Environmental claims are attractive to marketers because they are attractive to consumers. The Federal Trade Commission (FTC) has issued guidance—the Guides for the Use of Environmental Marketing Claims, or Green Guides—to help industry assess what consumers will understand about various “green” claims. Among the most important claims is whether a product is “recyclable,” and determining when an unqualified claim of recyclability can be made is based in large part on the availability of recycling to consumers. The more broadly consumers in the sales area will have access to recycling, the stronger a marketer’s claim of recyclability can be. Less access means that a marketer must qualify its claim, which also (necessarily) reduces its impact.  Because the term “recyclable” is so important to marketers, and because its use is predicated on showing consumer access to recycling facilities, studies demonstrating the availability of recycling are critical substantiation tools in the field of green claims.  Similarly, substantiation requirements for other claims, like non-toxic, renewable, degradable and the like, often require a specific understanding of relevant standards, with the overlay of assessing implications from a consumer perception standpoint. 

Keller and Heckman partner Sheila Millar will address recyclable and other green claims at this week’s FPI Spring 2016 Conference during a panel session on “Environmental Marketing Claims and Foodservice Packaging.” The panel will also discuss results of a new “availability of recycling programs” study and what it means for the foodservice packaging industry. Established in 1933, the Foodservice Packaging Institute (FPI) is the trade association for the foodservice packaging industry in North America. FPI’s members include raw material and machinery suppliers, packaging converters, foodservice distributors and operators/retailers. The conference is being held in Ponte Vedra Beach, Florida.

Photo of Sheila Millar; Photo of Peter L. de la Cruz

On April 22, 2016, California’s Office of Environmental Health Hazard Assessment (OEHHA) added styrene to the Proposition 65 list of carcinogens. OEHHA maintains a list of chemicals required under Proposition 65 (formally, the California Safe Drinking Water and Toxic Enforcement Act) that are “known to the state” to be reproductive toxicants or carcinogens based on Proposition 65 criteria. OEHHA also proposed a No Significant Risk Level, or NSRL, for styrene of 27 µg per day. Under Proposition 65, companies that sell products in the state must inform consumers if their products or establishments will expose consumers to a listed chemical above the NSRL.

OEHHA’s listing follows a litigation settlement with the Sierra Club. The settlement agreement required OEHHA to decide whether to list a number of substances under Proposition 65’s “authoritative bodies” listing mechanism if there is sufficient evidence to conclude that the chemical is a carcinogen to humans. OEHHA’s listing is based on a 2011 action by the National Toxicology Program’s (NTP) Report on Carcinogens, which listed styrene as “reasonably anticipated to be a human carcinogen.”

Comments on the proposed NSRL are due by June 6, 2016.

Photo of Sheila Millar; Photo of Tracy Marshall

Continuing its tradition of active involvement in digital economy questions, the Department of Commerce’s (DOC) National Telecommunications and Information Administration (NTIA) issued a request for public comment on questions posed by the growth of the Internet of Things (IoT). The explosive growth of connected products, anticipated to reach 25 billion by 2020, is one reason for the request for comment. The request for comment is intended to reflect the “four pillars” of DOC’s Digital Economy Agenda: promoting a free and open Internet worldwide; promoting trust and confidence online; ensuring Internet access for workers, families and companies; and promoting innovation in the digital economy.

NTIA seeks comment on a range of IoT questions grouped under various headings, including general, technology, infrastructure, policy and international engagement. Questions touch on technical and policy opportunities to promote (or hinder) growth, challenges (including privacy and cybersecurity, impacts on rural communities, etc.), infrastructure needs (interoperability, standards, spectrum, available network infrastructure, etc.) and international engagement. NTIA has previously sponsored several multi-stakeholder workshops, including a current initiative on facial recognition technology, and specifically solicits comment on whether a multi-stakeholder initiative would be useful. After receiving comments, NTIA will use the input to draft a “green paper” identifying key issues affecting deployment of IoT, discussing potential benefits and challenges, and outlining roles for the federal government in advancing IoT technologies in collaboration with the private sector. Comments are due by 5 p.m. ET on May 23, 2016.

