By Sheila A. Millar and Tracy P. Marshall

In the continuing absence of Congressional action on a comprehensive U.S. federal privacy law, five states have now enacted their own laws. We previously provided a summary of the California, Virginia, and Colorado laws (available here), and Connecticut and Utah have since enacted new privacy laws. The Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA) was signed into law on May 10, 2022 and is scheduled to take effect on July 1, 2023. The Utah Consumer Privacy Act (UCPA) was signed into law on March 24, 2022 and is scheduled to take effect on December 31, 2023. The CTDPA and UCPA are similar to the recently enacted Colorado Privacy Act (CPA) and Virginia Consumer Data Protection Act (VCDPA) in many respects, but there are some key differences among these laws and the California Consumer Privacy Act (CCPA), which took effect in 2020 and was amended by the California Privacy Rights Act (CPRA). To help businesses plan for compliance, Keller and Heckman LLP has created a side-by-side comparison of some of the key provisions of each law, along with an overview of some recently introduced federal privacy bills. Click here to read the full article.

By Sheila A. Millar, Tracy P. Marshall, and Mike Gentine

Alvaro Bedoya, a Democrat, was confirmed on May 11, 2022, to serve as the fifth Commissioner of the Federal Trade Commission (FTC). With the Senate deadlocked at 50-50 along partisan lines, Vice President Kamala Harris cast the tie-breaking vote. Bedoya replaces former Commissioner Rohit Chopra, who left the FTC last October to lead the Consumer Financial Protection Bureau. Bedoya will serve for a term of seven years (beginning September 26, 2019).

Bedoya founded the Center on Privacy and Technology at Georgetown University Law Center, where he was a Visiting Professor of Law. His academic work centered on privacy law, particularly the effects of facial recognition technology on race and gender. Prior to his tenure at Georgetown, Bedoya served as Chief Counsel of the U.S. Senate Judiciary Subcommittee on Privacy, Technology, and the Law, where he worked on issues relating to mobile location privacy and biometrics, drafted bipartisan legislation to protect victims of sexual assault, and helped draft the USA FREEDOM Act.

Bedoya’s confirmation comes on the heels of a debate in Congress over the Consumer Protection Remedies Act of 2022 (S.4145), which would empower the FTC to seek court orders for restitution, refunds, rescission of contracts, or disgorgement where the FTC believes a company has violated Section 13 of the Federal Trade Commission Act (FTCA).

Section 13(b) of the FTCA allows the FTC to pursue injunctions against ongoing or future violations in court, and for years the FTC had requested – and courts had granted – equitable and monetary relief in the form of refunds or restitution. In April 2021, however, a unanimous Supreme Court held in AMG Capital Management that the clear language of Section 13(b) does not authorize such equitable monetary relief orders. The Consumer Protection Remedies Act would expressly authorize those orders. The FTC does have authority to seek monetary relief under the provisions of Section 19 of the FTCA, but the FTC seeks expanded authority to go directly to court to obtain both monetary and injunctive relief.

Currently, there is no House companion to the Consumer Protection Remedies Act, and some industry groups have raised objections to an expansion of FTC authority.

By Sheila A. Millar and Anushka N. Rahman

In a complaint dated April 12, 2022, the Federal Trade Commission (FTC) brought its first action under the new Made in USA Labeling Rule (the Rule) against Lithionics Battery LLC (Lithionics) and its owner, Steven Tartaglia, for falsely advertising Lithionics’ lithium-ion batteries as USA-made.

According to the FTC’s complaint, from at least 2018 until at least August 30, 2021, Lithionics advertised its lithium-ion batteries as American-made by labeling its products “Proudly Designed and Built in USA” alongside an image of the American flag. The company repeated similar claims on its social media pages and on its website, where the “Made in USA” link stated that the company’s “battery systems are engineered and manufactured in Clearwater, FL USA …” In addition, the company’s marketing materials included a *chart that emphasized the “‘advantage[s]’ of Lithionics’ battery systems over imported competing products,” when in fact, all Lithionics batteries included foreign sourced lithium-ion cells and “significant other imported components.”

