FTC Approves ESRB’s Updated COPPA Safe Harbor Program

By Sheila Millar and Tracy Marshall on August 17, 2018 Posted in Data Security, Privacy

The Federal Trade Commission (FTC) approved modifications to the video game industry’s Children’s Online Privacy Protection Act (COPPA) program. Earlier this year, the Entertainment Software Ratings Board (ESRB) proposed several substantive changes intended to take account of recent FTC COPPA rules and guidance.

To receive FTC approval, COPPA safe harbor programs must “implement substantially similar requirements that provide the same or greater protections for children as those contained in the Rule; (2) an effective mandatory mechanism for the independent assessment of the safe harbor program participants’ compliance with the guidelines; and (3) disciplinary actions for noncompliance by safe harbor participants.”

Five NGOs and individuals submitted comments during a public comment period on a number of ESRB’s proposed changes, including amending the definition of “personal information and data,” ensuring that links to privacy statements be prominent and clearly labeled, and clarifying the program’s data minimization requirements. ESRB also revised the program to incorporate FTC enforcement guidance on how voice data was handled. The FTC approval letter noted that ESRB made revisions to address certain objections raised by three of the NGOs.

The Commission vote to approve the changes to ESRB’s COPPA safe harbor program was unanimous.

23 California DAs Obtain $1.5 Million Settlement for Deceptive Biodegradable Claims

By Sheila Millar and JC Walker on August 9, 2018 Posted in Litigation

Environmentally conscious consumers often look for products advertised as “green.” But labeling plastic products as “biodegradable” may land you on the legal compost heap if you can’t meet federal and state regulations governing green marketing. Amazon was just the latest company to find itself in the crosshairs when 23 California district attorneys charged that it violated state law when it marketed and sold products labeled “biodegradable” or “compostable.” Amazon settled the lawsuit for $1.5 million.

Most advertisers interested in degradability and similar claims should be familiar with the requirements in the FTC’s Guides for the Use of Environmental Marketing Claims. Advertisers also need to be aware of 2011 amendments to the California Public Resources Code restricting green claims for plastic products. The California law prohibits businesses from selling plastic goods that are labeled “compostable,” “biodegradable,” “degradable,” or other wording that implies the product will break down in a landfill or other environment, unless the product meets specific standards set forth in the law. There are differences, however, in how the FTC and the state of California view available standards from a substantiation standpoint.

Under the settlement, Amazon is prohibited from selling plastic products labeled as “biodegradable” or “compostable” if the product has not been certified as such in accordance with California’s requirements. In addition, the company will pay CalRecycle, the state agency responsible for recycling, $50,000 to test plastic products that are advertised as compostable or degradable.

California has shown itself to be an aggressive enforcer against misleading green marketing claims. In the last few years, the state has pursed legal action against several companies for alleged deceptive green labeling, settling claims against ENSO Plastics in 2013 with an $18,000 fine, and obtaining agreed-to penalties of $27,000 and $940,000 against Overstock.com and Walmart, respectively, in 2017. It is worth noting that any penalties received under the California law go directly to the jurisdiction that brings suit, providing DAs with an incentive to pursue degradable and compostable claims.

Any advertiser interested in developing and marketing products that are degradable or compostable should pay special attention to the requirements of both federal and state laws since they do not always align. In particular, it is essential for businesses to fully understand the nuances of FTC guidance and California law in assessing how they substantiate their claims.

California Company Settles with FTC over Alleged Privacy Shield Misrepresentations

By Sheila Millar and Tracy Marshall on July 16, 2018 Posted in Data Security, Privacy

If a company claims to be certified under the EU-U.S. Privacy Shield framework when it hasn’t even completed the paperwork, the Federal Trade Commission (FTC) isn’t likely to let it slide. ReadyTech, a California-based online training services company, made such a claim on its website, in violation of the FTC Act’s prohibition against deceptive acts or practices, according to the FTC’s complaint against the company.

The Privacy Shield is one of the approved mechanisms through which U.S. companies can lawfully transfer personal data from the EU to the U.S. in compliance with the EU General Data Protection Regulation (GDPR). ReadyTech stated on its website that it was “in the process of certifying that we comply with the U.S. – E.U. Privacy Shield framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from European Union member countries.” However, according to the FTC, while the company initiated the process of self-certifying to the U.S. Department of Commerce in 2016, it was never completed.

