Consumer Protection Connection

Consumer Protection

Sheila Millar Authors Law360 Article “UK’s Proposed Age-Appropriate Data Code Would Be Onerous”

Posted in Data Security

In a recent Law360 article, Sheila Millar discusses a proposal from the British Information Commissioners Office (ICO) that significantly restricts how information society services deemed likely to be accessed by children must handle the data they collect, use, and share. In “UK’s Proposed Age-Appropriate Data Code Would Be Onerous” (July 3), she delves into how the ICO proposal creates potentially onerous burdens on business and conflicts with existing law. To read the full article, click here.

An authority on consumer protection law, Keller and Heckman partner Sheila Millar is a regular contributor to Law360, providing analysis and commentary on privacy, data security, cybersecurity, product safety, and advertising matters.

For more information, contact:
Sheila A. Millar at or +1 202.434.4143

FTC Continues Enforcement of False Privacy Shield Claims

Posted in Privacy

Nearly three years after the EU-U.S. Privacy Shield framework replaced the U.S.-EU Safe Harbor as a mechanism to transfer personal data from the European Union to the United States, the Federal Trade Commission (FTC) continues to monitor companies’ claims regarding participation. As we previously reported, the FTC has taken actions against several companies over the years for stating they were self-certified to the Privacy Shield framework when they either had never joined or when their certification had lapsed. Recently, the FTC settled with background screening company SecurTest, Inc over allegations that the company violated Section 5 of the FTC Act when it falsely claimed participation in the EU-U.S. Privacy Shield and identical Swiss-U.S. Privacy Shield frameworks.

According to the FTC’s complaint, SecurTest applied to the Department of Commerce (DOC) to participate in the Privacy Shield but never completed the process. Under the settlement terms, SecurTest must refrain from misrepresenting its participation in the Privacy Shield or any other privacy program sponsored by a government agency, self-regulatory organization, or standard.

The FTC also sent warning letters to 13 other companies that falsely claimed membership in the U.S.-EU Safe Harbor and U.S.-Swiss Safe Harbor frameworks, which no longer exist, and to two companies that stated they took part in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules system when they didn’t. The FTC’s actions confirm the importance of assuring that claims about participation in the Privacy Shield or any other privacy program are made only when an application has been approved and certifications are current. All references to certification must be promptly deleted from privacy policies and other materials if a certification has lapsed.

In its report to the European Parliament and the Council on the second annual Privacy Shield review conducted last year, the European Commission highlighted actions taken by the DOC and FTC, such as routine monitoring of companies for compliance and enforcement actions, and concluded that the United States continues to ensure that personal data transferred under the Privacy Shield meets EU adequacy criteria. The Commission reported that it will continue to monitor the effectiveness of the program and actions taken by the DOC and FTC. The validity of the Privacy Shield as an international data transfer mechanism will likely remain under scrutiny in both the U.S. and in Europe. But with some 4,000 companies now listed as certified on the DOC’s website, the Privacy Shield program remains a vitally important data transfer mechanism to many U.S. businesses. It is this very importance that means the FTC will continue to closely monitor adherence to assure that those claiming to be certified to the framework indeed meet the Privacy Shield criteria and that the program retains its integrity.

FTC Settles Lax Data Security Charges with Software Seller

Posted in Privacy

The Federal Trade Commission (FTC) entered into a proposed settlement with LightYear Dealer Technologies, LLC (aka DealerBuilt) on June 12, 2019, over allegations of lax consumer privacy protections. While no fines were levied, the order is remarkable for its detailed and extensive requirements governing the company’s future data privacy practices and the FTC’s role in overseeing implementation. The terms include specific instructions for mandatory third-party assessments of the company’s data privacy program using an assessor approved by the FTC, yearly reporting requirements, and imposition of personal responsibility on senior management for compliance with a comprehensive data privacy program.

