Consumer Protection Connection

Sears Seeks to Modify FTC Order on Online Tracking

Posted in Cybersecurity

In 2009, Sears Holding Management settled with the Federal Trade Commission (FTC) over allegations that the company’s online tracking activity exceeded what they told consumers. Now, Sears has submitted a petition requesting that the FTC reopen and modify its settlement order, arguing that changing technology since 2009 has made the order’s definition of “tracking applications” too broad and has put them at a competitive disadvantage.

The 2009 FTC complaint charged that Sears “failed to disclose adequately the scope of consumers’ personal information it collected via a downloadable software application,” telling consumers that the software would track their “online browsing,” without telling them that it also collected information from third-party websites consumers visited such as their shopping cart information, online bank statements, and drug prescription records. Sears was required to stop collecting data from participating consumers and to destroy what they’d collected.

Sears now argues that the definition of “tracking application” in the FTC’s order now applies to most software on nearly all platforms, making them “out of step with current market practices without a corresponding benefit in combatting threats to consumer privacy.” The definition of tracking applications is so broad, Sears claims, that it “encompasses all of Sears’ current mobile apps, forcing Sears to handle disclosures differently than other companies with mobile apps and disadvantaging Sears in the marketplace.” Sears claims that modification of the order would allow the retailer to align with current tracking practices used by their competitors.

Public comments may be submitted here until December 8, 2017.

Court Rules on Spectrum Challenge to CPSC Civil Penalty Authority

Posted in Product Safety

The U.S. Consumer Product Safety Commission (CPSC) dispute with Spectrum Brands was resolved in court on September 29, 2017, with both sides able to claim victories of sorts. On the one hand, CPSC was able to obtain a civil penalty for Spectrum’s failure to report and sale of recalled products. On the other, that civil penalty was substantially reduced.

The case arose after Spectrum’s predecessor-in-interest failed to report coffeemaker defects in a timely fashion and sold recalled products in violation of the law. The company’s former subsidiary, Applica Consumer Products, recalled the coffeemakers jointly with the CPSC in 2012. In United States v. Spectrum Brands, Inc., federal district Judge William Conley assessed a civil penalty of $1,936,675 and imposed an injunction on Spectrum requiring it to implement a compliance program to ensure conformance to the Consumer Product Safety Act (CPSA).

The court’s decision relied on a detailed analysis of factors in terms of the timeliness of reporting, the post-recall sale of products, and the imposition of compliance programs. Based on the timing of the failure to report and post-recall sales, the court found that the maximum civil penalty possible was $30.30 million. The company argued that the failure to report had arisen before the Consumer Product Safety Improvement Act of 2008 (CPSIA) increased penalty amounts, but the court earlier concluded that the failure continued until the company reported, and thus found that CPSIA’s civil penalty maximum increase applied.

However, in assessing the penalties, the factors that the court found most persuasive were generally in the company’s favor:

  • The CPSC failed to provide admissible evidence on several points, such as the risk of severe injury, the nature of the defect, and defendant’s actions, sincerity and motives in addressing non-compliance. This reduced the civil penalty amount relative to the maximum.
  • The defendant’s failure to report on time gave rise to per-complaint penalties that the judge increased every six months that the company failed to report. This increased the civil penalty amount.
  • The company’s failure to stop post-recall sales – compounded by a litany of missed opportunities – was particularly egregious, in the court’s view. Thus, the judge levied penalties of $1,000 to $2,000 per unit sold.

In addition, there was lack of evidence that new compliance measures were adopted that would prevent recurrence of the reporting failures, giving the court reason to impose CPSC’s requested injunction.

Very few court decisions reach this stage, so this case will be invaluable in analyzing and preparing for any negotiations with CPSC. The decision reflects one of the very few instances where courts have assessed civil penalties under the CPSA. The assessment of civil penalties indicates that Spectrum was unsuccessful in persuading the court that the failures to report and post-recall sales were minor. At the same time, the relatively low level of penalties, compared with other CPSC penalties that have reached over $15 million, demonstrates that CPSC could not show the judge that the violations were as egregious as it claimed. It also suggests that the agency may not be successful in future if it seeks to pursue higher penalties in courts. The lower penalties here were in part based on the CPSC’s failure to provide key evidence on several points, undermining its case, and that may lead to more specific requests for information from the CPSC legal team in civil penalty cases.

