Consumer Protection Connection


Best Buy Agrees to Pay $3.8 Million for Selling Recalled Products

Posted in Product Safety, Regulations

Mega-retailer Best Buy agreed to pay $3.8 million to settle allegations that the company distributed and sold recalled products, a violation of the Consumer Product Safety Act (CPSA) as amended in 2008. U.S. Consumer Product Safety Commission (CPSC) staff alleged that the retailer sold more than 600 recalled units to consumers, including over 400 Canon cameras, as well as items such as electric ranges and dishwashers (each subject to a 2012 recall). Overall, the retailer sold 16 separate products subject to recalls announced between September 2010 and July 2015. CPSC and the retailer jointly reannounced 10 of the recalls in July 2014. In addition to the $3.8 million civil penalty, Best Buy agreed to maintain a compliance program designed to ensure compliance with the CPSA, including a program for the appropriate disposal of recalled products. The CPSC asserted that the company's prior system failed to accurately identify, quarantine, and prevent the sale of recalled products. In some cases, the company apparently failed to permanently block specific product codes, or even reactivated those codes or had them overridden. This occurred even after the company had assured CPSC that measures had been adopted to prevent the sale of recalled products.

This settlement is notable for two reasons. First, this announcement is one of several in recent years involving the sale of recalled products, and in this case (as in some previous cases) it involves a retailer that was not the initiator of the recall. The CPSC has increasingly sought to obtain settlements from companies for the further sale of recalled products. In these settlements, the CPSC has generally imposed requirements to implement two separate but related systems: (1) a system for ensuring compliance with the CPSA, and in particular for the reporting of information about substantial product hazards to the CPSC and for the appropriate disposal of recalled products; and (2) a system of internal controls and procedures. The settlement in this case serves notice on all members of the supply chain that they are under an obligation not to sell recalled products.

Second, this settlement is yet another data point showing a trend of increasingly high stakes for settling CPSC civil penalty actions. The Best Buy announcement is the first settlement announced in fiscal year 2017 (which began October 1, 2016), but the table below shows the civil penalty trends for the last three federal fiscal years:

CPSC Civil Penalty Settlements: The Numbers

Fiscal Year                     No. of Settlements   Total Amount      Average Amount
FY 2014                         5                    $7.175 million    $1.435 million
FY 2015                         9                    $24.4 million     $2.711 million
FY 2016                         5                    $31.25 million    $6.25 million
FY 2017 (as of Oct. 6, 2016)    1                    $3.8 million      $3.8 million


Given the increasing penalty amounts and the increasing focus by CPSC on actions by all members of the supply chain, careful attention to internal compliance processes and procedures is a must.

Another State AG Weighs in on Children’s Privacy

Posted in Privacy

Texas Attorney General (AG) Ken Paxton announced a settlement with an app developer over concerns that the developer’s apps infringed children’s privacy.

The developer, Juxta Labs, Inc., offers a range of mobile apps and games.  According to the AG’s press release, the company’s apps and social media were easy for children of any age to access.  Some of the apps offered free children’s games that used advertisements and in-app purchases, and transmitted personal information (including internet protocol addresses and geolocation information).  One app in particular – Jott – has apparently become popular among teens because it allows message exchange without resorting to either Wi-Fi or cellular networks (instead, it can operate via a Bluetooth mesh network).

The settlement resolves alleged violations of the Texas Deceptive Trade Practices Act and includes specific commitments to comply with the federal Children's Online Privacy Protection Act (COPPA). The company agreed to implement age-screening and pay a penalty of $30,000.

Following on the heels of a recent settlement by the New York Attorney General, it is clear that state regulators, as well as the Federal Trade Commission (FTC), are closely reviewing children’s privacy practices.

NTIA Announces Multistakeholder Workshop on IoT Security Patching

Posted in Cybersecurity, Data Security

The National Telecommunications and Information Administration (NTIA) has announced that it is convening a series of multistakeholder meetings concerning Internet of Things (IoT) Security Upgradability and Patching. The initial meeting will be held in Austin, Texas, on October 19, 2016. An associated Federal Register notice (expected to be published September 19, 2016) describes the short-term goal of this new multistakeholder process as being to "develop a broad, shared definition or set of definitions around security upgradability for consumer IoT, as well as strategies for communicating the security of IoT devices to consumers."

This workshop is an outgrowth of two earlier NTIA initiatives. The first is its March 2015 request for comment to “identify substantive cybersecurity issues that affect the digital ecosystem and digital economic growth where broad consensus, coordinated action, and the development of best practices could substantially improve security for organizations and consumers.” The second is NTIA’s April 2016 request for comment on the benefits, challenges, and potential roles for the government in fostering the advancement of the IoT. Many comments in response to the April request did raise the issue of security.

