Consumer Protection Connection
Keller and Heckman LLP

Consumer Protection
Connection

NIST Solicits Comments on Revised Draft IoT Cybersecurity Device Guidance

By Sheila Millar and Tracy Marshall on Posted in Privacy

On January 7, 2020, the National Institute of Standards and Technology (NIST) released a draft of revised cybersecurity recommendations for IoT devices at both the pre-market and post-market stages. NISTIR 8259, Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline, identifies six voluntary steps manufacturers should take to account for security throughout a connected device’s lifecycle. It builds on the agency’s initial IoT guidance released last June, NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks. Comments on the revised draft are due by February 7, 2020.

NIST explains that the IoT devices in scope for this publication have at least one transducer (sensor or actuator) for interacting directly with the physical world and at least one network interface (e.g., Ethernet, Wi-Fi, Bluetooth, Long Term Evolution [LTE], Zigbee, Ultra-Wideband [UWB]) for interfacing with the digital world.

The draft recommends that manufacturers take four pre-market steps:

  1. Identify expected customers and define expected use cases;
  2. Research customer cybersecurity goals, including device identification, device configuration, data protection, logical access to interfaces, and software and firmware updating;
  3. Determine how to address customer goals; and
  4. Plan for adequate support of customer goals.

NIST advises two additional post-market steps:

  1. Define approaches for communicating to customers; and
  2. Decide what to communicate and how to do it.

NIST recommends that manufacturers consider: cybersecurity risk-related assumptions made during design and development; support and lifespan expectations; the cybersecurity capabilities that a device or manufacturer provides; device composition and capabilities, such as information about the device’s software, firmware, hardware, services, functions, and data types; software and firmware updates; and end-of-life or retirement options. Many of NIST’s recommendations may also help IoT device manufacturers assess security measures related to the safety of a connected consumer product and its operation.

The EU Advocate General Opinion is Out: Standard Contractual Clauses are Valid

By Sheila Millar and Tracy Marshall on Posted in Privacy

Businesses that rely on standard contractual clauses (SSCs) to transfer personal data outside the European Economic Area (EEA) just got good news. The long-awaited decision from the EU Advocate General (AG) is here: SCCs are valid. The AG’s opinion, although non-binding, is significant for the case brought by Austrian privacy activist Max Schrems against Facebook, currently before the European Court of Justice (CJEU), as the CJEU generally follows the AG’s reasoning in its decisions.

By way of background, in 2010 the European Commission issued Decision 2010/87, which adopted SCCs model. SCCs establish three sets of contractual terms intended to protect data transfers from the EEA to certain other countries, including the U.S. Two versions of the SCCs apply to data transfers from the EEA to data controllers outside the EEA, and the transfers of data from the EEA to data processors outside the EEA.

Under the General Data Protection Regulation (GDPR) (like Directive 95/46/EC which preceded its adoption), personal data may only be transferred out of the EEA to a third country if that country ensures an adequate level of data protection. Schrems previously challenged the former U.S./EU Safe Harbor, resulting in a determination that it did not assure adequate protection. The Safe Harbor was then replaced by the current EU-U.S. Privacy Shield. SCCs, the Privacy Shield, and binding corporate rules (BCRs) are currently recognized as options to assure adequacy. In this latest challenge, Schrems argued that Facebook’s SCCs were inadequate, and that SCCs in general offered insufficient protection for data transfers from the EEA to the U.S. Schrems requested that SCCs be suspended, the matter was then referred to the CJEU.

In evaluating Decision 2010/87, the AG concluded that the fact SCCs are not binding on authorities in third countries “does not in itself render that decision invalid.” The opinion goes on to state:

The compatibility of Decision 2010/87 with the Charter depends on whether there are sufficiently sound mechanisms to ensure that transfers based on the standard contractual clauses are suspended or prohibited where those clauses are breached or impossible to honour … that is the case in so far as there is an obligation — placed on the data controllers and, where the latter fail to act, on the supervisory authorities — to suspend or prohibit a transfer when, because of a conflict between the obligations arising under the standard clauses and those imposed by the law of the third country of destination, those clauses cannot be complied with … the analysis of the questions has disclosed nothing to affect the validity of Decision 2010/87.