California Legislature Passes Cleaning Product Right to Know Act

Posted in Product Safety

The California legislature passed the Cleaning Product Right to Know Act of 2017 (SB 258) (the CPRTK Act), which was presented to Governor Jerry Brown on September 19, 2017, after the legislative session adjourned on September 15, 2017. Governor Brown now has until October 15, 2017, to sign or veto the bill. The Act requires manufacturers of cleaning products (defined as products “used primarily for commercial, domestic, or institutional cleaning purposes”) to disclose chemical ingredients and other information on both product labels and product websites, subjecting cleaning supplies to the same transparency requirements as cosmetics and food products. The chemicals required to be listed are intentionally added chemicals that are included on designated lists, or certain fragrance allergens designated under EU regulations. Listings of chemicals on the Proposition 65 list are not required until January 1, 2023.

Manufacturers of consumer and institutional air care, automotive, general cleaning, polish and floor maintenance products are already required under the Federal Hazardous Substances Act (FHSA) to provide warnings about hazards, such as flammability, combustibility, or toxicity (dermal, ingestion and inhalation toxicity). Required warnings include statements of principal hazard, which must appear on principal display panels (PDPs), as well as recommended emergency and medical care, and typically require disclosure of the principal ingredients that may result in a hazard. However, the FHSA does not require a full list of chemical ingredients. California is not the first state with a right-to-know statute. New Jersey passed a similar law in 2013, but required only disclosure of primary ingredients above certain concentrations in the workplace. The CPRTK Act goes further, requiring makers of designated products to list chemicals of concern and most other ingredients on both product labels and websites. And, for the first time, the presence of fragrance allergens must also be disclosed. In addition to the burden the CPRTK Act would place on manufacturers, employers would be required to make safety data sheets available disclosing the contents of workplace cleaning products.

Some major manufacturers have come out in favor of the bill, although others are concerned that mandatory listing of chemical ingredients might undermine basic product safety and risk avoidance information required under the FHSA related to hazards that might be more significant to consumers based on actual use patterns. Several industry groups initially expressed concern over protecting trade secret formulas. Now, the bill does not force manufacturers to list intentionally-added ingredients, including fragrance ingredients, that are protected as confidential business information (CBI). Such protected CBI includes any intentionally-added ingredient that the U.S. Environmental Protection Agency (EPA) has approved for inclusion on the Toxic Substances Control Act (TSCA) Confidential Inventory, or that the manufacturer (or its supplier) claims protection for under the Uniform Trade Secrets Act.

Existing requirements under the Occupational Health and Safety Act (OSH Act) already oblige employers to share information through safety data sheets on substances in the workplace. This bill would require employers already covered by such requirements to make certain information about designated chemicals available in similar fashion.

The bill has been presented for signature to Governor Jerry Brown, who is expected to sign. If he does not sign or veto by October 15, 2017, it will become law. Once the bill becomes law, manufacturer websites must be updated by January 1, 2020, and product labels by January 1, 2021.

FDA Issues Final Guidance on Interoperable Medical Devices

Posted in Connected Products, Product Safety

The U.S. Food and Drug Administration (FDA) finalized its recommendations on September 6, 2017 on how to secure interoperable medical devices’ interactions with other devices and information systems. The FDA’s initial guidance, drafted in January 2016, was designed to help manufacturers develop safe, secure information exchange systems in connected medical devices. The updated guidance incorporates comments received from industry, developers, and the public, and specifically recommends that all manufacturers of electronic medical devices take the following three steps:

  • Design their devices with interoperability as an objective;
  • Conduct appropriate verification, validation and risk management activities; and
  • Clearly specify the relevant functional, performance, and interface characteristics to the user.

The final guidance also clarifies what information on interoperability should be included in premarket submissions, makes recommendations “for appropriate functional, performance, and interface requirements for connected devices to avoid errors and inadequate interoperability, such as differences in units of measure,” and advises designers and manufacturers to “provide information on a product’s functional performance and interface characteristics so that those using it with other devices and systems can do so safely.”