The FTC’s complaint alleges that DealerBuilt, which licenses its LightYear software management system to car dealerships across the United States, collected and stored a massive amount of personal data but failed to provide reasonable data privacy protections for it. The company’s customers include some of the country’s largest Ford and Honda dealerships. DealerBuilt customers have the option either to license LightYear and use their own server or use DealerBuilt’s backup service, which stores customer data on DealerBuilt’s servers. The FTC alleged that personal information of millions of consumers was left exposed when a hacker gained access to unencrypted data stored in DealerBuilt’s customer backup database in October 2016. The hacker downloaded the personal information of some 69,000 consumers, including Social Security numbers, driver’s license numbers, and payroll details.

Among the additional claims alleged by the FTC are that DealerBuilt failed to:

  • Implement or maintain a written data security policy and reasonable data security guidance or training for employees or third-party contractors;
  • Assess the risks to the personal information stored on its network, such as by conducting periodic risk assessments or performing vulnerability and penetration testing of the network;
  • Use readily available security measures to monitor its systems and assets;
  • Impose reasonable data access controls, such as restricting inbound connections to known IP addresses, and requiring authentication to access backup databases;
  • Encrypt consumers’ personal information and put in place a reasonable process to select, install, secure, and inventory devices with access to personal information.

Under the terms of the proposed settlement, DealerBuilt is banned from “transferring, selling, sharing, collecting, maintaining, or storing personal information unless it implements and maintains a comprehensive information security program” that is subject to third-party assessments every two years. Unusually, the order also gives the Commission authority to approve the assessor every two years, and it requires that the assessor present detailed evidence that supports its conclusions via “independent sampling, employee interviews, and document review.” Senior management is obliged to certify that DealerBuilt has established, implemented, and maintained the requirements of the order; is not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission; and that certification “is based on the personal knowledge of the senior corporate manager, senior officer, or subject matter experts upon whom the senior corporate manager or senior officer reasonably relies in making the certification.”

The DealerBuilt settlement reflects “additional and significant improvements to the FTC’s data security orders that will further protect consumers and deter lax security practices,” according to Chairman Joe Simons. By imposing responsibility for compliance on senior executives for the second time in the last month, the DealerBuilt order signals an increased willingness on the part of Commissioners to impose deterrents as well as detailed mandates on companies that do not provide a reasonable level of data security for their customers’ personal information, and the growing role that management accountability is playing in privacy and security cases.

E-Vapor Industry Coalition Formally Opposes CPSC Novel Interpretation of CNPPA that Immediately Requires Flow-Restricted Packaging for E-Liquids

Posted in Product Safety

As previously reported on Keller and Heckman’s “The Continuum of Risk” blog, earlier this year, the U.S. Consumer Product Safety Commission (CPSC) announced that it was now reading the Child Nicotine Poisoning Prevention Act (CNPPA) to require nicotine e-liquid bottles to meet the “restricted flow requirement” in 16 C.F.R. § 1700.15(d), in addition to having child-resistant closures. A wave of enforcement actions soon followed. CPSC issued Notices of Violations to numerous e-liquid companies alleging that e-liquid bottles (specifically glass bottles) without flow restrictors rendered the e-liquid a “misbranded hazardous substance” pursuant to section 2(p) of the Federal Hazardous Substances Act (FHSA). CPSC ordered these companies to initiate a number of “corrective actions,” including to immediately stop sale and distribution, notify all known retailers and consumers, and destroy and dispose of returned units and any remaining inventory. Such actions may drive companies, including many small businesses that make up the backbone of the vapor industry, out of the market.

In response to CPSC’s demands for immediate action, a coalition of national and state vapor trade associations (the “E-Vapor Coalition”) came together to express their strong opposition to CPSC’s new reading of the CNPPA. In a letter to the CPSC Acting Chair and Commissioners, the E-Vapor Coalition lays out in detail the flaws in the CPSC’s new reading of the statute, which neither the plain language nor the legislative history support. Moreover, this recent interpretation is inconsistent with three years of previous guidance from the Commission. The E-Vapor Coalition letter also raises concerns about flaws in CPSC’s hastily drafted testing protocol for flow restrictors, which appear to be suitable only for testing plastic packaging. The letter also highlights the potential conflict with the Food and Drug Administration (FDA) rules prohibiting changes to e-liquid packaging without FDA premarket approval.