As the AG noted, the current case does not require the CJEU to rule on the lawfulness of the EU-U.S. Privacy Shield framework, which is a separate mechanism for transferring data outside the EEA. Nonetheless, the AG expressed sympathy with a separate argument by Schrems that the Privacy Shield does not offer sufficient safeguards “in the light of the right to respect for private life and the right to an effective remedy.”

These EU decisions are relevant to the current discussion about what a possible framework for federal privacy legislation should look like. As debates about privacy continue, it will be important for policymakers to remember that requirements imposed on businesses to protect key individual privacy rights must be balanced by considering the extent of possible harm to consumers, economic efficiency, innovation, and burdens to all participants in the ecosystem.

FTC Gives Energy Labeling Rule a Facelift

By Sheila Millar, JC Walker and Boaz Green on Posted in Product Safety

The Federal Trade Commission (FTC)’s Energy Labeling Rule has a new look. Following a public comment period, the FTC issued amendments to the Energy Labeling Rule that reorganize the Rule’s product descriptions and categories to make them clearer and simpler for stakeholders to understand and apply. But the FTC’s changes are cosmetic – the agency made no substantive changes to the Rule.

The Rule requires manufacturers to attach yellow EnergyGuide labels to many home appliances and electrical products and prohibits retailers from removing these labels or rendering them illegible. It also directs sellers to post label information on websites and in paper catalogs.

The amendments divide the covered products list into four different groups organized by general product category to make it easier for stakeholders to identify relevant covered products, particularly for categories that contain different product types and exemptions, such as lighting. They also separate labeling requirements into seven sections: one for general layout and formatting requirements and six additional sections containing stand-alone label content requirements for refrigerator products, clothes washers, dishwashers, water heaters, room air conditioners, and pool heaters. Finally, the amendments remove obsolete references and correct minor errors.

The Commission approved publication of the final amendments by a vote of 4-1. Commissioner Christine S. Wilson issued a dissent in which she argued that some of the requirements in the amended Rule were unnecessarily exacting, and that the Commission should consider conducting “a comprehensive review of this Rule with a deregulatory mindset.”

The changes become effective on November 29, 2019.

FTC Publishes Practical Guidance for Influencers

By Sheila Millar and Tracy Marshall on Posted in Advertising

From beauty gurus on Instagram to product reviewers on YouTube, influencers are big business for brands. However, the intentions aren’t always clear when reading the advice of a celebrity fitness trainer who was paid for his endorsement or watching a video of a fashionista who just received a new wardrobe from the clothing company she is promoting. To help clarify when and how influencers need to make disclosures, the Federal Trade Commission (FTC) released Disclosures 101 for Social Media Influencers, a new guide intended to supplement the agency’s Endorsement and Testimonial Guides and 2017 Q&A on endorsements.

The guide and its accompanying video advise on disclosure language, how to disclose in different types of media, and avoiding dishonest claims. They also make important points for companies, such as recognizing that financial relationships are not limited to money and not assuming that social media followers are familiar with a company’s brand relationships.

The FTC has taken action against a number of companies over the last year for inadequate disclosures and posting false reviews, including snack box delivery service Urthbox and supplement manufacturer Nobetes. Just last month, the FTC brought complaints against cosmetics company Sunday Riley for posting fake reviews on Sephora.com and the now-defunct marketing company Devumi for creating fake social media followers.

The FTC continues to provide educational resources to influencers and brands about how to comply with the Endorsement Guides, but does not hesitate to initiate enforcement action where undisclosed endorsements have the potential to deceive consumers. Companies should continue to ensure they and the influencers they work with are familiar with both the Endorsement Guides and Disclosures 101 when working with them on an advertising or marketing campaign.

FTC Says “Stalking” Apps Violate COPPA and the FTC Act

By Sheila Millar and Tracy Marshall on Posted in Privacy

You know that movie where a person thinks they’ve barricaded themselves in their house against a stalker, only to grasp the awful realization that the threat is “coming from inside the house”? Unbeknownst to you, that threat may, in fact, be coming from your smartphone, according to a complaint by the Federal Trade Commission (FTC). The FTC recently took action against developers of three mobile apps that were, according to the Complaint, “designed to run surreptitiously in the background” and “uniquely suited to illegal and dangerous uses.” The Complaint alleged violations of the FTC Act and Children’s Online Privacy Protection Act (COPPA).