The Rule, which took effect on August 13, 2021, codifies the FTC’s long-established enforcement policy statement on U.S. origin claims. It prohibits companies from labeling products as “Made in USA” (MUSA) unless: (1) “the final assembly or processing of the product occurs in the United States”; (2) “all significant processing that goes into the product occurs in the United States”; and (3) “all or virtually all ingredients or components of the product are made and sourced in the United States.” While the Rule does not impose new responsibilities on businesses, it authorizes the FTC to issue rules relating to MUSA labeling and to seek civil penalties for violations of the Rule’s provisions. It also adds a new partial or full exemption for businesses that can demonstrate that “application of the rule’s requirements to a particular product or class of product is not necessary to prevent the acts or practices to which the rule relates.”

Under the proposed stipulated order, Lithionics and its owner would have to pay a civil penalty of $105,319.56, which an FTC press release explains is equivalent to three times Lithionics’ profits from its illegal activities. The company is required to notify affected consumers that the batteries they purchased were not in fact USA-made and is barred from claiming, expressly or impliedly, that its products are MUSA unless it can prove that those products meet the Rule’s three requirements for such assertions. In the case of partial MUSA claims, the company must ensure that a clear and conspicuous qualification “appears immediately adjacent to the representation that accurately conveys the extent to which the product contains foreign parts, ingredients or components, and/or processing.” For “Assembled in USA” type claims, the company would need proof that “the product is last substantially transformed in the United States, the product’s principal assembly takes place in the United States, and United States assembly operations are substantial.”

Although the case against Lithionics and its owner is the first since the FTC finalized the Rule, the prohibitions under the proposed stipulated order are similar to those imposed under orders the Commission previously issued to other companies for false MUSA claims (see, for example, the FTC’s Decision and Order In the Matter of Sandpiper of California, Inc. and Pipergear USA, Inc.). Where this stipulated order differs is the civil penalty. Over the past six months, the Commission has revived and expanded its Penalty Offense Authority under Section 5(m)(1)(B) of the FTC Act to support settlement amounts. Under the Penalty Offense Authority, companies could face civil penalties of up to $46,517 per violation. While the proposed penalty in this case is much lower than the millions that have been assessed against other companies for false or misleading marketing claims, this enforcement action demonstrates the FTC’s ongoing commitment to cracking down on false MUSA claims. Companies should consider themselves on notice that the FTC can and will enforce against false MUSA claims, and the penalties can be significant.

All case documents are available here (*Exhibit D with chart referred to above was omitted).

By Sheila A. Millar and Tracy P. Marshall

As cyberattacks from a myriad of sources continue to proliferate and target organizations of all types and sizes, the Cybersecurity and Infrastructure Security Agency (CISA) continues to update its Shields Up webpage with specific cybersecurity guidance for organizations, CEOs, business leaders, and individuals. The stated goal is to “reduce the likelihood of a damaging cyber intrusion, ensure that cybersecurity/IT personnel identify and quickly assess any unexpected or unusual network behavior, ensure that the organization is prepared to respond if an intrusion occurs, and maximize the organization’s resilience to a destructive cyber incident.” CISA offers recommendations for responding to all types of cyber incidents, including ransomware attacks, and for improving cyber hygiene.

The Shields Up webpage also provides cybersecurity news updates, useful background materials, and free cybersecurity services and tools from government partners and industry. The Shields Up program serves as a helpful reminder to both large and small organizations on how to prepare for, respond to, and mitigate the effects of cyberattacks.