NTIA notes that, to realize the full potential of IoT, users need reasonable assurance that connected devices, embedded systems, and their applications will be secure. In so noting, NTIA describes the ultimate goal of this multistakeholder initiative as fostering a market that offers more devices and more systems that support security upgrades. This will be accomplished, in part, through increased consumer awareness and understanding. Given the enormous complexity of the IoT environment, this first workshop is expected to focus on the scope and organization of the work.

With the Federal Trade Commission’s (FTC) enforcement agenda focusing on security vulnerabilities and expectations for business practices, and the explosive growth of IoT devices in the marketplace, both security and privacy implications of their use are expected to remain important topics for policy development and for enforcement. To read an article on these and other issues raised by IoT that Keller and Heckman LLP published earlier this year, click here.

FCC Grants TCPA Relief to Energy Utilities and Schools

Posted in Data Security, Privacy

On August 4, 2016, the Federal Communications Commission (FCC) released a Declaratory Ruling granting in part two separate petitions that were filed last year – one by the Edison Electric Institute and American Gas Association, and another by Blackboard, Inc. – regarding application of the Telephone Consumer Protection Act of 1991 (TCPA) to certain types of non-telemarketing, informational “robocalls” placed by energy utilities and schools, respectively.  The TCPA prohibits, among other things, robocalls (calls and texts that are placed using an autodialer or a prerecorded or artificial voice) to mobile numbers unless they are made for an “emergency purpose” or with “prior express consent.”

The Declaratory Ruling confirms that:

(1) Energy utilities are deemed to have the requisite “prior express consent” to place robocalls regarding matters “closely related to the utility service” (namely, calls regarding planned or unplanned service outages or service restoration, calls regarding meter work, tree trimming, or other field work, calls regarding payment or other problems that threaten service curtailment, and calls about potential brown-outs due to heavy energy use) if placed to numbers provided by customers; and

(2) Schools can lawfully place certain types of robocalls to members of the school communities pursuant to the “emergency purpose” exception in the TCPA (namely, calls concerning weather closures, incidents of threats and/or imminent danger due to fires, dangerous persons, or health risks, and unexcused absences), and schools are deemed to have the requisite “prior express consent” to place other types of robocalls that are “closely related to the school’s mission” (namely, notifications of upcoming teacher conferences and general school activities) if placed to numbers provided by the recipients.

For a more detailed summary of the Declaratory Ruling, click here.

While the FCC largely granted the relief requested by the petitioners regarding the type of consent that is required to place “robocalls,” the agency reminded businesses of their obligation to comply with other TCPA requirements when placing robocalls, such as the opt-out requirements and ceasing robocalls to numbers that have been reassigned to new subscribers.  TCPA litigation is on the rise, and the FCC has adopted stringent requirements for automated calls and texts, so all businesses should ensure that they understand their obligations when using these technologies to communicate with current and former customers, employees, and others.

Shielded: EU Approves Privacy Pact with the U.S., Fee Schedule Proposed

Posted in Cybersecurity, Privacy

The European Commission (EC) approved the EU–U.S. Privacy Shield on Tuesday, July 12, after European Union member states, through the Article 31 committee, approved the pact the previous week (more on the draft adequacy decision back in March here and the earlier agreement laying out the Privacy Shield here). The decision will allow U.S. companies that have self-certified to process the data of European citizens, while giving EU citizens greater privacy protections and the ability to file suit in U.S. courts to redress alleged privacy invasions. The Privacy Shield took immediate effect upon notification to Member States on July 12, and will be published in the Federal Register within 30 days of the Article 31 committee approval. Companies that want to self-certify compliance with the Privacy Shield can do so starting August 1, 2016, and will be required to pay a cost recovery fee according to a fee schedule based on annual revenues (the fee ranges from $250 to $3,250, for companies with annual revenues from $0 to over $5 billion).

The EC’s approval is the culmination of months of negotiations between EU and U.S. authorities on data transfer mechanisms in the wake of the European Court of Justice’s (ECJ) Schrems v. Data Protection Commissioner decision in October 2015 (Case C-362/14) invalidating the EU–U.S. Safe Harbor Agreement. The Schrems decision deemed the previous Safe Harbor Framework inadequate and concluded that Data Protection Authorities (DPAs) could independently evaluate whether EU citizens’ right to privacy would be protected by the Safe Harbor.

