By Sheila A. Millar and Tracy P. Marshall

On September 13, 2021, President Biden nominated Alvaro Bedoya for Commissioner of the Federal Trade Commission (FTC) to replace outgoing FTC Commissioner Rohit Chopra. Earlier this year, President Biden nominated Chopra to head the Consumer Financial Protection Bureau (CFPB). If confirmed, Bedoya would round out the slate of FTC commissioners and solidify the agency’s Democratic majority.

Bedoya is the founding director of the Center on Privacy and Technology at Georgetown University Law Center, where he is a visiting professor of law. He has a background in privacy law and policy, with a special interest in facial recognition technology. Bedoya’s work on facial recognition technology led the National Institute of Standards and Technology (NIST) to conduct the first comprehensive bias audit of face recognition algorithms and paved the way for a federal law that requires bias testing in airport face recognition systems, Section 1919 of the FAA Reauthorization Act of 2018. Previously, Bedoya served as the first chief counsel to the U.S. Senate Judiciary Subcommittee on Privacy, Technology and the Law.

Naming a nominee with a strong background in privacy to serve on the FTC is consistent with the Administration’s support for strengthening privacy and cybersecurity. This commitment is reflected in the Build Back Better Act, which earmarks $1 billion to create a new privacy bureau within the FTC dedicated to stopping unfair and deceptive acts and practices related to privacy violations, data security incidents, identity theft, and other data abuses.

By Sheila A. Millar and Tracy P. Marshall

As the Labor Day weekend approaches, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) are warning U.S. entities to remain alert and protect against the rising incidence of ransomware attacks over holidays and weekends. A joint cybersecurity advisory issued on August 31, 2021 reviews recent ransomware attacks that occurred over holiday weekends, describes some of the tactics, techniques, and procedures commonly used by ransomware attackers, and offers some best practices and mitigation strategies for entities that experience a ransomware or other data security incident. As ransomware and other types of cyberattacks become more frequent and sophisticated, and as U.S. and international data security and breach notification laws and reporting requirements become more stringent, it is important for all organizations to implement security programs and incident response plans, continuously assess their programs and plans, and monitor for threats.

According to the advisory, criminal cyberattacks have escalated dramatically in the last year. The number of ransomware attacks in particular increased by 20%, and ransom demands increased by 225%. And these numbers are continuing to rise. Most frequently, ransomware attackers use phishing or brute force on unsecured remote desktop protocol (RDP) endpoints to gain network access. Other common techniques identified in the advisory include precursor or dropper malware, exploitation of software or operating system vulnerabilities, exploitation of service providers with access to networks, and use of stolen credentials.

When cybercriminals infiltrate networks and databases, they often gain unauthorized access to personal information, including sensitive personal information like Social Security numbers, banking or credit card account information, and health information. Responding to ransomware and other attacks necessarily triggers a company’s data breach response plan.

Responding to any data breach, whether or not it is associated with a ransomware demand, requires good planning so that the organization is positioned to understand and comply with the myriad federal, state, and international notification and reporting requirements. For example, companies that are publicly traded must identify material risks to the business in their periodic reports to the U.S. Securities and Exchange Commission, and the Gramm-Leach-Bliley Act and Health Insurance Portability and Accountability Act impose notification and reporting requirements that may apply depending on the types of information compromised. In addition, many states have adopted a data security law, and all 50 states have enacted a data breach notification law (for an overview of U.S. data breach notification laws, click here).

Minimize Risk

The joint cybersecurity advisory offers the following guidance to minimize attacks:

  • Establish a baseline understanding of the network architecture and routine activity;
  • Review data logs to compare standard performance to suspicious or anomalous activity;
  • Watch out for unusual inbound and outbound network traffic, compromised administrator privileges or escalation of permissions on an account, theft of login and password credentials, a substantial increase in database read volume, geographical irregularities in access and login patterns, attempted user activity during anomalous logon times, attempts to access folders on a server that are not linked to the HTML within the pages of the web server, and baseline deviations in the type of outbound encrypted traffic;
  • Use intrusion prevention systems and automated security alerting systems;
  • Employ honeytokens to track data outside the network; and
  • Use cyber hygiene services.
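One way to turn the baseline-and-deviation guidance above into detection logic, shown here as an added example that is not part of the advisory or of this post: the script learns each user's normal countries and database read volume from a baseline day, then flags later logons outside business hours, logons from a country not seen in the baseline, and read volumes far above the user's baseline. The record format, the business-hours window, the spike factor and the sample records themselves are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not taken from the advisory). Each tuple is
# (timestamp, user, source country, event type, value); value is the number
# of rows read for "db_read" events and unused for "logon" events.
EVENTS = [
    ("2021-09-03T09:12:00", "alice", "US", "logon", 0),
    ("2021-09-03T10:05:00", "alice", "US", "db_read", 1200),
    ("2021-09-03T11:40:00", "bob", "US", "logon", 0),
    ("2021-09-03T13:00:00", "bob", "US", "db_read", 900),
    ("2021-09-04T02:17:00", "alice", "RO", "logon", 0),        # off-hours, new country
    ("2021-09-04T02:30:00", "alice", "RO", "db_read", 48000),  # read-volume spike
]

# Hypothetical baseline of routine activity: logons between 07:00 and 19:59.
BUSINESS_HOURS = range(7, 20)


def build_baseline(events, baseline_days):
    """Learn, per user, the countries seen and the mean db read volume
    during the baseline days (a set of 'YYYY-MM-DD' strings)."""
    countries = defaultdict(set)
    reads = defaultdict(list)
    for ts, user, country, event, value in events:
        if ts[:10] in baseline_days:
            countries[user].add(country)
            if event == "db_read":
                reads[user].append(value)
    mean_reads = {u: sum(v) / len(v) for u, v in reads.items() if v}
    return countries, mean_reads


def detect_anomalies(events, baseline_days, spike_factor=10):
    """Return (timestamp, user, reason) findings for events after the
    baseline that deviate from the learned routine activity."""
    countries, mean_reads = build_baseline(events, baseline_days)
    findings = []
    for ts, user, country, event, value in events:
        if ts[:10] in baseline_days:
            continue  # baseline events are the reference, not candidates
        hour = datetime.fromisoformat(ts).hour
        if event == "logon":
            if hour not in BUSINESS_HOURS:
                findings.append((ts, user, "logon outside baseline hours"))
            if user in countries and country not in countries[user]:
                findings.append((ts, user, f"logon from new country {country}"))
        elif event == "db_read":
            base = mean_reads.get(user)
            if base and value > spike_factor * base:
                findings.append((ts, user,
                                 f"db read volume {value} exceeds "
                                 f"{spike_factor}x baseline {base:.0f}"))
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(EVENTS, {"2021-09-03"}):
        print(finding)
```

In practice the baseline would be learned over weeks rather than one day and the thresholds tuned per environment; the point of the example is that each indicator in the list becomes a comparison against recorded routine activity, which is only possible if that baseline was captured beforehand.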

Mitigation

The FBI and CISA also advise that organizations implement mitigation strategies to reduce the likelihood of compromise and loss in the event of an attack, such as the following:

  • Continuously and actively monitor for ransomware threats over holidays and weekends, and assign IT security employees who will be “on call” during these times;
  • Make an offline data backup;
  • Advise individuals to not click on suspicious links;
  • Secure and monitor RDP or other potentially risky services;
  • Update the organization’s operating system (OS) and software;
  • Scan for vulnerabilities;
  • Require strong passwords;
  • Use multifactor authentication;
  • Secure network(s): implement segmentation, filter traffic, and scan ports;
  • Secure user accounts; and
  • Implement an incident response plan.

In the event of a ransomware attack, the FBI and CISA recommend turning off all networked devices and isolating the infected system from all networks and any other potential networking capabilities.

The pre-Labor Day joint cybersecurity advisory is a timely reminder that because cybercriminals increasingly target organizations over holidays and weekends when staffing may be reduced, it is important that organizations never drop their guard and continue to monitor for and defend against attacks. Ensuring that strong preventative and mitigation strategies are in place will help businesses avoid missteps that make their networks vulnerable to attack. As the saying goes, an ounce of prevention is worth a pound of cure.

By Sheila A. Millar and Tracy P. Marshall

The Federal Trade Commission (FTC) took the unprecedented step of removing one of the approved Safe Harbor organizations under the Children’s Online Privacy Protection Act (COPPA) for failing to provide effective monitoring and assessment of its member companies’ websites, as required under the COPPA Rule. Earlier this year, Commission staff warned Aristotle International, Inc., whose Safe Harbor program was approved in 2012, that it was concerned about Aristotle’s monitoring practices and was considering withdrawing approval. On June 1, Aristotle informed the FTC that it was leaving the COPPA Safe Harbor program, and on August 4, the FTC announced that it had removed the company from the list.

Pursuant to Section 312.11(a) of the COPPA Rule, industry groups or other persons can apply to the FTC for approval of self-regulatory program guidelines. Approved programs must provide substantially the same or greater protections for children as those outlined in the COPPA Rule. Businesses that fully adhere to an approved COPPA Safe Harbor program will be deemed in compliance with the COPPA Rule for enforcement purposes under § 312.11(g), which provides incentives to businesses to support self-regulatory programs.

The August 4 press release announcing Aristotle’s removal from the COPPA Safe Harbor list included a troubling comment by the FTC’s Bureau of Consumer Protection’s Acting Director, Sam Levine, that may spell changes ahead for Safe Harbor programs: “There is a clear conflict of interest when self-regulatory organizations are funded by the website operators and app developers they are supposed to police, so we will be closely scrutinizing other children’s privacy oversight outfits to determine whether they are living up to their obligations.”

While the Acting Director’s statement reflects a concern over conflicts of interest as it pertains to Aristotle, it also appears to question the role, nature, and purpose of self-regulatory programs, as reflected in COPPA and the COPPA Rule. Antipathy towards the notion of industry self-regulation is reflected also in recent proposed legislation introduced by Rep. Castor (D- FL). But self-regulatory advertising and privacy programs, which are commonly funded by the “industry groups” authorized to apply for recognition under COPPA, provide enormous benefits to consumers, businesses, and regulators, as the FTC has recognized for decades.

Businesses play an essential role in the success and effectiveness of self-regulatory programs. Their financial support and input help to ensure that the organizations that serve them meet their respective legal compliance responsibilities. Self-regulatory programs not only help check on a participant’s compliance but also serve as a vehicle for businesses to air practical concerns about compliance burdens, assess implications of technological advancements and consumer interfaces, and put forward innovative ideas that can make compliance easier and less expensive. The Safe Harbor provisions of COPPA and other self-regulatory frameworks are intended to promote flexibility and efficiency by allowing businesses to tailor their compliance programs and to reward participants’ good faith efforts to comply with the law.

As the FTC continues to discuss potential changes to the COPPA Rule in its ongoing review, initiated in 2019, FTC oversight of COPPA Safe Harbor organizations is sure to be discussed. In his statement on a 2020 notice accepting a proposed consent agreement with Miniclip for falsely representing it participated in a COPPA Safe Harbor organization, Commissioner Rohit Chopra suggested a number of possible changes to the Safe Harbor framework. Some of these suggestions are already reflected in the COPPA Rule. For example, the Rule requires that Safe Harbor organizations monitor and assess members’ adherence to COPPA and their own privacy notices and provides for revocation of approval.

If a COPPA Safe Harbor organization fails to adhere to applicable rules, or neglects to exercise proper oversight of its members, it can and should be sanctioned by the FTC as a violation of the Rule. However, the assumption underlying the criticism that industry funding of self-regulatory programs necessarily removes their independence is contradicted by more than twenty years of largely successful COPPA Safe Harbors and has implications for other longstanding privacy and advertising self-regulatory programs and dispute resolution mechanisms. Foreclosing industry-led Safe Harbor organizations from exploring other revenue options or programs, as some have suggested, or forcing public disclosure of all documents and interactions with participants, will undermine the usefulness and value of the Safe Harbor process. Careful thought should be given to how to best assure that COPPA Safe Harbor organizations fully comply with their oversight responsibilities under COPPA while maintaining appropriate incentives to attract business participants and maintain the financial viability and independence of the Safe Harbor organization.

By Sheila A. Millar

The Children’s Advertising Review Unit (CARU), a division of BBB National Programs, recently updated its Self-Regulatory Guidelines for Children’s Advertising. Important updates include:

  • To align with the Children’s Online Privacy Protection Act (COPPA), the Guidelines now apply to national advertising primarily directed to children under the age of 13 instead of under 12, regardless of the medium involved.
  • The Guidelines outline criteria used to assess whether a national ad is primarily directed to children.
  • The Guidelines confirm that placement or integration of a product, service, character, or brand in editorial, educational, entertainment, or other non-commercial content is not within scope unless it constitutes an endorsement.
  • The Guidelines respond to the rise of influencer marketing by incorporating principles of the FTC Guidelines on Endorsements and Testimonials.
  • A new section specifies that in-app and in-game advertising may not use unfair, deceptive, or other manipulative tactics to encourage such purchases, and requires that methods for exiting an ad are “clear and conspicuous.” Games and apps with in-game purchases must make clear that such transactions involve real currency.
  • Reflecting the growing societal focus on diversity and inclusion, another new provision of the Guidelines urges advertisers to refrain from depicting or encouraging negative social stereotyping, prejudice, or discrimination.
  • The privacy section of the previous version of the Guidelines has been removed and published separately.

The new Guidelines take effect January 1, 2022.

By Sheila A. Millar, Taylor D. Johnson and Anushka N. Rahman

The circular economy. Sustainability. Single-use plastics bans. Marine litter. Microplastics. Climate change. These are only some of the issues driving the demand for more “environmentally friendly” products. In recent years, we have seen a surge in product and raw material innovations designed to improve environmental performance, and companies around the world are pledging to take action to reduce their environmental impact. These product developments and business commitments encourage marketers to differentiate their offerings and operations by making claims that highlight environmental enhancements or benefits.

The uptick in environmental marketing claims is generating increased attention from class action lawyers and regulators, and false advertising claims are one of the fastest-growing areas of litigation in the U.S. Click here for a more detailed review of some of the federal, state, local and global developments that advertisers should consider when crafting environmental marketing campaigns.

By Sheila A. Millar and Mike Gentine

After more than five months of silence regarding its choices to lead the U.S. Consumer Product Safety Commission (“CPSC”), the Biden Administration has now unveiled all three of its CPSC nominees in less than two weeks, with its July 13 announcement of President Biden’s intent to nominate Richard Trumka, Jr., currently General Counsel and Staff Director at the House Oversight and Investigations Committee’s Subcommittee on Economic and Consumer Policy.

On July 2, the White House had announced it would nominate Alexander Hoehn-Saric, Chief Counsel for Communications and Consumer Protection with the House Energy & Commerce Committee, to be a CPSC Commissioner and the agency’s chairperson, and Mary Boyle, currently CPSC’s Executive Director, to be a Commissioner as well.

As we wrote previously, the Commission currently has one vacant seat with another opening this October with Commissioner Elliot Kaye’s departure after his hold-over year, and a third available Commission slot with the end of Acting Chairperson Bob Adler’s term. We assumed that Hoehn-Saric and Boyle would be slotted for the open seat and Kaye’s; the White House has confirmed that assumption with its formal submission of their nominations to the Senate. That means Trumka would be slotted for Adler’s seat. Assuming the three nominees are confirmed, the Commissioners and their terms would be as follows through the current Biden Administration:

Biden Consumer Product Safety Commission

Commissioner                                      Term Through
Dana Baiocco (R)                                  2024
Mary Boyle (D), if confirmed                      2025
Peter Feldman (R)                                 2026
Alexander Hoehn-Saric (D, Chair), if confirmed    2027
Richard Trumka, Jr. (D), if confirmed             2028

The Senate Committee on Commerce, Science, and Transportation will need to hold one or more hearings to consider the three nominees. With the Senate’s August recess looming, a hearing in the next three weeks seems unlikely, but is possible. A Committee vote on their nominations would come after a hearing, and a floor vote some time after that. With Kaye slated to depart October 27, and Adler expressing a desire to step down rather than stay for a holdover year, we anticipate action this fall on all three nominees.

By Sheila A. Millar and Jean-Cyril Walker

Goods advertised as “Made in the USA” (MUSA) are potential money-makers for manufacturers tapping into the market of consumers who seek home-grown products. In recent years, however, the Federal Trade Commission (FTC) has investigated companies that deceptively marketed their goods as American-made, sending out warning letters, closing out investigations of companies that quickly change their advertising, and initiating more forceful enforcement action against advertisers who cannot substantiate MUSA claims. The FTC now has an additional legal basis for these investigations: a new rule that requires businesses making unqualified MUSA claims on their labels to prove their products are “all or virtually all” sourced and manufactured in America – or potentially pay hefty fines.

The Made in USA Labeling Rule (The Rule) codifies the Commission’s Decisions and Orders and its Enforcement Policy Statement on U.S. Origin Claims. It applies to all labels, whether they appear on product packaging or online, and includes mail order catalogs or mail order promotional materials that include a seal, mark, tag, or stamp declaring goods are “Made in the United States.”

Under the Rule, companies are barred from making unqualified MUSA claims unless they can establish that:

  • Final assembly or processing of the product occurs in the United States;
  • Significant processing that goes into the product occurs in the United States; and
  • All or virtually all ingredients or components of the product are made and sourced in the United States.

The Rule provides an exemption for companies that can show their unqualified MUSA claims are not deceptive. This isn’t a new concept. However, it also empowers the FTC to pursue civil penalties of up to $43,280 per violation against companies that make false MUSA claims.

The vote to approve the Final Rule was 3-2. Voting in favor, Commissioners Rohit Chopra, Rebecca Kelly Slaughter, and Chair Lina Khan issued a statement praising the action, which is consistent with a 1994 statute codified in 15 U.S.C. § 45(a). The Rule reflects longstanding guidance and legal precedent without imposing new obligations on businesses. The three Commissioners applauded the “broader range of remedies including the ability to seek redress, damages, penalties, and other relief from those who lie about a Made in USA label” authorized by the Rule. Commissioner Christine S. Wilson dissented, saying that the Rule is overbroad and “could be read to cover all advertising, not just labeling.” She argued that the rule thereby exceeds the FTC’s statutory authority. She added: “The Supreme Court’s recent decision in AMG has eliminated the FTC’s ability to seek equitable monetary relief under Section 13(b) of the FTC Act to compensate consumers. Thus, the temptation to test the limits of our remaining sources of authority is strong.”

In addition to its authority under the Rule, the FTC will continue to pursue deceptive MUSA advertising claims via its authority under Section 5 of the FTC Act.

One thing has been clear across several different administrations: false MUSA claims are a concern to regulators and will continue to garner enforcement attention. Companies that wish to label and/or advertise products as U.S.-made should make sure they understand the Rule as well as advertising basics, and confirm that they can substantiate express or implied MUSA claims on packaging, labeling, and advertising. False claims on labels could trigger civil penalties.

By Sheila A. Millar and Tracy P. Marshall

On June 4, 2021, the European Commission adopted a new set of standard contractual clauses (SCCs) governing exchanges of personal data between data controllers and data processors and transfers of personal data from the EU to the U.S. or other countries that are not deemed to ensure adequate protection for personal data. The revised SCCs reflect new requirements for the protection of personal data under the EU General Data Protection Regulation (GDPR) and take account of the July 2020 judgment of the Court of Justice of the European Union (CJEU) in Schrems II that declared the EU-U.S. Privacy Shield framework for data transfers invalid and stipulated stricter requirements for transfers of personal data based on SCCs.

The new SCCs are designed to reflect the growing complexities of cross-border data processing and digital supply chains by offering a more flexible, if more stringent, approach that adds additional scenarios under which personal data is transferred. The new SCCs enter into force on September 27, 2021 for new contracts. There is an 18-month transition period for existing contracts based on previous sets of SCCs. The old SCCs should be replaced by the new version by December 27, 2022.

Key provisions of the new SCCs include:

Types of data transfers

The new SCCs provide different “modules” to address transfers of personal data in four scenarios. As with previous sets of SCCs, the new SCCs cover controller to controller transfers (Module One) and controller to processor transfers (Module Two). For the first time, the European Commission has also addressed processor to controller transfers (Module Three) and processor to processor transfers (Module Four).

Compliance with Schrems II

The CJEU’s decision in Schrems II upheld the validity of SCCs, but the court ruled that organizations must warrant that third countries to which data is exported provide adequate protection for personal data transfers under EU law. Organizations that cannot comply with this requirement must either introduce additional safeguards or cancel transfers.

The new SCCs appear to address this issue by allowing organizations to take a risk-based approach that assesses the state of the art, implementation costs, the nature, scope, context, and purpose(s) of processing, and whether public authorities are likely to access the personal data being transferred. The clauses include notification obligations to the data exporter, and, where possible, the data subject, of a legally binding request from a public authority for personal data. Because the Schrems II decision focused on disclosure of personal data of EU residents to the U.S. government, these clauses may be particularly significant for companies facing demands from a variety of U.S. agencies for such data.

Sensitive Data

Where a transfer involves “sensitive” personal data as defined under EU law (i.e., data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences) the data importer must apply special restrictions or adopt safeguards appropriate to the specific risk involved, such as restricting who can access personal data, adopting added security measures (such as pseudonymization), or other measures.

Onward transfers

Onward transfers to additional recipients in third countries are allowed only if:

  • The onward transfer is to a country with adequate safeguards in place for the protection of personal data or the third party otherwise ensures appropriate safeguards; or
  • The onward transfer is necessary for the establishment, exercise, or defense of legal claims in administrative, regulatory, or judicial proceedings or is necessary to protect the vital interests of the data subject or of another natural person.

“Docking clause”

More than two parties can now sign on to a single contract pertaining to data transfers at any time during its term.

Recordkeeping

Data importers are required to document their processing activities and inform data exporters if they become unable to comply with the SCCs. Data exporters must document that they used reasonable efforts to ensure that data importers are able to comply with the new contractual clauses.

***

Global businesses as well as policymakers have a strong interest in making certain that personal data can be freely transferred and that the data is appropriately protected. The European Commission’s decision should help ensure that SCCs remain a tool for businesses to meet their GDPR obligations in today’s complex world.

By Sheila A. Millar and Mike Gentine

After more than five months of eager anticipation, the CPSC community finally knows who will be leading the agency, assuming confirmations go as smoothly as expected. President Biden announced on July 2, 2021 that he will nominate Alexander Hoehn-Saric for Chair and a seat on the Commission. Hoehn-Saric is currently Chief Counsel to the House Consumer Protection & Commerce Subcommittee, the arm of the House Energy & Commerce Committee that has oversight of CPSC.

Biden has also nominated Mary Boyle for a seat on the Commission. Boyle has been a longtime CPSC career staffer, currently serving as the agency’s Executive Director after years in the Office of General Counsel that included a term as General Counsel.

Currently, one spot on the five-member body is open as well as the Chairmanship. Current Acting Chair Bob Adler’s term is set to end in October; he can hold over for up to a year if no replacement is confirmed for his seat, although he has expressed a desire to leave the agency when his term ends this year. Commissioner and former Chair Elliot Kaye is already in his holdover year and will leave the agency no later than October unless he is renominated and confirmed. We understand Hoehn-Saric and Boyle will be nominated for the open seat and Commissioner Kaye’s slot, leaving Commissioner Adler to remain as Commissioner while the White House selects a third nominee.

CPSC Commissioners serve for fixed terms regardless of confirmation dates. As a result, whoever takes the open seat would have a term running through 2025, whoever takes Commissioner Kaye’s seat would serve through 2027, and whoever takes Commissioner Adler’s seat would serve through 2028. The two Republican Commissioners, Dana Baiocco and Peter Feldman, have terms that run to 2024 and 2026, respectively. CPSC is allowed no more than three Commissioners from the same political party. With two Republicans already serving and a remaining seat to fill, President Biden has an opportunity to add another Democrat to round out a full complement of Commissioners.

By Sheila A. Millar and Mike Gentine

After completing its review of testing and labeling regulations for children’s products, staff of the Consumer Product Safety Commission (CPSC) recommended leaving the current product testing and component part testing regulations as is. The CPSC carried out this review of the “Testing and Labeling Regulations Pertaining to Product Certification of Children’s Products, Including Reliance on Component Part Testing” (testing rule) under section 610 of the Regulatory Flexibility Act (RFA), which requires a review 10 years after publication for any rule that has a significant impact on a substantial number of small businesses. Along with 16 C.F.R. part 1109, “Conditions and Requirements for Relying on Component Part Testing or Certification, or Another Party’s Finished Product Certification, to Meet Testing and Certification Requirements” (component part testing rule), the testing rule was up for review this year, as both rules do have a significant impact on many small businesses.

The testing rule lays out rules and standards for manufacturers to follow in obtaining third party testing for children’s products periodically and when there has been a material change in a product’s design or manufacturing process. It also specifies how products may be labeled to indicate compliance with Section 14 of the Consumer Product Safety Act (CPSA). The component part testing rule specifies how manufacturers can use third party tests of component parts of products to certify the compliance of the finished product. The component part testing rule was intended to reduce the costs and other burdens of testing finished children’s products.

Section 610 requires agencies to consider five factors in reviewing rules to minimize any significant economic impact of the rule on small entities:

  1. The continued need for the rule;
  2. The nature of complaints or comments received concerning the rule from the public;
  3. The complexity of the rule;
  4. The extent to which the rule overlaps, duplicates, or conflicts with other Federal rules, and, to the extent feasible, with State and local governmental rules; and
  5. The length of time since the rule has been evaluated or the degree to which technology, economic conditions, or other factors have changed in the area affected by the rule.

Following an analysis of the feedback received by staff during the 60-day public comment period and after considering the five factors, the CPSC concluded that no changes to the testing and component part testing rules were warranted at this time. The Commission acknowledged that third-party testing for compliance certification still imposes significant costs on some small businesses, but rejected requests for test burden relief, such as reducing the required frequency of periodic testing or revising the definition of small batch manufacturer, as either inconsistent with ensuring compliance or precluded by statute. The CPSC did note that additional guidance on using the component part testing rule could help small businesses use the rule to reduce their costs. Input from children’s product companies on that point may be useful in developing approaches that achieve both compliance and cost reduction goals.

To learn more about current product safety issues and regulatory considerations for connected devices, register now for our free webinar: Product Safety and Regulation of Connected Products, June 24 at noon.