Truly Organic? Not Really, Says FTC

By Sheila Millar on October 2, 2019 Posted in Labeling

Many consumers are drawn to products advertised as healthy and natural, and will often pay a premium for organic products, from foods to personal care items to clothing. But the Federal Trade Commission (FTC) takes a dim view of companies that don’t live up to their green promises. Case in point: Miami-based Truly Organic and its CEO, Maxx Appelman, just settled with the FTC for $1.76 million over allegations that the company’s personal care products advertised as “100% organic” were anything but.

Truly Organic sells its products nationwide through its own website and through national chains such as ulta.com, urbanoutfitters.com, and nordstrom.com. According to the FTC complaint, since at least 2015, Miami-based Truly Organic advertised its body washes, lotions, baby, haircare, bath, and cleaning products as “certified organic, “USDA certified organic,” and “Truly Organic.” The company also claimed its products were vegan, despite the presence of animal-derived ingredients such as honey and lactose.

The FTC alleges that some of Truly Organic’s products contain non-organic ingredients that can be organically sourced and that others have non-organic ingredients that the United States Department of Agriculture (USDA) prohibits in organic handling, such as cocamidopropyl betaine and sodium cocosurfactant. Some items, such as the company’s bath bombs and soaps, contain no organic ingredients at all, and were simply sourced as finished products from suppliers that do not sell any organic products. Not one of Truly Organic’s products was ever certified organic by USDA despite claims to the contrary.

This is not the first time Truly Organic found its bath and other products in hot water with regulators. USDA investigated the company in 2016 for supplying goods to third parties that had false “organic” certifications on their labels. USDA staff informed Appelman that he could not represent any Truly Organic products as “USDA Organic” or “Certified Organic,” and issued a Notice of Warning. Although Appelman initially seemed to comply with the USDA warning, the FTC avers that Truly Organic continued to claim on its YouTube channel that its products were “certified organic,” “USDA organic,” and “vegan,” and regularly repackaged and sold items the company knew were not organic. Appelman also engaged in other fraudulent conduct. More than three months after the USDA closed its 2016 investigation, he deleted the name of the legitimately certified company on an organic certification document and replaced it with Truly Organic’s information to falsely substantiate his company’s “certified organic” claims. He also falsified Material Safety Data Sheets and then provided those documents to third parties for use in marketing Truly Organic products.

The stipulated final order not only imposes liability on the company, but on Appelman personally. In addition to the fine, the order bars Truly Organic and Appelman from making any false or unsubstantiated claims that their products are wholly or partially organic; that they use organic ingredients or are certified organic; that they are vegan; or that they have been certified organic by a third party. The stipulated order prohibits Appelman, Truly Organic and their representatives from touting the environmental or health benefits of any good or service unless they support it with competent and reliable scientific evidence.

The Commission approved the settlement unanimously. Commissioner Rohit Chopra – who has been a notable dissenter in some significant orders over the past year – published a separate statement, characterizing the fine and injunctive provisions as a “commonsense resolution” that imposes personal responsibility on the CEO. He called for the FTC “to codify this approach in a Policy Statement addressing unlawful conduct that is dishonest or fraudulent.” Commissioner Chopra added that “[i]n cases involving such conduct, no-money settlements are inadequate, and the Commission should commit itself to exercising its full authority to protect consumers and honest businesses.”

As we have previously noted, the Federal Trade Commission has a low tolerance for greenwashing or unsupported claims interpreted to be beneficial to health. Whether a brand is advertising its products as “all-natural,” containing “zero VOC emissions,” “organic,” or some other express or implied environmental or health claims, it must back it up with competent and reliable scientific testing. There are certainly instances where the debate with regulators involves legitimate discussions about the level and relevance of a company’s technical substantiation, where reasonable minds could differ, but when businesses engage in garden variety fraud of the sort seen in this instance, companies and their officers are likely to be held to account.

What’s Next After Facebook’s Record $5 Billion Fine and Cambridge Analytica?

