Photo of Sheila Millar

Online shopping has taken on greater importance for many people homebound since the coronavirus lockdowns began. And, while many are lounging at home in pajamas and yoga pants, there are still a lot of fashion-conscious shoppers out there anxious to take advantage of bargain prices and speedy deliveries. But how is a stay-at-home fashionista supposed to remain au courant if the clothes she orders are out of style by the time they arrive? The Federal Trade Commission (FTC) has something to say about this. The FTC’s Trade Regulation Rule Concerning the Sale of Mail, Internet or Telephone Order Merchandise (the Mail Order Rule), requires that companies live up to their shipping promises and, to quote fashion guru Tim Gunn, “make it work” or give customers the option to get their money back. On April 21, 2020, the FTC announced a settlement with California retailer Fashion Nova for $9.3 million, the highest sum ever imposed for violations of the Mail Order Rule, for making assurances about its shipping times that came apart at the seams.

The Mail Order Rule bars sellers from soliciting mail, internet, or telephone order sales unless they have a reasonable basis to expect that they can ship the ordered merchandise within the time stated on the solicitation or, if no time is stated, within 30 days. In the event the company cannot ship the goods, it must offer customers the option either to consent to a further delay or to cancel the order and to receive a refund – not simply store credit or a gift card – within a reasonable time.

According to the FTC’s complaint, Fashion Nova made numerous representations about the speed of its shipping. Despite marketing promises of “Free 2 Day Shipping on all U.S. Orders $75 and Up,” “Fast Canada Shipping Only $10,” and “Fast International 6-10 Shipping Only $15,” Fashion Nova failed to deliver the goods. Items were frequently out of stock or materially different from what consumers ordered – for example, a different size, damaged, or used. Moreover, the company failed to provide an expedient way for customers to cancel orders and neglected to issue prompt refunds. The FTC also charged Fashion Nova with making false claims about the speed of its shipping options in violation of Section 5 of the FTC Act.

In addition to the fine, the stipulated order permanently restrains Fashion Nova from making representations about its shipping being faster than 30 days without clearly and conspicuously disclosing, before payment, the date by which the merchandise will be shipped or received.

Even with the inevitable delays caused by increased online shopping during the current pandemic, it is still vital for retailers to ensure they are fulfilling orders in compliance with the Mail Order Rule. Expensive settlements like this one are so last season.

Photo of Sheila MillarPhoto of Tracy Marshall

Canadian company Tapplock, Inc. sells smart locks to the U.S. market that the company advertised as “sturdy,” “secure,” and even “unbreakable.” Tapplock’s assurances that the locks were strengthened with “double-layered lock design” and made with “anti-shim and anti-pry technologies” could be quite an enticement for consumers looking for top-of-the-line connected home security. There was a small problem with Tapplock’s claims, however: three researchers hacked into the locks using several methods – one simply by unscrewing the product’s back panel in a few seconds. The locks are not so smart after all, according to the Federal Trade Commission (FTC), which issued a complaint alleging the company’s locks contained vulnerabilities that made them anything but unbreakable.

Tapplock’s padlocks are fingerprint enabled and open via a mobile app when the user is within Bluetooth range. The app logs usernames, email addresses, profile photos, location history, and geolocation of a user’s smart lock. But researchers found several serious flaws that compromised security. In one case, researchers were able to bypass the account authentication process, gaining full access to the accounts of all Tapplock users and their personal information without being re-directed to the login page. Another vulnerability was the company’s failure to encrypt the Bluetooth communication between the lock and the app, which allowed researchers to lock and unlock nearby Tapplock smart locks. The app also had a flaw that prevented users from effectively revoking access by third parties who were previously authorized.

The FTC alleged that these flaws could have been easily fixed had Tapplock taken reasonable steps to identify possible risks. Standard security measures include conducting vulnerability or penetration testing; taking sufficient measures to detect and prevent users from bypassing authentication procedures to gain access to other users’ accounts; adopting and implementing written data security standards, policies, procedures, or practices; and providing privacy and security training for employees.