As part of the settlement, ReadyTech is prohibited from misrepresenting its participation in any privacy or security program sponsored by a government agency or any self-regulatory or standard-setting organization. It also must comply with standard reporting and compliance requirements.

This is the FTC’s fourth case enforcing misrepresentations regarding participation in the Privacy Shield since the framework became operational two years ago, and the FTC brought similar enforcement actions under the old U.S.-EU Safe Harbor Framework (the Privacy Shield’s predecessor). The action against ReadyTech serves as a reminder to businesses to not only avoid misrepresenting their participation in privacy and data security frameworks, but also to take steps to ensure more generally that their practices are aligned with their privacy commitments.

The FTC actively enforces privacy and data security violations through its authority under Section 5 of the FTC Act, such as a failure to disclose certain practices in online privacy statements, a failure to follow stated practices, or materially and retroactively changing how personal data is handled without consent from affected consumers. The FTC pays special attention to possible violations of the Privacy Shield. The Privacy Shield, like the Safe Harbor before it, is viewed by businesses as a critical vehicle for companies to comply with cross-border data transfer obligations under EU privacy laws. Because privacy advocates and some regulators continue to criticize the Privacy Shield’s self-regulatory approach for meeting EU requirements, it is especially important that the FTC polices compliance to maintain the integrity of the program.

Companies that operate globally must be mindful of their obligations to meet their privacy commitments to comply with the FTC Act as well as with the new EU GDPR and other international data protection laws.

State Data Breach Notification Laws – Overview of Requirements for Responding to a Data Breach – Updated July 2018

By Sheila Millar and Tracy Marshall on July 10, 2018 Posted in Data Security, Privacy

With the ever-changing complexity of state data breach notification laws, companies facing a data breach need resources that will help them understand the issues. This summary provides an overview of the similarities and differences in data breach laws adopted in the 50 United States and the District of Columbia and includes laws enacted since our last update. Alabama and South Dakota became the last states to adopt breach notification laws, which took effect on May 1, 2018 and July 1, 2018, respectively. As a practical matter, most companies that experience a breach will be required to comply with all or several state laws depending on where the data subjects reside, and international data breach notification laws may also apply.

Because privacy is a politically popular topic for legislators, laws continue to evolve and change. It is important to confirm that no changes have been made to relevant laws whenever you experience a data breach. While this summary focuses on data breach notification obligations, many state laws also impose specific data security requirements for companies that handle personal information, which should also be consulted.

This summary is intended to provide general information about applicable laws, and does not constitute legal advice regarding specific facts or circumstances.

To download a copy, click here.

For more information on privacy and data security matters, please contact us:

Sheila Millar (+1 202.434.4143, millar@khlaw.com)

Tracy Marshall (+1 202.434.4234, marshall@khlaw.com)

CPSC Releases Revised Draft Age Appropriate Guidelines for Consumer Products

By Sheila Millar on April 2, 2018 Posted in Product Safety, Regulations

The U.S. Consumer Product Safety Commission (CPSC) announced potential changes to its 2002 Age Determination Guidelines Relating Children’s Ages to Toy Characteristics and Play Behavior (2002 Guidelines). The new draft guidance, titled Guidelines for Determining Age Appropriateness of Toys (Draft 2018 Guidelines), “addresses toys that have come onto the market since the last update and provides changes to the recommended age group for certain classic toys.” The plan to issue a Federal Register notice was announced at the International Consumer Product Health and Safety Organization (ICHPSO) conference in February 2018, and the updated draft was formally published on March 27, 2018. Congress specifically made the 2002 version of the guidelines one of four key factors for determining whether a consumer product is a children’s product, so this proposed set of changes will affect the children’s product industry.

The Draft 2018 Guidelines have been updated to take account of new toys that have come onto the market since 2002, changes in consumer purchasing behavior, and children’s access to toys. The Draft also reassesses the 2002 Guidelines’ age determinations based on a broad literature review, parent toy survey, and observational study of 243 children, ages 1 to 8 years old, and their parents across four age brackets: 1 to 1.5 years old; 1.6 to 2 years old; 3 to 5 years old; and 6 to 8 years old. The guidelines contain four levels, each representing an increasing level of detail: play categories; toy subcategories; age groups; and toy characteristics. The agency staff’s draft revisions were developed with input from the Child and Family Research Section staff at the National Institute of Child Health and Human Development (NICHD) within the National Institutes of Health (NIH).