By Sheila Millar and Tracy Marshall on July 29, 2019 Posted in Advertising, Data Privacy

Facebook is facing some big changes after the Federal Trade Commission (FTC) settled with the social media giant over charges that it violated an earlier consent agreement. The company will pay a penalty of $5 billion, which is not only the biggest privacy fine in history, but also, according to FTC commissioner Noah Phillips, “almost 20 times greater than the largest privacy or data security penalty ever imposed worldwide.”

The order requires Facebook to make significant improvements in how it handles data privacy. Key changes include the creation of a privacy subgroup of Facebook’s board of directors to oversee data privacy, submission of quarterly privacy compliance statements that are independently certified by CEO Mark Zuckerberg and Facebook’s compliance officer(s), and a requirement that third parties with access to consumer information comply with the company’s terms, policies, and procedures. The order also mandates that an independent third-party assessor, approved by the FTC, provides quarterly assessments to the new privacy committee of Facebook’s Board.

The fine represents 9% of the company’s 2018 revenue. Critics in Congress and within the FTC’s ranks argued that the penalty barely touched Facebook’s profitability and did not force the company to stop collecting personal data. The two Democrats on the Commission, Rebecca Slaughter and Rohit Chopra, voted against the settlement, expressing the view that the order would not impose discipline on how Facebook treats data and privacy, and that Mark Zuckerberg should be held personally liable.

The FTC also launched an administrative complaint against now-bankrupt Cambridge Analytica (CA) “for its deceptive acts and practices to harvest personal information from Facebook users for political and commercial targeted advertising purposes.” The complaint alleges that CA collected Facebook profile data from 250,000-270,000 U.S. users plus 50-65 million of their Facebook friends without their consent.

The FTC further alleged that CA falsely claimed participation in the EU-U.S. Privacy Shield framework after the company neglected to renew its certification, which expired in May 2018. Under Privacy Shield rules, participants must affirm to the Department of Commerce, which oversees the program, that they will continue to apply the principles to personal information received during the time they participated in Privacy Shield. CA allegedly failed to do so while still claiming on its website that it adhered to Privacy Shield principles. In contrast with the Facebook settlement, the order individually names CA’s CEO, Alexander Nix, and its developer, academic researcher Aleksandr Kogan, for their personal involvement in the collection of Facebook members’ personal data.

Facebook’s privacy issues do not end with the FTC settlement. Facebook will also pay $100 million to the Securities and Exchange Commission (SEC) in a settlement announced on July 24, 2019 over charges that Facebook misled investors, presenting the risk of misuse of user data as hypothetical despite knowing about actual misuse for more than two years. Facebook is still under investigation by European data protection authorities in several member states for privacy violations under the General Data Protection Regulation (GDPR), under which fines can reach 4% of global profits. The FTC is also not done with Facebook; the agency is currently investigating the company for antitrust violations. Meanwhile, financial regulators have expression wariness of Facebook’s announced foray into cryptocurrencies.

Some advocacy groups denounced the settlement as not going far enough. The Electronic Privacy Information Center (EPIC) filed a Motion to Intervene in United States v. Facebook, calling the settlement “not adequate, reasonable, or appropriate.” EPIC claims the settlement would “extinguish more than 26,000 consumer complaints against Facebook that are pending at the FTC,” and asked the court to allow EPIC and other concerned organizations to have a chance to put their views before the FTC before the settlement is finalized.

Facebook still faces a bumpy enforcement road ahead, but the settlement with the FTC will likely have further ripples around the world for all international players. For example, as EU regulators continue their investigation of Facebook and other tech companies for alleged violations of the GDPR, we can expect that the FTC settlement will provide a benchmark they will try to beat to claim the title of “biggest penalty” for privacy violations worldwide. Investments in data privacy and security will continue to be an ever-larger component of corporate compliance programs.

Equifax to Pay Largest-Ever Data Breach Settlement

By Sheila Millar and Tracy Marshall on July 25, 2019 Posted in Advertising, Privacy

The Equifax data breach was one of the most massive data breaches of all time, and it has resulted in the biggest settlement for a data breach to date. After two years of investigations at the state and federal levels, credit reporting agency Equifax has agreed to a $675 million – up to possibly $700 million – settlement that puts to rest complaints from the Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB), as well as multistate class action litigation.

