Supplement Company Settles with FTC Over Diabetes Pill Marketing Claims

By Sheila Millar and Tracy Marshall on December 27, 2018 Posted in Advertising

Any product purporting to be a panacea for a serious health issue needs serious evidence to back up such a promise. Take Nobetes, a dietary supplement touted as “the miracle product [diabetics have] been waiting for.” The company and its two principal officers claimed Nobetes lowered blood sugar and reduced the need for insulin. They even had a “doctor” endorse the product on TV.

The Federal Trade Commission (FTC) doesn’t believe in miracle products, however. The FTC’s complaint alleges that between 2015 and 2018, Nobetes Corporation and its officers marketed and sold Nobetes on television, radio, and social media in violation of Sections 5(a) and 12 of the FTC Act, which prohibit unfair or deceptive acts or practices and false advertisements for food, drugs, devices, services, or cosmetics. Among the unsubstantiated claims made in the ads were that Nobetes can “control blood sugar within normal levels” and “fill the nutritional shortages that diabetes causes.” The company failed to provide scientific evidence to support the claims, even after the Food and Drug Administration (FDA) warned the company in 2016 that it needed to back up such assertions with reliable scientific evidence.

In addition, one of the television ads used consumer testimonials from people who stated that they were able to reduce their insulin intake with Nobetes. The company failed, however, to disclose that the consumers featured in the ads were being compensated with free products in exchange for their testimonials and that the “doctor” endorsing Nobetes in the same ad was in fact a paid actor. This violates the FTC’s Endorsement and Testimonial Guides, which require that any connection between an advertiser and an endorser that might materially affect the weight or credibility of the endorsement be fully disclosed.

But wait, there’s more! Consumers were offered a two-for-one deal that required them to give a credit card number to only to cover shipping and handling costs of $6.95. Yet, according to the FTC, the company then used the credit card numbers to automatically enroll customers in a continuity program, charging a $29.95 monthly fee without their authorization.

The FTC charged the company and its officers with making unsubstantiated health claims, using fake “experts” to endorse the product, neglecting to disclose material connections between spokespersons and the company, failing to disclose the terms of “free trial” offers, and billing customers without their consent. Under the terms of the settlement order, the company is required to pay a fine of $182,000 and its officers are permanently barred from advertising or selling Nobetes or any other diabetes product. They are also prohibited from using false endorsements, making unsubstantiated health claims, billing consumers without their consent, and misrepresenting the terms of any free trial or other special offer.

The FTC has been active in enforcing the Endorsement and Testimonial Guides. Just last year, the agency sent out letters to 90 marketers and their influencers warning them of their obligation to clearly and conspicuously disclose their relationships when promoting or endorsing products through social media. The Nobetes settlement is a reminder for companies to familiarize themselves with the FTC’s rules, regulations, and guidelines when marketing their goods and services and ensure that any product claims are backed up by credible evidence.

CPSC Settles with Britax over Allegedly Defective Strollers

By Sheila Millar on December 10, 2018 Posted in Product Safety

The U.S. Consumer Product Safety Commission (CPSC) settled an administrative lawsuit against Britax Child Safety, Inc. over claims that some models of their B.O.B. jogging strollers present a substantial product hazard due to an alleged design defect. As we previously reported, the suit was filed in February 2018 after reports that the front wheel of the strollers can detach during use if consumers don’t fully engage the quick-release mechanism for attaching the front wheels. Britax opposed a recall, arguing that the problem was caused by user error rather than any design flaw.

Under the terms of the consent agreement, Britax will develop and launch an information campaign that will include an instructional video demonstrating how to safely and correctly operate the quick release on the front wheel of the strollers. All purchasers of covered B.O.B. strollers can receive a 20% discount towards purchase of a new stroller. Alternatively, consumers can receive a free replacement thru-bolt or modified quick release mechanism instead of the discount. The remedy offered by Britax is not a recall, and Britax did not admit that the strollers contain a defect or are a substantial product hazard.

The agreement was approved by a vote of 3-2. Two commissioners, Robert Adler and Elliot Kaye, who voted in favor of filing the lawsuit, dissented. In a joint statement, Adler and Kaye argued, among other things, that the remedy offered under the agreement should have been characterized as a “recall.”

The agreement reached between the CPSC and Britax offers a creative solution to the problem of consumer misuse of these strollers. It allows the company to avoid the headaches associated with characterizing a constructive industry response to perceived safety concerns as a “recall” while continuing to allow consumers to operate the stroller safely with no loss to utility or value. The agreement is a welcome sign that the CPSC may be open, where appropriate, to innovative resolutions that advance safety without the undue burdens of a recall.