The Privacy Shield, as the new basis for continuing to transfer data between the U.S. and the EU, imposes more robust obligations on participating U.S. companies to protect the personal data of Europeans than the prior Safe Harbor did. New requirements include the following:

  • Companies handling employee data must commit to comply with EC and DPAs’ decisions in their privacy policies;
  • Companies processing individuals’ data must commit to following the Privacy Shield Principles in privacy policies, making the commitment enforceable under U.S. law;
  • Companies must include a link to the U.S. Department of Commerce’s (DOC) Privacy Shield website;
  • Companies must inform individuals of:
    • their rights to access their own personal data,
    • the requirement that the company must disclose information in response to lawful requests from government authorities, and
    • the company’s liability where data is transferred onward to third parties; and
  • Companies must respond promptly to requests and inquiries from the DOC, and must make public any Privacy Shield–related Federal Trade Commission (FTC) or court orders based on non-compliance with the Privacy Shield.

European citizens will also have redress for alleged misuse of their data through new obligations of companies to respond to complaints and through no-charge alternative dispute resolution, among other routes. They will also be able to enforce privacy rights against U.S. government entities in U.S. courts based on the Judicial Redress Act, passed earlier this year and signed by President Obama on February 24, 2016. Adoption of a law recognizing this right was a key element in the negotiation process.

The deal also requires the DOC and FTC to engage in more robust monitoring and enforcement. U.S. law enforcement and national security access to EU citizens’ personal data will have to be the exception, and “must be used only to the extent necessary and proportionate.” An annual joint review of the Privacy Shield will also be conducted.

The FTC remains committed to enforcing representations about compliance with public privacy promises and privacy self-regulatory or certification programs. The FTC announced late last week (on July 14, 2016), for example, that it sent warning letters to 28 companies that claimed to be participating in the certification program under the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system. Companies can be certified as compliant with the CBPR program if they comply with nine data privacy protection principles: preventing harm, notice, collection limitation, uses of personal information, choice, integrity, security safeguards, access and correction, and accountability.

The FTC's actions to enforce U.S. companies' promises about adhering to the APEC CBPR align with its obligation to take enforcement actions under the Privacy Shield. Regulatory scrutiny of representations about cross-border privacy practices is likely to increase in coming months and years, as both the FTC and EU regulators have every reason to establish the Privacy Shield as a reliable and safe way to ensure that personal data transferred to the U.S. is handled appropriately.

Proliferating laws and regulations governing privacy and data security make the compliance challenge ever more complex for global businesses. The new regime under the EU General Data Protection Regulation (GDPR) coming into force in 2018 adds an extra-territorial twist, requiring all companies doing business internationally to become familiar with the new requirements and begin now to implement new compliance measures. (See our GDPR compliance checklist here as a starting point.) Staying on top of privacy is more important than ever in an ever-changing landscape.

The Scrutiny Continues: Social Media Activities Continue to Draw Consumers and Consumer Protection Enforcement Alike

Posted in Advertising, Enforcement

Since we last wrote about how marketers can craft social media policies to offer engaging promotions while meeting the scrutiny of regulators, social media has continued to be a popular venue for marketers to reach consumers. The Federal Trade Commission (FTC) has also kept the spotlight on compliance with the FTC Guides Concerning Use of Endorsements and Testimonials in Advertising, targeting companies that fail to meet obligations to disclose “material connections” when working with influencers to promote products in social media. Some recent FTC actions are summarized below.

  • In July 2016, Warner Bros. Home Entertainment, Inc., settled with the FTC over charges that the company deceived consumers by running a marketing campaign for the video game Middle Earth: Shadow of Mordor in 2014 without properly disclosing that online influencers, including the prominent PewDiePie, were allegedly paid from hundreds to tens of thousands of dollars to generate “buzz” for the game. These influencers posted gameplay videos on social media sites including YouTube without, according to the FTC, incorporating clear statements that the videos were sponsored. Although Warner Bros. did require some disclaimers about sponsorship, this information was generally only visible if consumers clicked on a button to reveal more details in a description about the video. The company allegedly also pre-approved at least one video without adequate sponsorship disclosure.
  • In June 2016, the FTC settled claims with SmartClick Media LLC, doing business as “Doctor Trusted,” relating to a certification program that allegedly represented to consumers that products sold on websites were independently evaluated by doctors using their medical expertise, when in fact they were not. The company used seals on websites that appeared to operate independently from SmartClick, including health-product review sites, but which were in fact operated by SmartClick. Although SmartClick had hired freelance doctors to conduct some reviews, these reviews were allegedly cursory, and the seals were sold to—and appeared on—800 websites. The FTC’s order imposed a judgment of $603,588 on the defendants, which was to be suspended upon their payment of $35,000.
  • In March 2016, the FTC finalized an order settling charges that Machinima, Inc. engaged in deceptive advertising by failing to disclose that it paid “influencers” to post YouTube videos that endorsed Microsoft Xbox One games as well as the platform. The FTC first announced the proposed order in September 2015, alleging that the company paid endorsers $15,000 and $30,000 for posting videos on the popular video playing platform that resulted in 250,000 views and 730,000 views, respectively. The settlement did not involve a financial payment by Machinima, but the company agreed not to violate the FTC’s deception policy in the future. Microsoft and its advertising agency both received closing letters in 2015 that found them partially responsible, but the FTC concluded that these companies’ failures were “one-offs.”