Connected medical devices can offer patients enhanced functionality and a better user experience. They can also help to optimize health outcomes and reduce costs. However, care must be taken to assure that all relevant safety and usability concerns are addressed. The FDA’s updated guidance is geared toward helping manufacturers maximize the safety and security of connected medical devices and to ensure that operating and interface requirements are transparent.

Trump Administration Sets Stage for Republican Majority at CPSC

Posted in Product Safety, Regulations

Having previously nominated Acting Chairman Ann Marie Buerkle to serve as the permanent chair, and with Senate Commerce Committee hearings held on her confirmation on September 27, 2017, President Trump has nominated lawyer Dana Baiocco to serve as a commissioner on the U.S. Consumer Product Safety Commission (CPSC). Baiocco would serve for a standard 7-year term beginning October 27, 2017. If confirmed, Baiocco would replace Commissioner Marietta Robinson, an Obama appointee whose term expires in October. Currently 3 out of 5 commissioners are Democrats.

Although Commissioner Robinson’s term ends in October, she can continue to serve for up to an additional year, or until a replacement is sworn in, before she must vacate her seat. Historically, commissioners’ seats were vacant for extended periods before new nominees filled them. Indeed, for most of the CPSC’s existence, Congress funded only three of the five statutory seats. That Robinson’s seat will be filled more quickly than usual signals the White House’s intent to establish a 3-to-2 Republican majority at the agency before year’s end.

Earlier this year, Elliot Kaye was one of the last Obama-era holdouts to step down from a chairman’s role, giving Trump the seat to fill. He was replaced by current Acting Chairman Ann Marie Buerkle, whose nomination to serve as Chairman was considered by the Senate Commerce Committee in a hearing on September 27, 2017, and is scheduled to be voted on by the Committee on Wednesday, October 4. Baiocco’s nomination further demonstrates the Trump Administration’s interest in the independent agency.

Baiocco was one of the founding partners of law firm Jones Day’s Boston office, which opened in 2011, after joining the firm in 1998 and becoming a partner in 2007. She has represented manufacturers and airlines in a range of defensive litigation. Prior to her tenure at Jones Day, Baiocco served as a law clerk to Judge Gustave Diamond, a federal district judge in Pennsylvania, from 1996 to 1998. She is a member of the Pennsylvania and Massachusetts Bar Associations, served as the chairwoman of the Pennsylvania Bar Association House of Delegates from 2009 to 2011, and served on its board of governors.

FTC Streamlines its Fur, Textile and Wool Labeling Filing Process

Posted in Labeling, Regulations

Continuing Acting Chair Maureen K. Ohlhausen’s regulatory reform agenda, the Federal Trade Commission (FTC) has updated its website at RN.FTC.GOV to allow real-time electronic filings of requests to obtain, update, or cancel registered identification numbers (RN) under the Fur, Textile and Wool Labeling Rules. The new web-based process is intended to streamline applications from businesses and speed up FTC responses. The FTC’s website has been updated to allow “real-time data validation for applicants and alert them to possible errors to avoid unnecessary delays.”

Under the current rules, most clothing and textile and fur products must have a label that identifies the manufacturer or other business responsible for marketing or handling the item. The updated RN system means that businesses can avoid putting long company names on labels.

The FTC advises businesses with RN numbers to visit the site and verify that their information is accurate.

First FTC Complaint Against Social Media Influencers Settles

Posted in Regulations

When two celebrity gamers endorsed an online lotto service, they didn’t gamble on the Federal Trade Commission’s (FTC) insistence they tell their fans they actually owned the business they were promoting. Now, Trevor Martin and Thomas Cassell, and their company, CSGO Lotto, Inc., have settled charges of deceptive advertising. This is the first case the FTC has brought against social media influencers individually.

Martin and Cassell are known to millions of online gamers on YouTube as “TmarTn” and “Syndicate Project.” According to the FTC complaint, from 2015, Martin and Cassell operated and advertised the csglotto.com website. The men uploaded videos to the social media site which showed them playing—and winning—on a gaming site called CSGO Lotto. When Martin and Cassell had major windfalls on CSGO Lotto, they would post new videos that promised to tell viewers how they, too, could “win big” on the site. However, the gaming superstars neglected to tell their fans two important facts: (1) they jointly owned the company that ran the game, and (2) other celebrity endorsers on social media were also paid to flack CSGO Lotto.

