Consumer Protection Connection

Consumer Protection

GDPR Publication Starts Countdown to May 2018 Compliance Date for New Privacy Rules

Posted in Legislation, Privacy, Regulations
EU Flag

The new General Data Protection Regulation (GDPR) (Regulation 2016/69, Apr. 27, 2016), approved by the European Parliament and the Council of the European Union, was formally published in the Official Journal of the European Union on May 4, 2016, and will replace the Data Protection Directive (Directive 95/46/EC) effective May 28, 2018. This new set of requirements has been a long time coming, but brings a host of new requirements important to companies that use or process data in the EU or simply use or process data about EU citizens anywhere in the world outside the U.S. Unlike a directive, the GDPR does not require enabling legislation by Member States to apply, but Member State action is nonetheless anticipated in areas like updating penalties and defining a “child” for purposes of the Regulation.

Among the key requirements created by the GDPR are the following:

  • Companies outside the EU that are targeting EU consumers will be subject to the GDPR.
  • Data controllers will be required to maintain paperwork, and to conduct Privacy Impact Assessments (PIAs) for more sensitive types of data processing.
  • Data subjects’ consent must be clear, unambiguous, and—for sensitive data—explicit; consent may also be withdrawn.
  • A single data protection authority (DPA) will be able to be the “lead DPA,” enabling the lead DPA and other concerned DPAs to handle local or urgent cases in manner that will (hopefully) be more streamlined.
  • DPAs will be authorized to impose fines of up to 4% of global annual turnover for certain infringements, or 2% for less serious infringements.
  • Notifications of data breaches must be accomplished within 72 hours of learning of the breach, where feasible, although notification need not be made to the DPA if it is unlikely to result in risk to the rights or freedoms of individuals.
  • Many companies will be required to designate a data protection officer (DPO).
  • Special rules will apply to children’s data. Unlike the U.S., where a “child” is defined as “under 13” per the Children’s Online Privacy Protection Act (COPPA), Member States have the ability to establish an age between 13 and 16 as the age of a “child” for purposes of the GDPR. Divergence could create real headaches for businesses given practical limitations of getting “verifiable parental consent” when dealing with teens.

The GDPR comes at a sensitive time for many companies, with tensions over the “right to be forgotten” and the EU-U.S. Privacy Shield continuing to garner criticism from some DPAs. Companies with business or customers in the EU should begin preparing for the GDPR, if they have not begun already. Creating the relevant structures and laying out appropriate documentation will rapidly consume the two years before the GDPR applies mandatorily. The starting point for many companies will be to assess current practices and identify gaps now and use that to map out a compliance plan that fully prepares them for the new GDPR world in 2018.

Millar to Lead Toy Marketing Panel at CARU

Posted in Events, Privacy

Even as advertising to kids gets more complicated, the basic principles remain the same.

This week, Children’s Advertising Review Unit (CARU), an independent self-regulatory organization within the Council of Better Business Bureaus (CBBB) which monitors children’s advertising and helps marketers vet ads and campaigns, is hosting its annual conference, “Reimagining Children’s Advertising: Getting it Right in an Evolving Landscape,” in Marina del Rey, California. This dynamic program will bring together legal experts and major children’s advertisers to examine the children’s marketing landscape. Longtime CARU supporter and participant Sheila Millar will moderate a panel on marketing toys—“To Infinity and Beyond! Toy Story: What You Need to Know When Marketing Toys.” This panel will address the unique challenges when marketing both new and traditional toys and games to children.

Millar to Speak on Green Marketing at Foodservice Packaging Conference

Posted in Advertising

Environmental claims are attractive to marketers because they are attractive to consumers. The Federal Trade Commission (FTC) has issued guidance—the Guides for the Use of Environmental Marketing Claims, or Green Guides—to help industry assess what consumers will understand about various “green” claims. Among the most important claims is whether a product is “recyclable,” and determining when an unqualified claim of recyclability can be made is based in large part on the availability of recycling to consumers. The more broadly consumers in the sales area will have access to recycling, the stronger a marketer’s claim of recyclability can be. Less access means that a marketer must qualify its claim, which also (necessarily) reduces its impact.  Because the term “recyclable” is so important to marketers, and because its use is predicated on showing consumer access to recycling facilities, studies demonstrating the availability of recycling are critical substantiation tools in the field of green claims.  Similarly, substantiation requirements for other claims, like non-toxic, renewable, degradable and the like, often require a specific understanding of relevant standards, with the overlay of assessing implications from a consumer perception standpoint. 

