Sheila Millar, Antonia Stamenova-Dancheva, Anushka N. Rahman

On July 13, 2023, a three-judge Ninth Circuit panel denied Google’s challenge of its earlier decision in Jones v. Google, which held that state privacy law claims in a putative class action are not preempted by the federal Children’s Online Privacy Protection Act (COPPA). The December decision reversed a lower court’s dismissal of the action on the grounds that COPPA preempted identical state law claims. Google petitioned the Ninth Circuit to have the case reheard by the full court, and the panel asked the Federal Trade Commission (FTC) to weigh in on the preemption question. In May, the FTC submitted an amicus brief in support of the Ninth Circuit’s finding that COPPA does not preclude identical state law claims. The panel’s decision affirms its December opinion and amends it to note the FTC’s support. 


Sheila Millar, Tracy P. Marshall

The Children’s Online Privacy Protection Act Rule (COPPA Rule) requires that online sites and services directed to children under 13 obtain parental consent before collecting or using children’s personal information and lists existing methods for such consent. Now the Federal Trade Commission (FTC) is seeking comments on whether it should expand its parental consent methods to include a potential new mechanism. On July 20, 2023, the FTC published a notice in the Federal Register seeking comments on an application from the Entertainment Software Rating Board (ESRB) and tech companies Yoti and SuperAwesome that proposes using facial age estimation technology that analyzes the geometry of the face to confirm a person is an adult. The deadline for comments is August 21, 2023.


Sheila Millar, Ales Bartl

On March 30, 2022, the European Commission (EC) unveiled a proposal for a framework eco-design regulation aimed at creating a policy framework for sustainable products. Among the tools proposed by the EC is the EU Digital Product Passport (DPP), a product-specific data set that would apply to nearly all non-food products sold in the EU and would require disclosure of a vast array of information, much of it currently deemed confidential business information. Through DPPs, both competent authorities and users across the supply chain will have access to information including origin, materials, and sustainability and recyclability, via a scannable QR code. DPPs are intended to promote circularity and economic growth, help consumers make sustainable choices, and improve enforcement. If adopted as envisaged in 2024, the DPP framework would likely enter into force in 2027. In addition to environmental and product safety considerations, intellectual property rights, usefulness of the data, privacy and security are all important issues for affected companies to consider.


Sheila Millar, Tracy P. Marshall

After an extended public comment period, the Federal Trade Commission (FTC) adopted revised Guides Concerning the Use of Endorsements and Testimonials in Advertising (Endorsement Guides) on June 29, 2023. As we previously posted, the FTC voted to publish proposed revisions for public comment in May 2022. The updated Endorsement Guides and companion FAQs, which include 40 new questions, are intended to provide more specific guidance for companies that engage third parties to promote their brands, products, and services, or which encourage consumers or their own employees or agents to do so. The revisions better reflect the ways companies advertise now, and they address issues such as online influencers, social media tools, fake reviews, virtual or fabricated endorsers, and children’s advertising.


Peter Craddock, Fadia Ajmida

What kinds of processing are necessary for the performance or conclusion of a contract?

This is one of the questions the Court of Justice of the European Union (CJEU) was asked to examine in case C-252/21 between Meta Platforms and the German Federal Cartel Office, in which it delivered a judgment on July 4th, 2023.

Before we look at the judgment, it is useful to recall that the General Data Protection Regulation (GDPR) allows the processing of personal data to be based on “contract” as a legal ground (as opposed to e.g., legitimate interests, consent, and others). The European Data Protection Board has repeatedly referred to the need for an “objective link” between that processing and the contractual framework, and a controller must demonstrate such necessity, in accordance with its accountability obligation. 

This case specifically examined the question of whether certain processing activities were effectively justified by “contract” as a legal ground in the context of a provision of an online social media service.

The CJEU held that this necessity must be demonstrated, and that the criterion is that the processing must be “objectively indispensable.” In its reasoning, however, the CJEU made an unusual factual assessment regarding personalized services – comments that may have far-reaching implications and may create significant uncertainty.