Photo of Sheila Millar

Availability of insurance is often among the first questions that arise when a company encounters a data breach or other Internet-related problem involving company records, even where the company lacks a cyberinsurance policy. The federal Fourth Circuit Court of Appeals recently affirmed a ruling by a District Court that required insurance coverage for an inadvertent disclosure of private healthcare information under the policy’s provisions regarding the publication of material that may give “unreasonable publicity” to, or disclose information about, a person’s private life. Travelers Indem. Co. v. Portal Healthcare Solutions, LLC, Case No. 14-1944 (4th Cir. April 11, 2016) (unpublished). Two patients of Portal Healthcare who found their medical information through a Google search filed a class action suit against the hospital for allegedly having inadvertently made hospital medical records available and unprotected on the Internet. Portal then sought coverage against its insurer, Travelers Indemnity Company.

Travelers, in turn, sought a declaratory judgment that it was not obliged to defend Portal under the traditional policies that Portal had purchased. The trial court found coverage under policy language covering an injury arising from the “electronic publication of material” that discloses information about a person’s private life. See Travelers Indem. Co. v. Portal Healthcare Solutions, LLC, 35 F. Supp. 3d 765 (E.D. Va. 2014). This type of traditional invasion of privacy claim has historically been covered by this type of policy. According to the trial court, the private medical information was “published” because it was available to everyone on the Internet—even though it was unclear whether anyone besides the two plaintiffs had ever accessed it—and because the information clearly related to the patient’s private life. The appellate court agreed with the trial court’s reasoning and affirmed the finding that Travelers had a duty to defend Portal in the suit.

Whether a particular insurance policy will cover a particular data breach depends on the terms of the relevant provisions, and this case may represent a unique situation in both the contractual terms and the facts surrounding the alleged breach. However, the appeals court’s decision is a persuasive reminder that insurance policies are generally read to benefit the insured where possible and where ambiguity lies. Companies managing their data flows should ensure that agreements with vendors are drafted to maximize data protections and appropriately apportion responsibility in the event of a breach. Insurance coverage is also an important consideration. In this era of exponential growth in data breach litigation, companies should also carefully examine insurance policies both for coverage and for exclusions, as the insurance industry’s response to this sort of coverage decision may involve added limits on the types of claims that are covered.

 

Photo of Sheila Millar; Photo of Tracy Marshall

At its Open Meeting yesterday, the Federal Communications Commission (FCC) adopted a Notice of Proposed Rulemaking (NPRM) that would apply the privacy protections in Section 222 of the Communications Act to broadband Internet Service Providers (ISPs). The text of the NPRM, which reportedly seeks public comment on more than 500 questions relating to privacy and security obligations for ISPs when handling customer data that they obtain in the provision of Internet access services, has not yet been released.

As we previously reported, the proposal focuses on ensuring that customers have choice as to how their data is used, a clear understanding of what data is being collected about them, and assurances that their data is secure. Of particular significance, the FCC has proposed that ISPs provide customers the ability to opt out of the use of their data to market communications-related services that are unrelated to services they have purchased, and that customers be required to provide opt-in consent before their data can be used for other purposes. In addition, the NPRM proposes data security requirements to protect customer data against breaches and other vulnerabilities, as well as data breach notification requirements.

The NPRM does not apply to web sites and other “edge services” over which the Federal Trade Commission (FTC) has jurisdiction.  Commission votes on the NPRM were split along party lines, with the three Democratic Commissioners approving and the two Republican Commissioners dissenting. In their separate statements, Republican Commissioners O’Rielly and Pai questioned the FCC’s authority and expertise to regulate privacy and data security, and opined that these matters would be better addressed by the FTC, which has more experience enforcing privacy and data security laws in a technology-neutral manner. While this debate will continue, there is no question that the NPRM proposes a host of new requirements that add more complexity to the evolving U.S. privacy and data security landscape.