Keller and Heckman partner Sheila Millar will address recyclable and other green claims at this week’s FPI Spring 2016 Conference during a panel session on “Environmental Marketing Claims and Foodservice Packaging.” The panel will also discuss results of a new “availability of recycling programs” study and what it means for the foodservice packaging industry. Established in 1933, the Foodservice Packaging Institute (FPI) is the trade association for the foodservice packaging industry in North America. FPI’s members include raw material and machinery suppliers, packaging converters, foodservice distributors and operators/retailers. The conference is being held in Ponte Vedra Beach, Florida.

California Adds Styrene to Proposition 65 List; Proposes NSRL

Posted in Product Safety, Regulations, Uncategorized

On April 22, 2016, California’s Office of Environmental Health Hazard Assessment (OEHHA) added styrene to the Proposition 65 list of carcinogens. OEHHA maintains a list of chemicals required under Proposition 65 (formally, the California Safe Drinking Water and Toxic Enforcement Act) that are “known to the state” to be reproductive toxicants or carcinogens based on Proposition 65 criteria. OEHHA also proposed a No Significant Risk Level, or NSRL, for styrene of 27 µg per day. Under Proposition 65, companies that sell products in the state must inform consumers if their products or establishments will expose consumers to a listed chemical above the NSRL.

OEHHA’s listing follows a litigation settlement with the Sierra Club. The settlement agreement required OEHHA to decide whether to list a number of substances under Proposition 65’s “authoritative bodies” listing mechanism if there is sufficient evidence to conclude that the chemical is a carcinogen to humans. OEHHA’s listing is based on a 2011 action by the National Toxicology Program’s (NTP) Report on Carcinogens, which listed styrene as “reasonably anticipated to be a human carcinogen.”

Comments on the proposed NSRL are due by June 6, 2016.

NTIA Steps into IoT Debate

Posted in Cybersecurity, Privacy
NTIA Steps into IoT Debate

Continuing its tradition of active involvement in digital economy questions, the Department of Commerce’s (DOC) National Telecommunications and Information Administration (NTIA) issued a request for public comment on questions posed by the growth of the Internet of Things (IoT). The explosive growth of connected products, anticipated to reach 25 billion by 2020, is one reason for the request for comment. The request for comment is intended to reflect the “four pillars” of DOC’s Digital Economy Agenda: promoting a free and open Internet worldwide; promoting trust and confidence online; ensuring Internet access for workers, families and companies; and promoting innovation in the digital economy.

NTIA seeks comment on a range of IoT questions grouped under various headings, including general, technology, infrastructure, policy and international engagement. Questions touch on technical and policy opportunities to promote (or hinder) growth, challenges (including privacy and cybersecurity, impacts on rural communities, etc.), infrastructure needs (interoperability, standards, spectrum, available network infrastructure, etc.) and international engagement. NTIA has previously sponsored several multi-stakeholder workshops, including a current initiative on facial recognition technology, and specifically solicits comment on whether a multi-stakeholder initiative would be useful. After receiving comments, NTIA will use the input to draft a “green paper” identifying key issues affecting deployment of IoT, discussing potential benefits and challenges, and outlining roles for the federal government in advancing IoT technologies in collaboration with the private sector. Comments are due by 5 p.m. ET on May 23, 2016.

Appeals Court Agrees That Health Solutions Provider’s Insurance Requires Defense in Data Disclosure Class Action

Posted in Data Security, Litigation, Privacy

Availability of insurance is often among the first questions that arises when a company encounters a data breach or other Internet-related problem involving company records, even where the company lacks a cyberinsurance policy. The federal Fourth Circuit Court of Appeals recently affirmed a ruling by a District Court that required insurance coverage for an inadvertent disclosure of private healthcare information under the policy’s provisions regarding the publication of material that may give “unreasonable publicity” to, or disclose information about, a person’s private life. Travelers Indem. Co. v. Portal Healthcare Solutions, LLC, Case No. 14-1944 (4th Cir. April 11, 2016) (unpublished).  Two patients of Portal Healthcare who found their medical information through a Google search filed a class action suit against the hospital for allegedly having inadvertently made hospital medical records available and unprotected on the Internet. Portal then sought coverage against its insurer, Travelers Indemnity Company.

Travelers, in turn, sought a declaratory judgment that it was not obliged to defend Portal under the traditional policies that Portal had purchased. The trial court found coverage under policy language covering an injury arising from the “electronic publication of material” that discloses information about a person’s private life. See Travelers Indem. Co. v. Portal Healthcare Solutions, LLC, 35 F. Supp. 3d 765 (E.D. Va. 2014). This type of traditional invasion of privacy claim has historically been covered by this type of policy. According to the trial court, the private medical information was “published” because it was available to everyone on the Internet—even though it was unclear whether anyone besides the two plaintiffs had ever accessed it—and because the information clearly related to the patient’s private life. The appellate court agreed with the trial court’s reasoning and affirmed the finding that Travelers had a duty to defend Portal in the suit.