It is worthwhile quoting key excerpts to show the CJEU’s reasoning:

  • “98. […] in order for the processing of personal data to be regarded as necessary for the performance of a contract, within the meaning of that provision, it must be objectively indispensable for a purpose that is integral to the contractual obligation intended for the data subject. The controller must therefore be able to demonstrate how the main subject matter of the contract cannot be achieved if the processing in question does not occur.”
    • This means, in practice, not only that without the processing, the contract could not be performed, but also that internal documentation is required to be able to support the “contract” as a legal ground.
  • “99. The fact that such processing may be referred to in the contract or may be merely useful for the performance of the contract is, in itself, irrelevant in that regard. The decisive factor for the purposes of applying the justification set out in point (b) of the first subparagraph of Article 6(1) of the GDPR is rather that the processing of personal data by the controller must be essential for the proper performance of the contract concluded between the controller and the data subject and, therefore, that there are no workable, less intrusive alternatives.”
    • This suggests that controllers can establish necessity by showing that “less intrusive alternatives” are not workable.

So far, so good. These paragraphs of the CJEU’s judgment show that it is possible to properly justify reliance on “contract” as a legal ground if the service description is not artificial and there are objective reasons to build a service in a particular manner.

However, a little further, the CJEU provides a very significant caveat to this reasoning, by providing its own factual analysis of “personalisation”:

  • “102. As regards, first, the justification based on personalised content, it is important to note that, although such a personalisation is useful to the user, in so far as it enables the user, inter alia, to view content corresponding to a large extent to his or her interests, the fact remains that, subject to verification by the referring court, personalised content does not appear to be necessary in order to offer that user the services of the online social network. Those services may, where appropriate, be provided to the user in the form of an equivalent alternative which does not involve such a personalisation, such that the latter is not objectively indispensable for a purpose that is integral to those services.”
    • The CJEU always makes an assessment of the way in which EU law should be interpreted and it normally uses the facts of the case purely as context, in order to understand the questions asked to it. This particular paragraph contains an opinion on the facts themselves – in the CJEU’s view (and it was likely provided extensive background on the facts), content personalisation is not objectively indispensable to the provision of “the services of the online social network.” It may be difficult for a national judge (mentioned through the wording “subject to verification by the referring court”) to reach an opposite conclusion, though, due to the moral authority of the CJEU. This makes this particular paragraph unusual.

Next to being unusual, this particular paragraph raises significant questions for other controllers who might rely on “contract” in the context of the provision of personalised services. After all, if personalisation of a social media service is not deemed to be objectively indispensable by the CJEU, what is? The statement also appears to contradict the CJEU’s position that the absence of workable and less intrusive alternatives shows necessity: in our experience, businesses (like Meta and all others) do not usually randomly choose to offer a service in a personalised or non-personalised manner; there are normally objective reasons internally for disregarding or moving away from a particular business model. Yet, the CJEU seems to suggest that a non-personalised social media service is, in any event, workable, without any obvious justification for this position. In this context, this particular paragraph appears unfortunate, as it creates, in our view, a risk that supervisory authorities (whether of their own initiative or spurred on by complaints) and courts might consider without apparent justification that a particular alternative that has been disregarded or left behind by a controller (for valid reasons) is in fact workable. This may even happen to controllers who have built a service as a personalised service from the very beginning.

If anything, this ruling shows the need to carefully consider documentation and the justification for using “contract” as a legal ground.

The judgment is available online, in multiple languages.

For any questions on data protection issues or on how to document necessity of processing, reach out to Peter Craddock or any other member of the Keller and Heckman LLP data law team.

Peter Craddock

Until now, fines by the Belgian Data Protection Authority (BDPA) had, compared to its neighbouring countries (France, Luxembourg, and the Netherlands), appeared on the low side in absolute numbers.

Last year we carried out an analysis of over 300 fines related to (alleged) infringements of the General Data Protection Regulation (GDPR), including the top 250 fines imposed on companies with an identified or identifiable turnover, and Belgium appeared in 18th position among EU data protection authorities when comparing the average of the fines examined.