Photo of Sheila Millar; Photo of Jean-Cyril Walker

The U.S. Consumer Product Safety Commission (CPSC) today announced that it had obtained a record $15,450,000 settlement of civil penalty liability from three Gree Electric entities (Gree Electric Appliances, Inc., of Zhuhai; Hong Kong Gree Electric Appliances Sales Co., Ltd.; and Gree USA Sales, Ltd.) (collectively, Gree). (The settlement is provisional until after the public has an opportunity to comment on it.) The settlement relates to the sale of dehumidifiers under 13 different brand names and allegations that Gree knowingly:

  • failed to report to CPSC immediately (within 24 hours) a defect and unreasonable risk of serious injury with the dehumidifiers sold;
  • made misrepresentations to CPSC staff during its investigation; and
  • sold dehumidifiers bearing the UL safety certification mark that did not meet UL flammability standards.

The dehumidifiers have been the subject of three recall announcements, in September 2013 (the original recall), January 2014 (an expansion), and May 2014 (a reannouncement). The dehumidifiers could overheat, smoke, and catch fire, posing fire and burn hazards to consumers and their property. In the May 2014 reannouncement, the CPSC noted that:

  • the number of incidents had increased from 119 to 471 (a 395% jump);
  • the number of fires increased from 46 to 121 (a 263% jump); and
  • property damage reports increased from $2.15 million to nearly $4.5 million (a 209% jump).

The settlement includes the maximum penalty available under the Consumer Product Safety Act (CPSA), $15.15 million, plus $100,000 per misrepresentation for certification misrepresentations, as noted by Commissioner Joseph P. Mohorovic in his statement on the penalty. In the settlement, where Gree does not admit to the CPSC staff’s charges, the company agrees to implement a compliance program (in line with recent CPSC settlements), including:

  • written standards, policies, and procedures for CPSA compliance;
  • confidential employee compliance concern reporting;
  • training and communication regarding compliance policies and procedures;
  • senior management and board responsibility for compliance; and
  • record retention requirements.

Commissioner Mohorovic was joined by Commissioner Marietta Robinson in praising the CPSC staff for their work in obtaining this settlement. Commissioner Ann Marie Buerkle voted against accepting the provisional settlement.

A high dollar settlement has long been rumored, particularly given statements by CPSC Chairman Elliot Kaye to the effect that he believed Congress expected double-digit-million penalties after increasing the CPSC’s maximum penalty amount in the 2008 Consumer Product Safety Improvement Act (CPSIA). The allegations in the proposed order, including alleged false use of a third-party safety seal and the failure to notify the CPSC promptly on learning of the improper use of the seal, are especially serious, making the penalty amount perhaps less surprising. This type of conduct is, fortunately, extremely rare and the proposed order should not serve as a model for the range of penalties that might be proposed for vastly different conduct.

Photo of Sheila Millar

The newly launched Children’s Confection Advertising Initiative (CCAI), modeled on the Children’s Food and Beverage Advertising Initiative (CFBAI) and its Core Principles, is the latest food industry self-regulatory announcement under which participants agree to limit advertising to children under 12 or in elementary schools (from pre-kindergarten through sixth grade). The Council of Better Business Bureaus (CBBB) and the National Confectioners Association (NCA) will lead the CCAI.

The initiative is aimed at small- and mid-sized companies and has fewer administrative requirements than the CFBAI. “Charter participants” are Ferrara Candy Company; Ghirardelli Chocolate Company; Jelly Belly Candy Company; Just Born Quality Confections; The Promotion in Motion Companies, Inc.; and R.M. Palmer Company. They join six CFBAI participants (American Licorice Company; Ferrero USA; The Hershey Company; Mars, Incorporated; Mondelez International; and Nestlé) in the pledge to restrict advertising to kids under 12.