Whether a particular insurance policy will cover a particular data breach depends on the terms of the relevant provisions, and this case may represent a unique situation in both the contractual terms and the facts surrounding the alleged breach. However, the appeals court’s decision is a persuasive reminder that insurance policies are generally read to benefit the insured where possible and where ambiguity lies. Companies managing their data flows should ensure that agreements with vendors appropriately to maximize data protections and appropriately apportion responsibility in the event of breach. Insurance coverage is also an important consideration. In this era of exponential growth in data breach litigation, companies should also carefully examine insurance policies for both coverage and for exclusions, as the insurance industry’s response to this sort of coverage decision may involve added limits on the types of claims that are covered.


FCC Adopts Broadband Privacy NPRM

Posted in Privacy, Regulations

At its Open Meeting yesterday, the Federal Communications Commission (FCC) adopted a Notice of Proposed Rulemaking (NPRM) that would apply the privacy protections in Section 222 of the Communications Act to broadband Internet Service Providers (ISPs). The text of the NPRM, which reportedly seeks public comment on more than 500 questions relating to privacy and security obligations for ISPs when handling customer data that they obtain in the provision of Internet access services, has not yet been released.

As we previously reported, the proposal focuses on ensuring that customers have choice as to how their data is used, a clear understanding of what data is being collected about them, and assurances that their data is secure. Of particular significance, the FCC has proposed that ISPs provide customers the ability to opt-out of the use of their data to market communications-related services that are unrelated to services they have purchased, and that customers be required to provide opt-in consent before their data can be used for other purposes. In addition, the NPRM proposes data security requirements to protect customer data against breaches and other vulnerabilities and data breach notification requirements.

The NPRM does not apply to web sites and other “edge services” over which the Federal Trade Commission (FTC) has jurisdiction.  Commission votes on the NPRM were split along party lines, with the three Democratic Commissioners approving and the two Republican Commissioners dissenting. In their separate statements, Republican Commissioners O’Rielly and Pai questioned the FCC’s authority and expertise to regulate privacy and data security, and opined that these matters would be better addressed by the FTC, which has more experience enforcing privacy and data security laws in a technology-neutral manner. While this debate will continue, there is no question that the NPRM proposes a host of new requirements that add more complexity to the evolving U.S. privacy and data security landscape.

CPSC Obtains Record $15.45 Million Settlement from Dehumidifier Manufacturer

Posted in Product Safety

The U.S. Consumer Product Safety Commission (CPSC) today announced that it had obtained a record $15,450,000 settlement of civil penalty liability from three Gree Electric entities (Gree Electric Appliances, Inc., of Zhuhai; Hong Kong Gree Electric Appliances Sales Co., Ltd.; and Gree USA Sales, Ltd.) (collectively, Gree). (The settlement is provisional until after the public has an opportunity to comment on it.) The settlement relates to the sale of dehumidifiers under 13 different brand names and allegations that Gree knowingly:

  • failed to report a defect and unreasonable risk of serious injury to CPSC immediately (within 24 hours) with dehumidifiers sold;
  • made misrepresentations to CPSC staff during its investigation; and
  • sold dehumidifiers bearing the UL safety certification mark that did not meet UL flammability standards.

The dehumidifiers have been the subject of three recall announcements, in September 2013 (the original recall), January 2014 (an expansion), and May 2014 (a reannouncement). The dehumidifiers could overheat, smoke, and catch fire, posing fire and burn hazards to consumers and their property. In the May 2014 reannouncement, the CPSC noted that:

  • the number of incidents had increased from 119 to 471 (a 395% jump);
  • the number of fires increased from 46 to 121 (a 263% jump); and
  • property damage reports increased from $2.15 million to nearly $4.5 million (a 209% jump).

The settlement includes the maximum penalty available under the Consumer Product Safety Act (CPSA), $15.15 million, plus $100,000 per misrepresentation for certification misrepresentations, as noted by Commissioner Joseph P. Mohorovic in his statement on the penalty. In the settlement, where Gree does not admit to the CPSC staff’s charges, the company agrees to implement a compliance program (in line with recent CPSC settlements), including:

  • written standards, policies, and procedures for CPSA compliance;
  • confidential employee compliance concern reporting;
  • training and communication regarding compliance policies and procedures;
  • senior management and board responsibility for compliance; and
  • record retention requirements.

Commissioner Mohorovic was joined by Commissioner Marietta Robinson in praising the CPSC staff for their work in obtaining this settlement. Commissioner Ann Marie Buerkle voted against accepting the provisional settlement.

A high dollar settlement has long been rumored, particularly given statements by CPSC Chairman Elliot Kaye to the effect that he believed Congress expected double-digit-million penalties after increasing the CPSC’s maximum penalty amount in the 2008 Consumer Product Safety Improvement Act (CPSIA). The allegations in the proposed order, including alleged false use of a third-party safety seal and the failure to notify the CPSC promptly on learning of the improper use of the seal, are especially serious, making the penalty amount perhaps less surprising. This type of conduct is, fortunately, extremely rare and the proposed order should not serve as a model for the range of penalties that might be proposed for vastly different conduct.