Under the proposed settlement terms, Tapplock must implement a comprehensive data security plan that is assessed by an independent third party biennially. The order also prohibits the company from misrepresenting its privacy and security practices.

The FTC’s proposed settlement agreement serves as a reminder that smart device manufacturers must ensure that privacy and security measures are part of the design and that security measures are described accurately. Overselling data security may attract customers in the short term but attracting this kind of attention from the FTC is anything but smart.

Photo of Sheila Millar

While the Federal Trade Commission (FTC)’s recent action against Williams-Sonoma for allegedly false “Made in USA” claims garnered headlines for its $1 million penalty, FTC staff continue to offer insights into the Commission’s enforcement position on such claims through its closing letter process. For example, the FTC sent a closing letter to epoxy manufacturer J-B Weld on March 19, 2020 following a referral from the National Advertising Review Board (NARB) after the company refused to accept all of NARB’s recommendations regarding its “Made in USA” claims. The FTC declined to take further action in light of the advertiser’s remedial steps, including updating packaging for several product lines, removing U.S.-origin “line” claims from its website and social media channels, and requiring third-party sellers to update their information about the origin of the company’s products.

J-B Weld’s U.S. origin claims were challenged by a competitor before the National Advertising Division (NAD). In particular, the objections centered on whether “Made in the USA” claims were proper for J-B Weld’s glues and adhesive products when tubes, caps, syringes, and applicators were foreign-made. Acknowledging that the FTC’s guidance did not expressly address the question of packaging, NAD agreed that the origin of point of sale, paper packaging and “bubble” material typically discarded by consumers was not relevant to the claim, but that the other packaging items were because they were central to how the product was dispensed. NARB agreed with NAD that information on the percentage of the total manufacturing cost represented by the foreign content was necessary to support a domestic origin claim. The advertiser refused to comply, noting that NARB declined to consider information from third-party suppliers not available during the NAD review, and that the cost data was highly confidential. NARB referred the matter to the FTC.

The FTC observed that the company made epoxy and silicone adhesive products in the United States, but also sells cyanoacrylate and other adhesive products that either incorporate significant imported content or are wholly imported. Notably, the FTC commented on the issue of packaging for the product, saying:

While the glue contained in that packaging was “all or virtually all” made in the United States, the packaging itself, which had no independent value to consumers and was typically discarded upon depletion, was not. In the absence of consumer perception evidence showing otherwise, FTC staff finds it is unlikely that reasonable consumers interpreted the unqualified U.S. origin claims on these adhesive products as covering the incidental, discarded packaging.

NAD and NARB rules have been applied strictly to prevent introduction of evidence on appeal, but the FTC will consider additional evidence in the case of a referral and did so in issuing the closing letter.

Photo of Sheila Millar

Home furnishings giant Williams-Sonoma – whose brands include Pottery Barn, Le Creuset, and West Elm – invokes an upscale, modern American lifestyle. Many of its products are marketed not only as “quality” but also “crafted in America.” Consumers who received mattress pads from the Pottery Barn Teen and Kids were therefore surprised to see labels indicating that the products were “Made in China.” The Federal Trade Commission (FTC) wasn’t pleased.

In its complaint against Williams-Sonoma, the FTC alleged that items from its Rejuvenation, Goldtouch Bakeware and items from its Pottery Barn Teens and Pottery Barn Kids lines were advertised as wholly “Made in USA” but were actually made elsewhere. Unfortunately, this was not the first time the FTC received similar complaints. In 2018, the FTC received complaints that Williams-Sonoma’s online ads and promotional materials for Pottery Barn Teen organic mattress pads stated the pads were “Crafted in America from local and imported materials” when the law labels stated the pads were made in China. When the FTC approached Williams-Sonoma about the issue, the company apologized for what it called human error and promised to take immediate steps to rectify its country-of-origin verification process.