As the E-Vapor Coalition letter points out, while industry disagrees that the CNPPA requires flow restrictors as part of its special packaging requirements, or that packages without flow restrictors are “misbranded hazardous substances,” coalition members share CPSC’s desire to safeguard children from potential hazards of accidental ingestion of nicotine-containing e-liquids. While instances of accidental ingestion are fortunately extraordinarily rare, the E-Vapor Coalition does not object to an orderly transition to restricted flow packaging, in coordination with FDA. It is vital that this be done in a manner that will not unduly burden manufacturers, distributors and retailers, or deprive adult consumers of less risky alternatives to combustible tobacco by forcing existing producers who switch to flow-restricted packaging to seek pre-market authorization from FDA. Associations comprising the E-Vapor Coalition and their respective members look forward to working with both CPSC and FDA to achieve these goals.

To keep track of CPSC’s latest guidelines for liquid nicotine containers, see its Liquid Nicotine Packaging Business Guidance website.

If you have any questions regarding CPSC requirements, contact Sheila Millar ( or Boaz Green ( For more information about our Product Safety Practice in general, visit For more information about our Tobacco and E-Vapor Practice, contact Azim Chowdhury ( and visit

Will NAS Report Prompt CPSC to Reconsider OFR Stance?

Posted in Product Safety
U.S. Consumer Product Safety Commission

In 2015, a group of NGOs filed a petition with the U.S. Consumer Product Safety Commission (CPSC), asking CPSC to ban additive, non-polymeric organohalogen flame retardants (OFRs) in four product categories: infant, toddler, or children’s products; upholstered furniture; mattresses; and plastic electronics’ casings. The petitioners argued that the entire chemical class is toxic and poses a risk to consumers and that the CPSC should ban them under the Federal Hazardous Substances Act (FHSA). However, a new report report from the National Academies of Sciences, Engineering, and Medicine (NAS) offers the latest scientific assessment: OFRs “cannot be treated as a single class for hazard assessment although they can be divided into subclasses based on chemical structure, physical and chemical properties, and predicted biologic activity.”

As we previously reported in 2015, after reviewing the petition and evaluating the available data, CPSC staff submitted a detailed briefing package to the Commission recommending that it deny the petition for lack of evidence. The FHSA does require evidence-based rules as a statutory matter (15 U.S.C. §1262(f)-(i)). However, the Commission majority rejected staff’s recommendation to deny the petition. A majority of Commissioners instead initiated a rulemaking and attempted to overcome staff’s objection by proposing a chronic hazard advisory panel, or CHAP, to study OFRs as a class and make recommendations for rulemaking. A majority of the Commission also voted to issue “non-binding guidance,” warning consumers about the hazards it believed may be associated with OFRs.

The NAS was asked to first develop a scoping plan for the OFR CHAP to assess the potential hazards of some or all OFRs. This report concludes the first step in this process.

Rulemaking under the FHSA must be science-based, but, as the NAS report notes, evaluating chemicals one by one is a common frustration for scientists:

One of the biggest challenges for the risk-assessment community is how to move from traditional chemical-by-chemical approach to analyses that evaluate multiple chemicals together. The primary problems with this approach are that chemicals on which data is insufficient are typically treated as not hazardous, that untested chemicals are often substituted for hazardous chemicals, and that cumulative exposure and risk are often ignored … the number of chemicals in use today demands a new approach to risk assessment, and the class approach is a scientifically viable one.

Thus, while NAS felt that grouping chemicals by class may be appropriate in certain circumstances, the groupings must make sense based on chemical structure, function, and other factors.