The FTC Complaint

Marketed as tools for parents to monitor their children and for employers to monitor employees, three mobile apps operated by Retina-X Studios – MobileSpy, TeenShield, and PhoneSheriff – tracked location and mobile device use, but without a user’s knowledge or consent. The apps collected text messages, call history GPS locations, photos, contact lists, browser history, and other information. According to the FTC, the information collected was not properly secured, despite the company’s promises to the contrary. Even after hackers penetrated the company’s cloud storage account twice in a one-year period, leading to the exposure of personal information, the company’s privacy policies insisted that “Your private information is safe with us.” The company also allegedly outsourced much of its product development and maintenance to third parties without sufficient oversight, such as conducting security testing on the apps.

Retina-X’s privacy protections were also allegedly lacking, and, in some instances, allowed users to flout protections designed to alert them about tracking. Default settings in the apps used an icon to inform users that they were being monitored, but the company provided purchasers with instructions on how to turn this feature off, leaving device users who installed the app in the dark about the fact that they were being tracked. The FTC also claimed the company took no steps to validate that the apps were only used to monitor children and employees. Another serious concern prompting the FTC to act was the possibility that domestic abusers and other stalkers could access a device where the app was installed and emotionally and physically abuse an unwitting victim.

The Order

The proposed consent order requires Retina-X and its principal to delete all data collected from the “stalking apps,” prohibits them from misrepresenting their privacy and security practices, and bans them from selling, promoting, or distributing monitoring apps or services that require circumventing the manufacturer’s security protections. The homepage of any website advertising the apps must clearly and conspicuously state that the apps may only be used for legitimate and lawful purposes by authorized users, and the company must obtain express written confirmation from purchasers that they will only use the app for legitimate and lawful purposes, such as a parent monitoring a child, an employer monitoring an employee who has consented, or an adult monitoring another adult who has consented.

Similar to other FTC Orders, Retina-X is required to implement and maintain a comprehensive information security program and obtain third-party assessments of its security program every two years by an assessor the FTC may approve. The company must designate a senior corporate manager to administer the security program and certify compliance annually.

While these security obligations are now standard in FTC consent agreements, this is the first time the FTC has brought a case against monitoring apps. It comes on the heels of the FTC’s COPPA Rule workshop that explored possible updates to the COPPA Rule to address changes in technology. This action establishes that COPPA and Section 5 of the FTC Act give the FTC authority to take action against app developers that circumvent security measures. The FTC has made it clear that safeguarding consumers from potential emotional or physical threats made possible through the surreptitious installation of a stalking app is just as important as protecting them from risks of identity theft and similar harms associated with privacy and security failures.

Reevaluating the COPPA Rule

By Sheila Millar on Posted in Privacy

In the two decades following the enactment of the Children’s Online Privacy Protection (COPPA) Rule, technological developments have changed the online landscape considerably. Recognizing this, the Federal Trade Commission (FTC) held a public workshop on October 7, 2019, to discuss whether, given the proliferation of smart devices, video games, online channels, and EdTech, the Rule, which was last updated in 2013, needs further revision.

The Rule requires certain website operators to obtain parental permission to collect, use, or disclose personal information of children under 13. It applies to operators who target children or who have actual knowledge that children are using their website. FTC Commissioner Christine Wilson, who opened the first session, made clear that the FTC is taking an expansive view of the responsibilities of online platform operators under COPPA. Referring to the recent $170 million fine against YouTube and Google, she noted that platform operators are now “on notice regarding their obligations under COPPA. Specifically, if those operators gain knowledge that user-generated content on their platforms is directed at children, they must comply with COPPA if they collect personal information from viewers of that content … even if the operator does not view its target demographic as children under 13.” Commissioner Noah Phillips emphasized the importance of making sure that any Rule changes are consistent with the statutory directives from Congress and remaining mindful of the potential implications for competition.

