Boaz I. Green and Sheila Millar

With millions of children home due to school closures, the Consumer Product Safety Commission (CPSC) recently issued checklists with guidance on keeping homes safe during this period. Protecting children from accidental ingestion of potentially harmful products found in the home featured prominently in these documents. CPSC’s current focus on poison prevention continues a recent trend of increased enforcement of child-resistant closure requirements under the Poison Prevention Packaging Act (PPPA). We previously noted an uptick in recalls of products containing lidocaine for PPPA violations and predicted that this trend would not only continue but also expand to other products. As we expected, recalls for PPPA violations rose to 14 in 2019. These recalls involved various products, including those containing lidocaine, dietary supplements, prescription medication, and wintergreen essential oils. To date, the CPSC has already announced nine recalls for PPPA violations in 2020, including eight recalls in March for prescription drugs, chemical products and a pain relieving skin cream.

These recent recalls are occurring at a time when supply chains are under tremendous strain due to the COVID-19 crisis. As states and municipalities scramble to contain the coronavirus pandemic, many have shut down all but “essential” services, which threatens to limit the manufacture of packaging and its components. To help guide local decisions on business closures and restrictions, the Cybersecurity and Infrastructure Security Agency (CISA) published its Guidance on the Essential Critical Infrastructure Workforce: Ensuring Community and National Resilience in COVID-19 Response on March 19, 2020. As noted in our sister blog, The Daily Intake, the guidance was broad in scope. However, only packaging for Food and Agriculture products was initially expressly covered, despite the critical role that child-resistant closures and packaging play in ensuring the continued supply of numerous essential goods and services. After pushback from business, CISA published version 2.0 of its guidance on March 28, which broadened coverage of the packaging supply chain to include not just Food and Agriculture, but Transportation and Logistics.

Allowing companies manufacturing child-resistant packaging to continue to operate is critical. Restrictions on the ability to manufacture and distribute child-resistant packaging would have resulted in even greater shortages of essential products like medicines and many household cleaners, including sanitizing cleaners.

Despite the strains on supply chains, companies selling medications and household chemicals remain vigilant about maintaining compliance procedures for both the product and the packaging. At a time when market needs are rising, it is vital that new entrants into the cleaning and sanitizing market educate themselves about all regulatory requirements before introducing these products. This will avoid the costs and disruptions of regulatory enforcement should the product or packaging not comply. More importantly, use of proper packaging is crucial to protect children, especially at a time when so many families are confined to their homes.

JC Walker and Sheila Millar

In a notice approved for publication in the Federal Register, the Federal Trade Commission (FTC) advised on March 27, 2020 that it is soliciting feedback on proposed new EnergyGuide label requirements for portable air conditioners. The FTC’s Energy Labeling Rule requires manufacturers to attach yellow EnergyGuide labels to major home appliances and other consumer products to help consumers compare models’ energy usage and costs.

In prior calls for comments on the Energy Labeling Rule, the FTC garnered feedback from industry, consumer groups, and other stakeholders in favor of, or unopposed to, EnergyGuide labels for portable air conditioners. However, a regulatory freeze in January 2017 caused the Department of Energy (DOE) to postpone finalizing efficiency standards for portable air conditioners, and the Commission likewise delayed finalizing the label requirements. Now that a new compliance date has been set by the DOE, the Commission proposes requiring EnergyGuide labeling for portable air conditioners to coincide with new DOE efficiency standards for portable air conditioners beginning January 10, 2025.

The FTC also seeks comments on updating the Rule to conform with new DOE energy descriptors for central air conditioners and current requirements for layout, format, and adhesion of EnergyGuide labels.

Comments from interested stakeholders should be submitted 60 days after publication in the Federal Register, which is expected soon.

Sheila Millar and Tracy Marshall

As fears escalate over the spread of coronavirus (COVID-19), scared consumers may be more susceptible to claims by companies offering cure-all remedies. The Federal Trade Commission (FTC) and Food and Drug Administration (FDA) are aware and looking out for consumers. The two agencies sent joint warning letters to seven companies – Vital Silver, Quinessence Aromatherapy Ltd., N-ergetics, GuruNanda, LLC, Vivify Holistic Clinic, Herbal Amy LLC, and The Jim Bakker Show – demanding that they immediately stop making unsupported health claims and cease advertising unapproved and misbranded products as medicines.

