Consumer Protection Connection

Consumer Protection

Elliot Kaye Steps Down as CPSC Chair

Posted in Regulations

In line with the chairs of other U.S. government agencies and commissions, U.S. Consumer Product Safety Commission (CPSC) Chairman Elliot F. Kaye has resigned his seat as chairman, according to internal sources. Pursuant to the commissioners’ unanimous vote on January 19, 2017, Vice Chair Ann Marie Buerkle assumes the role of Acting Chair until a permanent replacement is appointed by President Trump and confirmed by the Senate.

Acting Chair Buerkle is a proponent of reducing testing burdens faced by manufacturers and working closely with the stakeholder community. She has opposed the recent increase in CPSC’s civil penalty settlements and criticized a lack of transparency in the civil penalty process.

Kaye was nominated by President Barack Obama on March 31, 2014, and was confirmed by the U.S. Senate on July 28, 2014, to a term set to run until 2020. He had two separate commissions—one as commissioner and one as chairman—and resigning the chairman’s seat does not automatically affect his seat as commissioner.

FTC Finds Water Company Claims Are All Washed Up

Posted in Advertising

The push to “Buy American” aims to encourage consumers and businesses to support homegrown industry.  So, when a water filter maker’s claims of “buil[t] in the U.S.” didn’t hold water, the company quickly found itself in a sea of trouble with the FTC.

Georgia-based iSpring advertised and sold its water filter to consumers on its website as well as via major retailers such as Amazon, Overstock, Sears, Home Depot, and Walmart.  The FTC complaint alleged that iSpring Water Systems misled consumers with “false, misleading, or unsupported claims” that its water filtration systems are “Built in USA.” The problem, FTC alleged, was that the company used substantial components produced overseas.

Under the standard terms of its settlement with the FTC, iSpring is prohibited from making any representation regarding country of origin unless such representation is demonstrably true and cannot describe its products as “Made in USA” unless it can establish that virtually all of its components are sourced and manufactured in the United States. Qualified “Made in USA” claims are, of course, permissible so long as iSpring makes them “include a clear and conspicuous disclosure about the extent to which the product contains foreign parts, ingredients, [or] processing.”

“Supporting American manufacturing is important to many consumers. If a product is advertised or labelled as ‘made’ or ‘built’ in the USA, consumers rightly expect that to be the case when they part with their hard-earned money,” said Acting FTC Chairman Maureen Ohlhausen. “This is an important issue for American business and their customers, and the FTC will remain vigilant in this area.”

Many consumers do look for products made in America.  The decision confirms that the FTC, which has been very active in enforcing against similar products over the past couple of years, will continue to take a close look at such claims.  Public comments on the proposed agreement will be accepted until March 3, 2017, and interested parties can submit comments here.

Smart TV Tracking Without Permission? Not So Clever

Posted in Privacy

Have you ever had the niggling suspicion your television was watching you?  Apparently, if it was made by smart technology manufacturer VIZIO, it very well may have been.  In a $2.2 million settlement with the Federal Trade Commission (FTC) and the New Jersey Attorney General, VIZIO acknowledged that it collected and sold data from 11 million televisions without viewers’ knowledge.

According to the FTC complaint, beginning in February 2014, VIZIO smart televisions covertly recorded continuous data of what viewers watched without their knowledge or consent. The television’s Smart Interactivity feature was advertised simply as a way to get program recommendations.  But when the feature was activated, rather than make viewing suggestions, it collected data from cable, on-air broadcasts, DVDs, broadband, and streaming devices and sent it back to VIZIO via the company’s embedded, proprietary ACR software.  The data, including a persistent identifier for each television, program and commercial viewed, when it was viewed, how long it was viewed, and what channel it was on, was then sold to third parties for audience measurement, analyzing advertising effectiveness, and behavioral advertising purposes. The complaint asserts that these actions violated Section 5 of the FTC Act and New Jersey consumer protection laws.

Under a stipulated federal court order, VIZIO is required to obtain express consent for its data collection and sharing practices, and must institute a comprehensive data privacy program.  The company is also barred from misrepresenting the privacy, security, and confidentiality of consumer information it collects.

FTC Acting Chairman Maureen K. Ohlhausen issued a concurring statement in which she noted that “[e]vidence shows that consumers do not expect televisions to collect and share information about what they watch.”  She went on, however, to caution:

We must determine whether the practice causes substantial injury that is not reasonably avoidable by the consumer and is not outweighed by benefits to competition or consumers. This case demonstrates the need for the FTC to examine more rigorously what constitutes “substantial injury” in the context of information about consumers. In the coming weeks I will launch an effort to examine this important issue further.