*          *          *          *          *

The social media landscape is no longer new. Companies are expanding social media initiatives with good reason – because it’s where the eyeballs are. But all companies, large and small, must take care to assure that their social media initiatives, particularly those involving influencers, comply with the FTC’s guidelines on endorsements.  A word to the wise: The FTC staff, just like consumers, is looking at social media sites like YouTube, Pinterest and others. The difference is that the FTC is on the lookout for violations of its rules and guidelines.

State Data Breach Notification Laws – Overview of Requirements for Responding to a Data Breach (Updated June 2016)

Posted in Data Security, Privacy, Regulations

We have updated our summary of state data breach notification laws in light of recent amendments to some of the laws since our last update in September 2015.

Notably, Tennessee amended its data breach notification law, the Identity Theft Deterrence Act, effective July 1, 2016, by eliminating an encryption safe harbor and requiring that affected residents be notified of a breach affecting their personal information immediately, and no later than 45 days after discovery of the breach.  Thus, the notification obligation extends to all computerized data that is subject to unauthorized acquisition, regardless of whether the data is encrypted or unencrypted.  Tennessee is the first state to extend data breach notification obligations to encrypted data.

Illinois also amended its data breach notification law, the Personal Information Protection Act (PIPA), effective January 1, 2017.  Consistent with some other state laws, the amendments to PIPA expand the definition of “personal information” to include medical information, health insurance information, and unique biometric data when used with an individual’s first and last name, as well as a user name or e-mail address plus a password or security question and answer that would provide unauthorized access to an online account.  In addition, covered entities and business associates that are subject to the Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act and are required to notify the Secretary of Health and Human Services of a breach will be deemed to be in compliance with PIPA if they notify the Illinois Attorney General of the breach within five business days of notifying the Secretary.

To view the latest summary on our website and/or download a copy, click here.

FAA Paves the Way for More Ubiquitous Use of Drones

Posted in Regulations

On June 21, 2016, the Federal Aviation Administration (FAA) released its much-anticipated new Small Unmanned Aircraft System (UAS) Rule (Part 107). Simultaneously with its release, the White House issued a Fact Sheet for the new Rule. The Rule permits the operation of small UAS (an unmanned aircraft weighing less than 55 pounds) in the National Airspace System, and paves the way for the more ubiquitous use of UAS (aka drones) for commercial, public safety, scientific, and educational purposes.

The FAA has historically accommodated non-recreational small UAS use through special airworthiness certificates, exemptions, and certificates of waiver or authorization. In its latest annual Aerospace Forecast Report for Fiscal Years 2016 to 2036, the FAA noted that, as of March 16, 2016, more than 4,000 exemptions had been granted for commercial UAS operations, and the FAA had received approximately 408,000 registration applications for UAS weighing less than 55 pounds.

The new Rule will permit UAS operations for applications such as the delivery of consumer goods, inspections of cell phone towers, bridges, pipelines, electric lines, and oil rigs, crop monitoring, search and rescue missions, research and development, and aerial photography, to name a few. The Rule limits small UAS to daylight and twilight operations with appropriate collision lighting, confined areas of operation, and visual-line-of-sight operations, and imposes operational limitations and remote pilot in command certification and responsibilities. There is a waiver mechanism to accommodate new technologies and unique circumstances if a proposed operation can be conducted safely under the terms of a certificate of waiver.

While the FAA's new Rule does not address privacy issues, this is a developing area that will remain at the forefront. Several Federal agencies have instituted UAS privacy policies pursuant to a Presidential Memorandum issued last year, Promoting Economic Competitiveness While Safeguarding Privacy, Civil Rights, and Civil Liberties in Domestic Use of Unmanned Aircraft Systems. In addition, the National Telecommunications and Information Administration (NTIA) convened a multi-stakeholder process to examine the privacy, transparency, and accountability issues relating to commercial and private use of UAS. NTIA recently released an updated Voluntary Best Practices for UAS Privacy, Transparency, and Accountability, which focuses on when UAS operators should provide notice and/or obtain consent from individuals whose personal data they collect, and how such data should be used, shared, and stored.

