Photo of Sheila MillarPhoto of Tracy Marshall

The interagency Kids Online Health and Safety Task Force, which was created last year and is led by the Department of Commerce (through the National Telecommunications and Information Administration) and the Department of Health and Human Services (through the Substance Abuse and Mental Health Services Administration), released a report on protecting minors online, Online Health and Safety for Children and Youth: Best Practices for Families and Guidance for Industry. The report highlights the benefits and harms of digital media to minors’ health, safety, and privacy and provides guidance for parents and industry. It also identifies knowledge gaps and areas for future research.

The report provides ten recommendations for businesses to promote safe practices for children and teens online:

  1. Design age-appropriate experiences.
  2. Make privacy protections for youth the default.
  3. Reduce and remove features that encourage excessive or problematic use.
  4. Limit “likes” and social comparison features for youth by default.
  5. Deploy mechanisms and strategies to counter child sexual exploitation and abuse.
  6. Disclose accurate and comprehensive safety-related information about apps.
  7. Improve systems to identify and address bias and discrimination online.
  8. Use data-driven methods to detect and prevent cyberbullying and other forms of online harassment and abuse.
  9. Provide age-appropriate parental control tools that are easy to understand and use.
  10.  Make data accessible for verified, qualified, and independent research.

The Task Force also advocates for additional efforts at the federal level, including bipartisan legislation to promote accountability for online platforms. Congress has wasted no time advancing legislative efforts to expand protections for minors online, including the introduction of a new version of the Kids Online Safety Act and updates to the Children’s Online Privacy Protection Act (COPPA) 2.0 bill. On July 25, 2024, the Senate invoked cloture on both bills, which will likely proceed to a floor vote next week. These efforts are set against the backdrop of significant developments at the state level, including a challenge to the California Age-Appropriate Design Code Act on First Amendment grounds and a Ninth Circuit decision that COPPA does not preempt state privacy claims. More recently, the U.S. Supreme Court heard oral arguments in two cases involving the constitutionality of laws in Texas and Florida implicating the scope of First Amendment rights of social media platforms. The courts, Congress, state legislatures, and federal agencies are all looking to expand legal protections for kids and teens in the online ecosystem, and changes could affect businesses that do not consider themselves to be in the kid or teen space.

Photo of Katie BondPhoto of Samuel Butler

The FTC recently released Complying with the Made in USA Standard, which further interprets the 2021 Made in USA Labeling Rule and the FTC’s 1997 Enforcement Policy Statement on U.S. Origin Claims.

The new guidance reiterates the FTC’s position that unqualified “Made in the USA” claims require “all or virtually all” U.S. content and processing. In determining whether this standard is met, the FTC considers the percentage of a product’s total costs that come from domestic parts and processing, “how far removed any foreign content is from the finished product,” and “the importance of the foreign content to the product’s form or function.”

The Labeling Rule, which is specific to unqualified “Made in the USA” claims, never actually discusses that last part on “the importance of the foreign content.” However, that concept has long been part of enforcement and closing letters. This new addition to the guidance, thus, should be a welcome reminder to companies, making compliance a little easier.

As the new guidance reiterates, qualified claims like “Made in USA of U.S. and imported parts” may also be used as long as a few requirements are met. First, the product’s “last substantial transformation,” as defined by U.S. Customs standards, must have occurred in the United States. Second, any U.S.-claimed parts or processing must meet the “all or virtually all” standard. Finally, and this is where it gets a little tough, U.S.-claimed parts or processing must be at a level that is either more than “negligible” or, possibly, “significant.”

That last point is a bit unclear, given wording in the new guidance. A longstanding example from prior guidance discusses the parts of a treadmill to demonstrate that the U.S. content must be more than “negligible” – with negligible in that instance being “only three percent of the total cost of all the parts.” The new guidance substantially repeats the example, but with introductory language suggesting the example means that there must be a “significant amount of U.S. content or U.S. processing.” No further information is given on what “significant” might mean.

As with many guidance documents that the FTC has released in recent years, companies are well-advised to be aware of where the FTC appears to be increasing pressure, even if new, stricter stances do not always align well with case law or, as in this case, even the FTC’s own prior guidance.