The warning letters admonish the businesses for violating Section 5 of the Federal Trade Commission Act and the Food, Drug, and Cosmetic Act (FD&C Act). For example, the Jim Bakker Show apparently touted its Silver Solution as “proven … to kill every pathogen it has ever been tested on … and it can kill any of these known viruses.” However, the FDA makes clear that no product currently exists that has been confirmed to treat or cure COVID-19. Products that are not approved by the FDA but marketed as safe and/or effective for the treatment or prevention of a particular virus violate sections 301, 331, and 502 of the FD&C Act. The companies were given 48 hours to respond and outline what steps they are taking to address the issues raised by the FTC and FDA. The letters bluntly advise that failure to immediately correct the violations can result in enforcement action.

In a press release, the FTC confirmed that “coronavirus-related advertising claims will be subject to exacting scrutiny,” including “product names, URLs, metatags, and other ways companies can suggest or imply claims to consumers.” Given the potential harm to consumers who rely on unproven cures to prevent contracting coronavirus, the FDA is taking urgent measures to protect consumers from products that, without approval or authorization, claim to mitigate, prevent, treat, diagnose, or cure COVID-19.

While the FTC and FDA crack down on fraudulent cures, the Environmental Protection Agency (EPA), which has jurisdiction over products classified as pesticides (including anti-microbials and disinfectants), issued a statement that lists certain products as effective against coronaviruses on surfaces. The EPA advises potential purchasers to check the EPA registration number to confirm that the product is effective against the specific pathogen of interest.

It’s a point we’ve made before but that bears repeating any time a company states or implies that a product could treat or cure a disease or condition: these claims not only must be backed by competent and reliable scientific testing, but may require FDA approval. Failure to follow these standards of conduct is not just potentially misleading to consumers but could compromise their health. That’s why these types of false claims risk agency action and a lot of bad press.

Boaz I. Green and Sheila Millar

Some months after Environmental Protection Agency (EPA) official Nancy Beck was rumored to be the President’s choice to serve as Chair of the Consumer Product Safety Commission (CPSC), the news is now official. The White House announced Beck’s nomination on March 2, 2020.

Beck’s nomination, if approved by the Senate, would bring the CPSC back to its full complement of five Commissioners and break the political deadlock at the Commission. The departure of CPSC Acting Chair Ann Marie Buerkle, a Republican, last October, and the surprising appointment of Democrat Robert Adler as acting head of the agency, resulted in a 2-2 split along party lines. In an equally divided Commission, there is no natural majority, making rulemaking and other Commission-level decisions more difficult to pass. The Acting Chair has significant authority to direct resources and staff activities in ways that both keep the Commission functioning and affect policy without relying on Commission votes, but the business community has long endorsed a fully functioning slate of CPSC Commissioners. Nominating an individual with years of technical and scientific experience to helm CPSC would bring a new type of expertise to an agency that strives to be data and science driven.

Beck currently serves as the Principal Deputy Assistant Administrator for the Office of Chemical Safety and Pollution Prevention at EPA. She came to EPA after working for the American Chemistry Council and the Washington State Department of Health.

Sheila Millar and Tracy Marshall

The UK Information Commissioner’s Office (ICO) recently finalized its Age-appropriate design: a code of practice for online services (the code). The code applies to any “relevant information society services which are likely to be accessed by children” (by which the ICO means minors under age 18), whether designed for kids or general audiences. The new version makes few significant changes from the consultation draft circulated in May 2019. The ICO added a 12-month transition period and issued industry-specific guidance for media companies; however, most of the substance of the code remains the same. It calls on companies to adopt a risk-based and proportionate approach to age verification and to determine whether their services are “likely to be accessed by children.” While the finalized code offers examples of how a business might ascertain age and whether minors are likely to visit a website or service, it fails to provide a specific, workable definition of “likely to be accessed by children” or technical guidance. The code is not a law, but “it sets standards and explains how the General Data Protection Regulation applies in the context of children using digital services.”

The updated code still defines “children” as minors under 18, citing the UN Convention on the Rights of the Child. It requires that the best interests of the child be foremost when processing personal data of children. Companies must adhere to 15 new standards, starting with privacy-by-design. The code directs businesses to carry out data protection impact assessments, apply data minimization principles, and avoid “nudge” techniques. The initial draft described “nudge” techniques broadly, generating strong criticism that the ICO was straying into advertising issues outside its purview; the final version clarifies that the focus is on nudge techniques that encourage children to disclose unnecessary personal data or to weaken or turn off privacy controls. Default settings for services should be “high privacy,” and geolocation tracking and profiling should be given a default setting of “off.”