The 2018 Draft Guidelines make age-grade recommendations for new products, such as play touchscreen phones, suction cup building pieces, wooden trains with magnetic pieces, and magnetic puzzles. The 2018 Draft Guidelines also recommend changes for a variety of toys, including microscopes, colorful wooden blocks, large basketball hoops, and toy cameras with viewfinder function. Other revisions include recommended testing changes, such as shifting existing small parts or use-and-abuse testing requirements based on age grades that are different from the 2002 Guidelines.

CPSC staff explains that “many toy-related injuries could be prevented by age-labeling products for the age group for whom they are intended. Providing the consumer product toy industry with better age-grading guidance, and describing how these principles can be applied to their products, can help reduce product-related incidents and reduce costly compliance and enforcement actions.”

The CPSC’s Age Determination Guidelines play an important role in determining not just the suitability of toys for children in different age ranges, but also which safety requirements apply to a particular toy. Interested stakeholders should carefully review the updated Draft 2018 Guidelines with a view to identifying whether the CPSC and NIH staff’s assessments, evaluations, and test results match their information and experience. Focus group testing and evaluations from manufacturers, industry groups, or other outside groups could help improve and inform CPSC staff’s conclusions.

Comments on the Draft 2018 Guidelines may be submitted here until June 11, 2018.

CPSC Sues to Force Jogging-Stroller Recall

By Sheila Millar on March 6, 2018 Posted in Product Safety

The U.S. Consumer Product Safety Commission’s (CPSC) first lawsuit of 2018 is against the maker of popular lines of jogging strollers, Britax Child Safety, Inc. The complaint, to be heard in administrative proceedings, concern’s Britax’s B.O.B. jogging strollers. The company and its 2011 merger partner, B.O.B. Trailers, Inc., have been importing and distributing the strollers since 1997. At issue are about 493,000 jogging strollers imported and distributed between December 2011 and September 2015. They include a range of single- and double-seated models.

Detaching front wheels are the central issue of the case. CPSC takes the view that the three-wheeled stroller models can operate when the front wheel is not properly secured, leading to the front wheel detaching when the stroller is moving, which in turn causes the stroller to stop and tip over. The CPSC’s position is that the detachment issue reflects a design defect. The company argues that improper use, rather than any design flaw, is the cause of the problem, saying: “the[ detachments] involve an improperly secured quick[-]release mechanism … or jogging with the swivel wheel unlocked.”

According to the agency’s press release, it has received about 200 complaints about wheels coming off the stroller since 2012, with reports of 50 injuries to children and 40 to adults, including head and teeth injuries, bruises, torn ligaments, and cuts.

When CPSC asked the company to conduct a recall, the company refused, arguing that misuse rather than any defect in the product was the cause. By a 3-to-1 vote, a majority of CPSC Commissioners approved filing an administrative complaint seeking to compel Britax to recall the strollers, inform the public of the defect, and offer a remedy in the form of repair, replacement, or refund.

Britax has been willing to conduct recalls with CPSC before. In 2011, for example, the company jointly recalled its B-Nimble strollers over a risk of brake failure. It conducted other recalls with CPSC in 2014, 2016, and 2017. Notably, although CPSC has been receiving complaints about wheel detachment since 2012, only now has the agency attempted to force a recall. The company’s refusal to conduct a recall in this situation suggests its conviction that user error is to blame, a point emphasized in the company’s statement: “While we respect the CPSC and its mission, we cannot agree to recall a product that is not defective.”

Questions of safety and user misuse are complicated and necessarily involve subjective judgments. Additionally, hazards that appear clear in hindsight are often hazy at the outset. It is common for reasonable people, including safety experts inside and outside government, to disagree about what constitutes a safety hazard, the scope of a company’s responsibility for improper installation or misuse of a product by consumers, and about what constitutes an acceptable degree of risk.

Although administrative and judicial lawsuits to force recalls have been exceedingly rare for CPSC, the agency has initiated several in recent years. These include suits to force recalls and to recover civil penalties from companies who were allegedly late in reporting substantial product hazards. The Britax suit represents a continuation of this hard-charging enforcement effort. Further, it suggests the willingness of a majority of commissioners to support pursuing administrative remedies when companies disagree with agency conclusions. Companies working with CPSC on potential safety issues should bear this in mind as they work on joint solutions, just as they should remember that the agency’s jurisdiction extends to products that fail to comply with a regulatory requirement, pose an unreasonable risk of serious injury or death, or contains a defect that poses a substantial risk of harm.

