Sheila A. Millar, Mike Gentine

After more than five months of silence regarding its choices to lead the U.S. Consumer Product Safety Commission (“CPSC”), the Biden Administration has now unveiled all three of its CPSC nominees in less than two weeks, with its July 13 announcement of President Biden’s intent to nominate Richard Trumka, Jr., currently General Counsel and Staff Director at the House Oversight and Investigations Committee’s Subcommittee on Economic and Consumer Policy.

On July 2, the White House had announced it would nominate Alexander Hoehn-Saric, Chief Counsel for Communications and Consumer Protection with the House Energy & Commerce Committee, to be a CPSC Commissioner and the agency’s chairperson, and Mary Boyle, currently CPSC’s Executive Director, to be a Commissioner as well.

As we wrote previously, the Commission currently has one vacant seat with another opening this October with Commissioner Elliot Kaye’s departure after his hold-over year, and a third available Commission slot with the end of Acting Chairperson Bob Adler’s term. We assumed that Hoehn-Saric and Boyle would be slotted for the open seat and Kaye’s; the White House has confirmed that assumption with its formal submission of their nominations to the Senate. That means Trumka would be slotted for Adler’s seat. Assuming the three nominees are confirmed, the Commissioners and their terms would be as follows through the current Biden Administration:

Biden Consumer Product Safety Commission

| Commissioner | Term Through |
| --- | --- |
| Dana Baiocco (R) | 2024 |
| Mary Boyle (D) if confirmed | 2025 |
| Peter Feldman (R) | 2026 |
| Alexander Hoehn-Saric (D, Chair) if confirmed | 2027 |
| Richard Trumka, Jr. (D) if confirmed | 2028 |

The Senate Committee on Commerce, Science, and Transportation will need to hold one or more hearings to consider the three nominees. With the Senate’s August recess looming, a hearing in the next three weeks seems unlikely, but is possible. A Committee vote on their nominations would come after a hearing, and a floor vote some time after that. With Kaye slated to depart October 27, and Adler expressing a desire to step down rather than stay for a holdover year, we anticipate action this fall on all three nominees.

Sheila A. Millar, Jean-Cyril Walker

Goods advertised as “Made in the USA” (MUSA) are potential money-makers for manufacturers tapping into the market of consumers who seek home-grown products. In recent years, however, the Federal Trade Commission (FTC) has investigated companies that deceptively marketed their goods as American-made, sending out warning letters, closing out investigations of companies that quickly change their advertising, and initiating more forceful enforcement action against advertisers who cannot substantiate MUSA claims. The FTC now has an additional legal basis for these investigations: a new rule that requires businesses making unqualified MUSA claims on their labels to prove their products are “all or virtually all” sourced and manufactured in America – or potentially pay hefty fines.

The Made in USA Labeling Rule (the Rule) codifies the Commission’s Decisions and Orders and its Enforcement Policy Statement on U.S. Origin Claims. It applies to all labels, whether they appear on product packaging or online, and includes mail order catalogs or mail order promotional materials that include a seal, mark, tag, or stamp declaring goods are “Made in the United States.”

Under the Rule, companies are barred from making unqualified MUSA claims unless they can establish that:

  • Final assembly or processing of the product occurs in the United States;
  • Significant processing that goes into the product occurs in the United States; and
  • All or virtually all ingredients or components of the product are made and sourced in the United States.

The Rule provides an exemption for companies that can show their unqualified MUSA claims are not deceptive. This isn’t a new concept. However, it also empowers the FTC to pursue civil penalties of up to $43,280 per violation against companies that make false MUSA claims.

