Members of the Federal Communications Commission, Nov. 2013

On the heels of the Open Internet Order adopted by the Federal Communications Commission (FCC) last year, FCC Chairman Tom Wheeler has circulated a Notice of Proposed Rulemaking (NPRM) to fellow Commissioners that would apply the privacy protections of the Communications Act to broadband Internet access services. Wheeler’s proposal will be voted on at the FCC’s March 31, 2016 Open Meeting and, if adopted, will be released for public comment. According to the Fact Sheet released by the FCC that summarizes the NPRM, the proposal is limited in scope in that it does not address the privacy practices of websites over which the Federal Trade Commission (FTC) has jurisdiction, other types of services offered by broadband Internet Service Providers (ISPs), or government surveillance, encryption, and law enforcement issues. The proposal nevertheless has major implications for ISPs and the rapidly evolving U.S. privacy and data security landscape.

The proposal would separate the use of customer data by ISPs into three categories, focusing on ensuring that customers have choice in how their data is used, clear understanding of what data is being collected about them, and assurances that their data is secure. The three categories are organized around customer consent:

  • Consent Inherent in Decision to Purchase Broadband Services. ISPs would be able to use customer data as necessary to provide broadband services and direct service-related marketing to customers without obtaining additional consent, based on a customer’s decision to purchase broadband service.
  • Opt-Out Required. ISPs would be able to use customer data to market communications-related services unrelated to the service purchased by a customer and to share data with affiliates for such purposes, but customers must be given an opt-out option with respect to such data usage.
  • Opt-In Required. All other uses of customer data would require express, affirmative opt-in consent from customers.

Thus, under the proposal, ISPs would not be prohibited from using and sharing customer data, but customers would have choices about how their data is used and shared.

The proposal would also establish data security requirements for ISPs to protect customer data against breaches and other threats, which reportedly include (among other things) requirements for internal risk management, employee training, strong customer authentication, and protection of information shared with third parties. In the event of a breach of customer data, ISPs would be required to notify (1) affected customers within 10 days of discovery, (2) the FCC within 7 days of discovery, and (3) the Federal Bureau of Investigation and the U.S. Secret Service (for breaches affecting more than 5,000 customers) within 7 days of discovery of the breach. These proposed notification windows are shorter than those in most state data breach notification laws currently in effect, so an ISP’s incident response plan would need to support breach confirmation and customer notice on a faster timeline than most existing programs assume.

This NPRM is just one of several instances of the FCC taking an active interest in consumer privacy and data security issues over the last few years. Earlier this week, the FCC settled with Verizon Wireless over its use of “supercookies” and alleged failure to adequately protect customers’ information (see our post here). Last year, AT&T settled with the FCC for $25 million over allegations that employees at the company’s call centers had inappropriately shared customers’ information with cellphone traffickers (see our post here). That settlement remains the FCC’s largest relating to data security. With these recent actions, the FCC has become a major player in the privacy and data security arena, along with the FTC, state attorneys general, plaintiffs’ lawyers, and foreign regulators.

Ancient Greek Jewelry, by MatthiasKabel, GFDL/CC-BY-SA-3.0

The Federal Trade Commission (FTC or Commission) announced that it will extend the period for the public to comment on its proposed update to the Guides for the Jewelry, Precious Metals, and Pewter Industries (the Jewelry Guides, published in 16 C.F.R. Part 23). Comments are now due June 3, 2016, instead of April 4, 2016.