By Sheila A. Millar, Tracy P. Marshall, and Peter Craddock

After the EU-U.S. Privacy Shield was rendered invalid by the Court of Justice of the European Union (CJEU) in July 2020, and following a prior challenge to the U.S.-EU Safe Harbor, many businesses operating on both sides of the pond scrambled to find other ways to protect data flows between the EU and U.S. that meet the EU General Data Protection Regulation (GDPR) adequacy standards. Now it appears that a replacement is finally on the horizon. On March 25, 2022, the White House announced that the U.S. and EU have committed to a new Trans-Atlantic Data Privacy Framework (Framework) to facilitate data flows from the EU to the United States and address concerns raised by the CJEU when it struck down the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield Framework in 2020.

Having worked through two prior frameworks that both governments previously supported, businesses are asking if the new Framework can solve the difficulties that undermined its predecessors. According to the White House press release, the Framework will address the CJEU’s concern in Schrems II, in which the court held that U.S. surveillance activities left EU citizens without a judicial remedy for potential privacy violations by the U.S. government. The new Framework pledges to “strengthen the privacy and civil liberties safeguards governing U.S. signals intelligence activities; establish a new redress mechanism with independent and binding authority; and enhance its existing rigorous and layered oversight of signals intelligence activities.”

The White House gives several examples of how the Framework will address the CJEU’s focus on “surveillance” by the U.S. government, namely:

  • Signals intelligence collection may be undertaken only where necessary to advance legitimate national security objectives and must not disproportionately impact the protection of individual privacy and civil liberties;
  • EU individuals may seek redress from a new multi-layer redress mechanism that includes an independent Data Protection Review Court that would consist of individuals chosen from outside the U.S. Government who would have full authority to adjudicate claims and direct remedial measures as needed; and
  • U.S. intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards.

The Framework’s commitments appear to be a step towards addressing issues raised in the Schrems II decision, and the additional redress mechanisms outlined by the White House provide an independent means for EU residents to raise privacy concerns. However, because details are not yet available, businesses face uncertainty as to whether there will be challenges to the new Framework. To complicate matters, the recent Supreme Court case FBI v. Fazaga granted the U.S. government greater leeway in invoking the state secrets privilege, making it more difficult for both U.S. and EU citizens to challenge surveillance intrusions by the U.S. government in American courts. The interplay between the rights described in the White House press release about the new Framework and U.S. legal precedent requires further analysis.

For the time being, businesses that transfer data between the EU and U.S. can continue using the “adequacy” method they currently employ, provided they take into account the Schrems II judgment and the European Data Protection Board’s recommendations on supplementary measures. The Danish Data Protection Agency has already stressed that the new Framework is still just an agreement in principle and current transfer justification requirements still apply.

For assistance on options to transfer data between the EU and U.S., please contact our Privacy and Data Security team.

By Sheila A. Millar and Tracy P. Marshall

In 2014, with childhood obesity on the rise in the United States, tech company Kurbo, Ltd. (Kurbo) marketed a free app for kids that, according to the company, was “designed to help kids and teens ages 8-17 reach a healthier weight.” When WW International (WW) (formerly Weight Watchers) acquired Kurbo in 2018, the app was rebranded “Kurbo by WW,” and WW continued to market the app to children as young as eight. But according to the Federal Trade Commission (FTC), Kurbo’s privacy practices were not exactly child-friendly, even if its app was. The FTC’s complaint, filed by the Department of Justice (DOJ) last month, claims that WW’s notice, data collection, and data retention practices violated the Children’s Online Privacy Protection Act Rule (COPPA Rule). WW and Kurbo, under a stipulated order, agreed to pay a $1.5 million civil penalty in addition to complying with a range of injunctive provisions. These provisions include, but are not limited to, deleting all personal information of children whose parents did not provide verifiable parental consent in a specified timeframe, and deleting “Affected Work Product” (defined in the order to include any models or algorithms developed in whole or in part using children’s personal information collected through the Kurbo Program).

Complaint Background

The COPPA Rule applies to any operator of a commercial website or online service directed to children that collects, uses, and/or discloses personal information from children and to any operator of a commercial website or online service that has actual knowledge that it collects, uses, and/or discloses personal information from children. Operators must notify parents and obtain their consent before collecting, using, or disclosing personal information from children under 13.