Under the terms of the settlement, Martin and Cassell are required to “clearly and conspicuously disclose any material connections” with anyone promoting their products or services. They must also establish and maintain a system to monitor and review endorsers having material connections to their services and products, and are barred from misrepresenting their endorsers’ impartiality.

It was just a matter of time before the FTC began to crack down on actual endorsers who fail to disclose that they get paid to promote products and services on social media. Earlier this year, the FTC sent letters to 90 marketers and influencers warning them to “clearly and conspicuously disclose their relationships … when promoting or endorsing products through social media.” FTC staff sent additional warning letters to 21 social media influencers it contacted earlier this year regarding their Instagram posts, reminding them of their obligations to transparency and demanding responses to specific questions about their relationships with companies whose products they are promoting.

FTC Acting Chairman Maureen Ohlhausen commented: “Consumers need to know when social media influencers are being paid or have any other material connection to the brands endorsed in their posts. This action, the FTC’s first against individual influencers, should send a message that such connections must be clearly disclosed so consumers can make informed purchasing decisions.”

In addition, the FTC issued updated staff guidance that includes “specific questions social media influencers and marketers may have about whether and how to disclose material connections in their posts,” including tagging, Instagram and Snapchat disclosures, and where such disclosures need to be made.

Many advertisers have social media policies in place to ensure they comply with material disclosure rules, but it can be challenging to police all influencers. The FTC has now let social media influencers know it’s game on: endorsers themselves may be targets of enforcement action if they fail to disclose their relationship with the brands they are promoting.

Dietary Supplement Company and its Endorsers Settle with FTC Over Deceptive Marketing Claims

Posted in Advertising

Remember those ads from the 80s where an actor would start a medicine endorsement with the disclaimer: “I’m not a doctor, but I play one on TV”? A recent Federal Trade Commission (FTC) settlement order relating to the marketing of the dietary supplements CogniPrin and FlexiPrin is a good reminder about the importance of using clear and conspicuous disclosures in advertising and ensuring that health-related claims are supported by competent and reliable scientific evidence.

Last February, the FTC and the Maine Attorney General filed a joint complaint against nine defendants for allegedly making false and misleading claims related to the dietary supplements CogniPrin and FlexiPrin that were not backed by reliable scientific evidence. The complaint also alleged that print and Internet ads featured fake testimonials about the products, radio ads gave the impression that they were educational segments rather than advertorials, one of the company’s expert endorsers failed to examine the products and disclose that he received a percentage of sales revenue, and the ads failed to disclose material conditions relating to a “free trial” period.

Six of the defendants settled with the FTC and the Maine Attorney General in March, and the remaining three (the marketing company, its owner, and its expert endorser) entered into a settlement on August 23. The most recent settlement order imposes a $6.5 million fine and prohibits the defendants from making health-related claims that are not supported by “randomized, double-blind, and placebo-controlled” testing. In addition, the defendants are required to disclose whether their endorsers receive compensation, and customers must give express consent before being enrolled in continuity programs.

The FTC has warned marketers and influencers about their obligation to clearly and conspicuously disclose their relationships when endorsing products, and has filed complaints against a number of businesses for lack of adequate endorsement disclosures. In addition, as we previously reported, the FTC recently sent warning letters to several influencers advising them about their obligations. As the recent settlements over the marketing of CogniPrin and FlexiPrin make clear, marketers should also ensure that all material terms of their offers are clearly and conspicuously disclosed and that any health-related claims are backed by reliable scientific evidence. Companies that fail to do so may find themselves subject to some strong medicine from the FTC.

FTC Green Lights TRUSTe’s Proposed Safe Harbor Program Modifications

Posted in Data Security

The Federal Trade Commission (FTC) has approved changes TRUSTe proposed to its safe harbor program several months ago under the Children’s Online Privacy Protection Act (COPPA) Rule. The approved modifications include a new requirement that program participants conduct an annual internal assessment of third parties’ collection of personal information from children on their websites or online services by checking for tracking technologies. Other changes include: TRUSTe’s program requirements are now referred to as “Children’s Privacy Certification Standards”; the use of “seal” rather than “trustmark” and “Privacy Notice” in place of “Privacy Statement”; additional data security requirements; and personnel training requirements for participating businesses. TRUSTe claims its new rules “meet or exceed COPPA requirements” and by approving the revisions, the FTC agreed.

