Thailand’s Personal Data Protection Act Enters into Force

On June 1, 2022, Thailand’s Personal Data Protection Act (“PDPA”) entered into force after three years of delays. The PDPA, originally enacted in May 2019, provides for a one-year grace period, with the main operative provisions of the law originally set to come into force in 2020. Due to the COVID-19 pandemic, however, the Thai government issued royal decrees to extend the compliance deadline to June 1, 2022. 

The PDPA mirrors the EU General Data Protection Regulation (“GDPR”) in many respects. Specifically, it requires data controllers and processors to have a valid legal basis for processing personal data (i.e., data that can identify living natural persons directly or indirectly). If such personal data is sensitive personal data (such as health data, biometric data, race, religion, sexual preference and criminal record), data controllers and processors must ensure that data subjects give explicit consent for any collection, use or disclosure of such data. Exemptions are granted for public interest, contractual obligations, vital interest or compliance with the law.

The PDPA applies both to entities in Thailand and abroad that process personal data for the provision of products or services in Thailand. Like the GDPR, data subjects are guaranteed rights, including the right to be informed, access, rectify and update data; restrict and object to processing; and the right to data erasure and portability. Breaches may result in fines between THB500,000 (U.S.$14,432) and THB5 million, plus punitive compensation. Certain breaches involving sensitive personal data and unlawful disclosure also carry criminal penalties including imprisonment of up to one year.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Senate Bill to Revise and Reassess GRAS Program

  • On May 27, Senator Edward J. Markey (D-Mass.), alongside Senators Richard Blumenthal (D-Conn.) and Elizabeth Warren (D-Mass.), introduced the Ensuring Safe and Toxic-Free Foods Act, which is described as “comprehensive legislation that ensures the Department of Health and Human Services (HHS) fulfills its responsibility to promote the health and well-being of American families by directing the Food and Drug Administration (FDA) to strengthen the Substances Generally Recognized as Safe (GRAS) Rule, which exempts companies from seeking pre-market approval for food chemicals.” A summary of the legislation is available here.
  • The legislation would prohibit manufacturers from independently designating substances as GRAS (or manufacturing or selling food containing those substances) without supplying notice and supporting information to the Secretary of HHS. Substances that are carcinogenic or that have evidence of reproductive or developmental toxicity would be prohibited from receiving a GRAS designation. Further, the legislation would require that a GRAS Notice and all supporting information be publicly available online and subject to a 90-day review period.
  • The legislation would also direct the Secretary to create an Office of Food Chemical Safety Reassessment within FDA’s CFSAN. The new office would be responsible for reassessing the safety of existing food additives, food contact substances, color additives, and substances that had already received GRAS status. The office would be required to reassess at least 10 substances (or class of substances) once every three years. As included in the bill, the first 10 substances to be reviewed would be:
    • Perfluoroalkyl substances and polyfluoroalkyl substances
    • Ortho-phthalates
    • The class of bisphenols
    • Titanium dioxide
    • Potassium bromate
    • Perchlorate
    • Butylated hydroxyanisole (BHA)
    • Butylated hydroxytoluene (BHT)
    • Brominated vegetable oil (BVO)
    • Propyl paraben
  • With regard to the legislation, Senator Markey has said “The FDA too often falls short on their responsibility to promote food safety, highlighted recently by the baby formula crisis where FDA’s deputy commissioner for food policy did not learn about the whistleblower complaint for four months. It is long past time we revise existing food safety measures and close the loophole allowing manufacturers to self-regulate what new substances can enter our food supply.”
© 2022 Keller and Heckman LLP

DOJ Limits Application of Computer Fraud and Abuse Act, Providing Clarity for Ethical Hackers and Employees Paying Bills at Work Alike

On May 19, 2022, the Department of Justice announced it would not charge good-faith hackers who expose weaknesses in computer systems with violating the Computer Fraud and Abuse Act (CFAA or Act), 18 U.S.C. § 1030. Congress enacted the CFAA in 1986 to promote computer privacy and cybersecurity and amended the Act several times, most recently in 2008. However, the evolving cybersecurity landscape has left courts and commentators troubled by potential applications of the CFAA to circumstances unrelated to the CFAA’s original purpose, including prosecution of so-called “white hat” hackers. The new charging policy, which became effective immediately, seeks to advance the CFAA’s original purpose by clarifying when and how federal prosecutors are authorized to bring charges under the Act.