NAS first studied whether OFRs could be treated as a single class “by identifying known OFRs and other structurally related organohalogen compounds.” OFRs cannot be lumped into a single category for hazard assessment, the NAS report says, since OFRs cannot be distinguished from other physically similar chemicals. In addition, OFRs do not have a common chemical structure or predicted biologic activity and therefore cannot be treated as a single class. However, they can be assessed and regulated on the basis of shared properties into groups. In this case, the NAS identified 14 subclasses of OFRs that may be evaluated as separate groups, but rejected the premise that all OFRs should be treated identically.

The thoughtful approach of the NAS report reflects a welcome return to a focus on facts and science as the underpinning of potential chemical regulation, as required under the FHSA. The report should be thoroughly evaluated by CPSC staff and Commissioners before proceeding with a CHAP. The NAS report’s findings confirm CPSC staff’s earlier view that the available science they reviewed several years ago still does not support viewing all OFRs as a single class. From this perspective, it would be appropriate for the current Commission to review and consider rescinding its previous OFR guidance.

Website Hacks Result in FTC Actions for Lax Security

Posted in Privacy

After hacks of two websites, and, resulted in the compromise of personal information for millions of users – including, in the case of i-Dressup, hundreds of thousands of children under 13 – the Federal Trade Commission (FTC) issued complaints against the websites and their operators for lax security and other privacy violations. Notably, in addition to requiring beefed-up security and third-party monitoring programs in the settlement agreements, all five FTC Commissioners took the additional step of holding senior management personally responsible for data security in the future. In a separate statement, the Commissioners wrote:

The orders obtained in these matters contain strong injunctive provisions, including new requirements that go beyond requirements from previous data security orders. For example, the orders include requirements that a senior officer provide annual       certifications of compliance to the Commission, and explicit provisions prohibiting the defendants from making misrepresentations to the third parties conducting assessments of their data security programs.

i-Dressup allows users to design their own virtual outfits and try on different looks. The FTC complaint against i-Dressup claims the website and its operators violated the Children’s Online Privacy Protection Act (COPPA) on several grounds: (1) failing to provide reasonable security, which resulted in a hacker stealing the personal information of 2.1 million users, including 245,000 children; (2) failing to obtain parental consent before collecting personal information from children under 13; and 3) continuing to collect children’s personal information even when parents refused to give consent.

ClixSense pays users to view ads and take online surveys. Users who registered with the site were required to provide personal information, including names, addresses, passwords, user names, and (in some cases) Social Security numbers. Despite assurances that “ClixSense utilizes the latest security and encryption techniques to ensure the security of your account information,” the FTC complaint charges that the company failed to protect the website from commonly known or reasonably foreseeable vulnerabilities and attacks from third parties and failed to perform vulnerability and penetration testing. This lax security led to a data breach in September 2017 in which hackers downloaded the personal information of 6.6 million users worldwide. The hackers then published and offered for sale the personal information of 2.7 million users, including names and addresses, user names, passwords, email addresses, and Social Security numbers.

Under iDressup’s agreement with the FTC, the company will pay $35,000 in civil penalties and is required to implement a comprehensive data security program that is subject to independent third-party monitoring. Under its settlement with the FTC, ClixSense’s owner is barred from misrepresenting the company’s security and data collection practices, and like iDressup, must also implement a comprehensive information security program that is subject to independent monitoring.

Imposing personal responsibility on senior management demonstrates the seriousness with which the FTC views data privacy and data security obligations. The Commissioners’ statement ends with a presage for the future: “the announcements today reflect the beginning of our thinking, but we anticipate further refinements, and these orders may not reflect the approach that we intend to use in every data security enforcement action going forward.” Online businesses, take note.

EDPB Advises on Overlap Between the ePrivacy Directive and GDPR

Posted in Privacy

The European Data Protection Board (EDPB) has weighed in on the interplay between the General Data Protection Regulation (GDPR) and the ePrivacy Directive in response to questions from the Belgian Data Protection Authority (DPA). Addressing how and when each set of rules applies to processing data, the EDPB stated that “these questions concern a matter of general application of the GDPR, as there is a clear need for a consistent interpretation among data protection authorities on the boundaries of their competences, tasks and powers.”

