Sheila A. Millar, Jean-Cyril Walker

In keeping with its 5-year schedule for comparability range updates to the Energy Labeling Rule (Rule), the Federal Trade Commission (FTC) published a Notice of Proposed Rulemaking on May 25, 2022, seeking to revise the Rule to update the comparability range information on EnergyGuide labels for televisions, refrigerators and freezers, dishwashers, water heaters, room air conditioners (ranges only), clothes washers, furnaces, and pool heaters.

The Rule requires manufacturers to affix EnergyGuide labels to many consumer products and prohibits retailers from removing the labels or making them illegible. EnergyGuide labels must contain three disclosures: a product’s estimated annual energy cost, its energy consumption or energy efficiency rating as determined by Department of Energy (DOE) test procedures, and a comparability range that shows the highest and lowest energy costs or efficiency ratings for all similar models. The FTC periodically updates comparability range and annual energy cost information based on current manufacturer data, pursuant to the Rule. The FTC is now proposing two amendments to the Rule: revising the average energy cost figures based on the national average cost figures published by the DOE and clarifying that manufacturers must use current DOE requirements to determine capacity for room air conditioners.

Manufacturers must display the updated information on product labels 90 days from publication of the final Notice announcing updated ranges for specific products. Manufacturers of room air conditioners will have until October 1, 2022, to give them time to change their packaging to include the updated labels and to coincide with the effective date of EnergyGuide labels for portable air conditioners.

The vote to approve publication of the Notice of Rulemaking in the Federal Register was 3-1. Commissioner Christine S. Wilson dissented, arguing that while the proposed revisions to the Rule are necessary, the Commission “fail(s) to take the opportunity to revisit the Rule’s highly prescriptive requirements,” including the detailed label requirements illustrated in the Notice.

Comments are due by July 11, 2022.

Sheila A. Millar, Tracy P. Marshall

The Federal Trade Commission (FTC or Commission) has issued several new proposals or policy statements affecting advertisers recently, including resurrection of its Penalty Offense Authority and an Enforcement Policy Statement Regarding Negative Option Marketing (which we previously reported on here). The FTC is now seeking public feedback on a proposal to enhance and strengthen the FTC’s Guides Concerning the Use of Endorsements and Testimonials in Advertising (the Endorsement Guides) and a review of its .com Disclosures: How to Make Effective Disclosures in Digital Advertising (.com Disclosures Guidance or Guidance).

Proposed Updates to the Endorsement Guides

At an open meeting on May 19, 2022, the FTC voted unanimously to publish a notice in the Federal Register proposing updates to the current Endorsement Guides. The FTC’s proposed updates to the Endorsement Guides, which were first published in 1980 and last revised in 2009, focus on advertisers that post fake positive reviews or delete negative reviews and advertisers whose disclosures fall short. One area of concern identified by the FTC is influencers who are paid, receive free products or services, or have a relationship with a brand but fail to disclose the material connection with the advertiser, in violation of the Endorsement Guides.

In addition to adding more examples to improve understanding of the Endorsement Guides, the FTC’s proposed updates include the following:

  • Expanding the definition of “product” to include brands;
  • Clarifying that marketing and promotional messages, including social media tags, can constitute endorsements;
  • Extending the definition of an “endorser” to cover “fabricated endorsers”;
  • Adding a new section that addresses consumer reviews and clarifies that advertisers should not distort or misrepresent what consumers think of their products;
  • Clarifying that the substantiation requirement covers both express and implied claims;
  • Tightening the definition of “clear and conspicuous” to mean a disclosure that is “difficult to miss … and easily understandable by ordinary consumers”;
  • Clarifying that a material connection can exist regardless of whether an advertiser offers payment or free products to an endorser;
  • Adding a new section that explains the potential liability of intermediaries such as advertising agencies and public relations firms;
  • Clarifying that an advertiser may be liable for an endorser’s deceptive statement even when the endorser is not liable and adding a new section that explains when endorsers can be liable for their statements;
  • Adding a new section regarding endorsements directed to children and emphasizing that “practices which would not ordinarily be questioned in advertisements addressed to adults might be questioned in such cases.” (The FTC will hold a public event on October 19, 2022, to discuss how children perceive online advertising and advertisers’ responsibilities for disclosures to children.)