In 2017, Equifax was hacked when it failed to secure its servers, leaving the personal information of 147 million people – including credit card numbers, driver’s license numbers, Social Security numbers, birth dates, and addresses – exposed. As we previously reported, the resulting theft of consumer data resulted in multistate litigation and investigations by Congress, the FTC, and European data protection authorities. A year after the breach, the Government Accountability Office (GAO) released a report on the breach, which found Equifax was using software with a known vulnerability in its online dispute portal that enabled hackers to penetrate the network and acquire personal information. According to the report, the company’s systemic deficits in the areas of identification, detection, segmentation, and data governance led to the breach.

The Order, which was approved by Chief Judge Thomas Thrash Jr. of the U.S. District Court for the Northern District of Georgia on July 22, 2019, requires Equifax to pay at least $175 million in civil penalties to the states, District of Columbia, and Puerto Rico, $300 million to a fund that will provide free credit monitoring services to consumers, and $100 million in fines to the CFPB. Equifax will contribute up to $125 million more to the fund if the initial payment isn’t adequate to compensate consumer losses. Consumers will also receive six free credit reports annually for seven years.

In addition to the payout, Equifax must implement a comprehensive information security program and must designate an employee to oversee it. The company is required to obtain third-party assessments of its information security program every two years, and the FTC can approve the assessor for each two-year assessment period. Equifax also must invest a minimum of $1 billion to improve its data security over the next five years.

In prepared remarks at a press conference on July 22, 2019, FTC chair Joseph Simons used the opportunity to reiterate a point he made previously in testimony to Congress – that the FTC needs greater enforcement powers:

“The [CFPB] and the states were able to obtain civil penalties for this breach by a major financial institution. The FTC could not. The FTC could not, because we do not have civil penalty authority for initial violations of the FTC Act or for violations of the Gramm-Leach-Bliley Safeguards Rule. Fortunately, other agencies were able to fill in the gap – this time. But under different circumstances, future breaches might not always be subject to civil penalties, which sends absolutely the wrong signal regarding deterrence. For this reason, I renew my call for Congress to enact federal data security legislation that gives the FTC authority to seek civil penalties for first-time violations.”

Simons has repeatedly pushed Congress to grant the FTC greater enforcement powers, including the ability to impose fines for violations of federal laws that fall within its jurisdiction. The FTC’s recent willingness to use new tools, such as holding company executives personally liable for data breaches, shows that the FTC is creatively expanding the use of its enforcement arsenal while awaiting Congressional action, at least in some instances. However, the recent Commission vote to fine Facebook $5 billion for violations of a prior consent agreement – a situation where the FTC does have civil penalty authority – did not impose responsibility on Facebook founder Mark Zuckerberg or other senior executives. The failure to do so drew dissents from the two Democrats on the Commission, and the question of senior manager accountability will likely loom larger in future data breach and privacy investigations.

Boaz Green Interviewed by Regulator Watch About the Consumer Product Safety Commission’s Recent Enforcement Actions Against E-Liquids

By Sheila Millar on July 23, 2019 Posted in Regulations

As previously reported on Keller and Heckman’s The Continuum of Risk blog, the Consumer Product Safety Commission (CPSC) recently announced that it considers flow restricted containers for nicotine-containing e-liquids to be required under the Child Nicotine Poisoning Prevention Act of 2015 (CNPPA). Boaz Green was interviewed by Regulator Watch regarding CPSC’s recent enforcement actions, industry’s response, and the options available to companies receiving Notices of Violation from CPSC.

To watch the full interview, click here.

FTC and D-Link Settle Data Security Dispute

By Sheila Millar and Tracy Marshall on July 17, 2019 Posted in Data Privacy

After protracted litigation, the Federal Trade Commission (FTC) entered into a proposed settlement with computer software manufacturer D-Link over charges that the company misrepresented the security of its wireless routers and Internet-connected cameras and failed to take reasonable software testing and remediation measures to protect the devices.