DOJ to Decline Prosecution of Good-Faith Security Research

The new policy exempts activity of white-hat hackers and states that “the government should decline prosecution if available evidence shows the defendant’s conduct consisted of, and the defendant intended, good-faith security research.” The policy defines “good-faith security research” as “accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.”

In practice, this policy appears to provide, for example, protection from federal charges for the type of ethical hacking a St. Louis Post-Dispatch reporter performed in 2021. The reporter uncovered security flaws in a Missouri state website that exposed the Social Security numbers of over 100,000 teachers and other school employees. The Missouri governor’s office initiated an investigation into the reporter’s conduct for unauthorized computer access. While the DOJ’s policy would not affect prosecutions under state law, it would preclude federal prosecution for the conduct if determined to be good-faith security research.

The new policy also promises protection from prosecution for certain arguably common but contractually prohibited online conduct, including “[e]mbellishing an online dating profile contrary to the terms of service of the dating website; creating fictional accounts on hiring, housing, or rental websites; using a pseudonym on a social networking site that prohibits them; checking sports scores at work; paying bills at work; or violating an access restriction contained in a term of service.” Such activities resemble the facts of Van Buren v. United States, No. 19-783, which the Supreme Court decided in June 2021. In Van Buren, the 6-3 majority rejected the government’s broad interpretation of the CFAA’s prohibition on “unauthorized access” and held that a police officer who looked up license plate information on a law-enforcement database for personal use—in violation of his employer’s policy but without circumventing any access controls—did not violate the CFAA. The DOJ did not cite Van Buren as the basis for the new policy. Nor did the DOJ identify any other impetus for the change.

To Achieve More Consistent Application of Policy, All Federal Prosecutors Must Consult with Main Justice Before Bringing CFAA Charges

In addition to exempting good-faith security research from prosecution, the new policy specifies the steps for charging violations of the CFAA. To help distinguish between actual good-faith security research and pretextual claims of such research that mask a hacker’s malintent, federal prosecutors must consult with the Computer Crime and Intellectual Property Section (CCIPS) before bringing any charges. If CCIPS recommends declining charges, prosecutors must inform the Office of the Deputy Attorney General (DAG) and may need to obtain approval from the DAG before initiating charges.

©2022 Greenberg Traurig, LLP. All rights reserved.

NCLC Tells FCC “Callers can easily avoid making calls to telephone numbers that have been reassigned….” – But Is it That Simple?

The National Consumer Law Center is at it again.

In response to the Department of Health and Human Services’ recent letter to the FCC seeking clarity on whether the TCPA applies to texts it would like to make to alert Americans of certain medical benefits, the NCLC–an organization that nominally represents consumers, but really seems to represent the interests of the plaintiff’s bar–has filed a comment.

Unsurprisingly, the NCLC takes the position that HHS needs no relief. Government contractors are covered by the TCPA–it says–but the texts at issue in HHS’ letter are consented, so they’re fine. (Although it later clarifies that only “many” but not “all” of the enrollees whom HHS wishes to call have “probably” given their telephone numbers as part of written enrollment agreements–so perhaps not.)

Hmmmm. Feels like a trap. But we’ll ignore that for now.

The critical piece here, though, is what the NCLC–a very powerful voice, for better or (often) worse–is telling the FCC about the effectiveness of the new Reassigned Number Database:

3. Callers can easily avoid making calls to telephone numbers that have been reassigned to someone other than the enrollee

A primary source of TCPA litigation risk has been calls inadvertently made to numbers that are no longer assigned to the person who provided consent. Courts have held the caller liable for making automated calls to a cell phone number that has been reassigned to someone other than the person who provided consent to be called.29

The Commission has implemented the Reassigned Number Database specifically to address that risk of liability, as well as to limit the number of unwanted robocalls:

The FCC’s Reassigned Numbers Database (RND) is designed to prevent a consumer from getting unwanted calls intended for someone who previously held their phone number. Callers can use the database to determine whether a telephone number may have been reassigned so they can avoid calling consumers who do not want to receive the calls. Callers that use the database can also reduce their potential Telephone Consumer Protection Act (TCPA) liability by avoiding inadvertent calls to consumers who have not given consent for the call.31

The database has been fully operational since November 1, 2021. It provides a means for callers to find out before making a call if the phone number has been reassigned. If the database wrongly indicates that the number has not been reassigned, so long as the caller has used the database correctly, no TCPA liability will apply for reaching the wrong party. 32 Thus, as long as HHS’s callers make use of this simple, readily available database, they can be confident that they will not be held liable for making calls to reassigned numbers.