Examples of guidance documents with similar new stances include the 2023 updated Endorsement Guides, with new stances on “clear and conspicuous,” and the 2022 Health Products Compliance Guidance. (For anyone interested in a deep dive into new, troubling stances in that last guidance, check out the Council for Responsible Nutrition’s petition to the FTC, which Keller and Heckman attorneys helped author.)

Keller and Heckman will continue to monitor developments on FTC guidance, including “Made in USA” standards.

Photo of Sheila MillarPhoto of Tracy Marshall

On June 18, 2024, the California Attorney General (AG) and Los Angeles City Attorney jointly announced that video game developer and publisher Tilting Point Media LLC (Tilting Point) agreed to a $500,000 settlement for violations of the California Consumer Privacy Act (CCPA), Children’s Online Privacy Protection Act (COPPA), and California Unfair Competition Law (UCL) based on the company’s collection and processing of children’s personal information without consent and age-inappropriate advertising to children. The settlement highlights the increased focus by state regulators on the collection and processing of personal information from children and advertising directed to children. To read more, click here.

Photo of Sheila MillarPhoto of Peter L. de la Cruz

Below is an overview of the in-depth Environmental Law Reporter article, “Why Sustainability Needs Antitrust,” authored by Keller and Heckman Senior Counsel Peter de la Cruz and Partner Sheila Millar, published on June 3, 2024.

Governments are promoting sustainability initiatives, including circular economy, recycling, and climate change. The success of those initiatives rests on both individual efforts and increased collaboration. Antitrust asks whether collaboration among competitors will harm competition. Precisely because the social value of sustainability is widely recognized, companies may mistakenly assume that good intent is an antitrust defense. That is not true, even if the action advances government environmental and social policies. 
 
Sustainability and antitrust have laudable goals, but neither precisely answer how their goals are best achieved in any particular situation or identify when past solutions need to be reconsidered for changing circumstances. Sustainability sets more expansive goals for the planet and its people, while antitrust seeks to preserve competition and prevent joint action by private entities that harms competition or manipulates markets. 
 
Globally, countries are taking different approaches, informed by their varying competition laws, market conditions, and histories. However, the probability is low for new legislation in the United States that creates a sustainability exemption from antitrust laws, and the need to act is increasingly urgent. The logical and expedient approach is for businesses to work together to advance sustainability goals consistent with antitrust considerations. Further, ignoring antitrust may lead to less competition and less innovation in the long term, clearly antagonist to sustainability goals. These are not aspirations or academic projections, but realistic objectives based on the authors’ experience in counseling companies and associations seeking to improve their sustainability and ESG performance.

The article demonstrates that antirust:

  • Can help ensure healthy competition in markets relevant to sustainability and avoid harm to competition from standard-setting, certification, and statistical programs that might hinder innovation or unfairly exclude competitors; 
  • Does not consider whether an action promotes or deters sustainability, nor is that a proper role for competition authorities; 
  • Reviews of competitor collaborations need to consider the context and structure of modern markets, as do sustainability evaluations; and 
  • Allows meaningful and constructive joint efforts to promote sustainability. 

Antitrust is not an enemy of sustainability goals, but an essential companion and a helpful analytical tool in finding the optimum balance among sustainability’s goals to maintain modern markets that support competition-driven efficiencies and innovation, which promote consumer choice and truthful commercial communications.

To read more about this topic, please click here for the full article, “Why Sustainability Needs Antitrust,” published in the Environmental Law Reporter on June 3, 2024. If you have questions, please do not hesitate to contact the authors, Peter de la Cruz (delacruz@khlaw.com) and Sheila Millar (millar@khlaw.com).

Photo of Sheila MillarPhoto of Tracy Marshall

As we predicted in our assessment of U.S. advertising and privacy trends in February of this year, states have continued to adopt comprehensive privacy laws during their 2024 legislative sessions. To date, nineteen states (California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia) have enacted comprehensive privacy laws that provide consumers with certain rights regarding their personal data and impose obligations on businesses that process personal data. Another significant privacy law is pending in Vermont. The Kentucky, Maryland, Minnesota, Nebraska, New Hampshire, and New Jersey laws were enacted most recently (in 2024). Five of the state laws are currently effective, and all the laws impose disparate obligations that will certainly complicate compliance for covered entities. Businesses should review the threshold requirements for applicability of each state’s law to determine which laws apply.