As we previously reported, part of the FTC’s 2017 complaint against D-Link was dismissed by the U.S. District Court for the Northern District of California on three counts, including an allegation that D-Link’s failure to take reasonable security steps was an unfair practice under Section 5 of the FTC Act. According to the court, the FTC did not identify instances where consumers’ financial, medical, or other sensitive personal information was accessed, exposed, or misused and therefore did not meet its burden under Section 5 – a significant ruling that could affect the FTC’s authority to bring future claims under Section 5 unless it establishes actual harm. However, the court allowed three of the FTC’s six claims to go forward, including counts involving D-Link’s alleged misrepresentations that its devices provided adequate data security and that its routers and IP cameras were secure against potential hacking.

Under the proposed Order, D-Link must develop, implement, and maintain a comprehensive software security program that is audited by an independent third-party assessor every two years for 10 years. The Order also bars D-Link from selling, distributing, or hosting its IP camera set-up wizard software on its website. The FTC reserved the right to approve a third-party compliance auditor, a measure the agency is now using more routinely in settlement orders.

The FTC filed the proposed settlement with the court on July 2, 2019, to be approved and signed by a district court judge.

UK ICO Proposes GDPR Fines for British Airways and Marriott Data Breaches

By Sheila Millar and Tracy Marshall on July 11, 2019 Posted in Data Security

Earlier this week, the UK Information Commissioner’s Office (ICO) announced its intent to fine British Airways £183,390 million ($230 million) and its intent to fine Marriott International more than £99 million ($123 million) for violations of the General Data Protection Regulation (GDPR) arising out of data breaches. The ICO investigated the breaches as the lead supervisory authority under the GDPR “one stop shop” enforcement mechanism. Both companies have an opportunity to comment on the ICO’s proposals, and other EU Member State data protection authorities (DPAs) have an opportunity to comment before the ICO renders a final decision.

British Airways announced a data breach in September 2018 affecting personal information for approximately 500,000 customers after hackers installed malware on British Airway’s website that directed customers to a fraudulent site where personal information was accessed. According to a July 8, 2019 ICO statement, “a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well as name and address information.” The ICO’s proposed fine – the highest for a data breach under the GDPR to date – represents approximately 1.5% of the airline’s annual revenue, which is not as high as the GDPR’s ceiling of 4% of yearly turnover.

In November 2018, Marriott notified the ICO of a data breach affecting its subsidiary Starwood, which reportedly compromised personal information for approximately 339 million guests. Marriott acquired Starwood in 2016, but the breach was believed to have occurred in 2014 and was not discovered until 2018. In a July 9, 2019 ICO statement announcing the proposed fine, the Information Commissioner stressed the importance of performing sufficient data protection due diligence as part of a corporate acquisition.

The ICO is proving to be an activist data protection authority under the GDPR, but it is not the only member state DPA to flex its enforcement muscles. In January, the French DPA fined Google $57 million for the “misuse of personal data” of its users. The Irish DPA is currently investigating Facebook’s data security practices after a massive data breach affecting 50 million accounts occurred in September 2018, and the social media giant’s fine could reach around $1.63 billion should the maximum penalty be imposed. The two significant fines proposed by the UK ICO for the British Airways and Marriott data breaches indicate that DPAs are looking beyond social media companies and tech giants when potential compliance violations are identified, especially in the wake of a data breach.

Article 33 of the GDPR requires controllers to notify the supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it…unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” Some DPAs have stressed the need for companies to evaluate this harms-based threshold for filings. The fines may result in increasing the number of reports of possible data breaches to DPAs as companies conservatively elect to report, but companies must consider applicable reporting obligations in other jurisdictions, recognizing that any breach notification can trigger an investigation of a company’s security practices by relevant regulators.

Breach notification in the United States remains complicated because the reporting thresholds are not consistent, as our state data breach notification resource indicates. It remains critical for companies to establish sound data security, breach identification, breach management, and breach reporting procedures consistent with not only the GDPR, but all applicable laws where they operate.

FTC Continues Enforcement of False Privacy Shield Claims

By Sheila Millar and Tracy Marshall on June 20, 2019 Posted in Privacy

Nearly three years after the EU-U.S. Privacy Shield framework replaced the U.S.-EU Safe Harbor as a mechanism to transfer personal data from the European Union to the United States, the Federal Trade Commission (FTC) continues to monitor companies’ claims regarding participation. As we previously reported, the FTC has taken actions against several companies over the years for stating they were self-certified to the Privacy Shield framework when they either had never joined or when their certification had lapsed. Recently, the FTC settled with background screening company SecurTest, Inc over allegations that the company violated Section 5 of the FTC Act when it falsely claimed participation in the EU-U.S. Privacy Shield and identical Swiss-U.S. Privacy Shield frameworks.