The Commission’s proposal is part of a retrospective review that began with a July 2012 request for comment and included a public roundtable. Based on its initial request and public comments (of which the FTC received 43), the Commission has proposed a number of changes. Specifically, the proposal:

  • Advises against using terms like “silver” or “platinum” for coated products unless adequately qualified to indicate that the product has only a surface layer of the advertised precious metal.
  • Updates the safe harbors for surface applications of gold to ensure that marketers’ durability claims match the thicknesses used.
  • Recommends disclosure of rhodium surface applications on products marked or described as precious metal, such as rhodium-plated items marketed as “white gold” or “silver.”
  • Clarifies the Commission’s view of how consumers understand the relative quantity of each precious metal in a product that contains more than one precious metal.
  • Discourages the use of terms such as “gold,” “silver,” or “platinum” for products unless they contain at least a specified level of the precious metal (for gold, typically 10 karat; for silver, 925/1000ths; for platinum without qualification, typically 950 parts per thousand).
  • Clarifies how to adequately disclose purity.
  • States that it is unfair or deceptive to describe products filled with a substantial quantity of lead glass with the word “ruby” or other similar terms and descriptors (for example, “treated ruby,” “laboratory-grown,” or “composite ruby”).
  • Identifies descriptors that constitute incorrect (and therefore misleading) varietals, such as “yellow emerald” to describe a golden beryl or heliodor, or “green amethyst” to describe prasiolite.
  • Confirms that it is not unfair or deceptive to use the term “cultured” to describe laboratory-created diamonds if the term is immediately accompanied by “laboratory-created,” “laboratory-grown,” “[manufacturer name]-created,” “synthetic,” or similar words or phrases.
  • Modifies guidance on misuse of the term “gem.”
  • Adds guidance on disclosing treatments to pearls and cultured pearls.

The Commission granted the request for extension from an advocacy group citing the potential need to conduct consumer research and metallurgical testing, and to obtain other information from experts. In the meantime, the current Jewelry Guides remain in effect.


On March 7, 2016, the Enforcement Bureau of the Federal Communications Commission (FCC) entered into a Consent Decree with Verizon Wireless relating to the company’s use of Unique Identifier Headers (UIDH) for targeted advertising purposes. UIDH are commonly referred to as “supercookies” because, unlike ordinary browser cookies, they are inserted by the carrier into the customer’s web traffic rather than stored on the device, so customers cannot delete or clear them. This concludes the FCC’s investigation into whether Verizon Wireless failed to adequately protect customer proprietary information and failed to disclose information regarding its use of UIDH, in violation of the FCC’s 2010 Open Internet Transparency Rule and Section 222 of the Communications Act. Under the terms of the Consent Decree, Verizon Wireless must (among other things) pay a $1.35 million fine, designate a Compliance Officer who is privacy certified, obtain opt-in consent before sharing a customer’s UIDH with a third party for targeted advertising and allow customers to opt out, employ “reasonable and accepted security standards” when generating UIDH, disclose its use of UIDH in privacy policies and FAQs, and ensure that other Verizon entities that receive UIDH from the company likewise comply with the terms of the Consent Decree (and Verizon Wireless may only share UIDH with other Verizon entities with either opt-in or opt-out consent).

Verizon Wireless began using UIDH in 2012, and the company’s tracking practices were called into question by journalists and privacy advocates in 2014.  The FCC launched its investigation in December 2014, and the U.S. Senate Committee on Commerce, Science, and Transportation issued a letter to Verizon Wireless in January 2015 expressing concern about the practices of one of the company’s advertising partners who used UIDH for unauthorized purposes by restoring cookies that users had deleted.  Verizon Wireless updated its privacy policy last year to allow customers to opt-out of UIDH.

This is not the FCC’s first enforcement action relating to consumer privacy and data security, but it is a sign of the agency’s increasing interest in online privacy matters. Last year, the FCC’s Enforcement Bureau entered into a $25 million Consent Decree with AT&T after data breaches at call centers in Mexico, Colombia, and the Philippines resulted in the unauthorized disclosure of sensitive personal information and Customer Proprietary Network Information for approximately 280,000 U.S. customers. The landscape will continue to evolve as the FCC considers more privacy regulations for broadband providers.


On February 29, 2016, the European Commission (EC) released a much anticipated draft adequacy decision on the EU–U.S. Privacy Shield. With this and enactment of the Judicial Redress Act last week (see our post here), the European Union came yet another step closer to finalizing the agreement between the EU and the U.S. to enable data transfers from the EU to the U.S. The draft adequacy decision lays out the basis for a determination that, under the Privacy Shield, U.S. entities will adequately protect the privacy rights of EU citizens. To read more, click here.