The vote to approve the Final Rule was 3-2. Voting in favor, Commissioners Rohit Chopra, Rebecca Kelly Slaughter, and Chair Lina Khan issued a statement praising the action, which is consistent with a 1994 statute codified in 15 U.S.C. § 45(a). The Rule reflects longstanding guidance and legal precedent without imposing new obligations on businesses. The three Commissioners applauded the “broader range of remedies including the ability to seek redress, damages, penalties, and other relief from those who lie about a Made in USA label” authorized by the Rule. Commissioner Christine S. Wilson dissented, saying that the Rule is overbroad and “could be read to cover all advertising, not just labeling.” She argued that the rule thereby exceeds the FTC’s statutory authority. She added: “The Supreme Court’s recent decision in AMG has eliminated the FTC’s ability to seek equitable monetary relief under Section 13(b) of the FTC Act to compensate consumers. Thus, the temptation to test the limits of our remaining sources of authority is strong.”

In addition to its authority under the Rule, the FTC will continue to pursue deceptive MUSA advertising claims via its authority under Section 5 of the FTC Act.

One thing has been clear across several different administrations: false MUSA claims are a concern to regulators and will continue to garner enforcement attention. Companies that wish to label and/or advertise products as U.S.-made should make sure they understand the Rule as well as advertising basics, and confirm that they can substantiate express or implied MUSA claims on packaging, labeling, and advertising. False claims on labels could trigger civil penalties.

Sheila A. Millar, Tracy P. Marshall

On June 4, 2021, the European Commission adopted a new set of standard contractual clauses (SCCs) governing exchanges of personal data between data controllers and data processors and transfers of personal data from the EU to the U.S. or other countries that are not deemed to ensure adequate protection for personal data. The revised SCCs reflect new requirements for the protection of personal data under the EU General Data Protection Regulation (GDPR) and take account of the July 2020 judgment of the Court of Justice of the European Union (CJEU) in Schrems II that declared the EU-U.S. Privacy Shield framework for data transfers invalid and stipulated stricter requirements for transfers of personal data based on SCCs.

The new SCCs are designed to reflect the growing complexities of cross-border data processing and digital supply chains by offering a more flexible, if more stringent, approach that adds additional scenarios under which personal data is transferred. The new SCCs enter into force on September 28, 2021 for new contracts. There is an 18-month transition period for existing contracts based on previous sets of SCCs. The old SCCs should be replaced by the new version by December 28, 2022.

Key provisions of the new SCCs include:

Types of data transfers

The new SCCs provide different “modules” to address transfers of personal data in four scenarios. As with previous sets of SCCs, the new SCCs cover controller to controller transfers (Module One) and controller to processor transfers (Module Two). For the first time, the European Commission has also addressed processor to controller transfers (Module Three) and processor to processor transfers (Module Four).

Compliance with Schrems II

The CJEU’s decision in Schrems II upheld the validity of SCCs, but the court ruled that organizations must warrant that third countries to which data is exported provide adequate protection for personal data transfers under EU law. Organizations that cannot comply with this requirement must either introduce additional safeguards or cancel transfers.

The new SCCs appear to address this issue by allowing organizations to take a risk-based approach that assesses the state of the art, implementation costs, the nature, scope, context, and purpose(s) of processing, and whether public authorities are likely to access the personal data being transferred. The clauses include notification obligations to the data exporter, and, where possible, the data subject, of a legally binding request from a public authority for personal data. Because the Schrems II decision focused on disclosure of personal data of EU residents to the U.S. government, these clauses may be particularly significant for companies facing demands from a variety of U.S. agencies for such data.

Sensitive Data

Where a transfer involves “sensitive” personal data as defined under EU law (i.e., data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences) the data importer must apply special restrictions or adopt safeguards appropriate to the specific risk involved, such as restricting who can access personal data, adopting added security measures (such as pseudonymization), or other measures.

Onward transfers

Onward transfers to additional recipients in third countries are allowed only if:

  • The onward transfer is to a country with adequate safeguards in place for the protection of personal data or the third party otherwise ensures appropriate safeguards; or
  • The onward transfer is necessary for the establishment, exercise, or defense of legal claims in administrative, regulatory, or judicial proceedings or is necessary to protect the vital interests of the data subject or of another natural person.