Ohlhausen’s statement is consistent with earlier dissenting and concurring statements in other cases suggesting that FTC privacy and data security enforcement actions should focus on instances where business actions resulted in actual harm to consumers. The type of review Ohlhausen describes may result in affirming the importance of all three factors under the Commission’s 1980 Unfairness Policy Statement.  With the Internet of Things exploding, manufacturers of smart products should stay tuned.


NIST Issues New Update to Cybersecurity Framework

Posted in Cybersecurity

On January 10, 2017, the National Institute of Standards and Technology (NIST) released an update to its Cybersecurity Framework, first issued in 2014. The Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes. The new draft provides details on managing cyber supply chain risks, clarifies key terms, and introduces measurement methods for cybersecurity. According to NIST, the new Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 incorporates feedback and suggestions received since 2014, including responses from a December 2015 request for information and comments from attendees of a workshop held in April 2016.

The changes in the latest Framework include a new section on cybersecurity measurement; a more detailed explanation of how to use the Framework for Cyber Supply Chain Risk Management purposes; refinements to better account for authentication, authorization, and identity proofing; and a more thorough explanation of the relationship between Implementation Tiers and Profiles.

NIST is a branch of the U.S. Department of Commerce which provides measurement standards. On February 12, 2013, President Obama issued an Executive Order that called for the development of a risk-based, voluntary set of industry standards and best practices to help organizations manage cybersecurity risks. The Cybersecurity Framework is intended to “help organizations manage cybersecurity risk in the nation’s critical infrastructure, such as bridges and the electric power grid,” and was developed in consultation with industry, academia and government agencies. The Cybersecurity Enhancement Act of 2014 calls for NIST to continue its work on the framework.

Details of the changes can be found in Appendix A of the draft Framework. Comments on the draft will be accepted until April 10, 2017, and should be sent to From ransomware attacks to data breaches at major retailers, health care facilities and others, cybercrime continues to present serious threats to businesses across the supply chain. With these growing risks, it is important for businesses in all sectors to monitor best practices and assess, implement, and re-assess security solutions periodically.

Turn, Inc. Settles with FTC Over Deceptive Consumer Tracking

Posted in Privacy

In 2015, Verizon found itself in hot water over charges it was using a “super cookie” that continued to operate even when users believed they had opted out of mobile phone data tracking. Verizon allegedly then sent the data obtained to a third party for targeted advertising purposes without its customers’ consent. Verizon settled with the FTC in 2015, and now, the third party at the heart of the FTC’s complaint, Turn Inc., has followed suit, agreeing to the terms of a consent order with the FTC on December 20, 2016.

Turn’s demand side platform and data management platform enable sellers to target consumers with digital advertisements. According to the FTC, Turn’s privacy policy indicated that Verizon wireless customers could set their web browser to block targeted advertising or limit cookies, but that web data tracking continued even after customers had taken the appropriate steps to turn it off.

The proposed consent order requires Turn to provide an effective opt-out for consumers who do not want their data used for targeted advertising; place a hyperlink on its homepage to an explanation of what information is collected and used for targeted advertising; and provide an accurate representation of its privacy policy.

Public comments on the proposed agreement will be accepted through January 19, 2017, and interested parties can submit comments here.

California Department of Toxic Substances Control Releases Draft Alternatives Analysis Guide

Posted in Product Safety

On December 12, 2016, the California Department of Toxic Substances Control (DTSC) released a draft Alternatives Analysis (AA) Guide under the state’s green chemistry program, Safer Consumer Products (SCP). Under the SCP program, product designers and manufacturers are encouraged to reduce or eliminate the use of certain targeted chemicals in their products, and the Guide is intended to help businesses navigate the SCP Alternatives Analysis process.  It also provides useful approaches, methods, resources, tools, and examples of best practices.

A webinar to discuss the draft Guide will be held on January 10, 2017; registration information is available here.  The comment period is open now and runs until January 20, 2017.

Clocking in at over 200 pages, the draft Guide is far from light reading, but businesses and trade associations that use chemicals currently or that are potentially targeted in the SCP process should keep close tabs on AA developments and consider submitting comments. AAs will impose substantial expense on companies and industries, in part because the California SCP legislation establishes proscriptive requirements that no currently available AA tool will meet.