The workshop presented an important opportunity for diverse stakeholders to respond to the questions in the FTC’s Request for Comments and to address the costs and benefits of legal and technical approaches to protecting children’s privacy online. Four panels made up of representatives from business, academia, government, and consumer groups discussed a broad range of topics, including behavioral advertising, EdTech, and third-party content. Business representatives raised the issue of conflicting privacy laws, noting that COPPA, the soon-to-be-enacted California Consumer Privacy Act, and the GDPR, vary on age limits and other requirements. Advocacy groups encouraged the FTC to use its authority under Section 6 (b) of the FTC Act to get more information from companies about how they collect and use children’s data.

Changes to the COPPA Rule and its enforcement could have far-reaching implications for companies, even those that do not make children’s products or content. Given the importance of stakeholder input, and in response to requests, the FTC has extended the deadline for comments until December 9, 2019. Comments can be submitted here.

Truly Organic? Not Really, Says FTC

By Sheila Millar on Posted in Labeling

Many consumers are drawn to products advertised as healthy and natural, and will often pay a premium for organic products, from foods to personal care items to clothing. But the Federal Trade Commission (FTC) takes a dim view of companies that don’t live up to their green promises. Case in point: Miami-based Truly Organic and its CEO, Maxx Appelman, just settled with the FTC for $1.76 million over allegations that the company’s personal care products advertised as “100% organic” were anything but.

Truly Organic sells its products nationwide through its own website and through national chains such as ulta.com, urbanoutfitters.com, and nordstrom.com. According to the FTC complaint, since at least 2015, Miami-based Truly Organic advertised its body washes, lotions, baby, haircare, bath, and cleaning products as “certified organic, “USDA certified organic,” and “Truly Organic.” The company also claimed its products were vegan, despite the presence of animal-derived ingredients such as honey and lactose.

The FTC alleges that some of Truly Organic’s products contain non-organic ingredients that can be organically sourced and that others have non-organic ingredients that the United States Department of Agriculture (USDA) prohibits in organic handling, such as cocamidopropyl betaine and sodium cocosurfactant. Some items, such as the company’s bath bombs and soaps, contain no organic ingredients at all, and were simply sourced as finished products from suppliers that do not sell any organic products. Not one of Truly Organic’s products was ever certified organic by USDA despite claims to the contrary.

This is not the first time Truly Organic found its bath and other products in hot water with regulators. USDA investigated the company in 2016 for supplying goods to third parties that had false “organic” certifications on their labels. USDA staff informed Appelman that he could not represent any Truly Organic products as “USDA Organic” or “Certified Organic,” and issued a Notice of Warning. Although Appelman initially seemed to comply with the USDA warning, the FTC avers that Truly Organic continued to claim on its YouTube channel that its products were “certified organic,” “USDA organic,” and “vegan,” and regularly repackaged and sold items the company knew were not organic. Appelman also engaged in other fraudulent conduct. More than three months after the USDA closed its 2016 investigation, he deleted the name of the legitimately certified company on an organic certification document and replaced it with Truly Organic’s information to falsely substantiate his company’s “certified organic” claims. He also falsified Material Safety Data Sheets and then provided those documents to third parties for use in marketing Truly Organic products.

The stipulated final order not only imposes liability on the company, but on Appelman personally. In addition to the fine, the order bars Truly Organic and Appelman from making any false or unsubstantiated claims that their products are wholly or partially organic; that they use organic ingredients or are certified organic; that they are vegan; or that they have been certified organic by a third party. The stipulated order prohibits Appelman, Truly Organic and their representatives from touting the environmental or health benefits of any good or service unless they support it with competent and reliable scientific evidence.

The Commission approved the settlement unanimously. Commissioner Rohit Chopra – who has been a notable dissenter in some significant orders over the past year – published a separate statement, characterizing the fine and injunctive provisions as a “commonsense resolution” that imposes personal responsibility on the CEO. He called for the FTC “to codify this approach in a Policy Statement addressing unlawful conduct that is dishonest or fraudulent.” Commissioner Chopra added that “[i]n cases involving such conduct, no-money settlements are inadequate, and the Commission should commit itself to exercising its full authority to protect consumers and honest businesses.”