“Docking clause”

More than two parties can now sign on to a single contract pertaining to data transfers at any time during its term.

Recordkeeping

Data importers are required to document their processing activities and inform data exporters if they become unable to comply with the SCCs. Data exporters must document that they used reasonable efforts to ensure that data importers are able to comply with the new contractual clauses.

***

Global businesses as well as policymakers have a strong interest in making certain that personal data can be freely transferred and that the data is appropriately protected. The European Commission’s decision should help ensure that SCCs remain a tool for businesses to meet their GDPR obligations in today’s complex world.

Sheila A. Millar, Mike Gentine

After more than five months of eager anticipation, the CPSC community finally knows who will be leading the agency, assuming confirmations go as smoothly as expected. President Biden announced on July 2, 2021 that he will nominate Alexander Hoehn-Saric for Chair and a seat on the Commission. Hoehn-Saric is currently Chief Counsel to the House Consumer Protection & Commerce Subcommittee, the arm of the House Energy & Commerce Committee that has oversight of CPSC.

Biden has also nominated Mary Boyle for a seat on the Commission. Boyle has been a longtime CPSC career staffer, currently serving as the agency’s Executive Director after years in the Office of General Counsel that included a term as General Counsel.

Currently, one spot on the five-member body is open as well as the Chairmanship. Current Acting Chair Bob Adler’s term is set to end in October; he can hold over for up to a year if no replacement is confirmed for his seat, although he has expressed a desire to leave the agency when his term ends this year. Commissioner and former Chair Elliot Kaye is already in his holdover year and will leave the agency no later than October unless he is renominated and confirmed. We understand Hoehn-Saric and Boyle will be nominated for the open seat and Commissioner Kaye’s slot, leaving Commissioner Adler to remain as Commissioner while the White House selects a third nominee.

CPSC Commissioners serve for fixed terms regardless of confirmation dates. As a result, whoever takes the open seat would have a term running through 2025, whoever takes Commissioner Kaye’s seat would serve through 2027, and whoever takes Commissioner Adler’s seat would serve through 2028. The two Republican Commissioners, Dana Baiocco and Peter Feldman, have terms that run to 2024 and 2026, respectively. CPSC is allowed no more than three Commissioners from the same political party. With two Republicans already serving and a remaining seat to fill, President Biden has an opportunity to add another Democrat to round out a full complement of Commissioners.

Sheila A. Millar, Mike Gentine

After completing its review of testing and labeling regulations for children’s products, staff of the Consumer Product Safety Commission (CPSC) recommended leaving the current product testing and component part testing regulations as is. The CPSC carried out this review of the “Testing and Labeling Regulations Pertaining to Product Certification of Children’s Products, Including Reliance on Component Part Testing” (testing rule) under section 610 of the Regulatory Flexibility Act (RFA), which requires a review 10 years after publication for any rule that has a significant impact on a substantial number of small businesses. Along with 16 C.F.R. part 1109, “Conditions and Requirements for Relying on Component Part Testing or Certification, or Another Party’s Finished Product Certification, to Meet Testing and Certification Requirements” (component part testing rule), the testing rule was up for review this year, as both rules do have a significant impact on many small businesses.

The testing rule lays out rules and standards for manufacturers to follow in obtaining third party testing for children’s products periodically and when there has been a material change in a product’s design or manufacturing process. It also specifies how products may be labeled to indicate compliance with Section 14 of the Consumer Product Safety Act (CPSA). The component part testing rule specifies how manufacturers can use third party tests of component parts of products to certify the compliance of the finished product. The component part testing rule was intended to reduce the costs and other burdens of testing finished children’s products.