Comments are due 60 days after the date of publication of the proposed updates in the Federal Register, which has not occurred as of the date of this posting.

Proposed Updates to the .com Disclosures Guidance

The FTC is also seeking comments on proposed changes to the .com Disclosures Guidance. First issued in 2000 and updated in 2013, the .com Disclosures Guidance focuses on how businesses can evaluate the effectiveness of online disclosures to assure they are clear and conspicuous. The Guidance also includes factors the FTC uses to evaluate whether such disclosures comply with the FTC Act.

In a Request for Comments published on June 3, 2022, FTC staff seek public input on updates to the Guidance. The FTC welcomes comments on any issue but is particularly interested in the following:

  • Issues raised by online technologies, activities, or features, such as sponsored and promoted advertising on social media platforms, advertising content embedded in games, and dark patterns;
  • Whether the current Guidance adequately addresses mobile advertising;
  • Whether further guidance concerning multi-party selling arrangements is needed;
  • Whether the Guidance adequately addresses how to make qualifying disclosures when consumers must navigate multiple webpages to complete purchases;
  • Whether the Guidance should address issues related to advertising that appears in virtual reality or the metaverse;
  • How the guidance on the use of hyperlinks can be made more effective; and
  • What existing guidance is outdated or unnecessary, and what guidance should be clarified, expanded, strengthened, or limited.

Comments on the proposed changes to the .com Disclosures Guidance must be received by August 2, 2022.

Sheila A. Millar

Nearly a year after she was first nominated, Mary Boyle was confirmed Wednesday to be a Commissioner of the U.S. Consumer Product Safety Commission (CPSC). When she takes office for a term that will run through October 2025, Boyle will bring the Commission to its full five-member strength for the first time since 2019.

Boyle has been at CPSC for more than a decade, serving as an attorney in the Office of General Counsel (OGC), as General Counsel herself, and currently as the agency’s Executive Director. A graduate of Georgetown University and the University of Maryland, Boyle is the second CPSC Executive Director to join the Commission in recent years, following former Chair Elliot Kaye, who served from 2014 to 2021.

Boyle’s nomination had been held up in the Senate Committee on Commerce, Science, & Transportation amid Republicans’ concerns about her role in the agency’s unauthorized disclosures of company and consumer information in 2019 and in staffing of CPSC’s import surveillance operations amid COVID-19 disruptions. The first session of the 117th Congress ended in December 2021 with Boyle’s nomination still in committee. Her nomination was returned to the White House, and President Biden swiftly renominated her in early 2022.

The Commerce Committee failed to report Boyle’s nomination favorably on a 14-14 party-line vote in March. Her nomination was ultimately discharged from committee on May 12 by a straight party-line vote, with Vice President Kamala Harris breaking the 50-50 tie. Republican opposition followed Boyle to the floor with a filibuster that was broken by a 49-47 cloture vote on June 16, 2022. Wednesday’s confirmation vote was 50-48.

Boyle joins Chair Alexander Hoehn-Saric and Commissioner Richard Trumka, Jr., forming a Biden-administration majority on the Commission alongside Trump appointees Dana Baiocco and Peter Feldman. With Boyle’s confirmation, CPSC’s leadership appears set for the next two-plus years. The Commissioners’ terms are as follows:

Biden Consumer Product Safety Commission

Commissioner | Term Through
Dana Baiocco (R) | 2024
Mary Boyle (D) | 2025
Peter Feldman (R) | 2026
Alexander Hoehn-Saric (D, Chair) | 2027
Richard Trumka, Jr. (D) | 2028

 

Sheila A. Millar, Tracy P. Marshall

In the continuing absence of Congressional action on a comprehensive U.S. federal privacy law, five states have now enacted their own laws. We previously provided a summary of the California, Virginia, and Colorado laws (available here), and Connecticut and Utah have since enacted new privacy laws. The Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA) was signed into law on May 10, 2022 and is scheduled to take effect on July 1, 2023. The Utah Consumer Privacy Act (UCPA) was signed into law on March 24, 2022 and is scheduled to take effect on December 31, 2023. The CTDPA and UCPA are similar to the recently enacted Colorado Privacy Act (CPA) and Virginia Consumer Data Protection Act (VCDPA) in many respects, but there are some key differences among these laws and the California Consumer Privacy Act (CCPA), which took effect in 2020 and was amended by the California Privacy Rights Act (CPRA). To help businesses plan for compliance, Keller and Heckman LLP has created a side-by-side comparison of some of the key provisions of each law, along with an overview of some recently introduced federal privacy bills. Click here to read the full article.

