violation of the Lanham Act and California’s Consumer Legal Remedies Act, Unfair Competition Law, and “Made in U.S.A.” statute. In June 2015, the court granted Lands’ End’s motion to dismiss the first amended complaint (which omitted the Lanham Act claim), concluding that Ms. Oxina lacked standing to bring the case under California’s “Made in U.S.A.” statute because Lands’ End made the alleged “Made in U.S.A.” representation online, and the statute applies only to “Made in U.S.A.” claims that appear on the merchandise or the merchandise’s container.

Not easily discouraged, Ms. Oxina filed a second amended complaint at the end of July, alleging that Lands’ End violated California’s consumer protection statutes in general by deceptively advertising a product labeled as “Made in China” as “Made in U.S.A.” Additionally, she claims that she sent Lands’ End a letter in June demanding that the company initiate a corrective advertising campaign and alert affected customers, but it did not comply with her request.

In the motion to dismiss filed last week, Lands’ End argues that, because the company sent Ms. Oxina a refund check for the purchased necktie, plus interest, eight days before she filed the second amended complaint, she lacks the injury necessary to file an action for damages, and therefore lacks Article III standing. Although “Made in U.S.A.” class action lawsuits are popular in California right now, it will be interesting to see whether Lands’ End’s argument passes muster, and whether companies can avoid an alleged violation – of California’s “Made in U.S.A.” statute or its consumer protection statutes in general – by simply reimbursing the aggrieved consumer.

California state law bill SB 763 has stayed relatively under the radar since its introduction in February 2015.  However, with recent traction in the state legislature – including passage in the Senate in June and passage in three Assembly Committees in July – this bill is definitely worth a second look.

SB 763 would require manufacturers of “juvenile products” sold in California to include a statement on the product’s label whether or not the product contains added flame retardant chemicals.  A “juvenile product” would be defined as a product subject to California’s Home Furnishings and Thermal Insulation Act,[1] and intended for use by infants and children under 12.  Covered products would include not only bassinets, floor play mats, crib mattresses, infant bouncers, and infant and booster seats which are used by infants and children, but also products intended for use by adults which the child or infant may come in contact with.  This includes, for example, nursing pads, nursing pillows, infant carriers, and changing table pads.

The bill would require manufacturers to affix the following lengthy labeling statement on covered juvenile products sold in California, and indicate the absence or presence of added flame retardant chemicals by marking a “X” in the applicable space below:

The State of California has determined that this product does not pose a serious fire hazard. The state has identified many flame retardant chemicals as being known to, or strongly suspected of, adversely impacting human health or development.
The fabric, filling, and plastic parts of this product:
_____contains added flame retardant chemicals
_____contains NO added flame retardant chemicals

Additionally, the bill imposes recordkeeping requirements, allows the CA Department of Toxic Substances Control to test products labeled as containing no added flame retardant chemicals for compliance, and permits fines ranging from $2,500 to $15,000 for mislabeling and other violations.

In the past few years, flame retardant chemicals have been highly scrutinized by consumer advocates.  According to the bill’s author, “[g]rowing evidence show(s) that many fire retardant chemicals have serious human and environmental health impacts, including cancer, decreased fertility, hormone disruption, lower IQ, and hyperactivity.”

Although the bill’s intentions are honorable – i.e., to provide parents with information needed to choose safe and healthy products for their children – the reality is that the bill would impose additional requirements on products already regulated by the CPSC, impose costly and burdensome labeling requirements on businesses, and may actually undermine consumer confidence in covered products.

As noted by Anne Northup, Former Congresswoman and Former U.S. CPSC Commissioner, “[i]magine the confusion from expectant parents shopping for needed items when they see that the high chair is labeled as being free of flame-retardants and the crib mattress being labeled as containing them. What are they to conclude about which product is safe?”

Continue Reading California Bill Would Complicate Labeling Requirements for Children’s Products