Section 610 requires agencies to consider five factors in reviewing rules to minimize any significant economic impact of the rule on small entities:

  1. The continued need for the rule;
  2. The nature of complaints or comments received concerning the rule from the public;
  3. The complexity of the rule;
  4. The extent to which the rule overlaps, duplicates, or conflicts with other Federal rules, and, to the extent feasible, with State and local governmental rules; and
  5. The length of time since the rule has been evaluated or the degree to which technology, economic conditions, or other factors have changed in the area affected by the rule.

Following an analysis of the feedback received by staff during the 60-day public comment period and after considering the five factors, the CPSC concluded that no changes to the testing and component part testing rules were warranted at this time. The Commission acknowledged that third-party testing for compliance certification still imposes significant costs on some small businesses, but rejected requests for test burden relief, such as reducing the required frequency of periodic testing or revising the definition of small batch manufacturer, as either inconsistent with ensuring compliance or precluded by statute. The CPSC did note that additional guidance on using the component part testing rule could help small businesses use the rule to reduce their costs. Input from children’s product companies on that point may be useful in developing approaches that achieve both compliance and cost reduction goals.

Sheila A. Millar

The Federal Trade Commission (FTC) and the Food and Drug Administration (FDA) recently sent warning letters to five dietary supplement companies – LeRoche Benicoeur/ConceiveEasy; EU Natural Inc.; Fertility Nutraceuticals LLC; SAL NATURE LLC/FertilHerb; and NS Products, Inc. – warning them that advertising their products as treatments that could cure or treat infertility without substantiating evidence violates the FTC Act. Such claims also subject the products to FDA scrutiny as drugs under the Federal Food, Drug, and Cosmetic Act, which prohibits the introduction or sale of new drugs into interstate commerce without prior FDA approval. In each case, the agencies asserted that the companies promoted their products as able to “cure, treat, mitigate, or prevent disease.” Such assertions “establish that the product is a drug under section 201(g)(1)(B) of the Federal Food, Drug, and Cosmetic Act because it is intended for use in the cure, mitigation, treatment, or prevention of disease” and require FDA approval even if they are labeled as dietary supplements.

For example, NS Products promises on their website that by using their NaturaCure supplement “You will get pregnant very fast and give birth to healthy children regardless of . . . how severe or chronic your infertility disorder.” Similarly, Fertility Nutraceuticals assured customers that their CONFLAM Forte supplements are “[W]ell suited for women with infertility, a history of implantation failure, chemical pregnancies and miscarriages or with known inflammatory conditions, like obesity, polycystic ovary syndrome (PCOS), severe allergies and autoimmune conditions” and were the “best fertility supplements to boost your chance of pregnancy or improve your IVF success rate.”

Warning letters have been an important tool the agencies have used during the COVID-19 pandemic to address COVID treatment claims. Claims that a product can treat a medical condition, whether it involves infertility, a virus, or something else, must be substantiated by competent and reliable scientific evidence and comply with applicable registration or other regulatory obligations or face some potentially expensive consequences in the form of civil penalties or other enforcement actions.

Sheila A. Millar, Tracy P. Marshall

The Federal Trade Commission (FTC) has released the final agenda for its first workshop on the use of “dark patterns” online, Bringing Dark Patterns to Light: An FTC Workshop, which will be held virtually on April 29, 2021. The workshop will explore how to define “dark patterns,” their prevalence, possible harms (including to vulnerable groups) and potential solutions, among other things. The agency is also soliciting comments on relevant issues (see our earlier post for a list of topics).

The issue is receiving broader attention on the policy front. The FTC workshop provides an opportunity to explore the issues in more detail, and interested parties are encouraged to submit comments.

Sheila A. Millar, Tracy P. Marshall

The long trudge towards final regulations implementing the California Consumer Privacy Act (CCPA) continues. In December of last year, the California Attorney General issued a fourth set of proposed regulations. These additions were approved by the California Office of Administrative Law (OAL) on March 15, 2021 and took effect immediately. Here are the key changes businesses should know about.

New “Do Not Sell” Icon

The new regulations offer a voluntary opt-out icon that may be used in addition to (but not in place of) posting the notice of a California consumer’s right to opt-out of the sale of personal information.