The complaint states that children enrolled in the Kurbo app by signing up through the app or having a parent do it on their behalf. Once on Kurbo, users could enter personal information such as height, weight, and age, and the app then tracked their weight, food consumption, and exercise. However, the FTC alleges that Kurbo’s age gate was porous, requiring no verification process to establish that children who affirmed they were over 13 were the age they claimed to be or that users asserting they were parents were indeed parents. In fact, the complaint alleges that the registration area featured a “tip-off” screen that gave visitors just two choices for registration: the “I’m a parent” option or the “I’m at least 13” option. Visitors saw the legend, “Per U.S. law, a child under 13 must sign up through a parent,” on the registration page featuring these choices. Nonetheless, thousands of users who indicated that they were at least 13 were younger and were able to change their information and falsify their real age. Users who lied about their age or who falsely claimed to be parents were able to continue to use the app. In 2020, after a warning from the FTC, Kurbo implemented a registration screen that removed the legend and the “at least 13” option. However, the new process still failed to provide verification measures to establish that users claiming to be parents were indeed parents.

Kurbo’s notice of data collection and data retention practices also fell short. The COPPA Rule requires an operator to “post a prominent and clearly labeled link to an online notice of its information practices with regard to children on the home or landing page or screen of its Web site or online service, and, at each area of the Web site or online service where personal information is collected from children.” But beginning in November 2019, Kurbo’s notice at registration was buried in a list of hyperlinks that parents were not required to click through, and the notice failed to list all the categories of information the app collected from children. Further, Kurbo did not comply with the COPPA Rule’s mandate to keep children’s personal information only as long as reasonably necessary for the purpose it was collected and then to delete it. Instead, the company held on to personal information indefinitely unless parents specifically requested its removal.

Stipulated Order

In addition to imposing a $1.5 million civil penalty, the order, which was approved by the court on March 3, 2022, requires WW and Kurbo to:

  • Refrain from disclosing, using, or benefitting from children’s personal information collected in violation of the COPPA Rule;
  • Delete all personal information Kurbo collected in violation of the COPPA Rule within 30 days;
  • Provide a written statement to the FTC that details Kurbo’s process for providing notice and seeking verifiable parental consent;
  • Destroy all affected work product derived from improperly collecting children’s personal information and confirm to the FTC that deletion has been carried out;
  • Delete all children’s personal information collected within one year of the user’s last activity on the app; and
  • Create and follow a retention schedule that states the purpose for which children’s personal information is collected, the specific business need for retaining such information, and criteria for deletion, including a set timeframe no longer than one year.

Implications of the Order

Following the U.S. Supreme Court’s decision in AMG Capital Management, LLC v. Federal Trade Commission, which halted the FTC’s ability to use its Section 13(b) authority to seek monetary penalties for violations of the FTC Act, the FTC has been pushing Congress to grant it greater enforcement powers. In the meantime, the FTC has used other enforcement tools, including the recent resurrection of the agency’s long-dormant Penalty Offense Authority under Section 5(m)(1)(B) of the FTC Act and a renewed willingness to use algorithmic disgorgement (which the FTC first applied in the 2019 Cambridge Analytica case).

Algorithmic disgorgement involves “requir[ing] violators to disgorge not only the ill-gotten data, but also the benefits—here, the algorithms—generated from that data,” as then-Acting FTC Chair Rebecca Kelly Slaughter stated in a speech last year. This order appears to be the first time algorithmic disgorgement was applied by the Commission in an enforcement action under COPPA.

Children’s privacy issues continue to attract the attention of the FTC and lawmakers at both federal and state levels. Companies that collect children’s personal information should be careful to ensure that their privacy policies and practices fully conform to the COPPA Rule.