The notion that all minors should be treated like children is problematic, reflecting a lack of real understanding of the developmental differences between kids, tweens, and teens. Even more onerous from an implementation standpoint are the obligations to provide very different and specific types of notices depending on the age of the “child.” For digital services that are targeted to different age ranges, the operational obligation will be significant, especially considering the small screen sizes of mobile devices. Importantly, the worry is that the code will force businesses to collect more, not less, data about a child and, specifically, to collect and retain data about a user’s age in circumstances where it is not permitted or is discouraged under other laws like the U.S. Children’s Online Privacy Protection Act (COPPA).

The code departs from existing, accepted definitions of a “child” reflected in privacy, advertising, and product safety laws. For example, COPPA applies to operators of websites or online services that are either directed to children under 13 or have actual knowledge that they are collecting personal information online from a child under 13. COPPA does not require operators to guess whether kids might visit a site not designed with them in mind. Such sites are expected to assume that visitors are under 13 rather than collect and retain birthdates. And COPPA does not obligate general audience sites, such as e-commerce sites, to seek out age information. Similarly, the U.S. Consumer Product Safety Improvement Act (CPSIA) defines a “children’s product” as one designed and intended primarily for children 12 and younger. Defining “children” to include all minors is likewise inconsistent with decades of child development research on advertising to children, which generally defines children as around age 12. Defining a child as anyone under 18 is also inconsistent with Article 8.1 of the EU General Data Protection Regulation (GDPR), which imposes a default age of 16 but allows member states to set the age of a child between 13 and 16. (Ironically, the UK set its GDPR age of consent at 13.) The International Chamber of Commerce Marketing and Advertising Reference Guide on Advertising to Children provides useful background on why it makes sense to distinguish between children and teens for advertising and privacy purposes.

While the code does not have the force of law, it is persuasive in ICO and court determinations and will be a key measure of compliance with the UK Privacy and Electronic Communications Regulations and the GDPR. And, like the GDPR, penalties can reach £17 million or 4% of global turnover. Businesses that fail to comply with the code therefore could face added scrutiny by the UK ICO, leaving them potentially vulnerable to punitive fines. If approved by Parliament, the code is expected to take effect in 2021.

Unfortunately, despite statements about the necessity for the code and its achievability, operationalizing its standards will be enormously difficult and the extent to which it will actually enhance children’s privacy is questionable. Nevertheless, the Ireland Data Protection Commission (DPC) has also been working on a consultation on children’s privacy and may also consider similar approaches.

The code presents some conflicts for global businesses that have applied COPPA as the gold standard for children’s privacy protection. And while merely making available a digital service to UK or international visitors is likely not enough to trigger application of the code, businesses may choose to geo-gate and block UK visitors instead. As more countries adopt additional proscriptive requirements and guidance on privacy, the possibility of conflicts and inconsistencies is real, creating a confusing landscape for consumers and businesses alike.

Sheila Millar and Tracy Marshall

At a time when influencers are making a living – and sometimes millions of dollars – for promoting everything from eye shadow to the latest smartphone, the Federal Trade Commission (FTC) is reassessing its Guides Concerning the Use of Endorsements and Testimonials in Advertising (the Guides). The Guides provide direction to businesses that use influencers and endorsers on when and how to make disclosures concerning a “material connection” or commercial relationship between the advertiser and influencer.

The Guides were enacted in 1980. The FTC amended the Guides in 2009 to include new requirements for influencers to disclose material connections – whether in the form of cash, free products, or other consideration – with companies whose products or services they recommend. But in 2009, the FTC could not predict the massive growth of global platforms such as YouTube and Instagram where some influencers have millions of followers. The FTC is now seeking public comments on a range of issues including:

