Photo of Sheila Millar

The Children’s Advertising Review Unit (CARU), a division of BBB National Programs, recently updated its Self-Regulatory Guidelines for Children’s Advertising. Important updates include:

  • To align with the Children’s Online Privacy Protection Act (COPPA), the Guidelines now apply to national advertising primarily directed to children under the age of 13 instead of under 12, regardless of the medium involved.
  • The Guidelines outline criteria used to assess whether a national ad is primarily directed to children.
  • The Guidelines confirm that placement or integration of a product, service, character, or brand in editorial, educational, entertainment, or other non-commercial content is not within scope unless it constitutes an endorsement.
  • The Guidelines respond to the rise of influencer marketing by incorporating principles of the FTC Guidelines on Endorsements and Testimonials.
  • A new section specifies that in-app and in-game advertising may not use unfair, deceptive, or other manipulative tactics to encourage such purchases, and requires that methods for exiting an ad are “clear and conspicuous.” Games and apps with in-game purchases must make clear that such transactions involve real currency.
  • Reflecting the growing societal focus on diversity and inclusion, another new provision of the Guidelines urges advertisers to refrain from depicting or encouraging negative social stereotyping, prejudice, or discrimination.
  • The privacy section of the previous version of the Guidelines has been removed and published separately.

The new Guidelines take effect January 1, 2022.

Photo of Sheila MillarPhoto of Anushka R. Stein

The circular economy. Sustainability. Single-use plastics bans. Marine litter. Microplastics. Climate change. These are only some of the issues driving the demand for more “environmentally friendly” products. In recent years, we have seen a surge in product and raw material innovations designed to improve environmental performance, and companies around the world are pledging to take action to reduce their environmental impact. These product developments and business commitments encourage marketers to differentiate their offerings and operations by making claims that highlight environmental enhancements or benefits.

The uptick in environmental marketing claims is generating increased attention from class action lawyers and regulators, and false advertising claims are one of the fastest-growing areas of litigation in the U.S.  Click here, for a more detailed review of some of the federal, state, local and global developments that advertisers should consider when crafting environmental marketing campaigns.

Photo of Sheila Millar

After more than five months of silence regarding its choices to lead the U.S. Consumer Product Safety Commission (“CPSC”), the Biden Administration has now unveiled all three of its CPSC nominees in less than two weeks, with its July 13 announcement of President Biden’s intent to nominate Richard Trumka, Jr., currently General Counsel and Staff Director at the House Oversight and Investigations Committee’s Subcommittee on Economic and Consumer Policy.

On July 2, the White House had announced it would nominate Alexander Hoehn-Saric, Chief Counsel for Communications and Consumer Protection with the House Energy & Commerce, to be a CPSC Commissioner and the agency’s chairperson, and Mary Boyle, currently CPSC’s Executive Director as a Commissioner, as well.

As we wrote previously, the Commission currently has one vacant seat with another opening this October with Commissioner Elliot Kaye’s departure after his hold-over year, and a third available Commission slot with the end of Acting Chairperson Bob Adler’s term. We assumed that Hoehn-Saric and Boyle would be slotted for the open seat and Kaye’s; the White House has confirmed that assumption with its formal submission of their nominations to the Senate. That means Trumka would be slotted for Adler’s seat. Assuming the three nominees are confirmed, the Commissioners and their terms would be as follows through the current Biden Administration:

Biden Consumer Product Safety Commission
Commissioner Term Through
Dana Baiocco (R) 2024
Mary Boyle (D) if confirmed 2025
Peter Feldman (R) 2026
Alexander Hoehn-Saric (D, Chair) if confirmed 2027
Richard Trumka, Jr. (D) if confirmed 2028

The Senate Committee on Commerce, Science, and Transportation will need to hold one or more hearings to consider the three nominees. With the Senate’s August recess looming, a hearing in the next three weeks seems unlikely, but is possible. A Committee vote on their nominations would come after a hearing, and a floor vote some time after that. With Kaye slated to depart October 27, and Adler expressing a desire to step down rather than stay for a holdover year, we anticipate action this fall on all three nominees.