FTC Releases Cybersecurity Resources for Small Businesses

By Sheila Millar and Tracy Marshall on October 24, 2018 Posted in Cybersecurity, Data Security, Privacy

Small businesses face the same cybersecurity risks as large multinationals but lack a large IT infrastructure to help protect themselves. At the direction of former Federal Trade Commission (FTC) Acting Chairman Maureen Ohlhausen, the FTC launched a new cybersecurity campaign aimed at helping small businesses navigate the ever-evolving cyber landscape, coordinated with the Department of Homeland Security (DHS), the National Institute of Standards and Technology (NIST), and the Small Business Administration (SBA). More information about the program and upcoming events is available at the FTC’s website.

Earlier this year, FTC staff published a report detailing the resources available to help small organizations. FTC staff also held several workshops and a result of feedback, the agency developed a series of modules that cover the following topics: Cybersecurity Basics, Understanding the NIST Cybersecurity Framework, Physical Security, Ransomware, Phishing, Business Email Imposters, Tech Support Scams, Vendor Security, Cyber Insurance, Email Authentication, Hiring a Web Host, and Secure Remote Access.

Implementing security mechanisms that are tailored to an organization’s size and risk exposure can be complex. However, the FTC modules and report provide a useful starting point for smaller businesses looking for practical guidance on handling a range of cybersecurity and data protection matters.

National Privacy Legislation May be on the Horizon

By Sheila Millar and Tracy Marshall on October 1, 2018 Posted in Privacy

The recent passage of the California Consumer Privacy Act (CCPR) earlier this summer and the entry into force of the General Data Protection Regulation (GDPR) last May has put consumer privacy squarely on the national agenda. Now there are signs that government is responding. While a number of privacy bills have been introduced in Congress that never made it out of committee, Senator John Thune (R-SD), the ranking Republican on the Senate Commerce Committee, recently indicated this may be changing. Thune opened a recent hearing of the Committee at which Google, Amazon, Twitter and AT&T commented that both Republicans and Democrats support a national privacy law, but noted: “the question is what shape that law should take.” The companies testifying expressed support for preemptive federal legislation that gives consumers more control over their data and stresses transparency, but avoids a one-size-fits-all approach that might stifle innovation.

In the wake of the hearing, the U.S. Department of Commerce National Telecommunications and Information Administration (NTIA) is now seeking comments on several high-level goals that are intended to protect consumer privacy while encouraging innovation. The strategy outlined in the Request for Comments is “outcome-based” rather than prescriptive and offers seven key objectives:

The collection, use, sharing and storage of personal data should be transparent;
Users should be able to exercise reasonable control over the collection, use, storage, and disclosure of their personal data;
Data minimization principles should apply;
Organizations should ensure safeguards are in place to protect personal data from loss and unauthorized use;
Consumers should have the right to rectify and delete their personal data;
Privacy tools should be flexible enough to encourage innovation while also protecting consumer data;
Organizations should be accountable for data processing activities.

Comments are due to NTIA by October 26, 2018.

A number of trade associations, fearing unduly prescriptive federal legislation or a patchwork of state privacy laws, have also weighed in. The Chamber of Commerce, The Internet Association and other organizations recently published privacy proposals that call for preemptive, process-driven rules, themes that were echoed during the recent Commerce committee hearing. Senator Thune stated that a second hearing will take place starting in early October at which Alastair Mactaggart, the driving force behind the California ballot initiative whose withdrawal resulted in enactment of the CCPA, and European Data Protection Board (EDPB) Chairwoman Andrea Jelinek will testify.

Privacy legislation will likely continue to be a hot topic for the rest of the year, and for the new Congress in January, and we anticipate that state legislatures will also be looking at privacy and data security in 2019.

Agency Comings and Goings

By Sheila Millar, Tracy Marshall and Boaz Green on September 27, 2018 Posted in Data Security, Privacy, Product Safety

This week has seen several significant changes at the Commission level at both the Consumer Product Safety Commission (CPSC) and the Federal Trade Commission (FTC).

CPSC

After several months of stasis, the Senate voted to confirm Peter Feldman as a Commissioner on the CPSC, with a term expiring October 26, 2019. Feldman takes the place of Joseph Mohorovic, who resigned in October 2017. The Senate is also expected to approve Feldman’s nomination for a second term of 7 years shortly, which would expire in 2026.

Feldman, a Republican, will fill out the slate of commissioners at CPSC, giving the Republicans a 3-2 majority at the Commission for the first time since 2006. Acting Chair Ann Marie Buerkle still awaits confirmation as permanent Chair and for another seven-year term since her renomination to both posts by President Trump in January. Buerkle’s term formally ends in October, although she can hold over for one year.