While I steadfastly support both the creation and use of the RND, it also must be observed that there are myriad problems with the RND as it currently exists. Most importantly, the data sets in the RND are only comprehensive through October 1, 2021 and spotty back to February 2021 (beyond which there are no records!).

So for folks like HHS–and servicers of mortgages, and retailers, and credit card companies–who want to reach customers who provided their contact information before 10/2021 or 2/2021 the RND is simply not helpful.

The NCLC’s oversimplification of a critical issue is not surprising. They once told Congress that the TCPA is “Straightforward and Clear” after all.

Full comment here: NCLC Comments-c3

We’ll keep an eye on developments on HHS’ letter and all the FCC goings-on.

© 2022 Troutman Firm

Comparing and Contrasting the State Laws: Does Pseudonymized Data Exempt Organizations from Complying with Privacy Rights?

Some organizations are confused as to the impact that pseudonymization has (or does not have) on a privacy compliance program. That confusion largely stems from ambiguity concerning how the term fits into the larger scheme of modern data privacy statutes. For example, aside from the definition, the CCPA only refers to “pseudonymized” on one occasion – within the definition of “research” the CCPA implies that personal information collected by a business should be “pseudonymized and deidentified” or “deidentified and in the aggregate.”[1] The conjunctive reference to research being both pseudonymized “and” deidentified raises the question whether the CCPA lends any independent meaning to the term “pseudonymized.” Specifically, the CCPA assigns a higher threshold of anonymization to the term “deidentified.” As a result, if data is already deidentified it is not clear what additional processing or set of operations is expected to pseudonymize the data. The net result is that while the CCPA introduced the term “pseudonymization” into the American legal lexicon, it did not give it any significant legal effect or status.

Unlike the CCPA, the pseudonymization of data does impact compliance obligations under the data privacy statutes of Virginia, Colorado, and Utah. As the chart below indicates, those statutes do not require that organizations apply access or deletion rights to pseudonymized data, but do imply that other rights (e.g., opt out of sale) do apply to such data. Ambiguity remains as to what impact pseudonymized data has on rights that are not exempted, such as the right to opt out of the sale of personal information. For example, while Virginia does not require an organization to re-identify pseudonymized data, it is unclear how an organization could opt a consumer out of having their pseudonymized data sold without reidentification.


ENDNOTES

[1] Cal. Civ. Code § 1798.140(ab)(2) (West 2021). It should be noted that the reference to pseudonymizing and deidentifying personal information is found within the definition of the word “Research,” as such it is unclear whether the CCPA was attempting to indicate that personal information will not be considered research unless it has been pseudonymized and deidentified, or whether the CCPA is mandating that companies that conduct research must pseudonymize and deidentify. Given that the reference is found within the definition section of the CCPA, the former interpretation seems the most likely intent of the legislature.

[2] The GDPR does not expressly define the term “sale,” nor does it ascribe particular obligations to companies that sell personal information. Selling, however, is implicitly governed by the GDPR as any transfer of personal information from one controller to a second controller would be considered a processing activity for which a lawful purpose would be required pursuant to GDPR Article 6.

[3] Va. Code 59.1-577(B) (2022).

[4] Utah Code Ann. 13-61-303(1)(a) (2022).

[5] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-573(A)(1) through (4)).

[6] C.R.S. 6-1-1307(3) (2022) (exempting compliance with C.R.S. Section 6-1-1306(1)(b) to (1)(e)).

[7] Utah Code Ann. 13-61-303(1)(c) (exempting compliance with Utah Code Ann. 13-61-202(1) through (3)).

[8] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-573(A)(1) through (4)).

[9] C.R.S. 6-1-1307(3) (2022) (exempting compliance with C.R.S. Section 6-1-1306(1)(b) to (1)(e)).

[10] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-573(A)(1) through (4)).

[11] C.R.S. 6-1-1307(3) (2022) (exempting compliance with C.R.S. Section 6-1-1306(1)(b) to (1)(e)).

[12] Utah Code Ann. 13-61-303(1)(c) (exempting compliance with Utah Code Ann. 13-61-202(1) through (3)).

[13] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-574).

[14] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-574).

©2022 Greenberg Traurig, LLP. All rights reserved.

New Jersey Employers Are Now Required to Provide Written Notice Before Using Tracking Devices in Employee-Operated Vehicles

Earlier this year, New Jersey Governor Phil Murphy signed into law Assembly Bill No. 3950, which requires employers in the State to provide written notice to an employee before using a tracking device on a vehicle used by the employee. The new law, which went into effect on April 18, 2022, recognizes that employers may have a legitimate business interest in being able to track their workforce’s whereabouts—particularly when traveling or working offsite—while also reconciling that with the protection of workers’ privacy rights. At the very least, the days of covertly tracking employee vehicles appear to be a thing of the past.

