Photo of Sheila MillarPhoto of Tracy Marshall

At a press conference on August 11, 2022, the Federal Trade Commission (FTC or Commission) announced an Advance Notice of Proposed Rulemaking (ANPR), which was published, along with a fact sheet, to explore potential new rules governing what the FTC characterizes as prevalent “commercial surveillance” and “lax data security practices.” The FTC issued the ANPR pursuant to its Section 18 authority under the Magnuson-Moss Act, which authorizes the Commission to promulgate, modify, and repeal rules that define with specificity unfair or deceptive acts or practices within the meaning of Section 5(a)(1) of the FTC Act. This broad and complex ANPR was published in the Federal Register on August 22 (87 Fed. Reg. 51273), and comments are due October 21, 2022. The FTC will host a public forum on September 8, 2022, featuring a structured panel discussion and an opportunity for stakeholders to share their views on the ANPR, subject to a two-minute time limit.

What’s Behind the ANPR?

FTC Chair Lina Khan said in a statement that “firms now collect personal data on individuals on a massive scale and in a stunning array of contexts, resulting in an economy that, as one scholar put it, ‘represents probably the most highly surveilled environment in the history of humanity’. This explosion in data collection and retention, meanwhile, has heightened the risks and costs of breaches—with Americans paying the price.” The FTC offers several reasons to justify the proposal. First, the FTC argues that its inability to fine companies for egregious first-time offenses under its Section 5 authority may “insufficiently deter future law violations.” Second, while the FTC can enjoin conduct that violates Section 5, such relief may be inadequate in the context of alleged commercial surveillance and lax data security practices. Third, the FTC argues that even in instances in which it can obtain monetary relief for violations of Section 5, such relief may be difficult to obtain if certain practices do not cause direct financial injury or the harm cannot be quantified. Lastly, the FTC claims that a rule governing commercial surveillance and data security could provide clarity and predictability about the FTC Act’s application to existing and emergent commercial surveillance and data security practices. The vast, unfocused scope of the ANPR should concern any business engaged in data collection from consumers, as virtually all data collection activities could be implicated.

Key Terms

The FTC proposes several specific definitions for purposes of the rule:

  • “Commercial surveillance” is “the collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information. These data include both information that consumers actively provide—say, when they affirmatively register for a service or make a purchase—as well as personal identifiers and other information that companies collect, for example, when a consumer casually browses the web or opens an app.”
  • “Data security” is described as “breach risk mitigation, data management and retention, data minimization, and breach notification and disclosure practices.”
  • “Consumer” “includes businesses and workers, not just individuals “who buy or exchange data for retail goods and services.”

Questions

The FTC has posed a variety of questions – 95 of them – that touch on both advertising and privacy issues. The FTC asks for public feedback generally on “(a) the nature and prevalence of harmful commercial surveillance practices, (b) the balance of costs and countervailing benefits of such practices for consumers and competition, and (c) proposals for protecting consumers from harmful and prevalent commercial surveillance practices.” More specifically, the FTC solicits feedback on subjects with headings ranging from “to what extent do commercial surveillance practices or lax security measures harm consumers?” to “automated decision-making systems.” Of note are a variety of questions pertaining to children and teens, although Section 18(h) of the FTC Act restricted the Commission’s ability to act on the then-pending infamous “kid-vid” proceeding, in which the FTC proposed to ban advertising to younger children, and which earned the FTC the moniker as the “national nanny.” Section 18 also restricts the Commission’s ability to issue rules in “any substantially similar proceeding on the basis of a determination by the Commission that such advertising constitutes an unfair act or practice in or affecting commerce.” This is expected to be a point raised in comments.

Commissioners Phillips and Wilson Dissent

The vote to approve publication of the ANPR was 3-2. Commissioners Noah Phillips and Christine Wilson, voting no, each issued dissenting comments. In a strongly worded statement, Commissioner Phillips, who has since announced that he is leaving the FTC, questioned whether the FTC was overstepping its authority and recasting itself “as a legislature, with virtually limitless rulemaking authority where personal data are concerned.” In addition, Phillips claimed the ANPR was too broad and “provides no notice whatsoever of the scope and parameters of what rule or rules might follow; thereby, undermining the public input and congressional notification processes. It is the wrong approach to rulemaking for privacy and data security.” In her statement, Commissioner Wilson expressed concern that the ANPR could undermine efforts to pass a federal privacy law. She also asserted that elements of the ANPR constituted agency overreach and wandered “far afield of areas for which we have clear evidence of a widespread pattern of unfair or deceptive practices.”