Avoid Being Held Hostage: FTC Releases Ransomware Guidance

Posted in Cybersecurity

New research from security company Kaspersky Labs suggests that the use of ransomware is now so widespread that nearly every moment, a ransomware attack is being launched somewhere in the world on businesses and consumers.

Ransomware, or malicious software that infiltrates computer systems and uses tools like encryption to deny access or hold data “hostage” for a ransom, is becoming an epidemic. According to Kaspersky’s data, ransomware attacks increased threefold between January and September 2016. Forty-two percent of small and medium-sized businesses were hit with ransomware attacks, while individual consumer attacks escalated from one every twenty seconds to one every ten. Ransoms demanded typically range from $500 to $1,000, but some criminals have demanded as much as $30,000, and only one in five small- to medium-sized companies have been able to retrieve their data after payment.

The threat is so great that the Federal Trade Commission (FTC) held a workshop on ransomware on September 7, 2016. In her opening remarks, FTC Chairwoman Edith Ramirez cautioned businesses to be aware of the dangers of ransomware, and to adhere to FTC recommendations.

As a follow-up to the workshop, the FTC released ransomware guidelines on November 10, 2016, including a video outlining the dangers. The guidance offers four important steps that the FTC believes businesses should adopt to minimize the risk of ransomware threats:

  • Training and education. Implement education and awareness programs to train employees to exercise caution online and avoid phishing attacks.
  • Cyber hygiene. Practice good security by implementing basic cyber hygiene principles. Cyber hygiene initiatives include the following important steps:
    • Assess the computers and devices connected to networks to proactively identify the scope of potential exposure to malware.
    • Identify technical measures that can mitigate risk, including endpoint security products, email authentication, intrusion prevention software, and web browser protection.
    • Implement procedures to keep security current. Update and patch third-party software to eliminate known vulnerabilities.
  • Back up your data early and often.
    • Identify business-critical data in advance and establish regular and routine backups.
    • Keep backups disconnected from your network so that you can rely on them in the event of an attack.
  • Prepare for an attack. Develop and test incident response and business continuity plans.

The FTC also advises victims of ransomware on three steps they should adopt in response to attacks:

  • Contain the attack. Disconnect infected devices from your network to keep ransomware from spreading.
  • Restore your computer. If you’ve backed up your files, and removed any malware, you may be able to restore your computer. Follow the instructions from your operating system to re-boot your computer, if possible.
  • Contact law enforcement. Report ransomware attacks to the Internet Crime Complaint Center or an FBI field office. Include any contact information (like the criminals’ email address) or payment information (like a Bitcoin wallet number). This may help with investigations.

Generally, authorities do not recommend that businesses pay the ransom. Too often they simply get higher demands, become targets again, or don’t get the data back.

It is also important for businesses to remember that ransomware attacks often constitute data breaches that may be reportable under federal or state data breach notification laws. Conducting tabletop exercises to educate staff and test preparedness is helpful.

The FTC’s recommendations are consistent with overall steps that the Commission and other experts have recommended to address data breaches. It’s important for businesses to pay attention to this sort of FTC guidance. The only thing worse than being held hostage by ransomware perpetrators is being held hostage and then also facing an FTC inquiry for alleged failure to adequately safeguard data.

Best Buy Agrees to Pay $3.8 Million for Selling Recalled Products

Posted in Product Safety, Regulations

Mega-retailer Best Buy agreed to pay $3.8 million to settle allegations that the company distributed and sold recalled products, a violation of the Consumer Product Safety Act (CPSA) after the 2008 amendments. U.S. Consumer Product Safety Commission (CPSC) staff alleged that the retailer sold more than 600 recalled units, including over 400 Canon cameras, to consumers, as well as items such as electric ranges (subject to a 2012 recall) and dishwashers (subject to a 2012 recall). Overall, the retailer sold 16 separate products subject to recalls announced between September 2010 and July 2015. CPSC and the retailer jointly reannounced 10 of the recalls in July 2014. In addition to the $3.8 million civil penalty, Best Buy agreed to maintain a compliance program designed to ensure compliance with the CPSA, including a program for the appropriate disposal of recalled products. The CPSC asserted that the Company’s prior system failed to accurately identify, quarantine, and prevent the sales of recalled products. In some cases, the company apparently failed to permanently block specific product codes, or even reactivated those codes or had them overridden. This occurred even after the company had assured CPSC the measures were adopted to prevent the sale of recalled products.