Sheila A. Millar, Tracy P. Marshall

Alvaro Bedoya, a Democrat, was confirmed on May 11, 2022, to serve as the fifth Commissioner of the Federal Trade Commission (FTC). With the Senate deadlocked at 50-50 along partisan lines, Vice President Kamala Harris cast the tie-breaking vote. Bedoya replaces former Commissioner Rohit Chopra, who left the FTC last October to lead the Consumer Financial Protection Bureau. Bedoya will serve for a term of seven years (beginning September 26, 2019).

Bedoya founded the Center on Privacy and Technology at Georgetown University Law Center, where he was a Visiting Professor of Law. His academic work centered on privacy law, particularly the effects of facial recognition technology on race and gender. Prior to his tenure at Georgetown, Bedoya served as Chief Counsel of the U.S. Senate Judiciary Subcommittee on Privacy, Technology, and the Law, where he worked on issues relating to mobile location privacy and biometrics, drafted bipartisan legislation to protect victims of sexual assault, and helped draft the USA FREEDOM Act.

Bedoya’s confirmation comes on the heels of a debate in Congress over the Consumer Protection Remedies Act of 2022 (S.4145), which would empower the FTC to seek court orders for restitution, refunds, rescission of contracts, or disgorgement where the FTC believes a company has violated Section 13 of the Federal Trade Commission Act (FTCA).

Section 13(b) of the FTCA allows the FTC to pursue injunctions against ongoing or future violations in court, and for years the FTC had requested – and courts had granted – equitable and monetary relief in the form of refunds or restitution. In April 2021, however, a unanimous Supreme Court held in AMG Capital Management that the clear language of Section 13(b) does not authorize such equitable monetary relief orders. The Consumer Protection Remedies Act would expressly authorize those orders. The FTC does have authority to seek monetary relief under the provisions of Section 19 of the FTCA, but the FTC seeks expanded authority to go directly to court to obtain both monetary and injunctive relief.

Currently, there is no House companion to the Consumer Protection Remedies Act, and some industry groups have raised objections to an expansion of FTC authority.

Sheila A. Millar, Anushka N. Rahman

In a complaint dated April 12, 2022, the Federal Trade Commission (FTC) brought its first action under the new Made in USA Labeling Rule (the Rule) against Lithionics Battery LLC (Lithionics) and its owner, Steven Tartaglia, for falsely advertising Lithionics’ lithium-ion batteries as USA-made.

According to the FTC’s complaint, from at least 2018 until at least August 30, 2021, Lithionics advertised its lithium-ion batteries as American-made by labeling its products “Proudly Designed and Built in USA” alongside an image of the American flag. The company repeated similar claims on its social media pages and on its website, where the “Made in USA” link stated that the company’s “battery systems are engineered and manufactured in Clearwater, FL USA …” In addition, the company’s marketing materials included a *chart that emphasized the “‘advantage[s]’ of Lithionics’ battery systems over imported competing products,” when in fact, all Lithionics batteries included foreign sourced lithium-ion cells and “significant other imported components.”

The Rule, which took effect on August 13, 2021, codifies the FTC’s long-established enforcement policy statement on U.S. origin claims. It prohibits companies from labeling products as “Made in USA” (MUSA) unless: (1) “the final assembly or processing of the product occurs in the United States”; (2) “all significant processing that goes into the product occurs in the United States”; and (3) “all or virtually all ingredients or components of the product are made and sourced in the United States.” While the Rule does not impose new responsibilities on businesses, it authorizes the FTC to issue rules relating to MUSA labeling and to seek civil penalties for violations of the Rule’s provisions. It also adds a new partial or full exemption for businesses who can demonstrate that “application of the rule’s requirements to a particular product or class of product is not necessary to prevent the acts or practices to which the rule relates.”