Businesses must post the notice of right to opt-out on the webpage that consumers are directed to after clicking on the “Do Not Sell My Personal Information” link on their homepage (or landing page/menu in the case of mobile apps).

Businesses Must Streamline the Opt-Out Request Process

Businesses must ensure that their notices of the right to opt-out use simple language, are easy for consumers to understand, and require minimal steps to complete. Businesses cannot require consumers to click through or listen to reasons why they should not submit a request to opt-out, provide personal information that is not necessary to implement the request, or search or scroll through a privacy policy, similar document, or webpage to submit a request to opt-out.

Offline Opt-Out Notices

Businesses that collect personal information from consumers offline must also inform consumers by an offline method of their right to opt-out, as follows:

  • Businesses that collect personal information from consumers in a physical location may inform consumers of their right to opt-out via paper forms or signage; and
  • Businesses may inform consumers of their right to opt-out during a phone call in which the business collects personal information.

In both scenarios, businesses must tell consumers where to find the opt-out information online.

Authorized Agents

California residents are permitted to use authorized agents to submit requests to know or to delete their personal information. The new regulations clarify that businesses may require consumers to prove that an agent has permission to submit the request and to verify their own identity directly with the business.

California Privacy Protection Agency Board Appointments

While the state continues to fine-tune the CCPA regulations – and application of the CCPA to employee information remains deferred until 2022 – the clock is already ticking on the newest iteration of California’s privacy law, the California Privacy Rights Act (CPRA). Although CPRA does not take effect until 2023, the ballot initiative directed establishment of the California Privacy Protection Agency (CPPA) in advance of the effective date. Governor Gavin Newsom, in conjunction with state officials, has appointed the first slate of CPPA members.

With the enactment of the Virginia Consumer Data Protection Act, and with other states also considering privacy legislation, the U.S. landscape is quickly becoming more confusing for consumers and businesses alike.

Sheila A. Millar, Tracy P. Marshall

As Congress remains locked in a stalemate over the terms of a comprehensive federal privacy law, states continue to forge ahead. Following California, Virginia is the second U.S. state to enact its own comprehensive privacy law governing the collection and use of personal data. Governor Ralph Northam signed the Virginia Consumer Data Protection Act (CDPA) into law on March 2, 2021.

The CDPA applies to businesses that operate in Virginia or produce products or services that are targeted to Virginia residents, and (1) in any calendar year, control or process personal data of at least 100,000 Virginia residents, or (2) control or process personal data of at least 25,000 Virginia residents and derive more than 50% of gross revenue from the sale of personal data.

Concepts in the bill draw from other laws, such as the EU General Data Protection Regulation (GDPR), but the bill includes some pragmatic approaches designed to enhance privacy and to align with other laws in a manner that businesses can operationalize. Importantly, the CDPA does not authorize a private right of action.

Key Definitions

The CDPA provides several rights to “consumers,” defined as Virginia residents acting in an individual or household context, and not individuals acting in a commercial or employment context. The CDPA appears to borrow some of its terminology from the GDPR, namely, the terms “controller” (defined as “the natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data”), “processor” (defined as “a natural or legal entity that processes personal data on behalf of a controller”), and “personal data” (defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person,” but excluding de-identified and publicly available information).

Consumer Rights

The CDPA grants consumers the right, subject to verification of their identity, to access, correct, delete, or obtain a copy of personal data, and the right to opt out of (1) the processing of personal data for the purposes of targeted advertising, (2) the sale of personal data, or (3) profiling “in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.” Businesses as controllers are prohibited from discriminating against consumers for exercising their rights, but with some exceptions, such as offers in connection with loyalty, rewards, club card, and similar programs.

The CDPA allows for a parent or legal guardian to invoke these rights on behalf of a child. The term “child” is defined as an individual under 13, which aligns with the Children’s Online Privacy Protection Act (COPPA). Parental consent rights for the collection, processing, and sale of children’s personal data also are consistent with COPPA.