The finalized agenda for the FTC’s September 8 public forum is here. This proceeding, as well as the FTC’s October 19 event, “Protecting Kids from Stealth Advertising in Digital Media,” will no doubt generate lively debate.

Photo of Sheila Millar

On August 24, 2022, the Federal Trade Commission (FTC or Commission) submitted a report to the Congressional Committees on Appropriations detailing current resources and personnel dedicated to COPPA enforcement, the number of COPPA violation investigations over the past five years, and the types of relief obtained in completed investigations. The report was submitted in response to a request by Congress under the Consolidated Appropriations Act of 2022.

The FTC report affirms that protecting children’s privacy remains a Commission priority. The COPPA program is served by 9-11 full-time, dedicated staff members; staff from other divisions, such as the Bureau of Consumer Protection’s Division of Privacy and Identity Protection, also work on COPPA issues. Between May 1, 2017 and May 1, 2022, the FTC opened 80 investigations of potential COPPA violations. Over the last five years, the Commission has expanded its remedies, such as requiring WW International/Kurbo to delete its proprietary algorithms, or mandating that Google/YouTube re-review apps on its ad exchange to identify and ban additional child-directed apps and to track which apps and websites have been banned or removed from its platform. Requiring companies to implement a comprehensive privacy program, often subject to periodic, independent monitoring, is an increasingly frequent element in enforcement agreements.

The Commission has also imposed larger fines for COPPA violations. The FTC reports that “in six of the 10 cases alleging violations of COPPA, the Commission obtained a civil penalty of at least $1.5 million,” including a $170 million fine in the Google/YouTube matter, “one of the largest civil penalties ever obtained, worldwide, for a privacy violation.”

The report ends with a plea for additional funding from Congress: “The Commission makes every effort to use its resources efficiently: as noted in recent testimony, ‘for FY 2021, every $1 of the FTC’s cost returned an estimated $36 in FTC-provided benefits to consumers.’ With more resources, however, the FTC could do more.”

On a related note, the FTC has extended its comment period for its upcoming workshop on Protecting Kids From Stealth Advertising in Digital Media to be held October 19, 2022. The new deadline for interested parties to submit comments is now November 18, 2022.

Photo of Peter Craddock

Since it started in May 2018, enforcement of the rules of the General Data Protection Regulation (GDPR) across the EU has revealed various national trends and differences in approach. Yet one difference seems to dwarf all others: the variation in the amount of the fines for GDPR violations. This has led the European Data Protection Board (EDPB) to publish new guidelines in May 2022 on the calculation of administrative fines under the GDPR.

The EDPB’s proposed methodology includes a formula for reaching a “starting amount” for fines, one that can afterward be adapted based on mitigating and aggravating circumstances. This formula is what we included in our GDPR fine calculator, DeFine, available here.

But a new methodology could lead to changes, so we analyzed over 300 fines, notably the top 250 fines on companies with an identifiable turnover. Based on our analysis, Italy has by far imposed the largest number of fines that would be on the “high” end of the scale of the new EDPB methodology, while across all supervisory authorities, fines for companies with a turnover of more than 250 million EUR are overwhelmingly on the “low” end of the scale.

Our key conclusion: if unchanged, this methodology could lead to significantly higher fines in the future. Read our analysis here.

Photo of Sheila MillarPhoto of Anushka R. Stein

In a notice published in the Federal Register on August 8, 2022, U.S. Consumer Product Safety Commission (CPSC) staff announced that the CPSC will hold a workshop on October 13, 2022, to discuss CPSC’s eFiling Program and the Commission’s plans for a joint Beta Pilot Test with U.S. Customs and Border Protection (CBP) (previously announced in the Federal Register on June 10, 2022).

During the test, which runs for six months, 30 to 50 participants will use the Partner Government Agency (PGA) Message Set to electronically file certificate data with CBP. The Beta Pilot is the second test carried out by the agencies to assess eFiling of data from a compliance certificate for regulated consumer products. Its purposes are “to develop and test the IT infrastructure necessary to support a full-scale eFiling requirement, inform CPSC’s pending rulemaking, develop internal procedures to support enforcement, and assist CPSC to target imports more accurately by enhancing targeting of non-compliant trade and facilitating the flow of legitimate trade.”