Photo of Sheila MillarPhoto of Jean-Cyril Walker

Goods advertised as “Made in the USA” (MUSA) are potential money-makers for manufacturers tapping into the market of consumers who seek home-grown products. In recent years, however, the Federal Trade Commission (FTC) has investigated companies that deceptively marketed their goods as American-made, sending out warning letters, closing out investigations of companies that quickly change their advertising, and initiating more forceful enforcement action against advertisers who cannot substantiate MUSA claims. The FTC now has an additional legal basis for these investigations: a new rule that requires business making unqualified MUSA claims on their labels to prove their products are “all or virtually all” sourced and manufactured in America – or potentially pay hefty fines.

The Made in USA Labeling Rule (The Rule) codifies the Commission’s Decisions and Orders and its Enforcement Policy Statement on U.S. Origin Claims. It applies to all labels, whether they appear on product packaging or online, and includes mail order catalogs or mail order promotional materials that include a seal, mark, tag, or stamp declaring goods are “Made in the United States.”

Under the Rule, companies are barred from making unqualified MUSA claims unless they can establish that:

  • Final assembly or processing of the product occurs in the United States;
  • Significant processing that goes into the product occurs in the United States; and
  • All or virtually all ingredients or components of the product are made and sourced in the United States.

The Rule provides an exemption for companies that can show their unqualified MUA claims are not deceptive. This isn’t a new concept. However, it also empowers the FTC to pursue civil penalties of up to $43,280 per violation against companies that make false MUSA claims.

The vote to approve the Final Rule was 3-2. Voting in favor, Commissioners Rohit Chopra, Rebecca Kelly Slaughter, and Chair Lina Khan issued a statement praising the action, which is consistent with a 1994 statute codified in 15 U.S.C. § 45(a). The Rule reflects longstanding guidance and legal precedent without imposing new obligations on businesses. The three Commissioners applauded the “broader range of remedies including the ability to seek redress, damages, penalties, and other relief from those who lie about a Made in USA label” authorized by the Rule. Commissioner Christine S. Wilson dissented, saying that the Rule is overbroad and “could be read to cover all advertising, not just labeling.” She argued that the rule thereby exceeds the FTC’s statutory authority. She added: “The Supreme Court’s recent decision in AMG  has eliminated the FTC’s ability to seek equitable monetary relief under Section 13(b) of the FTC Act to compensate consumers. Thus, the temptation to test the limits of our remaining sources of authority is strong.”

In addition to its authority under the Rule, the FTC will continue to pursue deceptive MUSA advertising claims via its authority under Section 5 of the FTC Act.

One thing has been clear across several different administrations: false MUSA claims are a concern to regulators and will continue to garner enforcement attention. Companies that wish to label and/or advertise products as U.S.-made should make sure they understand the Rule as well as advertising basics, and confirm that they can substantiate express or implied MUSA claims on packaging, labeling, and advertising. False claims on labels could trigger civil penalties.

Photo of Sheila MillarPhoto of Tracy Marshall

On June 4, 2021, the European Commission adopted  a new set of standard contractual clauses (SCCs) governing exchanges of personal data between data controllers and data processors and transfers of personal data from the EU to the U.S. or other countries that are not deemed to ensure adequate protection for personal data. The revised SCCs reflect new requirements for the protection of personal data under the EU General Data Protection Regulation (GDPR) and take account of the July 2020 judgment of the Court of Justice of the European Union (CJEU) in Schrems II that declared the EU-U.S. Privacy Shield framework for data transfers invalid and stipulated stricter requirements for transfers of personal data based on SCCs.

The new SCCs are designed to reflect the growing complexities of cross-border data processing and digital supply chains by offering a more flexible, if more stringent, approach that adds additional scenarios under which personal data is transferred. The new SCCs enter into force on September 27, 2021 for new contracts. There is an 18-month transition period for existing contracts based on previous sets of SCCs. The old SCCs should be replaced by the new version by December 27, 2022.