As we have previously noted, the Federal Trade Commission has a low tolerance for greenwashing or unsupported claims interpreted to be beneficial to health. Whether a brand is advertising its products as “all-natural,” containing “zero VOC emissions,” “organic,” or some other express or implied environmental or health claims, it must back it up with competent and reliable scientific testing. There are certainly instances where the debate with regulators involves legitimate discussions about the level and relevance of a company’s technical substantiation, where reasonable minds could differ, but when businesses engage in garden variety fraud of the sort seen in this instance, companies and their officers are likely to be held to account.

What’s Next After Facebook’s Record $5 Billion Fine and Cambridge Analytica?

By Sheila Millar and Tracy Marshall on Posted in Advertising, Data Privacy

Facebook is facing some big changes after the Federal Trade Commission (FTC) settled with the social media giant over charges that it violated an earlier consent agreement. The company will pay a penalty of $5 billion, which is not only the biggest privacy fine in history, but also, according to FTC commissioner Noah Phillips, “almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide.”

The order requires Facebook to make significant improvements in how it handles data privacy. Key changes include the creation of a privacy subgroup of Facebook’s board of directors to oversee data privacy, submission of quarterly privacy compliance statements that are independently certified by CEO Mark Zuckerberg and Facebook’s compliance officer(s), and a requirement that third parties with access to consumer information comply with the company’s terms, policies, and procedures. The order also mandates that an independent third-party assessor, approved by the FTC, provides quarterly assessments to the new privacy committee of Facebook’s Board.

The fine represents 9% of the company’s 2018 revenue. Critics in Congress and within the FTC’s ranks argued that the penalty barely touched Facebook’s profitability and did not force the company to stop collecting personal data. The two Democrats on the Commission, Rebecca Slaughter and Rohit Chopra, voted against the settlement, expressing the view that the order would not impose discipline on how Facebook treats data and privacy, and that Mark Zuckerberg should be held personally liable.

The FTC also launched an administrative complaint against now-bankrupt Cambridge Analytica (CA) “for its deceptive acts and practices to harvest personal information from Facebook users for political and commercial targeted advertising purposes.” The complaint alleges that CA collected Facebook profile data from 250,000-270,000 U.S. users plus 50-65 million of their Facebook friends without their consent.

The FTC further alleged that CA falsely claimed participation in the EU-U.S. Privacy Shield framework after the company neglected to renew its certification, which expired in May 2018. Under Privacy Shield rules, participants must affirm to the Department of Commerce, which oversees the program, that they will continue to apply the principles to personal information received during the time they participated in Privacy Shield. CA allegedly failed to do so while still claiming on its website that it adhered to Privacy Shield principles. In contrast with the Facebook settlement, the order individually names CA’s CEO, Alexander Nix, and its developer, academic researcher Aleksandr Kogan, for their personal involvement in the collection of Facebook members’ personal data.

Facebook’s privacy issues do not end with the FTC settlement. Facebook will also pay $100 million to the Securities and Exchange Commission (SEC) in a settlement announced on July 24, 2019 over charges that Facebook misled investors, presenting the risk of misuse of user data as hypothetical despite knowing about actual misuse for more than two years. Facebook is still under investigation by European data protection authorities in several member states for privacy violations under the General Data Protection Regulation (GDPR), under which fines can reach 4% of global profits. The FTC is also not done with Facebook; the agency is currently investigating the company for antitrust violations. Meanwhile, financial regulators have expression wariness of Facebook’s announced foray into cryptocurrencies.

Some advocacy groups denounced the settlement as not going far enough. The Electronic Privacy Information Center (EPIC) filed a Motion to Intervene in United States v. Facebook, calling the settlement “not adequate, reasonable, or appropriate.” EPIC claims the settlement would “extinguish more than 26,000 consumer complaints against Facebook that are pending at the FTC,” and asked the court to allow EPIC and other concerned organizations to have a chance to put their views before the FTC before the settlement is finalized.

Facebook still faces a bumpy enforcement road ahead, but the settlement with the FTC will likely have further ripples around the world for all international players. For example, as EU regulators continue their investigation of Facebook and other tech companies for alleged violations of the GDPR, we can expect that the FTC settlement will provide a benchmark they will try to beat to claim the title of “biggest penalty” for privacy violations worldwide. Investments in data privacy and security will continue to be an ever-larger component of corporate compliance programs.