  • whether the practices addressed by the Guides are prevalent in the marketplace and whether the Guides are effective at addressing those practices;
  • whether consumers have benefitted from the Guides and what impact, if any, the Guides have had on the flow of truthful information to consumers;
  • whether the FTC’s guidance document, The FTC’s Enforcement Guides: What People Are Asking, should be incorporated into the Guides;
  • how well advertisers and endorsers are disclosing unexpected material connections in social media;
  • whether children are capable of understanding disclosures of material connections and how those disclosures might affect children;
  • whether incentives like free or discounted products bias consumer reviews, even when a favorable review is not required to receive the incentive, and whether or how such incentives should be disclosed;
  • whether composite ratings that include reviews based on incentives are misleading, even when reviewers disclose incentives in the underlying reviews;
  • whether the Guides should address the use of affiliate links by endorsers; and
  • what, if any, disclosures should advertisers or operators of review sites make about the collection and publication of reviews to prevent them from being deceptive or unfair.

FTC Commissioner Rohit Chopra issued a separate statement in which he called for the FTC to perform a “self-critical analysis of the agency’s enforcement approach” and to focus on advertisers, not small influencers. He expressed a hope that after reviewing the comments, the Commission would consider going beyond the Guides by: (1) adopting requirements for technology platforms that facilitate and either directly or indirectly profit from influencer marketing; (2) codifying elements of the existing Guides into formal rules to allow for imposition of civil penalties; and (3) specifying the requirements that companies must adhere to in their contractual arrangements with influencers.

Interested parties should submit comments within 60 days of publication of the Request for Comments in the Federal Register, which is expected soon.

Boaz I. Green

Keller and Heckman Counsel Boaz Green’s article, “CPSC Increases Focus on Regulatory Violations,” was featured in an Expert Spotlight published by Stericycle. The article discusses the Consumer Product Safety Commission’s (CPSC) growing focus on regulatory violations and the rising number of recalls of regulated products. Companies that import regulated products must also contend with CPSC inspections at the port. CPSC has been more aggressively demanding seizure and destruction of imported regulated products that CPSC had found to be non-compliant. The article provides advice for improving regulatory compliance and reducing the risk of a recall or port detention.


Sheila Millar

GOJO Industries, the maker of Purell hand sanitizer, needs to clean up its advertising act according to the U.S. Food and Drug Administration (FDA). The FDA sent GOJO a letter on January 17, 2020 warning the company to stop making unsubstantiated claims about its hand sanitizers to avoid giving consumers the impression that they are pharmaceutical products. The FDA further stated that “the defendant’s statements regarding the efficacy of the Products to combat Ebola, norovirus, influenza, absenteeism, and common colds indicate the Products were being marketed as drugs without FDA approval.” The agency cautions that failure to promptly correct the violations may result in legal action, including seizure and injunction.

On the heels of the FDA warning letter, a class action against GOJO was filed in New York federal court over claims that Purell products could prevent the spread of everything from the flu to Ebola. While the world braces for a possible pandemic of the Wuhan Coronavirus, GOJO assured consumers that Purell products could stem the spread of viral diseases with marketing and packaging statements such as “Kills more than 99.99% of most common germs that may cause illness in a healthcare setting, including MRSA & VRE.” GOJO also stated that their products were “proven to reduce absenteeism” among students and teachers and that a “recent outcome study shows that providing the right products, in a customized solution, along with educational resources for athletes and staff can reduce MRSA and VRE by 100%.”

The plaintiffs charge that Purell’s marketing statements were misleading and unfair because they gave “the impression to consumers the products are effective at preventing colds, flu, absenteeism and promoting bodily health and increased academic achievement.” FDA and plaintiffs assert that GOJO could not substantiate its health claims since “no topical antiseptic products have ever been able to achieve the results defendant advertises.” Plaintiffs assert that consumers relied on GOJO’s health claims when deciding to buy products to help protect their health.

Companies that either expressly state or imply that over-the-counter products can “reduce the risk of spread” of any disease or condition are likely to attract both regulatory scrutiny and the attention of class action attorneys. The lawsuit and FDA warning letter to GOJO serve as reminders that businesses should carefully craft advertising claims and back them up with competent and reliable scientific evidence.

Sheila Millar and Tracy Marshall

On January 7, 2020, the National Institute of Standards and Technology (NIST) released a draft of revised cybersecurity recommendations for IoT devices at both the pre-market and post-market stages. NISTIR 8259, Recommendations for IoT Device Manufacturers: Foundational Activities and Core Device Cybersecurity Capability Baseline, identifies six voluntary steps manufacturers should take to account for security throughout a connected device’s lifecycle. It builds on the agency’s initial IoT guidance released last June, NISTIR 8228, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks. Comments on the revised draft are due by February 7, 2020.