However, the following year, the FTC found that the company “continued to disseminate advertisements and promotional materials, including through its website and social media platforms, which deceptively claimed certain categories of Williams-Sonoma products were all or virtually all made in the United States.” Made in the USA claims went beyond mattress pads. The company also touted that its Rejuvenation furniture, Goldtouch Bakeware, and products from its Pottery Barn Teen and Kids lines were “Made in America” or “Made in the USA.” But according to the FTC, “numerous Goldtouch Bakeware products, Rejuvenation-branded products, and Pottery Barn Teen and Pottery Barn Kids-branded upholstered furniture products are wholly imported or contain significant imported materials or components.”

Under the terms of the settlement agreement, Williams-Sonoma will pay a fine of $1 million and is barred from representing that its products are made in the USA unless:

  • The final assembly or processing of the product occurs in the United States, all significant processing that goes into the product occurs in the United States, and all or virtually all ingredients or components of the product are made and sourced in the United States; or
  • A clear and conspicuous qualification appears immediately adjacent to the representation that accurately conveys the extent to which the product contains foreign parts, ingredients, components, and/or processing;
  • For a claim a product is made in the U.S., that the product is last substantially transformed in the United States, the product’s principal assembly takes place in the United States, and United States assembly operations are substantial

Whether an investigation by the FTC involves a U.S.-origin claim or another matter, the lesson of this enforcement action is that companies must deliver on promises to the FTC to take corrective action, and ensure that substantiation and claims of “Made in USA” comply with the FTC’s country of origin rules.

Photo of Boaz I. GreenPhoto of Sheila Millar

With millions of children home due to school closures, the Consumer Product Safety Commission (CPSC) recently issued checklists with guidance on keeping homes safe during this period. Protecting children from accidental ingestion of potentially harmful products found in the home featured prominently in these documents. CPSC’s current focus on poison prevention continues a recent trend of increased enforcement of child-resistant closure requirements under the Poison Prevention Packaging Act (PPPA). We previously noted an uptick in recalls of products containing lidocaine for PPPA violations and predicted that this trend would not only continue but also expand to other products. As we expected, recalls for PPPA violations rose to 14 in 2019. These recalls involved various products, including those containing lidocaine, dietary supplements, prescription medication, and wintergreen essential oils. To date, the CPSC has already announced nine recalls for PPPA violations in 2020, including eight recalls in March for prescription drugs, chemical products and a pain relieving skin cream.

These recent recalls are occurring at a time when supply chains are under tremendous strain due to the COVID-19 crisis. As states and municipalities scramble to contain the coronavirus pandemic, many have shut down all but “essential” services, which threatens to limit the manufacture of packaging and its components. To help guide local decisions on business closures and restrictions, the Cybersecurity and Infrastructure Security Agency’s (CISA) published its Guidance on the Essential Critical Infrastructure Workforce: Ensuring Community and National Resilience in COVID-19 Response on March 19, 2020. As noted in our sister blog, The Daily Intake, the guidance was broad in scope. However, only packaging for Food and Agriculture products was initially expressly covered, despite the critical role that child-resistant closures and packaging play in ensuring the continued supply of numerous essential goods and services. After pushback from business, CISA published version 2.0 of its guidance on March 28, which broadened coverage of the packaging supply chain to include not just Food and Agriculture, but Transportation and Logistics.

Allowing companies manufacturing child-resistant packaging to continue to operate is critical. Restrictions on the ability to manufacture and distribute child-resistant packaging would have resulted in even greater shortages of essential products like medicines and many household cleaners, including sanitizing cleaners.

Despite the strains on supply chains, companies selling medications and household chemicals remain vigilant about maintaining compliance procedures for both the product and the packaging. At a time when market needs are rising, it is vital that new entrants into the cleaning and sanitizing market educate themselves about all regulatory requirements before introducing these products. This will avoid the costs and disruptions of regulatory enforcement should the product or packaging not comply. More importantly, use of proper packaging is crucial to protect children, especially at a time when so many families are confined to their homes.