The small UAS Rule is the first of many steps in the advancement of aviation technologies to enhance operational efficiencies, public health and safety, and quality of life.

Preparing for the EU General Data Protection Regulation: A Checklist for Businesses

Posted in Data Security, Privacy

The new European Union General Data Protection Regulation (GDPR) (Regulation 2016/679, Apr. 27, 2016) will replace the Data Protection Directive (Directive 95/46/EC) effective May 25, 2018. The GDPR has been a long time coming, and introduces a host of new requirements for companies that use or process data in the EU, or that simply use or process data about EU citizens anywhere in the world, including in the United States. The reforms will give European consumers new rights and control over their personal information, and impose new obligations on businesses to the extent that they collect personal information from EU citizens, regardless of where they reside, or from individuals who reside in the EU, regardless of their nationality.

Given the magnitude of new requirements in the GDPR, it will be important for companies to begin the compliance process now.  A good starting point is for businesses to assess their current practices and identify gaps, and use that to map out a step by step compliance plan specific to their data collection practices that fully prepares them for the new GDPR world in 2018.

Keller and Heckman LLP attorneys have prepared a summary of the key requirements in the GDPR and a compliance checklist for businesses.  To view them on our website and/or download a copy, click here.  For more information on the GDPR or other privacy and data security matters, please contact Sheila Millar (+1 202.434.4143, or Tracy Marshall (+1 202.434.4234,

Supreme Court Requires Plaintiffs to Show Harm or Risk of Harm, Not Bare Procedural Violation, to Get Statutory Damages

Posted in Cybersecurity, Data Security, Litigation, Privacy
SCOTUS at dusk, Joe Ravi | CC-BY-SA 3.0

Last year, we noted that the Supreme Court had granted certiorari in a case that could limit the ability of plaintiffs to sue defendants over bare statutory violations without the showing of actual injury. The case implicates a wide variety of statutes that grant monetary awards to successful plaintiffs on the basis of statutory violations. In order to pursue a claim in federal court, a plaintiff must demonstrate standing (the right to be heard in court), which requires (among other things) an “injury in fact,” which occurs when a legally protected interest is invaded and that invasion is “concrete and particularized.”

Here, in Spokeo, Inc. v. Robins, plaintiff Thomas Robins alleged that Spokeo was covered by the Fair Credit Reporting Act (FCRA) and violated the statute by providing inaccurate information about him through its "people search engine" website. Willful violations of the FCRA allow consumers to seek statutory damages of $100 to $1,000, plus punitive damages.

The Supreme Court decided against the plaintiff, concluding that a “bare procedural violation” cannot satisfy Article III, and remanding the case. Justice Alito wrote for the majority:

Congress plainly sought to curb the dissemination of false information by adopting procedures designed to decrease that risk. On the other hand, Robins cannot satisfy the demands of Article III by alleging a bare procedural violation. A violation of one of the FCRA’s procedural requirements may result in no harm.

So, violating mere procedural niceties will not necessarily meet the injury-in-fact requirement. The Court was, however, careful to note that "intangible injuries can nevertheless be concrete," and that a "concrete" injury can incorporate a "real risk of harm." Thus, "[f]or example, the law has long permitted recovery by certain tort victims even if their harms may be difficult to prove or measure." A risk of injury that is substantial enough may satisfy the concreteness element of the injury-in-fact requirement. As a counterexample, the Court noted that "[i]t is difficult to imagine how the dissemination of an incorrect zip code, without more, could work any concrete harm."

On this basis, the Court vacated the Ninth Circuit's finding that Robins' "particularized" injury satisfied the injury-in-fact requirement. A particularized injury is necessary (the Court took no issue with the Ninth Circuit's finding on that point) but not sufficient. The Court directed the Ninth Circuit to conduct further analysis of "whether the particular procedural violations alleged in this case entail a degree of risk sufficient to meet the concreteness requirement" of Article III standing.

Going forward, under a variety of federal statutes, plaintiffs for whom Congress has provided damages will need to show not merely that the statute was violated, but that the statutory or procedural violation meets the concreteness requirement, that is, that the violation "harm[s] or presents the risk of harm." For claims under statutes that authorize minimum monetary damages for statutory violations, such as the Telephone Consumer Protection Act (TCPA), which authorizes $500 to $1,500 in damages for unsolicited text messages, harm or a risk of harm may be hard to prove.

Justice Alito was joined by Chief Justice Roberts and Justices Kennedy, Thomas, Breyer, and Kagan. Justice Thomas also filed a concurring opinion, and Justice Ginsburg dissented, joined by Justice Sotomayor.