The ePrivacy Directive, also known as the “cookie directive,” governs electronic communications whether or not they contain personal data. The GDPR, which took effect nearly a year ago, regulates the collection and protection of personal data of EU residents.

The EDPB’s Opinion on the interplay between the ePrivacy Directive and the General Data Protection Regulation, adopted on March 12, examines three circumstances:

  1. Where there is no interplay between the GDPR and the ePrivacy Directive because the matter falls outside of the scope of the GDPR;
  2. Where there is no interplay between the GDPR and the ePrivacy Directive because the matter falls outside of the scope of the ePrivacy Directive; and
  3. Where there is an interplay between the GDPR and the ePrivacy Directive because the processing triggers the material scope of both the GDPR and the ePrivacy Directive.

The opinion states that “although an overlap in material scope exists between the ePrivacy Directive and the GDPR, this does not necessarily lead to a conflict between the rules.” However, it does identify the circumstances in which one set of rules will prevail over the other and the competence and task of DPAs in relation to those circumstances:

  • Where “special rules” of the ePrivacy Directive apply (e.g., the requirement for processors to get consent before using cookies under article 5(3)), the ePrivacy Directive trumps GDPR;
  • In all other cases, where the processing of personal data is not specifically governed by the ePrivacy Directive (or where the ePrivacy Directive does not contain a “special rule”), GDPR takes precedence;
  • The powers of DPAs to oversee data processing under the GDPR are not affected by the ePrivacy Directive “special rules”; and
  • When processing personal data falls under both the GDPR and ePrivacy Directive, DPAs may take into account the provisions of the ePrivacy Directive if the violation also breaches national law implementing the ePrivacy Directive.

On a related note, the EDPB also called on the European legislators to finalize the ePrivacy Regulation to replace the ePrivacy Directive. If enacted, the ePrivacy Regulation would take direct effect without necessitating new implementing legislation in Member States. The EDPB’s statement urges that a new ePrivacy Regulation build on existing protections and complement the GDPR.

FTC Continues Focus on “Made in America” Claims

Posted in Advertising

Making the same false country-of-origin claims that initially resulted in a Federal Trade Commission (FTC) consent order is a good way to land a company with substantial civil penalties and corrective advertising obligations. iSpring Water Systems LLC found this out the hard way. Instead of complying with its earlier promise not to falsely advertise its products as made in the USA, the water filtration systems company breached a 2017 administrative order. iSpring is now on the hook for $110,000 in civil penalties.

Sold online and in major retailers, iSpring water filtration systems were marketed as “Designed and crafted in USA” and “Proudly Built in the USA.” The problem with this advertising, however, is that the product was actually being manufactured in China. In 2017, the company settled an FTC complaint, agreeing not to make such claims unless it could provide evidence that all significant processing was USA-based and that nearly all components were made here. That promise went down the drain.

The proposed settlement contains an admission of liability after the company’s owner and officer admitted falsely advertising that the filtration systems were USA-made In addition to paying the civil penalty, the new order imposes a corrective advertising remedy: iSpring must identify and notify all consumers who purchased iSpring products between March 10, 2018 and July 15, 2018 that the company made misleading claims about country of origin. This is the type of corrective advertising remedy used in a series of false “VOC-free” claims we previously described.  The company is also required to submit to compliance reporting and monitoring for 20 years.

The FTC also approved final consent orders in two other “Made in America” cases we reported on last year, involving hockey puck manufacturer Patriot Puck and recreational gear companies Sandpiper and PiperGear USA, Inc.

The orders prohibit Patriot Puck, Sandpiper and Piper from making misleading or deceptive Made in the USA statements. To make a “Made in the USA” claim the advertiser must show that:

  • The product’s final assembly or processing occurs in the United States, all significant processing occurs in the United States, and all or virtually all ingredients or components of the product are made and sourced in the United States; or
  • A clear and conspicuous qualification appears immediately adjacent to the representation that accurately conveys the extent to which the product contains foreign parts, ingredients or components, and/or processing. To make an “Assembled in the USA” claim the advertiser must show that the product is last substantially transformed in the United States, its principal assembly takes place in the United States, and its U.S. assembly operations are substantial.