Pres. Obama gestures at signing ceremony for Judicial Redress Act

President Barack Obama signed the Judicial Redress Act on Wednesday, February 24, 2016, which will eventually enable European Union citizens to seek remedies for alleged privacy violations by the federal government in U.S. courts.  The Act gives the U.S. Department of Justice (DOJ) authority to designate countries or international organizations that (1) have appropriate privacy protections for sharing information with the U.S., (2) permit the sharing of personal data for commercial purposes with the U.S., and (3) have DOJ-certified data transfer policies that do not impede U.S. national security interests. EU citizens (and citizens of other countries/organizations designated in the future by DOJ) will be able to seek remedies under the Privacy Act against certain U.S. agencies for the mishandling of personal information in criminal or terror investigations, including for the improper disclosure of their data. Potential remedies include injunctive relief and monetary damages.

The passage of this Act is a key element of the recently announced EU–U.S. Privacy Shield (more here), the successor agreement to the U.S.–EU Safe Harbor Agreement. (The Act’s passage also allows negotiations to move forward on the “umbrella agreement”—the Data Protection and Privacy Agreement (DPPA)—concerning the privacy of personal information exchanged for law enforcement purposes.) Safe Harbor, which dates from the Clinton Administration in 2000, was an agreement to allow the transfer of data from the EU (where privacy is a fundamental right) to the U.S. (a country that does not have a legal privacy regime deemed “adequate” under EU law to protect privacy) so long as businesses agreed to abide by European privacy practices and requirements. The Safe Harbor, however, from the outset, was attacked by some, and in the intervening years a number of things combined to cast the Safe Harbor in doubt. The sheer increase in the volume of data transfers by commercial entities is a global phenomenon, but the perception that “big data” was increasingly concentrated in the hands of American businesses—from retailers and news organizations to social media—led to a growing distrust about data protection practices. (Some U.S. businesses believe there is a competitive side to the privacy focus as the EU seeks to work on the Digital Single Market.) Some data protection authorities (notably in Germany) began taking aim at the Safe Harbor, preferring contractual instruments, binding corporate rules, or simply local processing. Then came Edward Snowden’s revelations of widespread data surveillance by U.S. government agencies, sometimes by tapping into the data that was transferred to the U.S.

Finally, in October 2015, the tipping point for the Safe Harbor came when the European Court of Justice (ECJ) invalidated the Commission’s Safe Harbor decision and concluded that Member States’ data protection authorities (DPAs) could not be restrained by a European Commission adequacy decision from exercising their own independent judgment about protecting their citizens’ privacy rights (see related post here). Since then, data transfers under the Safe Harbor have been in purgatory, waiting for a resolution by governments to allow them to send data across the Atlantic without encumbrance.

The Privacy Shield is meant to be that resolution. It still must be approved by a variety of EU bodies before being finalized, and was predicated on a number of concessions by the U.S. government, including giving EU citizens the right to sue in U.S. courts. The Judicial Redress Act fulfills that American promise, going part of the way to reassure EU citizens who heard, in the wake of the Snowden revelations, that Americans did not have to worry about surveillance because it was only being done to foreigners. It remains to be seen whether all of the United States’ promises as part of the Privacy Shield negotiations will be enough to convince individual countries in the EU to approve the new pact and allow this additional tool to be used to satisfy adequacy requirements to support data transfers.


For all of you who know the U.S. Consumer Product Safety Commission (CPSC), you know that the agency distinctly does not have authority over tobacco or tobacco products. This arguably wasn’t always the case. Early on, the American Public Health Association petitioned the CPSC to regulate cigarettes containing more than 21 mg of tar. When the Commission voted not to take action, a district court ordered it to under the Federal Hazardous Substances Act (FHSA), but Congress amended the law before the CPSC could take action. See Consumer Product Safety Commission Improvements Act, Pub. L. 94–284, 90 Stat. 503 (May 11, 1976); see also Food & Drug Administration v. Brown & Williamson Tobacco Corp., 529 U.S. 120, 150–151 (2000) (discussing the petition, litigation, and statutory amendment). Tobacco and tobacco products have been explicitly excluded from CPSC jurisdiction since that 1976 law.