Workshop topics will include:

  • CPSC’s Enforcement at the Ports
    • CPSC and CBP Collaboration Overview
    • CPSC Targeting of Imported Products
  • CPSC’s Certificate Requirements
    • Statutory and Regulatory Requirements
    • Enforcement Efforts
    • Certificate Study
  • Overview of CPSC eFiling Program
    • Improved Enforcement/Facilitation of Legitimate Trade—Alpha Pilot
    • Beta Pilot Test Requirements
  • CPSC Procedures
    • CPSC’s Product Registry
  • CBP Procedures
    • CPSC’s draft Customs and Trade Automated Interface Requirements (CATAIR)
    • CPSC’s Risk Assessment Methodology (RAM) System and Use of Risk Scores for Enforcement
  • Third-Party Involvement in Certificate and eFiling Requirements
    • Role of brokers in meeting CPSC’s PGA Message Set requirement
    • Role of laboratories in meeting CPSC’s certificate requirement
  • Import Issues for eFiling
    • eCommerce
    • De minimis shipments
    • Direct-to-consumer shipments
    • International Mail Facilities
    • Foreign Trade Zones
    • Filing deadlines for different modes of transport

The October 13 workshop will be held from 9 a.m. to 4 p.m. ET both virtually and in person at the CPSC’s headquarters in Bethesda, MD. Interested parties must register by Thursday, October 6, 2022. Comments may be submitted following the workshop until November 11, 2022.

Photo of Sheila MillarPhoto of Anushka R. Stein

Two recent Senate bills show that Congress is working to improve the nation’s patchwork of recycling laws. On July 28, 2022, the Senate voted unanimously to pass The Recycling Infrastructure and Accessibility Act of 2022 (RIAA) and The Recycling and Composting Accountability Act (RCAA). The first of these directs the U.S. Environmental Protection Agency (EPA) to establish a pilot grant project to fund recycling projects at the local and state level, while the latter aims to improve EPA reporting on recycling and composting.

The RIAA, introduced by Senator Shelley Moore Capito (R-WV), charges the EPA with establishing a pilot grant program to fund eligible state, local, Native, or public-private partnership projects “that will significantly improve accessibility to recycling systems through investments in infrastructure in underserved communities through the use of a hub-and-spoke model for recycling infrastructure development.” The RCAA, introduced by Senator Tom Carper (D-DE), directs the EPA to track and publish data on recycling and composting rates across the country. The information would be used to help improve performance and influence future projects, including a potential national composting strategy.

The two bills demonstrate that expanding the recycling and composting infrastructure remains a Congressional priority. The proposed legislation enjoys not only broad bipartisan support but has garnered widespread support from industry.

Photo of Sheila MillarPhoto of Tracy MarshallPhoto of Peter Craddock

On May 12, 2022, the European Data Protection Board published guidelines with a methodology for calculating fines for violations of the General Data Protection Regulation (GDPR). These guidelines were subject to a public consultation until June 27, 2022.

Because these guidelines are likely to have an influence on future decisions by data protection authorities in the European Union, Keller and Heckman LLP has developed DeFine, a GDPR fine calculator tool based on that methodology. It is accessible online and free of charge here.

While we hope that organizations will not need to use DeFine too often in dealing with regulators, it may serve as an internal company awareness-raising mechanism to enhance understanding of data privacy risks.

Feel free to reach out to the creator, Peter Craddock, or to any other Keller and Heckman LLP contact if you have any questions or suggestions, would like to share feedback on DeFine, or require assistance on data privacy or security.

Photo of Sheila MillarPhoto of Tracy Marshall

As we previously reported, the Federal Trade Commission (FTC) seeks comments on proposed updates to its Guides Concerning the Use of Endorsements and Testimonials in Advertising (Endorsement Guides). The FTC’s notice was published in the Federal Register on July 26, 2022 (87 Fed. Reg. 44288), and comments must be received by September 26, 2022.

The Endorsement Guides are intended to help businesses ensure that their advertising testimonials and endorsements are not deceptive or misleading and that material connections between endorsers and companies are disclosed. As we discussed earlier, the FTC’s proposed updates to the Endorsement Guides focus on advertisers that post fake positive reviews or delete negative reviews and advertisers whose disclosures fall short. The changes would also add, among other things, more illustrative examples to help clarify the Guides’ provisions and new sections on endorsements and consumer reviews.

Additionally, the FTC proposes adding a new, very general provision regarding children, namely, that “[p]ractices which would not ordinarily be questioned in advertisements directed to adults might be questioned” if they are directed to children. However, the preamble supplements this by noting that the FTC suggested a similar provision in 1972 (after the kid-vid proceeding) but withdrew it in 1976. Now, the FTC suggests that “even as more evidence is gathered about the effects of children’s advertising, there is ample basis to recognize that children may react differently than adults to endorsements in advertising or to related disclosures.” Chair Lina Khan’s statement notes that the FTC currently lacks the full evidentiary basis to support specific guidance or propose best practices, and she pointed to the planned October 19, 2022 workshop, “Protecting Kids from Stealth Advertising in Digital Media,” as a vehicle to obtain more information. (The comment deadline was July 18).