At the federal level, Senate Committee on Commerce, Science, and Transportation Chair Maria Cantwell (D-WA) and House Energy and Commerce Committee Chair Cathy McMorris Rodgers (R-WA) unveiled new federal legislation, the American Privacy Rights Act (APRA or Act), in April, and the bill was formally introduced on May 21, 2024. From a business perspective, APRA’s restrictive definitions, weak preemption clause, and private right of action fail to strike the right balance needed in a national privacy framework. Consumer advocates, on the other hand, prefer a federal law that serves as a floor so states can adopt additional requirements and restrictions.

To review our summary of key similarities and key differences in the state privacy laws that have been enacted to date in 2024 and APRA, click here.

Photo of Sheila MillarPhoto of Tracy MarshallPhoto of Liam Fulling

As expected, Congress’ renewed focus on expanding protections for minors online has resulted in legislative developments that attempt to mitigate harms while adhering to the Constitution’s free speech and preemption parameters. Last month, updates to both the Kids Online Safety Act (KOSA) and the Children’s Online Privacy Protection Act (COPPA) 2.0 bills were released with increased support from Congressional members, but scrutiny of their legality and scope abounds.

In our article Children’s Online Privacy: KOSA and COPPA Updates, we provide information on the latest modifications made to KOSA, which now includes a reasonable care standard and less enforcement power afforded to State Attorneys General, among other things. We also explain how COPPA 2.0 expands upon existing protections for minors online by covering all minors under the age of 17 and including platforms that are “reasonably likely” to be used by minors under its umbrella.

We then explain how these proposed bills include similar infirmities to recent state legislation that has been met with judicial pushback. The California Age-Appropriate Design Code Act (CAADCA) was found to be likely violative of the First Amendment and is currently awaiting further judicial review, and state social media laws in Florida and Texas were appealed all the way to the Supreme Court on claims that they were violative of social media companies’ First Amendment rights.

The bottom line is that the courts will have just as much influence establishing legal parameters for the protection of kids and teens in the online ecosystem as state legislatures, Congress, and federal agencies.

To access Children’s Online Privacy: KOSA and COPPA Updates, click here.

To access the compendium 2023 U.S. Advertising and Privacy Trends and 2024 Forecast: Focus on Kids and Teens, click here.

Photo of Sheila MillarPhoto of Tracy Marshall

During 2023, legislative, congressional, and executive actions aimed at protecting children and teens online took center stage. Such actions included: legislative attempts to raise the age of a “child” at both the federal and state levels for advertising and privacy purposes; bans on behavioral advertising targeting minors; efforts to restrict access to social media by minors; First Amendment legal challenges; and the Federal Trade Commission’s (FTC) long-awaited proposed changes to the Children’s Online Privacy Protection Act (COPPA) Rule.

Over the last few years, we have reported on regulatory, legal, and voluntary initiatives aimed at expanding protections for minors online, from calls by advocates for the FTC to up-age COPPA, federal and state restrictions on targeted advertising directed at children and teens, and debates about the scope of COPPA preemption, to friction between First Amendment rights and the public policy objectives around protecting minors from certain types of content online. In 2024, we expect that policy and legal actions related to advertising and privacy will continue to focus on protecting children and teens.

In our article 2023 U.S. Advertising and Privacy Trends and 2024 Forecast: Focus on Kids and Teens, we provide a historical look at children’s privacy, beginning with how different jurisdictions and agencies define the age of a “child.” We dive into federal and state legislation and discuss the plethora of bills surrounding this highly debated topic, which affect online services, social media platforms, and other businesses targeting U.S. audiences. COPPA was the first children’s privacy law anywhere, and the FTC has brought many enforcement actions, but a debate regarding how to safeguard all minors online that was once thought settled continues. This has led to increasing calls to “up-age” the definition of “child” to cover all minors under 16 or 18.  We highlight the federal and state legislative landscape, key proposals in the FTC’s COPPA Notice of Proposed Rulemaking, and current litigation. This includes preemption, First Amendment decisions, and recent suits targeting online platforms such as Meta, TikTok, and YouTube, alleging that social media companies harm children and teens, physically and mentally, through addictive algorithms that expose them to inappropriate content. We end with our take on the year to come, which promises to involve ongoing constitutional, legal, and policy questions likely to affect a broad swath of businesses.