Business Obligations

In addition to responding to consumer requests described above, any business subject to the CDPA as a controller must provide a privacy notice that describes the categories of personal data processed, the purposes for processing data, how consumers can exercise their rights, the categories of personal data shared with third parties, the categories of third parties with whom personal data is shared, and how consumers can opt out of the sale of personal data to third parties or the processing of personal data for targeted advertising (if applicable). Controllers are also required to follow data minimization principles and to establish, implement, and maintain reasonable security practices to protect personal data.

Processors are required to assist controllers in meeting their obligations under the CDPA and controllers must have contracts in place with processors that impose specific requirements, as set forth in the CDPA.

The CDPA also requires that controllers obtain consent before they collect and process “sensitive data,” which includes data collected from children. However, the CDPA is drafted in a manner that avoids the possible conflict with COPPA; it prohibits processing of sensitive data concerning a known child unless the processing is in accordance with COPPA. This approach preserves the commonsense exceptions to parental consent and the “sliding scale” options for obtaining it, as well as the important “support for internal operations” exception to COPPA.

Similar to the GDPR, the CDPA requires that controllers conduct and document a data protection assessment when processing data for targeted advertising, engaging in the sale of personal data, processing personal data for profiling purposes, processing sensitive data, or engaging in processing activities that present a heightened risk of harm to consumers. Importantly, the bill takes a practical approach, establishing that a single assessment may address “a comparable set of processing obligations that include similar activities,” and that assessments conducted for purposes of compliance with other laws may comply if they have a reasonably comparable scope and effect. Businesses are not obligated to conduct mandatory audits.

Enforcement

The Attorney General has exclusive authority to enforce violations of the CDPA; there is no private right of action. Civil penalties of up to $7,500 may be imposed for each violation of the Act.

The CDPA will take effect on January 1, 2023. The CDPA model merits strong consideration by other U.S. jurisdictions considering comprehensive privacy legislation. But the real solution for consumers and businesses is, of course, a thoughtful federal privacy policy that preempts state law and not a patchwork of different state requirements.

Sheila A. Millar, Tracy P. Marshall

The Federal Trade Commission (FTC) has issued orders to five e-cigarette manufacturers (JUUL Labs, Inc., R.J. Reynolds Vapor Company, Fontem US, LLC, Logic Technology Development LLC, and NJOY, LLC) seeking information about the companies’ 2019 and 2020 sales, advertising, and promotions. The FTC sent similar orders to the same companies in October 2019 seeking information for prior years as part of an ongoing FTC study of the rapidly expanding U.S. e-cigarette market.

The new compulsory orders request detailed information about flavors, the specific form of nicotine used in each product, sales, and giveaways for each brand; product placements, websites and social media accounts used to advertise, promote, or sell e-cigarette products; marketing and advertising expenditures for social media and other campaigns; promotional events (including those held on college campuses); and the use of influencers and brand ambassadors, and other advertising matters. Any company that has received any FTC compulsory order knows first-hand how time-consuming it can be to respond. Responses are due no later than May 12, 2021.

Both the FTC and the Food and Drug Administration (FDA) have been active in reviewing vaping companies’ advertising practices. In 2019, the agencies issued warning letters to four e-liquid manufacturers that used influencers to promote their products because the influencers failed to include the FDA-required nicotine warning. The FTC took the opportunity to remind companies of their obligation to ensure that their influencers clearly and conspicuously disclose their relationships to the brands when promoting or endorsing products, as required by the FTC’s Endorsement Guides.

In addition to actions by the FTC and FDA, social media sites have updated their guidelines over the years to address advertisements and posts pertaining to e-cigarettes and other regulated products. Thus, there are a host of regulations and guidelines for vaping companies to consider when promoting their brands and products online and hiring or encouraging others to help spread the word.