A judgment of 14 June 2023 of the Belgian Market Court (the division of the Court of Appeal of Brussels) may have the indirect effect of significantly changing this.

That judgment followed an appeal by a controller (in this case, bpost, the largest Belgian postal services company) against a 10.000 EUR fine. The Market Court has often overruled decisions by the Belgian Data Protection Authority on procedural grounds, as well as on the merits, i.e., the actual assessment of allegations of infringements, but in this particular case, it confirmed the Belgian Data Protection Authority’s decision in those respects.

It nevertheless decided to follow the controller’s arguments that the fine itself was not properly justified and reduced the fine to a symbolic Euro.

Preliminary point: do GDPR fines have to be paid even pending an appeal?

In Belgium, the tax authorities are the ones who send a request for payment to a controller or processor fined by the Belgian Data Protection Authority, and the procedure they follow is wholly separate from the appeals process.

In addition, the law instituting the Belgian Data Protection Authority does not foresee an automatic stay of enforcement in case of an appeal. Since a Market Court judgment that we obtained in September 2020, it is nevertheless possible to obtain a stay of enforcement, including the payment of fines, while an appeal against a Belgian Data Protection Authority decision is pending, but the Market Court has refined its approach over the years and imposes strict conditions.

In this particular case, the text of the Market Court judgment shows that the fine was paid, and reimbursement was requested.

Why was the fine reduced, and what was the Market Court’s reasoning?

The Market Court explains its reasoning as follows in its judgment (rough translation from the original Dutch):

“The Market Court tries to detect which methodology the Litigation Chamber [of the BDPA] applies that allows it to render objective the choice of sanction, including the number of possible fines.

The Market Court agrees with [the relevant controller] that the Litigation Chamber has in a manifestly insufficient manner taken into account, in the determination of the amount of the fine, the specific situation and context […] and the following mitigating circumstances.”

The Market Court goes on to list a range of circumstances that should have been taken into account when assessing the fine, including the fact that the Data Protection Officer’s advice had been sought and the fact that no damages were claimed by data subjects.

Based on that, the Market Court says that the data protection fine is not “properly” justified, from a factual perspective or from a legal perspective.

What does this mean for the future – a new methodology for GDPR fines?

The Litigation Chamber of the Belgian Data Protection Authority has, over time, improved its decision-making process to take into account all of the criticisms from the Market Court, with more detailed decisions and a more balanced process as a result.

In this case, because the Market Court said that it was “[trying] to detect” which methodology was used and that the fine itself was not “properly” justified, it is likely that the Belgian Data Protection Authority will reflect on how to improve the clarity of its methodology for determining which sanction to apply and for determining the amount of a fine.

This could easily be achieved in two ways: by publishing its current methodology or by adopting one that is already public, such as the one finalised on 24 May 2023 by the European Data Protection Board (EDPB), the group of all supervisory authorities within the European Union.

What is the EDPB fining methodology?

The EDPB issues recommendations and guidelines, as well as binding decisions in cross-border cases where there is a disagreement among the supervisory authorities involved in a case.

In its Guidelines 04/2022 on the calculation of administrative fines under the GDPR, as finalised in May 2023, the EDPB proposed the following methodology for calculating GDPR fines:

  1. Identification of the processing operations in the case and evaluation of the application of Article 83(3) GDPR
  2. Identification of the starting point for further calculation of the amount of the fine (by evaluating the classification of the infringement in the GDPR, evaluating the seriousness of the infringement in light of the circumstances of the case, and evaluating the turnover of the undertaking)
  3. Evaluation of aggravating and mitigating circumstances related to past or present behaviour of the controller/processor, and increasing or decreasing the fine accordingly
  4. Identification of the relevant legal maximums for the different infringements (increases applied in previous or next steps cannot exceed this maximum amount)
  5. Analysis of whether the calculated final amount meets the requirements of effectiveness, dissuasiveness, and proportionality, and adjusting the fine accordingly (without exceeding the relevant legal maximum)

Step 2, in particular, takes the form of a mathematical formula – we published DeFine, a tool to help use the 2022 version of the formula (when the guidelines were still merely subject to public consultation and not yet finalised). We will be updating it in the coming weeks to take into account some increases that the finalisation in 2023 has brought with it.