It will be important for businesses to weigh in on all aspects of the FTC’s proposals.

Photo of Sheila MillarPhoto of Anushka R. Stein

Following its report to Congress in 2021 on what it characterized as unlawful repair restrictions, Nixing the Fix, the Federal Trade Commission (FTC or Commission) announced that it would prioritize investigations into limits on consumer repair rights pursuant to its authority under the Magnuson-Moss Warranty Act (Warranty Act) and Section 5 of the FTC Act. In its subsequent Policy Statement on Repair Restrictions Imposed by Manufacturers and Sellers, the FTC explained that “restricting consumers and businesses from choosing how they repair products can substantially increase the total cost of repairs, generate harmful electronic waste, and unnecessarily increase wait times for repairs.” With three successive enforcement actions, the FTC has signaled that it means business. Companies that restrict consumers’ right to repair goods at the servicer or supplier of their choice may well find themselves the target of an FTC complaint, as Harley-Davidson, Westinghouse, and Weber Stephens recently discovered.

On June 23, 2022, the FTC announced that it had brought a complaint against motorcycle icon Harley-Davidson Motor Company (Harley-Davidson) and generator manufacturer Westinghouse Outdoor Power Equipment/MWE Investments, LLC (MWE). Shortly thereafter, on July 7, 2022, the Commission brought a third complaint on similar grounds against grill company Weber-Stephens (Weber). In each case, the FTC alleged that the company imposed illegal stipulations on consumer repair rights in violation of the Warranty Act § 2302(c), which prohibits a warrantor “from conditioning a warranty for a consumer product that costs more than $5 on the consumer’s use of an article or a service, other than an article or a service provided without charge, which is identified by brand, trade, or corporate name, unless the warrantor applies for and receives a waiver from the Commission.” The FTC also charged the companies with deceptive conduct for representing that their warranties were conditioned on the use of brand products or services in violation of Section 5 of the FTC Act.

Harley Davidson and Westinghouse/MWE Investments

The FTC’s complaint against Harley-Davidson alleges that the company conditions its warranty on the use of genuine Harley-Davidson parts and accessories, in violation of the Warranty Act. For instance, the company’s 2021 warranty tells customers to “insist that your authorized Harley-Davidson dealer uses only genuine Harley-Davidson replacement parts and accessories to keep your Harley-Davidson motorcycle and its limited warranty intact.” The FTC also charged Harley-Davidson with failing to fully explain what is covered or excluded from its warranty, which instead instructs customers to “see an authorized Harley-Davidson dealer for details.”

The FTC complaint against Westinghouse licensor and manufacturer MWE alleges that the company conditioned its warranty for electric and gas generators on using Westinghouse suppliers and service providers for repairs. MWE’s warranty for portable generators, for example, excludes “portable generators that utilize non-MWE Investments, LLC replacement parts” and “products that are altered or modified in a manner not authorized in writing by MWE Investments, LLC.”

The Harley-Davidson consent order and MWE consent order are nearly identical and require each company to cease conditioning warranties on a customer’s use of parts or services affiliated with the brand (unless the parts or services are provided free of charge or the company has been granted a waiver by the FTC under 15 U.S.C. § 2303(c)). The orders require both companies to disclose clearly and conspicuously in their warranties the following statement: “Except as described in ____, taking your products to be serviced by a repair shop that is not affiliated with [company name] will not void this warranty and using third-party parts will not void this warranty.” The companies must notify customers, dealers, and service providers of the revised warranty and publish it on their websites. Further, Harley-Davidson must provide a “clear description and identification of products, or parts, or characteristics, or components or properties covered by the warranty and where necessary for clarification, excluded from the warranty.”

The order does, however, make clear that certain types of product damage to Harley-Davidson vehicles caused by third-party parts or servicers can be excluded from the “warranty coverage for defects or damage caused by unauthorized parts, service, or use of the vehicle, including defects or damage caused by use of aftermarket parts or use of the vehicle for racing or competition, and denial of coverage may be based on installation of parts designed for unauthorized uses of the vehicle, such as a trailer hitch.” The company may also, pursuant to a 2017 Consent Decree between Harley-Davidson and the Environmental Protection Agency, “exclude warranty coverage and deny all warranty claims for functional defects of powertrain components for any Harley-Davidson motorcycle registered in the United States if the vehicle was tuned using a tuning product not covered by a California Air and Resources Board Executive Order.” Importantly, these exclusions allow the company to protect the safety and roadworthiness of their motorcycles and to meet environmental regulatory requirements.