This settlement is notable for two reasons. First, this announcement is one of several in recent years involving the sale of recalled products, and in this case (as in some previous cases) it involves a retailer that was not the initiator of the recall. The CPSC has increasingly sought to obtain settlements from companies for the further sale of recalled products. In these settlements, the CPSC has generally imposed requirements to implement two separate but related systems: (1) a system for ensuring compliance with the CPSA, and in particular for the reporting of information about substantial product hazards to the CPSC and for the appropriate disposal of recalled products; and (2) a system of internal controls and procedures. The settlement in this case serves notice on all members of the supply chain that they are under an obligation not to sell recalled products.

Second, this settlement is yet another data point showing a trend of increasingly high stakes for settling CPSC civil penalty actions. The Best Buy announcement is the first settlement announced in fiscal year 2017 (which began October 1, 2017), but the table below shows the civil penalty trends for the last three federal fiscal years:

CPSC Civil Penalty Settlements: The Numbers

Fiscal Year | No. of Settlements | Total Amount | Average Amount
FY 2014 | 5 | $7.175 million | $1.435 million
FY 2015 | 9 | $24.4 million | $2.711 million
FY 2016 | 5 | $31.25 million | $6.25 million
FY 2017 (as of Oct. 6, 2016) | 1 | $3.8 million | $3.8 million


Given the increasing penalty amounts and the increasing focus by CPSC on actions by all members of the supply chain, careful attention to internal compliance processes and procedures is a must.

Another State AG Weighs in on Children’s Privacy

Posted in Privacy

Texas Attorney General (AG) Ken Paxton announced a settlement with an app developer over concerns that the developer’s apps infringed children’s privacy.

The developer, Juxta Labs, Inc., offers a range of mobile apps and games.  According to the AG’s press release, the company’s apps and social media were easy for children of any age to access.  Some of the apps offered free children’s games that used advertisements and in-app purchases, and transmitted personal information (including internet protocol addresses and geolocation information).  One app in particular – Jott – has apparently become popular among teens because it allows message exchange without resorting to either Wi-Fi or cellular networks (instead, it can operate via a Bluetooth mesh network).

The settlement resolves alleged violations of the Texas Deceptive Trade Practices Act and includes specific commitments to comply with the federal Children’s Online Privacy Protection Act (COPPA).  The Company agreed to implement age-screening and pay a penalty of $30,000.

Following on the heels of a recent settlement by the New York Attorney General, it is clear that state regulators, as well as the Federal Trade Commission (FTC), are closely reviewing children’s privacy practices.

NTIA Announces Multistakeholder Workshop on IoT Security Patching

Posted in Cybersecurity, Data Security

The National Telecommunications and Information Administration (NTIA) has announced it is convening a series of multistakeholder meetings concerning Internet of Things (IoT) Security Upgradability and Patching. The initial meeting will be held in Austin, Texas, on October 19, 2016. An associated Federal Register notice (expected to be published September 19, 2016) describes the short-term goal of this new multistakeholder process as to “develop a broad, shared definition or set of definitions around security upgradability for consumer IoT, as well as strategies for communicating the security of IoT devices to consumers.”

This workshop is an outgrowth of two earlier NTIA initiatives. The first is its March 2015 request for comment to “identify substantive cybersecurity issues that affect the digital ecosystem and digital economic growth where broad consensus, coordinated action, and the development of best practices could substantially improve security for organizations and consumers.” The second is NTIA’s April 2016 request for comment on the benefits, challenges, and potential roles for the government in fostering the advancement of the IoT. Many comments in response to the April request did raise the issue of security.

NTIA notes that, to realize the full potential of IoT, users need reasonable assurance that connected devices, embedded systems, and their applications will be secure. In so noting, NTIA describes the ultimate goal of this multistakeholder initiative as fostering a market that offers more devices and more systems that support security upgrades. This will be accomplished, in part, through increased consumer awareness and understanding. Given the enormous complexity of the IoT environment, this first workshop is expected to focus on the scope and organization of the work.

With the Federal Trade Commission’s (FTC) enforcement agenda focusing on security vulnerabilities and expectations for business practices, and the explosive growth of IoT devices in the marketplace, both security and privacy implications of their use are expected to remain important topics for policy development and for enforcement. To read an article on these and other issues raised by IoT that Keller and Heckman LLP published earlier this year, click here.