Much has changed since then. Tobacco products have recently evolved beyond traditional cigarettes and other tobacco-leaf–containing products to include “electronic” devices that aerosolize nicotine. Under the 2009 Family Smoking Prevention and Tobacco Control Act (FSPTCA), Pub. L. 111–31, 123 Stat. 1776 (June 22, 2009), the Food and Drug Administration (FDA) gained authority to regulate tobacco products, which are now defined to include any products that contain nicotine derived from tobacco. Nicotine-containing electronic cigarettes and the “e-liquids” used in them will come under FDA’s tobacco authority as soon as FDA finalizes its “Deeming Regulation.”

The limitation on CPSC’s jurisdiction over products in the “nicotine family” also appears set to be loosened – albeit only slightly – as Congress just passed the Child Nicotine Poisoning Prevention Act (S. 142), which is currently awaiting the President’s signature. The law would impose packaging restrictions on certain liquid nicotine products similar to those already required under the Poison Prevention Packaging Act (PPPA), Pub. L. 91–601, 84 Stat. 1670 (Dec. 30, 1970). Read more about the impending law in a Keller and Heckman LLP client alert here.


The Supreme Court yesterday denied an attempt by a defendant to moot a class action under the Telephone Consumer Protection Act (TCPA), Pub. L. 102–243, 105 Stat. 2394 (Dec. 20, 1991) (codified at 47 U.S.C. § 227), on the basis of an unaccepted settlement offer to the named plaintiff. The case, Campbell-Ewald Co. v. Gomez, No. 14–857, was decided on a 6–3 vote, with Justice Ginsburg writing for the majority and Justice Thomas concurring in the judgment.

Campbell-Ewald Co. was working under a contract for the U.S. Navy to provide marketing services in connection with recruiting. The company proposed to send a text message to young adults aged 18 to 24 encouraging them to learn more about the Navy. The Navy approved the campaign, conditioned on sending solicitations only to persons who had opted in to receiving messages. The text of the message was:

Destined for something big? Do it in the Navy. Get a career. An education. And a chance to serve a greater cause. For a FREE Navy video call [phone number].

Jose Gomez received the message, and alleges that he never consented to receiving messages, and that he was outside the relevant age range at the time (he was nearly 40). He sued in federal court in California and sought class certification. Campbell-Ewald offered to pay him the maximum for his personal damages, excluding attorney’s fees, and filed an offer of judgment pursuant to Federal Rule of Civil Procedure 68. He rejected the settlement, and after the district court dismissed the case and the Ninth Circuit Court of Appeals reversed the dismissal, the Supreme Court granted certiorari.

There, Campbell-Ewald argued that the unaccepted settlement offer rendered the named plaintiff’s complaint moot, because the offer would have fully satisfied his personal claims. The Court held that Campbell-Ewald’s settlement bid and Federal Rule of Civil Procedure 68 offer of judgment, once rejected, had no continuing efficacy, based on basic principles of contract law. With no settlement offer continuing to operate, the parties remained adverse – each retained the same stake in the litigation it had at the outset. The district court thus retained jurisdiction to decide the case.

Separately, Campbell-Ewald, as a contractor for the U.S. Navy, sought derivative sovereign immunity, but the Court rejected this claim. The Court acknowledged that the U.S. and its agencies are not subject to the TCPA: sovereign immunity must be lifted by statute, and neither the TCPA nor any other statute does so for TCPA claims. That governmental immunity does not transfer in whole to contractors, however; they obtain some immunity, but “[t]hat immunity, … unlike the sovereign’s, is not absolute.” Where a contractor violates both federal law and the contracting authority’s instructions, no derivative immunity shields the contractor from suits based on the violation.