Under the proposed stipulated order, Lithionics and its owner would have to pay a civil penalty of $105,319.56, which an FTC press release explains is equivalent to three times Lithionics’ profits from its illegal activities. The company is required to notify affected consumers that the batteries they purchased were not in fact USA-made and is barred from claiming, expressly or impliedly, that its products are MUSA unless it can prove that those products meet the Rule’s three requirements for such assertions. In the case of partial MUSA claims, the company must ensure that a clear and conspicuous qualification “appears immediately adjacent to the representation that accurately conveys the extent to which the product contains foreign parts, ingredients or components, and/or processing.” For “Assembled in USA” type claims, the company would need proof that “the product is last substantially transformed in the United States, the product’s principal assembly takes place in the United States, and United States assembly operations are substantial.”

Although the case against Lithionics and its owner is the first since the FTC finalized the Rule, the prohibitions under the proposed stipulated order are similar to those imposed under orders the Commission previously issued to other companies for false MUSA claims (see, for example, the FTC’s Decision and Order In the Matter of Sandpiper of California, Inc. and Pipergear USA, Inc.). Where this stipulated order differs is the civil penalty. Over the past six months, the Commission has revived and expanded its Penalty Offense Authority under Section 5(m)(1)(B) of the FTC Act to support settlement amounts. Under the Penalty Offense Authority, companies could face civil penalties of up to $46,517 per violation. While the proposed penalty in this case is much lower than the millions that have been assessed against other companies for false or misleading marketing claims, this enforcement action demonstrates the FTC’s ongoing commitment to cracking down on false MUSA claims. Companies should consider themselves on notice that the FTC can and will enforce against false MUSA claims, and the penalties can be significant.

All case documents are available here (*Exhibit D with chart referred to above was omitted).

Sheila A. Millar, Tracy P. Marshall

As cyberattacks from a myriad of sources continue to proliferate and target organizations of all types and sizes, the Cybersecurity and Infrastructure Security Agency (CISA) continues to update its Shields Up webpage with specific cybersecurity guidance for organizations, CEOs, business leaders, and individuals. The stated goal is to “reduce the likelihood of a damaging cyber intrusion, ensure that cybersecurity/IT personnel identify and quickly assess any unexpected or unusual network behavior, ensure that the organization is prepared to respond if an intrusion occurs, and maximize the organization’s resilience to a destructive cyber incident.” CISA offers recommendations for responding to all types of cyber incidents, including ransomware attacks, and for improving cyber hygiene.

The Shields Up webpage also provides cybersecurity news updates, useful background materials, and free cybersecurity services and tools from government partners and industry. The Shields Up program serves as a helpful reminder to both large and small organizations on how to prepare for, respond to, and mitigate the effects of cyberattacks.

Sheila A. Millar, Tracy P. Marshall, Peter Craddock

After the EU-U.S. Privacy Shield was rendered invalid by the Court of Justice of the European Union (CJEU) in July 2020, and following a prior challenge to the U.S.-EU Safe Harbor, many businesses operating on both sides of the pond scrambled to find other ways to protect data flows between the EU and U.S. that meet the EU General Data Protection Regulation (GDPR) adequacy standards. Now it appears that a replacement is finally on the horizon. On March 25, 2022, the White House announced that the U.S. and EU have committed to a new Trans-Atlantic Data Privacy Framework (Framework) to facilitate data flows from the EU to the United States and address concerns raised by the CJEU when it struck down the European Commission’s adequacy decision underlying the EU-U.S. Privacy Shield Framework in 2020.

Having worked through two prior frameworks that both governments previously supported, businesses are asking if the new Framework can solve the difficulties that undermined its predecessors. According to the White House press release, the Framework will address the CJEU’s concern in Schrems II, in which the court held that U.S. surveillance activities left EU citizens without a judicial remedy for potential privacy violations by the U.S. government. The new Framework pledges to “strengthen the privacy and civil liberties safeguards governing U.S. signals intelligence activities; establish a new redress mechanism with independent and binding authority; and enhance its existing rigorous and layered oversight of signals intelligence activities.”