Photo of JC WalkerPhoto of Sheila Millar

In a notice approved for publication in the Federal Register, the Federal Trade Commission (FTC) advised on March 27, 2020 that it is soliciting feedback on proposed new EnergyGuide label requirements for portable air conditioners. The FTC’s Energy Labeling Rule requires manufacturers to attach yellow EnergyGuide labels to major home appliances and other consumer products to help consumers compare models’ energy usage and costs.

In prior calls for comments on the Energy Labeling Rule, The FTC garnered feedback from industry, consumer groups, and other stakeholders in favor of, or unopposed to, EnergyGuide labels for portable air conditioners. However, a regulatory freeze in January 2017 caused the Department of Energy (DOE) to postpone finalizing efficiency standards for portable air conditioners and the Commission likewise delayed finalizing the label requirements. Now that a new compliance date has been set by the DOE, the Commission proposes requiring EnergyGuide labeling for portable air conditioners to coincide with new DOE efficiency standards for portable air conditioners beginning January 10, 2025.

The FTC also seeks comments on updating the Rule to conform with new DOE energy descriptors for central air conditioners and current requirements for layout, format, and adhesion of EnergyGuide labels.

Comments from interested stakeholders should be submitted 60 days after publication in the Federal Register, which is expected soon.

Photo of Sheila MillarPhoto of Tracy Marshall

As fears escalate over the spread of coronavirus (COVID-19), scared consumers may be more susceptible to claims by companies offering cure-all remedies. The Federal Trade Commission (FTC) and Food and Drug Administration (FDA) are aware and looking out for consumers. The two agencies sent joint warning letters to seven companies – Vital Silver, Quinessence Aromatherapy Ltd., N-ergetics, GuruNanda, LLC, Vivify Holistic Clinic, Herbal Amy LLC, and The Jim Bakker Show – demanding that they immediately stop making unsupported health claims and cease advertising unapproved and misbranded products as medicines.

The warning letters admonish the businesses for violating Section 5 of the Federal Trade Commission Act and the Food, Drug, and Cosmetic Act (FD&C Act). For example, the Jim Bakker Show apparently touted its Silver Solution as “proven … to kill every pathogen it has ever been tested on … and it can kill any of these known viruses.” However, the FDA makes clear that no product currently exists that has been confirmed to treat or cure COVID-19. Products that are not approved by the FDA but marketed as safe and/or effective for the treatment or prevention of a particular virus violate sections 301, 331, and 502 of the FD&C Act. The companies were given 48 hours to respond and outline what steps they are taking to address the issues raised by the FTC and FDA. The letters bluntly advise that failure to immediately correct the violations can result in enforcement action.

In a press release, the FTC confirmed that “coronavirus-related advertising claims will be subject to exacting scrutiny,” including “product names, URLs, metatags, and other ways companies can suggest or imply claims to consumers.” Given the potential harm to consumers who rely on unproven cures to prevent contracting coronavirus, the FDA is taking urgent measures to protect consumers from products that, without approval or authorization, claim to mitigate, prevent, treat, diagnose, or cure COVID-19.

While the FTC and FDA crack down on fraudulent cures, the Environmental Protection Agency (EPA), which has jurisdiction over products classified as pesticides (including anti-microbials and disinfectants), issued a statement that lists certain products as effective against killing coronaviruses on surfaces. The EPA advises potential purchasers to check the EPA registration number to confirm that the product is effective against the specific pathogen of interest.

It’s a point we’ve made before but that bears repeating any time a company states or implies that a product could treat or cure a disease or condition: these claims not only must be backed by competent and reliable scientific testing, but may require FDA approval. Failure to follow these standards of conduct is not just potentially misleading to consumers but could compromise their health. That’s why these types of false claims risk agency action and a lot of bad press.

Photo of Boaz I. GreenPhoto of Sheila Millar

Some months after Environmental Protection Agency (EPA) official Nancy Beck was rumored to be the President’s choice to serve as Chair of the Consumer Product Safety Commission (CPSC), the news is now official. The White House announced Beck’s nomination on March 2, 2020.