Weber-Stephens

As with Harley-Davidson and MWE, the FTC complaint against Weber charges the company with improperly conditioning warranties on a customer’s use of the company’s servicers and parts. The Weber consent order, like the Harley-Davidson and MWE orders, prohibits the company from imposing warranties that require customers to use the company’s parts and services and requires it to inform purchasers of its gas or electric grills that “using third-party parts will not void this warranty.”

Commission Approval

The Commission vote to issue the administrative complaint and to accept the consent agreement was in each case unanimous. FTC Chair Lina Khan and Commissioner Rebecca Slaughter released a joint statement following the Harley-Davidson and MWE orders in which they noted that “the consent orders obtained in these matters bar both manufacturers from continuing the unlawful tying of their warranties to the use of authorized service or parts and prohibit them from misrepresenting any material facts about the warranty. Importantly, the firms are also required to note clearly and conspicuously in public statements that using third-party parts or repair services will not void the warranty. They must also provide customers with clear notice alerting them of the change.”

Imposition of warranty limits on a consumer’s right to repair is a priority issue for the Commission. For some types of products, unauthorized service or installation of unauthorized parts could create potential safety concerns that will have to be carefully evaluated. Businesses should examine their warranties thoroughly for compliance with the Warranty Act requirements and consider the need to seek a waiver or to consider other options.

Photo of Sheila MillarPhoto of Tracy Marshall

On July 8, 2022, the California Privacy Protection Agency (Agency) announced the start of the formal rulemaking process to adopt proposed regulations implementing the California Privacy Rights Act (CPRA), which amends and expands the California Consumer Privacy Act (CCPA).

The CCPA entered into force on January 1, 2020; most of the CPRA’s provisions become effective on January 1, 2023, with a look-back to January 2022.

The Agency was created and granted rulemaking authority via a provision in the CPRA. On May 5, 2022, the California Office of Administrative Law approved the transfer of existing CCPA regulations to the Agency’s jurisdiction; these proposed regulations will be the Agency’s first rulemaking.

The proposed CPRA regulations (1) update existing CCPA regulations to harmonize them with CPRA; (2) operationalize new rights and concepts introduced by the CPRA; and (3) reorganize and consolidate requirements to make the regulations easier to follow and understand.

Public hearings on the proposed regulations and received comments are slated for August 24 and August 25, 2022, at 9:00 am PDT, during which the Agency will hear comments from interested parties. Written comments must be submitted by August 23.

Photo of Sheila MillarPhoto of Jean-Cyril Walker

In keeping with its 5-year schedule for comparability range updates to the Energy Labeling Rule (Rule), the Federal Trade Commission (FTC) published a Notice of Proposed Rulemaking on May 25, 2022, seeking to revise the Rule to require EnergyGuide labels to update comparability range information on EnergyGuide labels for televisions, refrigerators and freezers, dishwashers, water heaters, room air conditioners (ranges only), clothes washers, furnaces, and pool heaters.

The Rule requires manufacturers to affix EnergyGuide labels to many consumer products and prohibits retailers from removing the labels or making them illegible. EnergyGuide labels must contain three disclosures: a product’s estimated annual energy cost, its energy consumption or energy efficiency rating as determined by Department of Energy (DOE) test procedures, and a comparability range that shows the highest and lowest energy costs or efficiency ratings for all similar models. The FTC periodically updates comparability range and annual energy cost information based on current manufacturer data, pursuant to the Rule. The FTC is now proposing two amendments to the Rule: revising the average energy cost figures based on the national average cost figures published by the DOE and clarifying that manufacturers must use current DOE requirements to determine capacity for room air conditioners.

Manufacturers must display the updated information on product labels 90 days from publication of the final Notice announcing updated ranges for specific products. Manufacturers of room air conditioners will have until October 1, 2022, to give them time to change their packaging to include the updated labels and to coincide with the effective date of EnergyGuide labels for portable air conditioners.

The vote to approve publication of the Notice of Rulemaking in the Federal Register was 3-1. Commissioner Christine S. Wilson dissented, arguing that while the proposed revisions to the Rule are necessary, the Commission “fail(s) to take the opportunity to revisit the Rule’s highly prescriptive requirements,” including the detailed label requirements illustrated in the Notice.

Comments are due by July 11, 2022.