Based on our aforementioned assessment of GDPR fines, use of this methodology would likely lead, throughout the European Union, to higher GDPR fines, purely because the percentages for the “starting point” of the calculation are already higher than those applied in practice by supervisory authorities.

In practice, therefore, adoption of the EDPB methodology would likely trigger (much) higher GDPR fines in Belgium.

Would this not happen anyway?

Since the adoption of the finalised EDPB guidelines, the Belgian Data Protection Authority has already referenced them in a recent decision (available in French) when assessing which mitigating and aggravating circumstances must be taken into account. It is, therefore, already possible that in future fining decisions, the Belgian Data Protection Authority would, in any event, have applied the EDPB fining methodology.

In that context, the Market Court judgment of 14 June 2023 may end up being an additional trigger that accelerates adoption by the Belgian Data Protection Authority of the EDPB fining methodology.

What should I do if my company or organisation is under investigation?

In practice, organisations facing regulatory investigations regarding alleged GDPR infringements – in Belgium or elsewhere – always have to prepare their legal defence well, and the adoption of a new methodology (or publication of an existing one) merely reinforces the need to ensure that you have a team to support you, both internally (in-house legal team, data protection specialists, product teams, communication team) and externally (external legal counsel) in handling such an investigation.

And make sure that you are prepared to challenge the newly adopted methodology, too!

In that context, if you require any assistance in that respect or for any data governance, AI governance, or technology law issues, reach out to Peter Craddock or our Data & Tech team.

Where can I find the new judgment of the Market Court?

The Market Court judgment of 14 June 2023 is available online in Dutch.

Sheila Millar, Anushka N. Rahman

On May 23, 2023, the U.S. Federal Trade Commission (FTC) held a public workshop to examine recyclable claims as part of its review of the Guides for the Use of Environmental Marketing Claims (Green Guides). The workshop was split into three panels, discussing current trends, consumer perception, and potential updates to the Commission’s current guidance on recyclable claims.

While recyclable claims for aluminum, paper, glass, and plastics were all discussed during the workshop, the bulk of the discussion focused on the recycling of plastic waste. Panelists addressed several topics, including the following:

  • Should the “substantial majority” basis for an unqualified recyclable claim be changed?
  • Should ability to be recycled or actual reprocessing be considered?
  • Should the Green Guides recognize advanced recycling technologies for plastics?
  • What is the role of the resin identification code (RIC)?
  • Should the FTC engage in a rulemaking to create federal requirements for recyclable claims?

It remains to be seen if information from the workshop will result in changes to the Green Guides or if the FTC elects to initiate a rulemaking to make the Guides binding, but the latter seems unlikely. We provide more details regarding topics discussed during the workshop here.

Sheila Millar, Antonia Stamenova-Dancheva, Anushka N. Rahman

On May 3, 2023, the U.S. Consumer Product Safety Commission (CPSC) issued a provisional order with a $15.8 million civil penalty against Wisconsin-based Generac Power Systems, Inc. (Generac) over charges that for more than two years, Generac failed to report serious hazards caused by some of its portable generators. According to the CPSC, from October 2018 to 2020, Generac was aware of defects in 32 models of its portable generators. During that time and prior to Generac reporting to the CPSC in 2020, five consumers reported suffering finger amputations caused by unlocked handles on the generators. On July 29, 2021, a recall of the portable generators was jointly announced by the company and CPSC.

Section 15(b) of the Consumer Product Safety Act (CPSA) requires manufacturers of consumer products to report to the CPSC defects that could create a substantial product hazard. Section 19 of CPSA makes it illegal to delay such reporting, and companies who fail to comply can be liable for both civil and criminal penalties. In addition to the fine, the settlement agreement requires Generac to implement and maintain a detailed compliance program and system of internal controls to ensure compliance with CPSA. Generac must report to CPSC annually for three years on the actions the company has taken to ensure compliance and must retain CPSC compliance-related records for at least five years. The Commission vote to approve the provisional settlement agreement was 4-0, despite disagreement among commissioners over the penalty amount.