The FTC continues to target companies that make misleading or unsubstantiated Made in the USA claims. Businesses making US-origin claims  would do well to consult the FTC’s Enforcement Policy Statement on U.S. Origin Claims to avoid winding up in hot water with the Commission.

FTC’s 2018 Data Privacy and Security Update Highlights Enforcement

Posted in Cybersecurity, Data Security, Enforcement

The Federal Trade Commission (FTC) recently released its annual report highlighting its work on privacy and data security during 2018. The FTC initiated five enforcement actions arising out of data breaches and nine data privacy enforcement actions in 2018, including cases against online payment system Venmo and mobile phone maker BLU for misrepresenting their privacy protections and providing inadequate security. One of the most high-profile enforcement actions of 2018 was the FTC’s expanded settlement with Uber, which stemmed from a major data breach in 2016 that the company failed to report for over a year. The FTC also launched an investigation into whether Facebook violated its consent decree with the agency when it shared the personal information of its users with political research firm Cambridge Analytica.

On children’s privacy issues, the FTC settled with two companies for violations of the Children’s Online Privacy Protection Act (COPPA), including the agency’s first case involving connected toys, against toy manufacturer VTech, and another case against talent agency Explore Talent. The FTC alleged that both companies failed to obtain parental consent before collecting personal information from hundreds of thousands of children under 13 and failed to provide the required notice of their privacy policies. The FTC also sent letters to two watch manufacturers, Gator Group Co., Ltd. and Tinitell, Inc., warning them that their children’s smart watches must comply with COPPA. The agency alleged that the companies failed to provide proper notice about their personal information collection practices and obtain verifiable parental consent before collecting personal information of children under 13.

In November of last year, the FTC launched a series of public hearings on Competition and Consumer Protection in the 21st Century which are ongoing and examine the intersection of big data, privacy, and competition. The FTC also held its third annual PrivacyCon, which brings together a range of stakeholders to discuss trends and developments in consumer privacy and security.

On the policy front, several FTC commissioners testified before the Senate Commerce Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, the House Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection, and the Senate Banking, Housing and Urban Affairs Committee. Recurrent themes in their testimony included a push for greater rulemaking and enforcement powers for the FTC and the need for national data privacy legislation. FTC staff submitted a comment to the Consumer Product Safety Commission (CPSC) on the potential safety risks and hazards related to connected consumer products in which the FTC which recommended that: (1) CPSC consider how companies might better communicate with customers regarding notifications and recalls for Internet of Things (IoT) devices; (2) CPSC’s approach should be technology-neutral and flexible; and (3) any certification requirements for IoT devices should require manufacturers to publicly set forth the standards to which they adhere.

With COPPA under review following the recent introduction of a bill to modify its provisions and the debate over national privacy and data security legislation raising the possibility of greater FTC powers, 2019 is shaping up to be a very busy year for the agency.

Significant Changes Ahead for COPPA?

Posted in Cybersecurity, Privacy

As expected, 2019 is shaping up to be the year for privacy reforms, including possible amendments to the 20-year old Children’s Online Privacy Protection Act (COPPA). Senators Edward Markey (D-Mass) and Josh Hawley (R-MO) have introduced legislation that would expand COPPA’s scope to offer new protections to minors age 13-15, establish new limitations on collecting personal information on children and minors, and create a new division within the Federal Trade Commission (FTC) charged with overseeing marketing directed at children and minors, among other things.

For insight into the COPPA Amendments see Keller and Heckman’s March 25, 2019 Client Alert “Senators Markey and Hawley Introduce Bill to Expand COPPA” authored by Privacy Partners Sheila Millar and Tracy Marshall.

Consumer Protection Connection

We and our analytics and advertising providers may use cookies and similar technologies to enhance the browsing experience, facilitate sharing of content, and generate statistics about use of the website. For more information or to change your preferences, click here.

I Agree