Beck’s nomination, if approved by the Senate, would bring the CPSC back to its full complement of five Commissioners and break the political deadlock at the Commission. The departure of CPSC Acting Chair Ann Marie Buerkle, a Republican, last October, and the surprising appointment of Democrat Robert Adler as acting head of the agency, resulted in a 2-2 split along party lines. In an equally divided Commission, there is no natural majority, making rulemaking and other Commission-level decisions more difficult to pass. The Acting Chair has significant authority to direct resources and staff activities in ways that both keep the Commission functioning and affect policy without relying on Commission votes, but the business community has long endorsed a fully functioning slate of CPSC Commissioners. Nominating an individual with years of technical and scientific experience to helm CPSC would bring a new type of expertise to an agency that strives to be data and science driven.

Beck currently serves as the Principal Deputy Assistant Administrator for the Office of Chemical Safety and Pollution Prevention at EPA. She came to EPA after working for the American Chemistry Council and the Washington State Department of Health.

Photo of Sheila MillarPhoto of Tracy Marshall

The UK Information Commissioner’s Office (ICO) recently finalized its Age-appropriate design: a code of practice for online services (the code). The code applies to any “relevant information society services which are likely to be accessed by children” (by which the ICO means minors under age 18), whether designed for kids or general audiences. The new version makes few significant changes from the consultation draft circulated in May 2019. The ICO added a 12-month transition period and issued industry-specific guidance for media companies, however, most of the substance of the code remains the same. It calls on companies to adopt a risk-based and proportionate approach to age verification and to determine whether their services are “likely to be accessed by children.” While the finalized code offers examples of how a business might ascertain age and whether minors are likely to visit a website or service, it fails to provide a specific, workable definition of “likely to be accessed by children” or technical guidance. The code is not a law, but “it sets standards and explains how the General Data Protection Regulation applies in the context of children using digital services.”

The updated code still defines “children” as minors under 18, citing the UN Convention on the Rights of the Child. It requires that the best interests of the child be foremost when processing personal data of children. Companies must adhere to 15 new standards, starting with privacy-by-design. The code directs businesses to carry out data protection impact assessments, apply data minimization principles, and avoid “nudge” techniques. The initial draft described “nudge” techniques broadly, generating strong criticism that the ICO was straying into advertising issues outside its purview; the final version clarifies that the focus is on nudge techniques that encourage children to disclose unnecessary personal data or to weaken or turn off privacy controls. Default settings for services should be “high privacy,” and geolocation tracking and profiling should be given a default setting of “off.”

The notion that all minors should be treated like children is problematic, reflecting a lack of real understanding of the developmental differences between kids, tweens, and teens. Even more onerous from an implementation standpoint are the obligations to provide very different and specific types of notices depending on the age of the “child.” For digital services that are targeted to different age ranges, the operational obligation will be significant, especially considering the small screen sizes of mobile devices. Importantly, the worry is that the code will force businesses to collect more, not less, data about a child and, specifically, to collect and retain data about a user’s age in circumstances where it is not permitted or is discouraged under other laws like the U.S. Children’s Online Privacy Protection Act (COPPA).

The code departs from existing, accepted definitions of a “child” reflected in privacy, advertising, and product safety laws. For example, COPPA applies to operators of websites or online services that are either directed to children under 13 or have actual knowledge that they are collecting personal information online from a child under 13. COPPA does not require operators to guess whether kids might visit a site not designed with them in mind. Such sites are expected to assume that visitors are under 13 rather than collect and retain birthdates. And COPPA does not obligate general audience sites, such as e-commerce sites, to seek out age information. Similarly, the U.S. Consumer Product Safety Improvement Act (CPSIA) defines a “children’s product” as one designed and intended primarily for children 12 and younger. Defining “children” to include all minors is likewise inconsistent with decades of child development research on advertising to children, which generally defines children as around age 12. Defining a child as anyone under 18 is also inconsistent with Article 8.1 of the EU General Data Protection Regulation (GDPR), which imposes a default age of 16 but allows member states to set the age of a child between 13 and 16. (Ironically, the UK set its GDPR age of consent at 13.) The International Chamber of Commerce Marketing and Advertising Reference Guide on Advertising to Children provides useful background on why it makes sense to distinguish between children and teens for advertising and privacy purposes.