According to the FTC’s complaint, SecurTest applied to the Department of Commerce (DOC) to participate in the Privacy Shield but never completed the process. Under the settlement terms, SecurTest must refrain from misrepresenting its participation in the Privacy Shield or any other privacy program sponsored by a government agency, self-regulatory organization, or standard.

The FTC also sent warning letters to 13 other companies that falsely claimed membership in the U.S.-EU Safe Harbor and U.S.-Swiss Safe Harbor frameworks, which no longer exist, and to two companies that stated they took part in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules system when they didn’t. The FTC’s actions confirm the importance of assuring that claims about participation in the Privacy Shield or any other privacy program are made only when an application has been approved and certifications are current. All references to certification must be promptly deleted from privacy policies and other materials if a certification has lapsed.

In its report to the European Parliament and the Council on the second annual Privacy Shield review conducted last year, the European Commission highlighted actions taken by the DOC and FTC, such as routine monitoring of companies for compliance and enforcement actions, and concluded that the United States continues to ensure that personal data transferred under the Privacy Shield meets EU adequacy criteria. The Commission reported that it will continue to monitor the effectiveness of the program and actions taken by the DOC and FTC. The validity of the Privacy Shield as an international data transfer mechanism will likely remain under scrutiny in both the U.S. and in Europe. But with some 4,000 companies now listed as certified on the DOC’s website, the Privacy Shield program remains a vitally important data transfer mechanism to many U.S. businesses. It is this very importance that means the FTC will continue to closely monitor adherence to assure that those claiming to be certified to the framework indeed meet the Privacy Shield criteria and that the program retains its integrity.

FTC Settles Lax Data Security Charges with Software Seller

By Sheila Millar and Tracy Marshall on June 17, 2019 Posted in Privacy

The Federal Trade Commission (FTC) entered into a proposed settlement with LightYear Dealer Technologies, LLC (aka DealerBuilt) on June 12, 2019, over allegations of lax consumer privacy protections. While no fines were levied, the order is remarkable for its detailed and extensive requirements governing the company’s future data privacy practices and the FTC’s role in overseeing implementation. The terms include specific instructions for mandatory third-party assessments of the company’s data privacy program using an assessor approved by the FTC, yearly reporting requirements, and imposition of personal responsibility on senior management for compliance with a comprehensive data privacy program.

The FTC’s complaint alleges that DealerBuilt, which licenses its LightYear software management system to car dealerships across the United States, collected and stored a massive amount of personal data but failed to provide reasonable data privacy protections for it. The company’s customers include some of the country’s largest Ford and Honda dealerships. DealerBuilt customers have the option either to license LightYear and use their own server or use DealerBuilt’s backup service, which stores customer data on DealerBuilt’s servers. The FTC alleged that personal information of millions of consumers was left exposed when a hacker gained access to unencrypted data stored in DealerBuilt’s customer backup database in October 2016. The hacker downloaded the personal information of some 69,000 consumers, including Social Security numbers, driver’s license numbers, and payroll details.

Among the additional claims alleged by the FTC are that DealerBuilt failed to:

Implement or maintain a written data security policy and reasonable data security guidance or training for employees or third-party contractors;
Assess the risks to the personal information stored on its network, such as by conducting periodic risk assessments or performing vulnerability and penetration testing of the network;
Use readily available security measures to monitor its systems and assets;
Impose reasonable data access controls, such as restricting inbound connections to known IP addresses, and requiring authentication to access backup databases;
Encrypt consumers’ personal information and put in place a reasonable process to select, install, secure, and inventory devices with access to personal information.