FTC

At the FTC, Christine Wilson was sworn in as commissioner on September 26, 2018, replacing former Acting Chair and Commissioner Maureen Ohlhausen, whose term ended September 25. Ohlhausen worked for the FTC for the better part of 20 years, first as a staffer from 1998-2008 and then as director of the Office of Policy Planning. She was nominated by President Obama in 2012 and confirmed as a commissioner. Ohlhausen became Acting Chair in January 2017 when Edith Ramirez resigned her Chairmanship following the 2016 presidential election. Under Ohlhausen’s leadership, the FTC brought 20 privacy-related actions, including its first case relating to smart toys. In addition, the agency brought or settled over 138 cases that resulted in $300 million in compensation paid to 3.7 million people and refunds to consumers amounting to $6 million.

Wilson, a Republican, previously served at the FTC as Chief of Staff to Chairman Tim Muris during the George W. Bush administration. Prior to her tenure at the FTC, Wilson practiced as an attorney specializing in consumer protection and competition at law firms Kirkland & Ellis LLP and O’Melveny & Myers LLP. Phillips’ term will run until September 2023.

NIST Launches Development of Voluntary Privacy Risk Management Framework

By Sheila Millar and Tracy Marshall on September 13, 2018 Posted in Cybersecurity, Data Security, Privacy

The National Institute of Standards and Technology (NIST) has launched a collaborative effort to develop a voluntary framework that will help organizations manage privacy risks and protect consumer privacy when developing and using innovative technologies. According to NIST, a robust cybersecurity program can help manage risks, but organizations need customizable tools for addressing the challenges posed by an increasingly connected environment. The intent is to “bridge the gaps between privacy professionals and senior executives so that organizations can respond effectively to these challenges without stifling innovation.”

The privacy framework, which will be designed through an open process of stakeholder engagement to provide solutions for a wide range of organizations, is modeled on NIST’s Cybersecurity Framework. Alongside NIST, the National Telecommunications and Information Administration is leading the development of a set of privacy principles in coordination with the International Trade Administration.

Starting in October, NIST will convene a series of workshops to gather input from stakeholders. Organizations that wish to weigh on the direction of the framework can find events here.

FTC Approves ESRB’s Updated COPPA Safe Harbor Program

By Sheila Millar and Tracy Marshall on August 17, 2018 Posted in Data Security, Privacy

The Federal Trade Commission (FTC) approved modifications to the video game industry’s Children’s Online Privacy Protection Act (COPPA) program. Earlier this year, the Entertainment Software Ratings Board (ESRB) proposed several substantive changes intended to take account of recent FTC COPPA rules and guidance.

To receive FTC approval, COPPA safe harbor programs must “implement substantially similar requirements that provide the same or greater protections for children as those contained in the Rule; (2) an effective mandatory mechanism for the independent assessment of the safe harbor program participants’ compliance with the guidelines; and (3) disciplinary actions for noncompliance by safe harbor participants.”

Five NGOs and individuals submitted comments during a public comment period on a number of ESRB’s proposed changes, including amending the definition of “personal information and data,” ensuring that links to privacy statements be prominent and clearly labeled, and clarifying the program’s data minimization requirements. ESRB also revised the program to incorporate FTC enforcement guidance on how voice data was handled. The FTC approval letter noted that ESRB made revisions to address certain objections raised by three of the NGOs.

The Commission vote to approve the changes to ESRB’s COPPA safe harbor program was unanimous.

23 California DAs Obtain $1.5 Million Settlement for Deceptive Biodegradable Claims

By Sheila Millar and JC Walker on August 9, 2018 Posted in Litigation

Environmentally conscious consumers often look for products advertised as “green.” But labeling plastic products as “biodegradable” may land you on the legal compost heap if you can’t meet federal and state regulations governing green marketing. Amazon was just the latest company to find itself in the crosshairs when 23 California district attorneys charged that it violated state law when it marketed and sold products labeled “biodegradable” or “compostable.” Amazon settled the lawsuit for $1.5 million.

Most advertisers interested in degradability and similar claims should be familiar with the requirements in the FTC’s Guides for the Use of Environmental Marketing Claims. Advertisers also need to be aware of 2011 amendments to the California Public Resources Code restricting green claims for plastic products. The California law prohibits businesses from selling plastic goods that are labeled “compostable,” “biodegradable,” “degradable,” or other wording that implies the product will break down in a landfill or other environment, unless the product meets specific standards set forth in the law. There are differences, however, in how the FTC and the state of California view available standards from a substantiation standpoint.