Online Talent Company Settles with FTC Over Alleged COPPA Violations

By Sheila Millar and Tracy Marshall on February 9, 2018 Posted in Data Security, Privacy

Online talent search company Explore Talent just landed in the spotlight of the Federal Trade Commission (FTC). The Vegas-based company was charged with violating the Children’s Online Privacy Protection Act (COPPA), which requires that companies collecting information online must obtain informed, verifiable parental consent before collecting any information from a child under 13. The company also allegedly violated the FTC Act by deceiving paying customers into thinking they were getting access to specific roles and casting agents when they weren’t.

Explore Talent – aka Prime Sites, Inc. – promotes itself as the world’s largest talent resource, claiming to provide actors, models, and other performers with information on auditions and access to casting agencies. The site contends to have over 10 million members – more than one hundred thousand of whom are registered as children under the age of 13. Per the FTC, the site violated COPPA on several grounds:

To use the site, customers, including children under age 13, were required to create an account by submitting personal information including names, photos, email addresses, telephone numbers, and mailing addresses. This information was made publicly available, including to adults registered on the site (who could then send private messages to children) as well as to non-registered adult users, without parents’ knowledge or consent.
Explore Talent had a privacy policy available by a hyperlink buried in fine print at the bottom of its homepage. The policy stated that children under 13 must have their profile created by a legal guardian, but the company took no steps to verify who submitted children’s profiles.
Despite Explore Talent’s assurance that it did not knowingly collect personal information from children under the age of 13, the site “disclosed children’s personal information without accurately describing its collection, use, or disclosure practices, and without notifying or obtaining consent from the children’s parents.”

Acting FTC Chair Maureen Ohlhausen said “Explore Talent collected the personal information of more than 100,000 children, but failed to adhere to the safeguards required by law. Today’s settlement provides strong relief for consumers and will help ensure children are protected going forward.”

In addition, the FTC alleged that Explore Talent misled customers over its “pro membership” benefits in violation of the FTC Act. Although initial membership to the site was free, access to specific jobs and casting calls required an upgrade to “pro membership” costing $39.99 a month. And, according to the FTC, the advertised jobs did not, in fact, exist.

The settlement with the FTC requires Explore Talent to pay a $500,000 civil penalty, to be suspended upon payment of $235,000. The company is required to abide by COPPA, is prohibited from using or disclosing children’s personal information, and must delete the information it has collected from children. The company is also forbidden from making false representations about its services, including telling customers they have been chosen for a role in an upcoming film or that they have attracted the interest of casting directors.

The FTC recently updated its COPPA compliance guidance, which offers advice on COPPA-compliant privacy policies, how to get verifiable consent from parents in different circumstances, and exceptions to the COPPA rules. Following on the heels of the FTC’s settlement with Vtech, this is the second COPPA compliance action to date in 2018. Any online service provider who deals with kids need to ensure they understand and comply with COPPA, or they may find it’s lights, camera, FTC action!

European Court of Justice Throws Out Class Action in Latest Schrems Battle

By Sheila Millar and Tracy Marshall on February 7, 2018 Posted in Data Security, Privacy

In the latest round of the ongoing battle between Austrian privacy activist Max Schrems and Facebook, the European Court of Justice (CJEU) ruled that Schrems did not have standing to bring claims on behalf of Austrian consumers over Facebook’s alleged violations of users’ privacy rights. The court did, however, allow for Schrems to continue with the lawsuit as an individual.

In 2014, Schrems sued Facebook in local court in Vienna over alleged consumer privacy violations. He brought the complaint both as an individual and as a collective action on behalf of 25,000 Facebook users worldwide. Facebook’s global headquarters are based in Ireland, and the company argued against Schrems’ standing to sue on two grounds: (1) Schrems, who uses Facebook to promote his books and events, has a professional interest in the case therefore cannot be regarded as a “consumer” under European consumer protection law; and (2) Facebook is not located in Schrems’ home country. These questions were referred to the European Court of Justice by the Supreme Court of Austria.

The CJEU’s decision on the first issue follows the Advocate General’s opinion in November 2017. On the second point, however, the CJEU ruled that consumer privilege applies “only to an action brought by a consumer against the other party to the contract,” so Facebook users cannot assign their claims to other citizens outside their home countries.