Under the terms of the proposed settlement, DealerBuilt is banned from “transferring, selling, sharing, collecting, maintaining, or storing personal information unless it implements and maintains a comprehensive information security program” that is subject to third-party assessments every two years. Unusually, the order also gives the Commission authority to approve the assessor every two years, and it requires that the assessor present detailed evidence that supports its conclusions via “independent sampling, employee interviews, and document review.” Senior management is obliged to certify that DealerBuilt has established, implemented, and maintained the requirements of the order; is not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission; and that certification “is based on the personal knowledge of the senior corporate manager, senior officer, or subject matter experts upon whom the senior corporate manager or senior officer reasonably relies in making the certification.”

The DealerBuilt settlement reflects “additional and significant improvements to the FTC’s data security orders that will further protect consumers and deter lax security practices,” according to Chairman Joe Simons. By imposing responsibility for compliance on senior executives for the second time in the last month, the DealerBuilt order signals an increased willingness on the part of Commissioners to impose deterrents as well as detailed mandates on companies that do not provide a reasonable level of data security for their customers’ personal information, and the growing role that management accountability is playing in privacy and security cases.

E-Vapor Industry Coalition Formally Opposes CPSC Novel Interpretation of CNPPA that Immediately Requires Flow-Restricted Packaging for E-Liquids

By Azim Chowdhury, Sheila Millar and Boaz Green on June 13, 2019 Posted in Product Safety

As previously reported on Keller and Heckman’s “The Continuum of Risk” blog, earlier this year, the U.S. Consumer Product Safety Commission (CPSC) announced that it was now reading the Child Nicotine Poisoning Prevention Act (CNPPA) to require nicotine e-liquid bottles to meet the “restricted flow requirement” in 16 C.F.R. § 1700.15(d), in addition to having child-resistant closures. A wave of enforcement actions soon followed. CPSC issued Notices of Violations to numerous e-liquid companies alleging that e-liquid bottles (specifically glass bottles) without flow restrictors rendered the e-liquid a “misbranded hazardous substance” pursuant to section 2(p) of the Federal Hazardous Substances Act (FHSA). CPSC ordered these companies to initiate a number of “corrective actions,” including to immediately stop sale and distribution, notify all known retailers and consumers, and destroy and dispose of returned units and any remaining inventory. Such actions may drive companies, including many small businesses that make up the backbone of the vapor industry, out of the market.

In response to CPSC’s demands for immediate action, a coalition of national and state vapor trade associations (the “E-Vapor Coalition”) came together to express their strong opposition to CPSC’s new reading of the CNPPA. In a letter to the CPSC Acting Chair and Commissioners, the E-Vapor Coalition lays out in detail the flaws in the CPSC’s new reading of the statute, which neither the plain language nor the legislative history support. Moreover, this recent interpretation is inconsistent with three years of previous guidance from the Commission. The E-Vapor Coalition letter also raises concerns about flaws in CPSC’s hastily drafted testing protocol for flow restrictors, which appear to be suitable only for testing plastic packaging. The letter also highlights the potential conflict with the Food and Drug Administration (FDA) rules prohibiting changes to e-liquid packaging without FDA premarket approval.

As the E-Vapor Coalition letter points out, while industry disagrees that the CNPPA requires flow restrictors as part of its special packaging requirements, or that packages without flow restrictors are “misbranded hazardous substances,” coalition members share CPSC’s desire to safeguard children from potential hazards of accidental ingestion of nicotine-containing e-liquids. While instances of accidental ingestion are fortunately extraordinarily rare, the E-Vapor Coalition does not object to an orderly transition to restricted flow packaging, in coordination with FDA. It is vital that this be done in a manner that will not unduly burden manufacturers, distributors and retailers, or deprive adult consumers of less risky alternatives to combustible tobacco by forcing existing producers who switch to flow-restricted packaging to seek pre-market authorization from FDA. Associations comprising the E-Vapor Coalition and their respective members look forward to working with both CPSC and FDA to achieve these goals.

To keep track of CPSC’s latest guidelines for liquid nicotine containers, see its Liquid Nicotine Packaging Business Guidance website.

If you have any questions regarding CPSC requirements, contact Sheila Millar (millar@khlaw.com) or Boaz Green (green@khlaw.com). For more information about our Product Safety Practice in general, visit https://www.khlaw.com/Product-Safety. For more information about our Tobacco and E-Vapor Practice, contact Azim Chowdhury (chowdhury@khlaw.com) and visit https://www.khlaw.com/evapor.