Children’s Confection Advertising Initiative Launched

Posted in Advertising

The newly launched Children’s Confection Advertising Initiative (CCAI), modeled on the Children’s Food and Beverage Advertising Initiative (CFBAI) and its Core Principles, is the latest food industry self-regulatory announcement under which participants agree to limit advertising to children under 12 or in elementary schools (from pre-kindergarten through sixth grade). The Council of Better Business Bureaus (CBBB) and the National Confectioners Association (NCA) will lead the CCAI.

The initiative is aimed at small- and mid-sized companies and has fewer administrative requirements than the CFBAI. “Charter participants” are Ferrara Candy Company; Ghirardelli Chocolate Company; Jelly Belly Candy Company; Just Born Quality Confections; The Promotion in Motion Companies, Inc.; and R.M. Palmer Company. They join six CFBAI participants (American Licorice Company; Ferrero USA; The Hershey Company; Mars, Incorporated; Mondelez International; and Nestlé) in the pledge to restrict advertising to kids under 12.

Federal Trade Commission (FTC) Chairwoman Edith Ramirez released a statement praising the formation of the initiative: “This new initiative is a welcome addition to the CBBB’s existing [CFBAI] and represents the type of self-regulatory solution the FTC has long advocated…. I also hope that this new partnership with the [NCA] will encourage other smaller candy companies to participate.”

The FCC Continues Privacy Push with Draft Proposal Regulating ISP Customers’ Data

Posted in Data Security, Privacy, Regulations
Members of the Federal Communications Commission, Nov. 2013

Members of the Federal Communications Commission, Nov. 2013

On the heels of the Open Internet Order adopted by the Federal Communications Commission (FCC) last year, FCC Chairman Tom Wheeler has circulated a Notice of Proposed Rulemaking (NPRM) to fellow Commissioners that would apply the privacy protections of the Communications Act to broadband Internet access services. Wheeler’s proposal will be voted on at the FCC’s March 31, 2016 Open Meeting and, if adopted, will be released for public comment. According to the Fact Sheet released by the FCC that summarizes the NPRM, the proposal is limited in scope in that it does not address the privacy practices of websites over which the Federal Trade Commission (FTC) has jurisdiction, other types of services offered by broadband Internet Service Providers (ISPs), or government surveillance, encryption, and law enforcement issues. The proposal nevertheless has major implications for ISPs and the rapidly evolving U.S. privacy and data security landscape.

The proposal would separate the use of customer data by ISPs into three categories, focusing on ensuring that customers have choice in how their data is used, clear understanding of what data is being collected about them, and assurances that their data is secure. The three categories are organized around customer consent:

  • Consent Inherent in Decision to Purchase Broadband Services. ISPs would be able to use customer data as necessary to provide broadband services and direct service-related marketing to customers without obtaining additional consent, based on a customer’s decision to purchase broadband service.
  • Opt-Out Required. ISPs would be able to use customer data to market communications-related services unrelated to the service purchased by a customer and to share data with affiliates for such purposes, but customers must be given an opt-out option with respect to such data usage.
  • Opt-In Required. All other uses of customer data would require express, affirmative opt-in consent from customers.

Thus, under the proposal, ISPs would not be prohibited from using and sharing customer data, but customers would have choices about how their data is used and shared.

The proposal would also establish data security requirements for ISPs to protect customer data against data breaches and other vulnerabilities, which reportedly includes (among other things) requirements for internal risk management, employee training, strong customer authentication, and protection of information shared with third parties. In the event of a breach of customer data, ISPs would be required to notify (1) affected customers within 10 days of discovery, (2) the FCC within 7 days of discovery, and (3) the Federal Bureau of Investigation and the U.S. Secret Service (for breaches affecting more than 5,000 customers) within 7 days of discovery of the breach. These proposed timeframes for notifications are shorter than most state data breach notification laws currently in effect.

This NPRM is just one of several instances of the FCC taking an active interest in consumer privacy and data security issues over the last few years. Earlier this week, the FCC settled with Verizon Wireless over its use of “supercookies” and alleged failure to adequately protect customers’ information (see our post here). Last year, AT&T settled with the FCC for $25 million over allegations that employees at the company’s call centers had inappropriately shared customers’ information with cellphone traffickers (see our post here). That settlement remains the FCC’s largest relating to data security. With these recent actions, the FCC has become a major player in the privacy and data security arena, along with the FTC, state attorneys general, plaintiffs’ lawyers, and foreign regulators.

Consumer Protection Connection