By Peter Craddock

“Dark patterns” – social media platform interfaces that can lead users to make unintended and potentially harmful decisions regarding the processing of their personal data – are a subject of increasing scrutiny in the EU. New guidelines of the European Data Protection Board (EDPB) on “dark patterns in social media platform interfaces” confirm the focus of EU authorities on such practices. The guidelines contain lessons for all websites and applications. The bad news for marketers: the EDPB doesn’t always like it when dry legal language is made catchier or dull interfaces more enticing.

To illustrate, in a section of the guidelines regarding the selection of an account profile photo, the EDPB considers the example of a “help/information” prompt saying “No need to go to the hairdresser’s first. Just pick a photo that says ‘this is me.’” According to the EDPB, such a practice “can impact the final decision made by users who initially decided not to share a picture for their account” and thus makes consent invalid under the General Data Protection Regulation (GDPR). In another example, the EDPB criticises a cookie banner with a humorous link to a bakery’s cookie recipe that incidentally says “we also use cookies,” stating that “users might think they just dismiss a funny message about cookies as a baked snack and not consider the technical meaning of the term ‘cookies.’” The EDPB even suggests that the data minimisation principle, and not security concerns, should ultimately guide an organisation’s choice of which two-factor authentication method to use.

Do these new guidelines reflect privacy paranoia or common sense? The answer should lie somewhere in between, but the whole document (64 pages long) in our view suggests an overly strict approach, one that we hope will move closer to common sense as a result of a newly started public consultation process.

Click here for our analysis of what useful lessons – or warnings – can be drawn from the EDPB’s new guidelines.

By Sheila A. Millar, Jean-Cyril Walker, and Anushka N. Rahman

On February 24, 2022, Keurig Green Mountain, Inc. (Keurig) agreed to pay $10 million to settle a long-running class action that alleged the coffee company deceptively advertised its K-Cup pods’ recyclability by misleadingly labeling and marketing them as “recyclable” when the pods were in fact not accepted for recycling in many areas. The settlement follows denial of a motion to dismiss in 2021. This is the second recent multimillion-dollar settlement Keurig has paid out over its recyclability claims. In January, Keurig settled with Competition Bureau Canada for $2.3 million (plus an $800,000 donation pledge to the Polypropylene Recycling Coalition) due to similar complaints about the pods’ lack of recyclability after the Competition Bureau concluded that the pods were not widely accepted for recycling in Canada.

The class action complaint, filed in the Northern District of California on December 28, 2018, charges that Keurig deceptively advertised its K-Cup pods as “recyclable.” The company packaged the pods with the slogan “Have your cup and recycle it, too” in large type, and included detailed recycling instructions, including a “check locally” notice. Under California state law, Cal. Bus. & Prof. Code § 17580.5, companies can defend against charges of deceptive environmental marketing claims if they can show their ads meet the standards laid out in the Federal Trade Commission’s Guides for the Use of Environmental Marketing Claims (Green Guides). The Green Guides state that claims of recyclability should be qualified if recycling facilities are not available to a “substantial majority” of consumers, and that “if a product is rendered non-recyclable because of its size or components…then labeling the product as recyclable would constitute deceptive marketing.” Keurig argued that it met the Green Guides standard for qualified claims by putting a notice on its K-Cup packaging that alerted consumers they should “check locally” for relevant recycling facilities.

The plaintiffs countered that the qualifying language was not precise enough to avoid giving consumers the misleading impression that the pods were uniformly recyclable and failed to disclose “the extremely limited chance that the Products will ultimately be recycled.” Although polypropylene is accepted for recycling in more than half of recycling facilities in the U.S., the complaint alleges that K-Cups were not recyclable by many municipal recycling facilities for several reasons: the small size of the pods meant that many recycling facilities were unable to process them; the presence of food residue and metal contaminants in the used pods made them unsuitable for recycling; and the lack of any market to convert the pods to reusable material meant that most of the pods ended up in landfills.