To access the compendium 2023 U.S. Advertising and Privacy Trends and 2024 Forecast: Focus on Kids and Teens, click here.

Photo of Peter Craddock

Keller and Heckman has submitted comments to the European Data Protection Board (EDPB) in the context of a public consultation on their draft guidelines 2/2023 on the Technical Scope of Art. 5(3) of ePrivacy Directive, on behalf of various organisations that wished to contribute in a meaningful manner without drawing attention to their identity.

What guidelines?

Based on the EDPB’s proposed guidelines, Article 5(3) of the ePrivacy Directive (ePD), commonly called the “cookie rule,” would be extended to cover not only cookies and similar active storage of, and active access to, information on a user’s device (e.g., phone, computer, home router), but also nearly any interaction with a computer or network (such as the automatic transmission of information to a web server when accessing a webpage, or the ephemeral storage that a computer generates for any website or application being loaded, purely in order to be able to run it).

Keller and Heckman Partner Peter Craddock (heading our EU Data & Technology law practice) has published several leading articles on the topic (see, for instance, the summary on “Why every company with digital activities should comment on the EDPB’s new ePrivacy guidelines,” and more in-depth articles published on LinkedIn), and several organisations have shared their concerns that the EDPB’s proposed guidelines could lead to turbocharged consent banners and could neuter various validation techniques that are notably critical for fighting fraud and ensuring compliance.

Requests brought forward in the submissions filed

The relevant organisations’ requests can be summarised as follows:

  • Re-evaluating the EDPB’s authority to adopt those (proposed) guidelines and (i) restricting them to only the material and territorial scope of the General Data Protection Regulation (GDPR) or (ii) transforming them into mere recommendations, ideally with also the support of all competent regulators;
  • Restricting the scope of the notions of “access” and “storage” under Art. 5(3) of the ePrivacy Directive to active storage specifically directed by the entity to whom the obligations under that provision apply, and active access to terminal equipment on the initiative of such entity;
  • Providing guidance on how the consent exemptions would apply, based on the EDPB’s (thus adapted) understanding of the notions of “access” and “storage,” and in particular on the scope of the “service” consent exemption to provide greater legal certainty, notably as regards to (i) “access” or “storage” that is statutorily authorised or required for the activities of the relevant service provider and (ii) activities that underlie a service, from its conception all the way to actual provision of the service to a given user, as well as the reuse of lessons from a given user’s interaction in order to improve the service for a subsequent user
  • In relation to consent, confirming that (i) organisations are permitted to bundle a broad range of technologies covered by Art. 5(3) ePD together into one or more simple terms in any consent request form, without this affecting the validity of any consent given, and that (ii) any such bundling of technologies further to an expansion of the scope of Art. 5(3) ePD (compared to the most recent guidance of authorities) does not negate any consent given beforehand

You can view the submissions in question here. The EDPB should also soon make them available through their public consultation page here.

Photo of Sheila MillarPhoto of Antonia Stamenova-Dancheva

The Consumer Product Safety Commission (CPSC or Agency) recently published a Supplemental Notice of Proposed Rulemaking (SNPR) (88 Fed. Reg. 85760 (December 8, 2023)) to revise the existing rule on Certificates of Compliance (CoC or certificates), 16 CFR § 1110 (Rule 1110). The last time CPSC proposed changes to Rule 1110 was in 2013, when the Agency received more than 500 comments responding to its Notice of Proposed Rulemaking (2013 NPR), many voicing specific legal and other objections to the proposed changes. A decade later, CPSC is reviving the CoC rulemaking process. This SNPR proposes a number of significant changes to Rule 1110, including the addition of an electronic filing (eFiling) requirement for all imported CPSC-regulated products or substances, an expanded definition of “importer” to include the importer of record and certain other entities, and new CoC content and recordkeeping requirements. 

Given the staggering number of imported consumer products and the expansive scope of proposed changes, the SNPR warrants close attention by anyone making CPSC-regulated products abroad for distribution in the United States or direct shipments to U.S. consumers. Comments are due February 6, 2024. Read more here.