Key provisions of the new SCCs include:

Types of data transfers

The new SCCs provide different “modules” to address transfers of personal data in four scenarios. As with previous sets of SCCs, the new SCCs cover controller to controller transfers (Module One) and controller to processor transfers (Module Two). For the first time, the European Commission has also addressed processor to controller transfers (Module Three) and processor to processor transfers (Module Four).

Compliance with Schrems II

The CJEU’s decision in Schrems II upheld the validity of SCCs, but the court ruled that organizations must warrant that third countries to which data is exported provide adequate protection for personal data transfers under EU law. Organizations that cannot comply with this requirement must either introduce additional safeguards or cancel transfers.

The new SCCs appear to address this issue by allowing organizations to take a risk-based approach that assesses the state of the art, implementation costs, the nature, scope, context, and purpose(s) of processing, and whether public authorities are likely to access the personal data being transferred. The clauses include notification obligations to the data exporter, and, where possible, the data subject, of a legally binding request from a public authority for personal data. Because the Schrems II decision focused on disclosure of personal data of EU residents to the U.S. government, these clauses may be particularly significant for companies facing demands from a variety of U.S. agencies for such data.

Sensitive Data

Where a transfer involves “sensitive” personal data as defined under EU law (i.e., data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences) the data importer must apply special restrictions or adopt safeguards appropriate to the specific risk involved, such as restricting who can access personal data, adopting added security measures (such as pseudonymization), or other measures.

Onward transfers

Onward transfers to additional recipients in third countries are allowed only if:

  • The onward transfer is to a country with adequate safeguards in place for the protection of personal data or the third party otherwise ensures appropriate safeguards; or
  • The onward transfer is necessary for the establishment, exercise, or defense of legal claims in administrative, regulatory, or judicial proceedings or is necessary to protect the vital interests of the data subject or of another natural person.

“Docking clause”

More than two parties can now sign onto to a single contract pertaining to data transfers at any time during its term.

Recordkeeping

Data importers are required to document their processing activities and inform data exporters if they become unable to comply with the SCCs. Data exporters must document that they used reasonable efforts to ensure that data importers are able to comply with the new contractual clauses.

***

Global businesses as well as policymakers have a strong interest in making certain that personal data can be freely transferred and that the data is appropriately protected. The European Commission’s decision should help ensure that SCCs remain a tool for businesses to meet their GDPR obligations in today’s complex world.

Photo of Sheila Millar

After more than five months of eager anticipation, the CPSC community finally knows who will be leading the agency, assuming confirmations go as smoothly as expected. President Biden announced on July 2, 2021 that he will nominate Alexander Hoehn-Saric for Chair and a seat on the Commission. Hoehn-Saric is currently Chief Counsel to the House Consumer Protection & Commerce Subcommittee, the arm of the House Energy & Commerce Committee that has oversight of CPSC.

Biden has also nominated Mary Boyle for a seat on the Commission. Boyle has been a longtime CPSC career staffer, currently serving as the agency’s Executive Director after years in the Office of General Counsel that included a term as General Counsel.

Currently, one spot on the five-member body is open as well as the Chairmanship. Current Acting Chair Bob Adler’s term is set to end in October; he can hold over for up to a year if no replacement is confirmed for his seat, although he has expressed a desire to leave the agency when his term ends this year. Commissioner and former Chair Elliot Kaye is already in his holdover year and will leave the agency no later than October unless he is renominated and confirmed. We understand Hoehn-Saric and Boyle will be nominated for the open seat and Commissioner Kaye’s slot, leaving Commissioner Adler to remain as Commissioner while the White House selects a third nominee.