The White House gives several examples of how the Framework will address the CJEU’s focus on “surveillance” by the U.S. government, namely:

  • Signals intelligence collection may be undertaken only where necessary to advance legitimate national security objectives and must not disproportionately impact the protection of individual privacy and civil liberties;
  • EU individuals may seek redress from a new multi-layer redress mechanism that includes an independent Data Protection Review Court that would consist of individuals chosen from outside the U.S. Government who would have full authority to adjudicate claims and direct remedial measures as needed; and
  • U.S. intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards.

The Framework’s commitments appear to be a step towards addressing issues raised in the Schrems II decision, and the additional redress mechanisms outlined by the White House provide an independent means for EU residents to raise privacy concerns. However, because details are not yet available, businesses face uncertainty as to whether there will be challenges to the new Framework. To complicate matters, the recent Supreme Court case FBI v. Fazaga granted the U.S. government greater leeway in invoking the state secrets privilege, making it more difficult for both U.S. and EU citizens to challenge surveillance intrusions by the U.S. government in American courts. The interplay between the rights described in the White House press release about the new Framework and U.S. legal precedent requires further analysis.

For the time being, businesses that transfer data between the EU and U.S. can continue using the “adequacy” method they currently employ, provided they take into account the Schrems II judgment and the European Data Protection Board’s recommendations on supplementary measures. The Danish Data Protection Agency has already stressed that the new Framework is still just an agreement in principle and current transfer justification requirements still apply.

For assistance on options to transfer data between the EU and U.S., please contact our Privacy and Data Security team.

Sheila A. Millar, Tracy P. Marshall

In 2014, with childhood obesity on the rise in the United States, tech company Kurbo, Ltd. (Kurbo) marketed a free app for kids that, according to the company, was “designed to help kids and teens ages 8-17 reach a healthier weight.” When WW International (WW) (formerly Weight Watchers) acquired Kurbo in 2018, the app was rebranded “Kurbo by WW,” and WW continued to market the app to children as young as eight. But according to the Federal Trade Commission (FTC), Kurbo’s privacy practices were not exactly child-friendly, even if its app was. The FTC’s complaint, filed by the Department of Justice (DOJ) last month, claims that WW’s notice, data collection, and data retention practices violated the Children’s Online Privacy Protection Act Rule (COPPA Rule). WW and Kurbo, under a stipulated order, agreed to pay a $1.5 million civil penalty in addition to complying with a range of injunctive provisions. These provisions include, but are not limited to, deleting all personal information of children whose parents did not provide verifiable parental consent in a specified timeframe, and deleting “Affected Work Product” (defined in the order to include any models or algorithms developed in whole or in part using children’s personal information collected through the Kurbo Program).

Complaint Background

The COPPA Rule applies to any operator of a commercial website or online service directed to children that collects, uses, and/or discloses personal information from children and to any operator of a commercial website or online service that has actual knowledge that it collects, uses, and/or discloses personal information from children. Operators must notify parents and obtain their consent before collecting, using, or disclosing personal information from children under 13.

The complaint states that children enrolled in the Kurbo app by signing up through the app or having a parent do it on their behalf. Once on Kurbo, users could enter personal information such as height, weight, and age, and the app then tracked their weight, food consumption, and exercise. However, the FTC alleges that Kurbo’s age gate was porous, requiring no verification process to establish that children who affirmed they were over 13 were the age they claimed to be or that users asserting they were parents were indeed parents. In fact, the complaint alleges that the registration area featured a “tip-off” screen that gave visitors just two choices for registration: the “I’m a parent” option or the “I’m at least 13” option. Visitors saw the legend, “Per U.S. law, a child under 13 must sign up through a parent” on the registration page featuring these choices. In fact, thousands of users who indicated that they were at least 13 were younger and were able to change their information and falsify their real age. Users who lied about their age or who falsely claimed to be parents were able to continue to use the app. In 2020, after a warning from the FTC, Kurbo implemented a registration screen that removed the legend and the “at least 13” option. However, the new process failed to provide verification measures to establish that users claiming to be parents were indeed parents.