Equifax to Pay Largest-Ever Data Breach Settlement

By Sheila Millar and Tracy Marshall on Posted in Advertising, Privacy

The Equifax data breach was one of the most massive data breaches of all time, and it has resulted in the biggest settlement for a data breach to date. After two years of investigations at the state and federal levels, credit reporting agency Equifax has agreed to a $675 million – up to possibly $700 million – settlement that puts to rest complaints from the Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB), as well as multistate class action litigation.

In 2017, Equifax was hacked when it failed to secure its servers, leaving the personal information of 147 million people – including credit card numbers, driver’s license numbers, Social Security numbers, birth dates, and addresses – exposed. As we previously reported, the resulting theft of consumer data resulted in multistate litigation and investigations by Congress, the FTC, and European data protection authorities. A year after the breach, the Government Accountability Office (GAO) released a report on the breach, which found Equifax was using software with a known vulnerability in its online dispute portal that enabled hackers to penetrate the network and acquire personal information. According to the report, the company’s systemic deficits in the areas of identification, detection, segmentation, and data governance led to the breach.

The Order, which was approved by Chief Judge Thomas Thrash Jr. of the U.S. District Court for the Northern District of Georgia on July 22, 2019, requires Equifax to pay at least $175 million in civil penalties to the states, District of Columbia, and Puerto Rico, $300 million to a fund that will provide free credit monitoring services to consumers, and $100 million in fines to the CFPB. Equifax will contribute up to $125 million more to the fund if the initial payment isn’t adequate to compensate consumer losses. Consumers will also receive six free credit reports annually for seven years.

In addition to the payout, Equifax must implement a comprehensive information security program and must designate an employee to oversee it. The company is required to obtain third-party assessments of its information security program every two years, and the FTC can approve the assessor for each two-year assessment period. Equifax also must invest a minimum of $1 billion to improve its data security over the next five years.

In prepared remarks at a press conference on July 22, 2019, FTC chair Joseph Simons used the opportunity to reiterate a point he made previously in testimony to Congress – that the FTC needs greater enforcement powers:

“The [CFPB] and the states were able to obtain civil penalties for this breach by a major financial institution. The FTC could not. The FTC could not, because we do not have civil penalty authority for initial violations of the FTC Act or for violations of the Gramm-Leach-Bliley Safeguards Rule. Fortunately, other agencies were able to fill in the gap – this time. But under different circumstances, future breaches might not always be subject to civil penalties, which sends absolutely the wrong signal regarding deterrence. For this reason, I renew my call for Congress to enact federal data security legislation that gives the FTC authority to seek civil penalties for first-time violations.”

Simons has repeatedly pushed Congress to grant the FTC greater enforcement powers, including the ability to impose fines for violations of federal laws that fall within its jurisdiction. The FTC’s recent willingness to use new tools, such as holding company executives personally liable for data breaches, shows that the FTC is creatively expanding the use of its enforcement arsenal while awaiting Congressional action, at least in some instances. However, the recent Commission vote to fine Facebook $5 billion for violations of a prior consent agreement – a situation where the FTC does have civil penalty authority – did not impose responsibility on Facebook founder Mark Zuckerberg or other senior executives. The failure to do so drew dissents from the two Democrats on the Commission, and the question of senior manager accountability will likely loom larger in future data breach and privacy investigations.

Boaz Green Interviewed by Regulator Watch About the Consumer Product Safety Commission’s Recent Enforcement Actions Against E-Liquids

By Sheila Millar on Posted in Regulations

As previously reported on Keller and Heckman’s The Continuum of Risk blog, the Consumer Product Safety Commission (CPSC) recently announced that it considers flow restricted containers for nicotine-containing e-liquids to be required under the Child Nicotine Poisoning Prevention Act of 2015 (CNPPA). Boaz Green was interviewed by Regulator Watch regarding CPSC’s recent enforcement actions, industry’s response, and the options available to companies receiving Notices of Violation from CPSC.

To watch the full interview, click here.

.
Consumer Protection Connection

We and our analytics and advertising providers may use cookies and similar technologies to enhance the browsing experience, facilitate sharing of content, and generate statistics about use of the website. For more information or to change your preferences, click here.

I Agree