Commissioner Richard Trumka warned that “this Commission will use every tool at its disposal to stop bad actors from harming consumers, including maximum civil penalties and, where warranted, criminal referrals.” He was joined in his support for the penalty amount by Chair Alexander Hoehn-Saric and Commissioner Mary Boyle. Commissioner Peter Feldman, while also voting to approve the settlement, disagreed with the amount of the penalty, which was close to the maximum statutory amount ($120,000 for each violation, and $17,150,000 for any related series of violations). He suggested that imposing the maximum fine in failure-to-report cases should be reserved for cases “where a product hazard results in death, poses a significant risk of death from incidents such as fires, or where there are aggravating factors such as a history of misconduct by the company’s senior management.” Commissioner Feldman also voiced concern about what he considers a lack of consistency in CPSC’s civil penalty structure. He noted that the case did not involve fatalities, and Generac was a first-time offender. He wrote, “A reasonable reading of the evidence in this case could support a conclusion that the initial reporting delay was born out of a failure to appreciate the nature of the hazard rather than a concealment of the problem from CPSC.”

Indeed, CPSC’s penalty calculus has remained somewhat of a mystery in recent failure-to-report cases. For example, on January 25, 2022, CPSC issued a provisional order fining fitness equipment manufacturer Core $6.5 million for failing to immediately disclose 55 incidents tied to defects in Core’s cable crossover machines between 2012 and 2017. While 11 of those injuries involved head lacerations, none resulted in death. More than five months later, on July 5, 2022, the CPSC issued a provisional order fining portable fan and heater maker Vornado $7.5 million – less than half of Generac’s civil penalty – after Vornado did not immediately notify the CPSC of multiple consumer reports of overheating and fire involving their VH101 Personal Vortex electric space heater, including one fire that allegedly resulted in the death of a 90-year-old man.

One possible explanation for CPSC’s decision to seek a much higher (and near maximum) penalty in the Generac matter is that the Commission is making good on Chair Hoehn-Saric’s warning following the Vornado settlement that “while the penalty announced today is significant, companies should be on notice that the agency will be even more aggressive in the future.” Facts, of course, do vary, and there is considerable subjectivity in decisions about whether a product has a “defect” that could create a potential safety risk. The stakes involved in these decisions, however, appear to be increasing.

Sheila Millar

The FTC has said it numerous times: If your products – including their components – are not actually “all or virtually all” made in America, marketers should not label them as “Made in USA (MUSA).” The FTC’s latest enforcement action for false MUSA advertising against North Carolina-based motocross and ATV parts company, Cycra, is a reminder of just how seriously the FTC takes failures to comply with its 2021 Made in USA Labeling Rule (MUSA Rule). It’s also a reminder that words matter.

The FTC’s complaint, announced on April 18, 2023, states that from 2019 to at least May 31, 2022, Cycra claimed in its online marketing and on its packaging that its products are made in the U.S. The company’s website and social media accounts featured ads stating: “Proudly designed, developed and manufactured in Lexington, North Carolina,” “Proudly made in the USA,” and “Made in the USA.” On its packaging, Cycra labeled more than 150 products with the words “Made in the USA” alongside an image of the U.S. flag. In reality, however, according to the FTC, Cycra routinely used components imported from Asia and Europe, and on at least two occasions, U.S. Customs and Border Patrol (CBP) officers flagged Cycra shipments of finished products imported from Taiwan bearing MUSA labels. The complaint also alleges that the CEO controlled or had authority to control, or participated in, the alleged violative practices, had direct knowledge of the company’s overseas business dealings, and was the primary point of contact with CBP agents.

The MUSA Rule prohibits marketers from labeling products as “Made in USA” unless:

(1) “the final assembly or processing of the product occurs in the United States”;

(2) “all significant processing that goes into the product occurs in the United States”; and

(3) “all or virtually all ingredients or components of the product are made and sourced in the United States.”