NIST explains that the IoT devices in scope for this publication have at least one transducer (sensor or actuator) for interacting directly with the physical world and at least one network interface (e.g., Ethernet, Wi-Fi, Bluetooth, Long Term Evolution [LTE], Zigbee, Ultra-Wideband [UWB]) for interfacing with the digital world.

The draft recommends that manufacturers take four pre-market steps:

  1. Identify expected customers and define expected use cases;
  2. Research customer cybersecurity goals, including device identification, device configuration, data protection, logical access to interfaces, and software and firmware updating;
  3. Determine how to address customer goals; and
  4. Plan for adequate support of customer goals.

NIST advises two additional post-market steps:

  1. Define approaches for communicating to customers; and
  2. Decide what to communicate and how to do it.

NIST recommends that manufacturers consider: cybersecurity risk-related assumptions made during design and development; support and lifespan expectations; the cybersecurity capabilities that a device or manufacturer provides; device composition and capabilities, such as information about the device’s software, firmware, hardware, services, functions, and data types; software and firmware updates; and end-of-life or retirement options. Many of NIST’s recommendations may also help IoT device manufacturers assess security measures related to the safety of a connected consumer product and its operation.

Sheila Millar and Tracy Marshall

Businesses that rely on standard contractual clauses (SCCs) to transfer personal data outside the European Economic Area (EEA) just got good news. The long-awaited decision from the EU Advocate General (AG) is here: SCCs are valid. The AG’s opinion, although non-binding, is significant for the case brought by Austrian privacy activist Max Schrems against Facebook, currently before the European Court of Justice (CJEU), as the CJEU generally follows the AG’s reasoning in its decisions.

By way of background, in 2010 the European Commission issued Decision 2010/87, which adopted the SCCs model. SCCs establish three sets of contractual terms intended to protect data transfers from the EEA to certain other countries, including the U.S. Two versions of the SCCs apply to data transfers from the EEA to data controllers outside the EEA, and the third applies to transfers of data from the EEA to data processors outside the EEA.

Under the General Data Protection Regulation (GDPR) (like Directive 95/46/EC which preceded its adoption), personal data may only be transferred out of the EEA to a third country if that country ensures an adequate level of data protection. Schrems previously challenged the former U.S./EU Safe Harbor, resulting in a determination that it did not assure adequate protection. The Safe Harbor was then replaced by the current EU-U.S. Privacy Shield. SCCs, the Privacy Shield, and binding corporate rules (BCRs) are currently recognized as options to assure adequacy. In this latest challenge, Schrems argued that Facebook’s SCCs were inadequate, and that SCCs in general offered insufficient protection for data transfers from the EEA to the U.S. Schrems requested that SCCs be suspended; the matter was then referred to the CJEU.

In evaluating Decision 2010/87, the AG concluded that the fact SCCs are not binding on authorities in third countries “does not in itself render that decision invalid.” The opinion goes on to state:

The compatibility of Decision 2010/87 with the Charter depends on whether there are sufficiently sound mechanisms to ensure that transfers based on the standard contractual clauses are suspended or prohibited where those clauses are breached or impossible to honour … that is the case in so far as there is an obligation — placed on the data controllers and, where the latter fail to act, on the supervisory authorities — to suspend or prohibit a transfer when, because of a conflict between the obligations arising under the standard clauses and those imposed by the law of the third country of destination, those clauses cannot be complied with … the analysis of the questions has disclosed nothing to affect the validity of Decision 2010/87.

As the AG noted, the current case does not require the CJEU to rule on the lawfulness of the EU-U.S. Privacy Shield framework, which is a separate mechanism for transferring data outside the EEA. Nonetheless, the AG expressed sympathy with a separate argument by Schrems that the Privacy Shield does not offer sufficient safeguards “in the light of the right to respect for private life and the right to an effective remedy.”

These EU decisions are relevant to the current discussion about what a possible framework for federal privacy legislation should look like. As debates about privacy continue, it will be important for policymakers to remember that requirements imposed on businesses to protect key individual privacy rights must be balanced by considering the extent of possible harm to consumers, economic efficiency, innovation, and burdens to all participants in the ecosystem.