CPSC Commissioners serve for fixed terms regardless of confirmation dates. As a result, whoever takes the open seat would have a term running through 2025, whoever takes Commissioner Kaye’s seat would serve through 2027, and whoever takes Commissioner Adler’s seat would serve through 2028. The two Republican Commissioners, Dana Baiocco and Peter Feldman, have terms that run to 2024 and 2026, respectively. CPSC is allowed no more than three Commissioners from the same political party. With two Republicans already serving and a remaining seat to fill, President Biden has an opportunity to add another Democrat to round out a full complement of Commissioners.

Photo of Sheila Millar

After completing its review of testing and labeling regulations for children’s products, staff of the Consumer Product Safety Commission (CPSC) recommended leaving the current product testing and component part testing regulations as is. The CPSC carried out this review of the “Testing and Labeling Regulations Pertaining to Product Certification of Children’s Products, Including Reliance on Component Part Testing” (testing rule) under section 610 of the Regulatory Flexibility Act (RFA), which requires a review 10 years after publication for any rule that has a significant impact on a substantial number of small businesses. Along with 16 C.F.R. part 1109, “Conditions and Requirements for Relying on Component Part Testing or Certification, or Another Party’s Finished Product Certification, to Meet Testing and Certification Requirements” (component part testing rule), the testing rule was up for review this year, as both rules do have a significant impact on many small businesses.

The testing rule lays out rules and standards for manufacturers to follow in obtaining third party testing for children’s products periodically and when there has been a material change in a product’s design or manufacturing process. It also specifies how products may be labeled to indicate compliance with Section 14 of the Consumer Product Safety Act (CPSA). The component part testing rule specifies how manufacturers can use third party tests of component parts of products to certify the compliance of the finished product. The component part testing rule was intended to reduce the costs and other burdens of testing finished children’s products.

Section 610 requires agencies to consider five factors in reviewing rules to minimize any significant economic impact of the rule on small entities:

  1. The continued need for the rule;
  2. The nature of complaints or comments received concerning the rule from the public;
  3. The complexity of the rule;
  4. The extent to which the rule overlaps, duplicates, or conflicts with other Federal rules, and, to the extent feasible, with State and local governmental rules; and
  5. The length of time since the rule has been evaluated or the degree to which technology, economic conditions, or other factors have changed in the area affected by the rule.

Following an analysis of the feedback received by staff during the 60-day public comment period and after considering the five factors, the CPSC concluded that no changes to the testing and component part testing rules were warranted at this time. The Commission acknowledged that the costs of third-party testing for compliance certification still pose significant costs on some small businesses, but rejected requests for test burden relief, such as reducing the required frequency of periodic testing or revising the definition of small batch manufacturer, as either inconsistent with ensuring compliance or precluded by statute. The CPSC did note that additional guidance on using the component part testing rule could help small businesses use the rule to reduce their costs. Input from children’s product companies on that point may be useful in developing approaches that achieve both compliance and cost reduction goals.

To learn more about current product safety issues and regulatory considerations for connected devices, register now for our free webinar: Product Safety and Regulation of Connected Products, June 24 at noon.

Photo of Sheila Millar

The Federal Trade Commission (FTC) and the Food and Drug Administration (FDA) recently sent warning letters to five dietary supplement companies– LeRoche Benicoeur/ConceiveEasy; EU Natural Inc.; Fertility Nutraceuticals LLC; SAL NATURE LLC/FertilHerb; and NS Products, Inc. – warning them that advertising their products as treatments that could cure or treat infertility without substantiating evidence violates the FTC Act. Such claims also subject the products to FDA scrutiny as drugs under the Federal Food, Drug, and Cosmetic Act, which prohibits the introduction or sale of new drugs into interstate commerce without prior FDA approval. In each case, the agencies asserted that the companies promoted their products as able to “cure, treat, mitigate, or prevent disease.” Such assertions “establish that the product is a drug under section 201(g)(1)(B) of the Federal Food, Drug, and Cosmetic Act because it is intended for use in the cure, mitigation, treatment, or prevention of disease” and require FDA approval even if they are labeled as dietary supplements.