Although the European Commission recommended in 2013 that member states introduce a collective redress mechanism, nine countries have yet to do so. However, this will change in May, when the new General Data Protection Regulation (GDPR) takes effect. Article 80 of the GDPR states that data subjects “shall have the right to mandate a not-for-profit body, organisation or association …. to lodge the complaint on his or her behalf.” It is no surprise that Max Schrems has already founded his own NGO specifically for this purpose. In addition, EU Justice Commissioner Vera Jourova announced at a conference last September that the Commission will be proposing new legislation in March 2018 (now expected in April) to provide collective redress.

While the Schrems challenge now returns to the Supreme Court of Austria, the EU data privacy landscape may soon become more litigious.

ICC Launches Free E-Course on Responsible Marketing and Advertising

By Sheila Millar on February 5, 2018 Posted in Advertising

The International Chamber of Commerce (ICC) Commission on Marketing and Advertising has launched a free, two-hour interactive ethical marketing and advertising course designed to help companies and other stakeholders apply the fundamental principles of the ICC Marketing Code. Created in conjunction with the ICC Academy and modeled on a program developed by international business school INSEAD, the course aims to provide participants with practical guidance on producing responsible marketing communications.

The ICC code was developed in broad consultation with industry and marketing experts and is the global gold standard for ethical communications. It is used by more than 35 countries worldwide to create self-regulatory marketing programs and is updated regularly. The e-course provides a grounding in ICC basics of responsible advertising, and offers case studies and best practices in online marketing and advertising.

Marketing communications touch many areas of business communications. In an increasingly global marketing environment, a harmonized global code of marketing communication practice helps to enhance consumer trust and reduce regulatory differences. In addition to helping build brand loyalty, marketing communications that adhere to the ICC’s ethical marketing standards can reduce compliance and reputational risk at the same time.

Senate Bill Would Give FTC Enforcement Power Over Credit Bureaus

By Sheila Millar and Tracy Marshall on January 17, 2018 Posted in Data Security

In response to the Equifax data breach last September, when hackers gained access to the personal information of 143 million consumers, Senators Elizabeth Warren (D-MA) and Mark Warner (D-VA) have introduced a bill, The Data Breach Prevention and Compensation Act of 2018, that would ultimately impose security obligations on credit reporting agencies (CRAs). The bill would expand the Federal Trade Commission (FTC)’s authority, establishing a new Director and Office of Cybersecurity with power to promulgate cybersecurity regulations and conduct cybersecurity investigations at CRAs that earn more than $7 million a year from the sale of consumer information. The Equifax breach prompted a flurry of legislation, but if passed, this bill would be the first to create data security standards for the credit reporting industry.

Both Warren and Warner have been active in attempting to rein in CRAs since the Equifax hack. Warner, a former tech executive who is vice chairman of the Senate Select Intelligence Committee, issued a statement in the wake of the Equifax breach in which he questioned “whether Congress should not only create a uniform data breach notification standard, but also whether Congress needs to rethink data protection policies.” Warner also wrote a letter to the FTC in September 2017, asking for an investigation into Equifax’s cybersecurity practices. Warren, who helped establish the Consumer Financial Protection Bureau, introduced (ultimately unsuccessful) legislation that would allow consumers to freeze their credit on demand and at no cost.

One of the most notable aspects of the bill is the power it gives to the FTC to impose massive fines for security breaches and reporting violations. CRAs would be subject to mandatory strict liability penalties for breaches involving consumer data. Violators would be required to pay $100 per consumer for data security breaches plus $50 for each piece of personal information compromised. This amount would be doubled and the maximum penalty increased to 75% of the CRA’s gross revenue for particularly egregious security lapses, failure to comply with the FTC’s data security standards, or failure to timely notify the agency of a breach. In addition, the bill requires the FTC to use 50% of each fine to compensate consumers.

The bill also contains stringent reporting requirements for CRAs, including a mandate to report breaches to the FTC within 10 days. CRAs would also be obligated to share detailed information concerning their security practices with the Commission, including their asset management, network management, and monitoring. A CRA must further create and maintain documentation demonstrating that it “is employing reasonable technical measures and corporate governance processes for continuous monitoring of data, intrusion detection, and continuous evaluation” of its security processes.

The FTC has initiated many enforcement actions for security failures under its existing authority, and multiple agencies, including the National Institute of Standards and Technology (NIST) have focused on developing risk management approaches to manage security. The bill itself appears to acknowledge the absence of any current generally recognized measures for evaluating, testing, and measuring the data security practices of CRAs, as it calls for a consultation on this point. The legislation appears unlikely to advance in the Senate.