Under the settlement, Amazon is prohibited from selling plastic products labeled as “biodegradable” or “compostable” if the product has not been certified as such in accordance with California’s requirements. In addition, the company will pay CalRecycle, the state agency responsible for recycling, $50,000 to test plastic products that are advertised as compostable or degradable.

California has shown itself to be an aggressive enforcer against misleading green marketing claims. In the last few years, the state has pursed legal action against several companies for alleged deceptive green labeling, settling claims against ENSO Plastics in 2013 with an $18,000 fine, and obtaining agreed-to penalties of $27,000 and $940,000 against Overstock.com and Walmart, respectively, in 2017. It is worth noting that any penalties received under the California law go directly to the jurisdiction that brings suit, providing DAs with an incentive to pursue degradable and compostable claims.

Any advertiser interested in developing and marketing products that are degradable or compostable should pay special attention to the requirements of both federal and state laws since they do not always align. In particular, it is essential for businesses to fully understand the nuances of FTC guidance and California law in assessing how they substantiate their claims.

California Company Settles with FTC over Alleged Privacy Shield Misrepresentations

By Sheila Millar and Tracy Marshall on July 16, 2018 Posted in Data Security, Privacy

If a company claims to be certified under the EU-U.S. Privacy Shield framework when it hasn’t even completed the paperwork, the Federal Trade Commission (FTC) isn’t likely to let it slide. ReadyTech, a California-based online training services company, made such a claim on its website, in violation of the FTC Act’s prohibition against deceptive acts or practices, according to the FTC’s complaint against the company.

The Privacy Shield is one of the approved mechanisms through which U.S. companies can lawfully transfer personal data from the EU to the U.S. in compliance with the EU General Data Protection Regulation (GDPR). ReadyTech stated on its website that it was “in the process of certifying that we comply with the U.S. – E.U. Privacy Shield framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from European Union member countries.” However, according to the FTC, while the company initiated the process of self-certifying to the U.S. Department of Commerce in 2016, it was never completed.

As part of the settlement, ReadyTech is prohibited from misrepresenting its participation in any privacy or security program sponsored by a government agency or any self-regulatory or standard-setting organization. It also must comply with standard reporting and compliance requirements.

This is the FTC’s fourth case enforcing misrepresentations regarding participation in the Privacy Shield since the framework became operational two years ago, and the FTC brought similar enforcement actions under the old U.S.-EU Safe Harbor Framework (the Privacy Shield’s predecessor). The action against ReadyTech serves as a reminder to businesses to not only avoid misrepresenting their participation in privacy and data security frameworks, but also to take steps to ensure more generally that their practices are aligned with their privacy commitments.

The FTC actively enforces privacy and data security violations through its authority under Section 5 of the FTC Act, such as a failure to disclose certain practices in online privacy statements, a failure to follow stated practices, or materially and retroactively changing how personal data is handled without consent from affected consumers. The FTC pays special attention to possible violations of the Privacy Shield. The Privacy Shield, like the Safe Harbor before it, is viewed by businesses as a critical vehicle for companies to comply with cross-border data transfer obligations under EU privacy laws. Because privacy advocates and some regulators continue to criticize the Privacy Shield’s self-regulatory approach for meeting EU requirements, it is especially important that the FTC polices compliance to maintain the integrity of the program.

Companies that operate globally must be mindful of their obligations to meet their privacy commitments to comply with the FTC Act as well as with the new EU GDPR and other international data protection laws.

State Data Breach Notification Laws – Overview of Requirements for Responding to a Data Breach – Updated July 2018

By Sheila Millar and Tracy Marshall on July 10, 2018 Posted in Data Security, Privacy

With the ever-changing complexity of state data breach notification laws, companies facing a data breach need resources that will help them understand the issues. This summary provides an overview of the similarities and differences in data breach laws adopted in the 50 United States and the District of Columbia and includes laws enacted since our last update. Alabama and South Dakota became the last states to adopt breach notification laws, which took effect on May 1, 2018 and July 1, 2018, respectively. As a practical matter, most companies that experience a breach will be required to comply with all or several state laws depending on where the data subjects reside, and international data breach notification laws may also apply.

Because privacy is a politically popular topic for legislators, laws continue to evolve and change. It is important to confirm that no changes have been made to relevant laws whenever you experience a data breach. While this summary focuses on data breach notification obligations, many state laws also impose specific data security requirements for companies that handle personal information, which should also be consulted.

This summary is intended to provide general information about applicable laws, and does not constitute legal advice regarding specific facts or circumstances.

To download a copy, click here.

For more information on privacy and data security matters, please contact us:

Sheila Millar (+1 202.434.4143, millar@khlaw.com)

Tracy Marshall (+1 202.434.4234, marshall@khlaw.com)