Federal Trade Commission (FTC) Chairwoman Edith Ramirez released a statement praising the formation of the initiative: “This new initiative is a welcome addition to the CBBB’s existing [CFBAI] and represents the type of self-regulatory solution the FTC has long advocated…. I also hope that this new partnership with the [NCA] will encourage other smaller candy companies to participate.”

Photo of Sheila Millar; Photo of Tracy Marshall
Members of the Federal Communications Commission, Nov. 2013

On the heels of the Open Internet Order adopted by the Federal Communications Commission (FCC) last year, FCC Chairman Tom Wheeler has circulated a Notice of Proposed Rulemaking (NPRM) to fellow Commissioners that would apply the privacy protections of the Communications Act to broadband Internet access services. Wheeler’s proposal will be voted on at the FCC’s March 31, 2016 Open Meeting and, if adopted, will be released for public comment. According to the Fact Sheet released by the FCC that summarizes the NPRM, the proposal is limited in scope in that it does not address the privacy practices of websites over which the Federal Trade Commission (FTC) has jurisdiction, other types of services offered by broadband Internet Service Providers (ISPs), or government surveillance, encryption, and law enforcement issues. The proposal nevertheless has major implications for ISPs and the rapidly evolving U.S. privacy and data security landscape.

The proposal would separate the use of customer data by ISPs into three categories, focusing on ensuring that customers have choice in how their data is used, clear understanding of what data is being collected about them, and assurances that their data is secure. The three categories are organized around customer consent:

  • Consent Inherent in Decision to Purchase Broadband Services. ISPs would be able to use customer data as necessary to provide broadband services and direct service-related marketing to customers without obtaining additional consent, based on a customer’s decision to purchase broadband service.
  • Opt-Out Required. ISPs would be able to use customer data to market communications-related services unrelated to the service purchased by a customer and to share data with affiliates for such purposes, but customers must be given an opt-out option with respect to such data usage.
  • Opt-In Required. All other uses of customer data would require express, affirmative opt-in consent from customers.

Thus, under the proposal, ISPs would not be prohibited from using and sharing customer data, but customers would have choices about how their data is used and shared.

The proposal would also establish data security requirements for ISPs to protect customer data against data breaches and other vulnerabilities, which reportedly include (among other things) requirements for internal risk management, employee training, strong customer authentication, and protection of information shared with third parties. In the event of a breach of customer data, ISPs would be required to notify (1) affected customers within 10 days of discovery, (2) the FCC within 7 days of discovery, and (3) the Federal Bureau of Investigation and the U.S. Secret Service (for breaches affecting more than 5,000 customers) within 7 days of discovery of the breach. These proposed timeframes for notifications are shorter than most state data breach notification laws currently in effect.

This NPRM is just one of several instances of the FCC taking an active interest in consumer privacy and data security issues over the last few years. Earlier this week, the FCC settled with Verizon Wireless over its use of “supercookies” and alleged failure to adequately protect customers’ information (see our post here). Last year, AT&T settled with the FCC for $25 million over allegations that employees at the company’s call centers had inappropriately shared customers’ information with cellphone traffickers (see our post here). That settlement remains the FCC’s largest relating to data security. With these recent actions, the FCC has become a major player in the privacy and data security arena, along with the FTC, state attorneys general, plaintiffs’ lawyers, and foreign regulators.

Photo of Sheila Millar
Ancient Greek Jewelry, by MatthiasKabel, GFDL/CC-BY-SA-3.0

The Federal Trade Commission (FTC or Commission) announced that it will extend the period for the public to comment on its proposed update to the Guides for the Jewelry, Precious Metals, and Pewter Industries (the Jewelry Guides, published in 16 C.F.R. Part 23). Comments are now due June 3, 2016, instead of April 4, 2016.