For example, NS Products promises on their website that by using their NaturaCure supplement “You will get pregnant very fast and give birth to healthy children regardless of . . . how severe or chronic your infertility disorder.” Similarly, Fertility Nutraceuticals assured customers that their CONFLAM Forte supplements are “[W]ell suited for women with infertility, a history of implantation failure, chemical pregnancies and miscarriages or with known inflammatory conditions, like obesity, polycystic ovary syndrome (PCOS), severe allergies and autoimmune conditions” and were the “best fertility supplements to boost your chance of pregnancy or improve your IVF success rate.”

Warning letters have been an important tool the agencies have used during the COVID-19 pandemic to address COVID treatment claims. Claims that a product can treat a medical condition, whether it involves infertility, a virus, or something else, must be substantiated by competent and reliable scientific evidence and comply with applicable registration or other regulatory obligations or face some potentially expensive consequences in the form of civil penalties or other enforcement actions.

Photo of Sheila MillarPhoto of Tracy Marshall

The Federal Trade Commission (FTC) has released the final agenda for its first workshop on the use of “dark patterns” online, Bringing Dark Patterns to Light: An FTC Workshop, which will be held virtually on April 29, 2021. The workshop will explore how to define “dark patterns,” their prevalence, possible harms (including to vulnerable groups) and potential solutions, among other things. The agency is also soliciting comments on relevant issues (see our earlier post for a list of topics).

The issue is receiving broader attention on the policy front. The FTC workshop provides an opportunity to explore the issues in more detail, and interested parties are encouraged to submit comments.

Photo of Sheila MillarPhoto of Tracy Marshall

The long trudge towards final regulations implementing the California Consumer Privacy Act (CCPA) continues. In December of last year, the California Attorney General issued a fourth set of proposed regulations. These additions were approved by the California Office of Administrative Law (OAL) on March 15, 2021 and took effect immediately. Here are the key changes businesses should know about.

New “Do Not Sell” Icon

The new regulations offer a voluntary opt-out icon that may be used in addition to (but not in place of) posting the notice of a California consumer’s right to opt-out of the sale of personal information.

Businesses must post the notice of right to opt-out on the webpage that consumers are directed to after clicking on the “Do Not Sell My Personal Information” link on their homepage (or landing page/menu in the case of mobile apps).

Businesses Must Streamline the Opt-Out Request Process

Businesses must ensure that their notices of the right to opt-out use simple language, are easy for consumers to understand, and require minimal steps to complete. Businesses cannot require consumers to click through or listen to reasons why they should not submit a request to opt-out, provide personal information that is not necessary to implement the request, or search or scroll through a privacy policy, similar document, or webpage to submit a request to opt-out.

Offline Opt-Out Notices

Businesses that collect personal information from consumers offline must also inform consumers by an offline method of their right to opt-out, as follows:

  • Businesses that collect personal information from consumers in a physical location may inform consumers of their right to opt-out via paper forms or signage
  • Businesses may inform consumers of their right to opt-out during a phone call in which the business collects personal information

In both scenarios, businesses must tell consumers where to find the opt-out information online.

Authorized Agents

California residents are permitted to use authorized agents to submit requests to know or to delete their personal information. The new regulations clarify that businesses may require consumers to prove that an agent has permission to submit the request and to verify their own identity directly with the business.

California Privacy Protection Agency Board Appointments

While the state continues to fine-tune the CCPA regulations – and application of the CCPA to employee information remains deferred until 2022 – the clock is already ticking on the newest iteration of California’s privacy law, the California Privacy Rights Act (CPRA). Although CPRA does not take effect until 2023, the ballot initiative directed establishment of the California Privacy Protection Agency (CPPA) in advance of the effective date. Governor Gavin Newsom, in conjunction with state officials, has appointed the first slate of CPPA members.

With the enactment of the Virginia Consumer Data Protection Act, and with other states also considering privacy legislation, the U.S. landscape is quickly becoming more confusing for consumers and businesses alike.