Kurbo’s notice of data collection and data retention practices also fell short. The COPPA Rule requires an operator to “post a prominent and clearly labeled link to an online notice of its information practices with regard to children on the home or landing page or screen of its Web site or online service, and, at each area of the Web site or online service where personal information is collected from children.” But beginning in November 2019, Kurbo’s notice at registration was buried in a list of hyperlinks that parents were not required to click through, and the notice failed to list all the categories of information the app collected from children. Further, Kurbo did not comply with the COPPA Rule’s mandate to keep children’s personal information only as long as reasonably necessary for the purpose it was collected and then to delete it. Instead, the company held on to personal information indefinitely unless parents specifically requested its removal.

Stipulated Order

In addition to imposing a $1.5 million civil penalty, the order, which was approved by the court on March 3, 2022, requires WW and Kurbo to:

  • Refrain from disclosing, using, or benefitting from children’s personal information collected in violation of the COPPA Rule;
  • Delete all personal information Kurbo collected in violation of the COPPA Rule within 30 days;
  • Provide a written statement to the FTC that details Kurbo’s process for providing notice and seeking verifiable parental consent;
  • Destroy all affected work product derived from improperly collecting children’s personal information and confirm to the FTC that deletion has been carried out;
  • Delete all children’s personal information collected within one year of the user’s last activity on the app; and
  • Create and follow a retention schedule that states the purpose for which children’s personal information is collected, the specific business need for retaining such information, and criteria for deletion, including a set timeframe no longer than one year.

Implications of the Order

Following the U.S. Supreme Court’s decision in AMG Capital Management, LLC v. Federal Trade Commission, which halted the FTC’s ability to use its Section 13(b) authority to seek monetary penalties for violations of the FTC Act, the FTC has been pushing Congress to grant it greater enforcement powers. In the meantime, the FTC has used other enforcement tools, including the recent resurrection of the agency’s long-dormant Penalty Offense Authority under Section 5(m)(1)(B) of the FTC Act and a renewed willingness to use algorithmic disgorgement (which the FTC first applied in the 2019 Cambridge Analytica case).

Algorithmic disgorgement involves “requir[ing] violators to disgorge not only the ill-gotten data, but also the benefits—here, the algorithms—generated from that data,” as then-Acting FTC Chair Rebecca Kelly Slaughter stated in a speech last year. This order appears to be the first time algorithmic disgorgement was applied by the Commission in an enforcement action under COPPA.

Children’s privacy issues continue to attract the attention of the FTC and lawmakers at both federal and state levels. Companies that collect children’s personal information should be careful to ensure that their privacy policies and practices fully conform to the COPPA Rule.

Peter Craddock

“Dark patterns” – social media platform interfaces that can lead users to make unintended and potentially harmful decisions regarding the processing of their personal data – are a subject of increasing scrutiny in the EU. New guidelines of the European Data Protection Board (EDPB) on “dark patterns in social media platform interfaces” confirm the focus of EU authorities on such practices. The guidelines contain lessons for all websites and applications. The bad news for marketers: the EDPB doesn’t always like it when dry legal language is made catchier or dull interfaces more enticing.

To illustrate, in a section of the guidelines regarding the selection of an account profile photo, the EDPB considers the example of a “help/information” prompt saying “No need to go to the hairdresser’s first. Just pick a photo that says ‘this is me.’” According to the EDPB, such a practice “can impact the final decision made by users who initially decided not to share a picture for their account” and thus makes consent invalid under the General Data Protection Regulation (GDPR). In another example, the EDPB criticises a cookie banner with a humorous link to a bakery’s cookie recipe that incidentally says “we also use cookies,” stating that “users might think they just dismiss a funny message about cookies as a baked snack and not consider the technical meaning of the term ‘cookies.’” The EDPB even suggests that the data minimisation principle, and not security concerns, should ultimately guide an organisation’s choice of which two-factor authentication method to use.

Do these new guidelines reflect privacy paranoia or common sense? The answer should lie somewhere in between, but the whole document (64 pages long) in our view suggests an overly strict approach, one that we hope will move closer to common sense as a result of a newly started public consultation process.

Click here for our analysis of what useful lessons – or warnings – can be drawn from the EDPB’s new guidelines.