In addition to the $10 million payment, the settlement bars Keurig from labeling, marketing, advertising, or otherwise claiming that its K-Cups are recyclable absent qualifiers. The settlement terms are precise about how and where Keurig must use qualifying language, specifying that packaging for K-Cup products must contain the qualifier “Check Locally – Not Recycled in Many Communities.” This language must be placed close to, and be printed in a font size more than half as large as, any recycling claim language. The settlement further requires that Keurig amend its other advertising and website copy to ensure that consumers understand that the company’s pods may not be recyclable in their area.

As we have discussed previously, environmental claims are increasingly subject to scrutiny. Recent state laws have been enacted that impose stringent requirements on recyclability and other claims, and new requirements for extended producer responsibility and mandated recycled content minimums are being adopted or considered. At the same time, businesses are working on sustainability programs, including evaluating both products and packaging. Consumers can benefit from understanding important environmental attributes of products and packaging, but as this settlement and other cases demonstrate, care in the claims made and use of thoughtful, appropriately placed qualifiers are key to minimizing the risk of false advertising challenges.

By Tracy P. Marshall and Sheila A. Millar

You might think that paying more than $9 million to settle charges of violating the Federal Trade Commission’s (FTC) Mail Order Rule would have spurred clothing retailer Fashion Nova, LLC to review its consumer protection compliance posture. But for the second time in two years, Fashion Nova has found itself in trouble with the FTC, this time for allegedly suppressing negative product reviews on its website. This was the FTC’s first challenge of its kind.

The FTC’s complaint against Fashion Nova alleges the company used a third-party product review management interface for customers to post reviews, and for approximately four years, Fashion Nova chose to allow more positive reviews to be automatically posted to the website while suppressing more negative reviews. The absence of negative reviews gave the false impression that the company’s products garnered uniform praise.

In addition to paying $4.2 million, the proposed settlement, released on January 25, 2022, requires Fashion Nova to post all product reviews, including critical ones, on its website (except for those containing unlawful or offensive content). The company is also barred from misrepresenting customer reviews or endorsements.

This is the first time the FTC challenged a company’s suppression of negative reviews, but it may not be the last. The FTC also sent letters to ten businesses that offer review management services warning them that sidestepping or discouraging negative reviews is potentially deceptive conduct in violation of Section 5 of the FTC Act. The letters instruct the companies to review their policies and practices to ensure they are not helping clients violate the law.

Guidance to businesses, in addition to enforcement efforts, is part of the FTC’s approach. To assist businesses, the FTC published guidance documents for marketers and platforms that outline principles for publishing online reviews. Such principles include not soliciting reviews likely to be favorably biased and treating positive and negative reviews equally. Online retailers and platforms that use reviews as a marketing tool should take note.

By Sheila A. Millar and Mike Gentine

Keller and Heckman partner Sheila Millar and counsel Mike Gentine wrote the Inhouse Defense Quarterly article, “The Right to Repair: Implications for Consumer Product Safety and Data Security.” The article examines the potential effects of President Biden’s July 9, 2021, executive order that aims to expand consumers’ “right to repair.” Advocates of the right to repair, including the Federal Trade Commission, suggest that requiring manufacturers to broadly allow consumers and others to repair products – including electronic goods – would bring prices down by fostering competition and compelling manufacturers to design products that are easier for untrained repairers to fix.

But, as the authors point out, policy decisions should consider the potential impacts on consumers and businesses alike. Failing to safeguard IP could adversely affect global U.S. competitiveness at a time when counterfeiting not only affects profits but can be linked to safety concerns. And unskilled repairs themselves could result in bypassing or disabling safety features and create possible regulatory compliance problems for manufacturers. Changes could potentially create data security vulnerabilities. Compromises to safety, regulatory compliance and privacy could expose manufacturers to liability. It is critical for legislators and regulators to carefully balance consumer and business interests when analyzing whether limits on the right to repair make good sense and reflect sound public policy.

To read the full article, please click here.