The COPPA Rule requires that operators of commercial websites and online services directed to children under the age of 13 must post comprehensive privacy policies on their sites, notify parents about their information practices, and obtain parental consent before collecting, using, or disclosing any personal information from children under the age of 13. TRUSTe manages an approved safe harbor program intended to ensure that online businesses are complying with COPPA rules.

In its role as a safe harbor operator under COPPA, TRUSTe is required to carry out annual reviews of website operators’ policies, practices, and representations. TRUSTe proposed the changes following a settlement earlier this year with the New York Attorney General over allegations that the company did not adequately assess whether companies certified under its program allowed third parties to track children at participant sites.

Cybersecurity Update

Posted in Cybersecurity

As connected products are increasingly integrated into everyday life, measures to address the security of Internet of Things (IoT) devices continue to evolve. Some of the latest initiatives include the following.

NTIA issues guidance on cybersecurity communications
Last month, as part of an ongoing multi-stakeholder initiative, a working group of the National Telecommunications and Information Administration (NTIA) issued guidance to help IoT manufacturers more effectively communicate cybersecurity and privacy information to consumers. The working group considered guidance from other agencies, including the Federal Trade Commission and Department of Homeland Security, nonprofits, and industry.

The NTIA document, Communicating IoT Device Security Update Capability to Improve Transparency for Consumers, focuses on “key elements” for manufacturers to consider communicating to consumers prior to purchase, which are crucial for transparency and informed choice. They include informing consumers upfront whether their devices will receive security updates, how updates will be communicated (e.g., will they update automatically?), and when updates will end. NTIA also recommends addressing how users are notified about security updates; what happens when a device no longer receives update support; how the manufacturer secures updates; any costs for consumers to keep their devices current once updates end; and when or whether a device ceases to operate or loses functionality when security support ends, or whether users bear the risk of operating the device once security updates end.

The guidance emphasizes that updates and patches do not offer complete device protection and are not the sole security measures that IoT manufacturers and consumers should take. Thus, while the guidance provides a useful roadmap for IoT manufacturers, companies may wish to consider advising on additional security practices and policies that apply to the device and prudent steps for consumers to take to maintain device security, such as password management. The recent focus on communicating about IoT updates and patches appears to stem from the recognition that IoT devices are powered by software, and that software is updated and replaced, sometimes frequently.

Internet of Things (IoT) Cybersecurity Improvement Act of 2017
On August 1, Senate Cybersecurity Caucus co-chairs Mark Warner (D-VA) and Cory Gardner (R-CO) introduced a bill to provide minimum cybersecurity operational standards for connected products purchased by federal agencies. Per Senator Gardner, the Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would “ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from penetrating our government systems.” The bill would require agencies to include a clause in procurement contracts requiring suppliers of connected products to meet basic industry-wide cybersecurity standards. Suppliers would be obliged to provide written certification that devices do not contain any known security vulnerabilities or defects, and allow for patching of security updates. In addition, connected devices would be prohibited from including hard-coded passwords, which can provide a back door for malware.

Although this bill would apply only to connected products purchased by the federal government, federal procurement standards are often mirrored by state procurement officials and can find their way into other specifications as well.

ANSI introduces first independent cybersecurity standard
Another development affecting cybersecurity of connected products is the finalization of the first independent standard for IoT device cybersecurity. The American National Standards Institute (ANSI) introduced UL 2900-1, General Requirements for Software Cybersecurity for Network-Connectable Products, on July 5. Developed as part of UL’s Cybersecurity Assurance Program, the UL 2900 series applies established security design principles to measurable criteria to assess vulnerabilities of connected products. UL 2900 has been recognized by the Food and Drug Administration, which is expected to formally announce its adoption in the next Federal Register notice.

As cybersecurity standards, guidelines, and proposed regulations for IoT devices proliferate, it is important to remember that the specific security measures adopted must be relevant to the type of information collected by a particular IoT device, including the potential sensitivity of that data.