A violation of the MUSA Labeling Rule is considered by the FTC to be an unfair or deceptive act or practice in violation of Section 5(a) of the FTC Act.

Under the FTC’s proposed consent order, Cycra and its CEO, Steven James, were fined $872,577. A total of $221,385 is due within 8 days, after which the rest of this penalty is suspended based on financial statements furnished by the company and James; it will be reinstated if either misrepresents the company’s or James’ personal financial condition. Both respondents are barred from representing that their products are “Made in the USA,” whether expressly or impliedly, unless:

  • The final assembly or processing of the product occurs in the U.S., all significant processing that goes into the product occurs in the U.S., and all or virtually all ingredients or components of the product are made and sourced in the U.S.; or
  • A clear and conspicuous qualification appears immediately adjacent to the representation that accurately conveys the extent to which the product contains foreign parts, ingredients, or components, and/or processing; or,
  • For a claim that a product is assembled in the U.S., the product is last substantially transformed in the U.S., the product’s principal assembly takes place in the U.S., and U.S. assembly operations are substantial.

Other injunctive provisions include a requirement to identify purchasers so the agency can administer redress, mandatory direct notices to purchasers, plus mandatory reporting on the notification program under penalty of perjury, and a mandatory cooperation clause. The proposed order also includes other customary terms, such as a prohibition on any misleading representation regarding the country of origin, record-keeping obligations, and compliance monitoring annually for 20 years. Both the company and James must submit reports detailing all business activities and how they are complying with the terms of the order.

Promises of “Made in the USA” can be enticing to consumers looking to support businesses that offer homegrown products. But companies promoting their products or services as American-made need to remember that FTC expects them to abide by the MUSA Rule, and that failure to do so can be costly to both companies and executives.

Sheila Millar, Anushka N. Rahman

On April 19, 2023, the U.S. Consumer Product Safety Commission (CPSC or Commission) voted to adopt ASTM F2057-23 as a mandatory safety standard to prevent injuries and deaths of children from the tip-over of freestanding clothing storage units (CSUs). The newly adopted standard supersedes a prior CPSC safety standard for CSUs that was due to take effect May 24, 2023, and was passed to meet the requirements of the Stop Tip-overs of Unstable, Risky Dressers on Youth Act (STURDY Act or Act), which was signed into law on December 23, 2022. Adoption of the revised ASTM standard should help eliminate confusion and facilitate compliance by industry and will become mandatory 120 days from publication in the Federal Register (which has not yet occurred as of this writing). That means the likely effective date will be somewhere around the end of August.

The STURDY Act directs the CPSC to examine and assess the effectiveness of “any voluntary consumer product safety standards” for CSUs and promulgate a safety standard pursuant to the Act within one year. The standard applies to all CSUs 27 inches and above and requires testing that simulates the weight of children up to 60 pounds and accounts for real-world use—including the stability of the unit when placed on carpet, with items in drawers, with multiple open drawers, and with dynamic force. Warning labels for CSUs are also required. 

The Commission vote to approve the new standard was 3-1. In statements, Chair Alex Hoehn-Saric and Commissioner Peter Feldman welcomed the new standard, noting it enjoys broad consensus across industry and advocacy groups. Commissioner Richard Trumka, dissenting, issued a statement in which he characterized approval of the new rule as a “grave error” that went against prior advice of CPSC staff. However, Commissioner Mary Boyle noted in her statement approving the vote that the new rule, while different from the prior CPSC mandatory safety standard, is what Congress required under the STURDY Act. Commissioner Boyle concluded “that it is reasonable to determine that ASTM F2057-23 meets the requirements of STURDY” and will “make a meaningful difference for safety.”

CPSC estimates that from January 2000 through April 2022, CSU tip-overs were responsible for the deaths of 199 children and thousands of emergency room visits. The Commission’s vote ended nearly two decades of work and uncertainty on the issue of CSU tip-overs. With a final rule pending, industry and parents can feel reassured that all CSUs covered by the rule will be subject to the same safety standard. Notably, the final rule had the support of both the furniture industry and Parents Against Tip-Overs, an NGO that championed efforts to establish a mandatory safety standard.