The Commission’s proposal is part of a retrospective review that began with a July 2012 request for comment and included a public roundtable. Based on its initial request and public comments (of which the FTC received 43), the Commission has proposed a number of changes. Specifically, the proposal:

  • Advises against using terms like “silver” or “platinum” for coated products unless adequately qualified to indicate that the product has only a surface layer of the advertised precious metal.
  • Updates the safe harbors for surface applications of gold to ensure that marketers’ durability claims match the thicknesses used.
  • Recommends disclosure of rhodium surface applications on products marked or described as precious metal, such as rhodium-plated items marketed as “white gold” or “silver.”
  • Clarifies the Commission’s view of how consumers understand the relative quantity of each precious metal in a product that contains more than one precious metal.
  • Discourages the use of terms such as “gold,” “silver,” or “platinum” for products unless they contain at least a specified level of the precious metal (for gold, typically 10 karat; for silver, 925/1000ths; for platinum without qualification, typically 950 parts per thousand).
  • Clarifies how to adequately disclose purity.
  • States that it is unfair or deceptive to describe products filled with a substantial quantity of lead glass with the word “ruby” or other similar terms and descriptors (for example, “treated ruby,” “laboratory-grown,” or “composite ruby”).
  • Identifies descriptors that constitute incorrect (and therefore misleading) varietals, such as “yellow emerald” to describe a golden beryl or heliodor, or “green amethyst” to describe prasiolite.
  • Confirms that it is not unfair or deceptive to use the term “cultured” to describe laboratory-created diamonds if the term is immediately accompanied by “laboratory-created,” “laboratory-grown,” “[manufacturer name]-created,” “synthetic,” or similar words or phrases.
  • Modifies guidance on misuse of the term “gem.”
  • Adds guidance on disclosure of treatments to pearls and cultured pearls.

The Commission granted the request for extension from an advocacy group citing the potential need to conduct consumer research and metallurgical testing, and to obtain other information from experts. In the meantime, the current Jewelry Guides remain in effect.

Photo of Sheila Millar; Photo of Tracy Marshall

On March 7, 2016, the Enforcement Bureau of the Federal Communications Commission (FCC) entered into a Consent Decree with Verizon Wireless relating to the company’s use of Unique Identifier Headers (UIDH) for targeted advertising purposes.  UIDH are commonly referred to as “supercookies” because they cannot be deleted.  This concludes the FCC’s investigation into whether Verizon Wireless failed to adequately protect customer proprietary information and failed to disclose information regarding its use of UIDH, in violation of the FCC’s 2010 Open Internet Transparency Rule and Section 222 of the Communications Act.  Under the terms of the Consent Decree, Verizon Wireless must (among other things) pay a $1.35 million fine, designate a Compliance Officer who is privacy certified, obtain opt-in consent before sharing a customer’s UIDH with a third party for targeted advertising and allow customers to opt-out, employ “reasonable and accepted security standards” when generating UIDH, disclose its use of UIDH in privacy policies and FAQs, and ensure that other Verizon entities who receive UIDH from the company likewise comply with the terms of the Consent Decree (and Verizon Wireless may only share UIDH with other Verizon entities with either opt-in or opt-out consent).

Verizon Wireless began using UIDH in 2012, and the company’s tracking practices were called into question by journalists and privacy advocates in 2014. The FCC launched its investigation in December 2014, and the U.S. Senate Committee on Commerce, Science, and Transportation issued a letter to Verizon Wireless in January 2015 expressing concern about the practices of one of the company’s advertising partners, which used UIDH for unauthorized purposes by restoring cookies that users had deleted. Verizon Wireless updated its privacy policy last year to allow customers to opt out of UIDH.

This is not the FCC’s first enforcement action relating to consumer privacy and data security, but it is a sign of the agency’s increasing interest in online privacy matters. Last year, the FCC’s Enforcement Bureau entered into a $25 million Consent Decree with AT&T after data breaches at call centers in Mexico, Colombia, and the Philippines resulted in the unauthorized disclosure of sensitive personal information and Customer Proprietary Network Information for approximately 280,000 U.S. customers. The landscape will continue to evolve as the FCC considers more privacy regulations for broadband providers.