While the code does not have the force of law, it is persuasive in ICO and court determinations and will be a key measure of compliance with the UK Privacy and Electronic Communications Regulations and the GDPR. And, like the GDPR, penalties can reach £17 million or 4% of global turnover. Businesses that fail to comply with the code therefore could face added scrutiny by the UK ICO, leaving them potentially vulnerable to punitive fines. If approved by Parliament, the code is expected to take effect in 2021.

Unfortunately, despite statements about the necessity for the code and its achievability, operationalizing its standards will be enormously difficult and the extent to which it will actually enhance children’s privacy is questionable. Nevertheless, the Ireland Data Protection Commission (DPC) has also been working on a consultation on children’s privacy and may also consider similar approaches.

The code presents some conflicts for global businesses who have applied COPPA as the gold standard for children’s privacy protection. And while merely making available a digital service to UK or international visitors is likely not enough to trigger application of the code, businesses may choose to geo-gate and block UK visitors instead. As more countries adopt additional proscriptive requirements and guidance on privacy, the possibility of conflicts and inconsistences are real, creating a confusing landscape for consumers and businesses alike.

Photo of Sheila MillarPhoto of Tracy Marshall

At a time when influencers are making a living – and sometimes millions of dollars – for promoting everything from eye shadow to the latest smartphone, the Federal Trade Commission (FTC) is reassessing its Guides Concerning the Use of Endorsements and Testimonials in Advertising (the Guides). The Guides provide direction to businesses that use influencers and endorsers on when and how to make disclosures concerning a “material connection” or commercial relationship between the advertiser and influencer.

The Guides were enacted in 1980. The FTC amended the Guides in 2009 to include new requirements for influencers to disclose material connections – whether in the form of cash, free products, or other consideration – with companies whose products or services they recommend. But in 2009, the FTC could not predict the massive growth of global platforms such as YouTube and Instagram where some influencers have millions of followers. The FTC is now seeking public comments on a range of issues including:

  • whether the practices addressed by the Guides are prevalent in the marketplace and whether the Guides are effective at addressing those practices;
  • whether consumers have benefitted from the Guides and what impact, if any, the Guides have had on the flow of truthful information to consumers;
  • whether the FTC’s guidance document, The FTC’s Enforcement Guides: What People Are Asking, should be incorporated into the Guides;
  • how well advertisers and endorsers are disclosing unexpected material connections in social media;
  • whether children are capable of understanding disclosures of material connections and how those disclosures might affect children;
  • whether incentives like free or discounted products bias consumer reviews, even when a favorable review is not required to receive the incentive, and whether or how such incentives should be disclosed;
  • whether composite ratings that include reviews based on incentives are misleading, even when reviewers disclose incentives in the underlying reviews;
  • whether the Guides should address the use of affiliate links by endorsers; and
  • what, if any, disclosures should advertisers or operators of review sites make about the collection and publication of reviews to prevent them from being deceptive or unfair.

FTC Commissioner Rohit Chopra issued a separate statement in which he called for the FTC to perform a “self-critical analysis of the agency’s enforcement approach” and to focus on advertisers, not small influencers. He expressed a hope that after reviewing the comments, the Commission would consider going beyond the Guides by: (1) adopting requirements for technology platforms that facilitate and either directly or indirectly profit from influencer marketing; (2) codifying elements of the existing Guides into formal rules to allow for imposition of civil penalties; and (3) specifying the requirements that companies must adhere to in their contractual arrangements with influencers.

Interested parties should submit comments within 60 days of publication of the Request for Comments in the Federal Register, which is expected soon.