Justice Thomas’s concurrence was based on the common-law history of tenders, arguing that “a mere offer of relief was insufficient to deprive a court of jurisdiction” at the time of the founding. Chief Justice Roberts, writing the lead dissent, argued that the offer of full satisfaction of Gomez’s claims mooted the case, eliminating a federal court’s jurisdictional minimum requirement of an actual case or controversy; this, he argued, deprived the district court of jurisdiction. Justice Alito, who joined the principal dissent, wrote separately to emphasize that his vote was premised on the absence of any dispute that the company would make good on its promise to pay plaintiff the money offered (“Absent this fact, I would be compelled to find that the case is not moot.”).

The decision not to moot the claims is not just a boost to TCPA plaintiffs; it is a boost to class action plaintiffs generally. TCPA plaintiffs, and those similarly situated, are not out of the woods yet, however. An important case with somewhat similar arguments, but under the Fair Credit Reporting Act (FCRA), 84 Stat. 1127, Pub. L. 91–508 (Oct. 26, 1970) rather than the TCPA, has already been heard at the Court: Spokeo, Inc. v. Robins, No. 13–1339. (We wrote about that case previously here, after the Court granted certiorari.) In that case, the Court will address whether Congress can confer Article III standing on a plaintiff who suffers no independent, concrete harm by making a bare statutory violation actionable in a suit brought by a private plaintiff. If the Court decides that case against the plaintiff, then consumer claims under a range of federal statutes could be restricted, including under the TCPA.

Consumer class actions, a subject of several important Court cases in recent years, continue to be in the legal spotlight, and thus feature among the top concerns of in-house counsel everywhere.


Members of the U.S. Consumer Product Safety Commission (CPSC) are set to vote on a final rule to allow the staff not only to participate on the committees that develop voluntary standards, but to vote as members of the committees and even lead them (provided the Executive Director gives prior approval). If the Commission approves the rule, this will overturn the current limitations on staff participation. The outcome of the vote, originally scheduled for January 6, 2016, has not yet been publicly announced. The delay in public announcement of a vote often indicates continued deliberation among Commissioners, up to and including a decision to hold a public hearing on an issue.

The proposal follows from the Commission’s 2013 proposed rule, which responded to a 2012 recommendation by the U.S. Government Accountability Office (GAO) that the CPSC study the feasibility of assuming a more active, engaged role in the development of voluntary standards. Comments from stakeholders on the original proposal ran the gamut. Some entirely opposed both new forms of participation, some supported both, and some supported staff voting but not taking a leadership role.

Critiques of the proposal pointed to the potential violations of the Administrative Procedure Act (APA), the Federal Advisory Committee Act (FACA), and potential openness requirements under the Government in the Sunshine Act, which in turn might violate standards organization rules. Proponents thought that voluntary standards would benefit from the votes of CPSC staffers who were already participating in the discussions.

The voluntary standards development process has long been a key aspect of the CPSC’s mission. Congress has instructed that CPSC, when considering rulemaking on a specific hazard, defer to a voluntary standard that effectively addresses the contemplated hazard, and that either is currently widely followed or expected to be.

Further, in the 2008 Consumer Product Safety Improvement Act (CPSIA), Congress directed the Commission to identify voluntary standards for durable nursery products and make them mandatory, either as a whole or with specific amendments that improve safety. This process, called the § 104 process after the statutory provision, prompted critiques from then-Commissioners and others that the staff’s views are given inappropriate extra weight. This follows from their ability to recommend that the Commission adopt a voluntary standard with changes, including changes that might have been considered and rejected by the voluntary standards committee.

If the Commission does approve the proposal as staff drafted, we will see whether staff participation improves the voluntary standards process, or whether concerns that have beset the § 104 process are magnified.


Lumosity, an online site and smartphone app, is supposed to help its users train their brains so they can achieve their “full potential in every aspect of life.” Unfortunately, the company was unenlightened when it came to avoiding false advertising claims. According to the Federal Trade Commission (FTC), the company claimed that using its products would improve performance on everyday tasks, in school, at work, and in athletics; delay age-related cognitive decline and protect against mild cognitive impairment, dementia, and Alzheimer’s disease; and reduce cognitive impairment associated with health conditions, including stroke, traumatic brain injury, PTSD, ADHD, the side effects of chemotherapy, and Turner syndrome. The company also claimed that scientific studies proved these benefits.

The company’s ads featured many testimonials lauding the company’s products and benefits, but the endorsements were incentivized through contests and promotions offering prizes and rewards.

On Tuesday, January 5, 2016, the FTC announced a proposed settlement with Lumosity, Lumos Labs, and their principals over false cognition-enhancing claims and violations of the FTC’s Guides Concerning the Use of Endorsements and Testimonials in Advertising. The $50 million judgment was suspended upon payment of $2 million, due to the company’s financial condition. The FTC participates in the National Prevention Council, which provides coordination and leadership at the federal level regarding prevention, wellness, and health promotion practices. The FTC said that the settlement furthers the Council’s goal of increasing the number of Americans who are healthy at all stages of life, and of protecting consumers from misleading health claims.

The settlement is the latest in a line of cases focusing on health and cognition benefits involving foods, dietary supplements and “learning” products. Note to advertisers: if you are making brain health or similar claims, be sure you have appropriate support for the claims at the time you make them. And don’t forget that offering incentives for endorsements and testimonials triggers disclosure and other obligations under FTC guidelines.


In the rush of holidays and storms around the country (and weirdly warm weather here in D.C.), it was easy to miss that Congress finally approved the Cybersecurity Information Sharing Act (CISA).  The bill was included in the middle of its omnibus spending package, the Consolidated Appropriations Act, 2016, Pub. L. 114–113 (Dec. 18, 2015), which Congress approved just before shutting down for the break.

The law encourages companies to share cyberthreat information with the federal government and each other.  They are explicitly authorized to monitor their own information systems, those of other non-federal entities (with authorization and written consent), and to share information about “cyber threat indicators” and defensive measures.  The Department of Homeland Security (DHS) is the designated portal through which information can be shared, and through which companies can receive liability protections for sharing cyberthreat information with the government.  Companies are obligated to review and remove any personally identifiable information “known at the time of sharing” and unrelated to cyber threats before sharing information with DHS.  DHS is similarly directed to implement privacy protections before sharing with other agencies.

These privacy protections were adopted partially in response to criticisms from non-governmental organizations (NGOs) such as the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF), who argued that the privacy protections were inadequate and worrisome in light of liability limitations.  These opponents remained opposed to the legislation even with these protections.

Many businesses, on the other hand, have favored legislation that offers an appropriate incentive structure to motivate companies to share information that could help them combat cyberthreats from private groups and state actors, while protecting them from liability.  Notably, however, the tech industry itself has vacillated on support for CISA.  One software trade association has variously supported, been neutral toward, and finally opposed the version of CISA passed last month.

The broader business community’s support has only grown in the wake of cyberattacks and subsequent public recriminations. The logic of CISA is relatively simple: the liability protections give companies an incentive to share information that will redound to their own benefit and to the benefit of other companies as well. Supporters assert that, in the absence of legal authorization and protections, businesses have been reluctant to share information, and that malicious actors have in turn exploited weaknesses that might have been known had information been shared. At the same time, when breaches occur, companies have faced both regulatory investigations and class action lawsuits for allegedly failing to implement the security measures necessary to protect their proprietary information and the information of their customers and employees. The business community hopes that CISA will facilitate cyberthreat sharing while limiting liability exposure.

Some critics continue to assert that the bill does not accomplish enough to promote better cybersecurity while offering too little in the way of privacy protections for consumers. Only time will tell if CISA will both improve the cybersecurity environment and strike the right balance of protecting privacy once it is implemented.