The law defines “tracking device” as any “electronic or mechanical device which is designed or intended to be used for the sole purpose of tracking the movement of a vehicle, person, or device,” with a specific carveout for devices used solely for the purpose of documenting employee expense reimbursement.

Significantly, the written notice requirement applies to the use of tracking devices in any vehicles used by an employee. It does not matter whether it is an employee’s personal vehicle (whether owned or leased) or company-owned or provided. Written notice must be provided regardless.

Failure to comply with the law’s notice requirements can carry substantial penalties. An employer who knowingly makes use of a tracking device in a vehicle used by an employee without providing written notice to the employee shall be subject to a civil penalty up to $1,000.00 for the first violation, and then up to $2,500.00 for each subsequent violation. These fines can add up quickly, especially for service businesses with large vehicle fleets, among others. Additionally, it is possible that failure to comply with the law’s notice requirements may implicate employee privacy rights that could lead to further civil exposure.

Private employers within the State must ensure they have appropriate policies and procedures in place to comply with the new law’s requirements and insulate their businesses from potential liability for violations. While the law does not specify what the required “written notice” must look like or how it must be conveyed to employees, at minimum employers should update their employee handbooks as well as provide a stand-alone, written notice to employees, with signed confirmation and acknowledgement of receipt. Additionally, rules and regulations regarding GPS tracking of employee vehicles may vary from state to state, so employers with a multi-state presence or service area need to be aware of the different laws that may apply to them depending on where their employees are working.

Employers who have not yet updated their forms and procedures should immediately contact counsel and take steps to ensure that they are in compliance. Similarly, it may be prudent for employers who drafted their own policies to have experienced employment counsel perform a policy or handbook review and provide advice and guidance regarding employer responsibilities and obligations, including but not limited to ensuring compliance with New Jersey’s new vehicle tracking device law.

COPYRIGHT © 2022, STARK & STARK
Article By Cory Rand with Stark & Stark.

Litigation Minute: Defending Consumer Class Action Claims Involving PFAS

WHAT YOU NEED TO KNOW IN A MINUTE OR LESS

Defending consumer class action claims alleging false and misleading product labeling based on the presence of per- and polyfluoroalkyl substances (PFAS) is similar to the defense of other food and beverage labeling class actions, but there are nuances the food and beverage industry should consider.

What Are PFAS?

As noted in last week’s edition, PFAS are per- and polyfluoroalkyl substances used for their flame-retardant and water-resistant properties. They are used in clothing, cosmetics, and food packaging. PFAS can also be found in municipal water supplies.

How Do PFAS Relate to Consumer Class Actions?

Plaintiffs’ counsel have brought consumer class actions against the makers and sellers of food and beverages alleging that the presence of PFAS in the labeled product renders the labeling false and misleading. Consumer class actions involving PFAS typically allege that the presence of PFAS renders affirmative representations on the product labeling false or misleading, or that the presence of PFAS must be disclosed on the label.

For example, both of these theories are at play in the case of Davenport v. L’Oreal USA, Inc. The complaint asserts that (1) the representations that L’Oreal’s waterproof mascaras are safe, effective, high quality, and appropriate for use on consumers’ eyelashes are false or misleading due to the presence of PFAS; and (2) L’Oreal failed to disclose to consumers that PFAS are present in detectable amounts in its waterproof mascaras.1

How is the Defense of PFAS Consumer Class Actions Similar to the Defense of Other Consumer Class Actions?

In most instances, the defense of consumer class actions involving PFAS allegations does not differ substantially from the defense of other types of consumer class actions. In the case of an alleged affirmative misrepresentation, the inquiry is the same on a pleadings challenge – whether the labeling is likely to mislead a reasonable person given the presence of PFAS in the product.

Moreover, plaintiffs typically assert a “premium price” theory, meaning the plaintiff claims he or she would not have purchased the item, or would have paid less, had the PFAS been properly disclosed. These allegations provide the defense with an opportunity to attack the damages model on class certification, similar to other types of consumer class actions.

How is the Defense of PFAS Consumer Class Actions Different From the Defense of Other Consumer Class Actions?

The defense of consumer class actions involving PFAS will differ from other consumer class actions in two key ways, depending on the allegations.

First, given the current lack of regulations governing the presence of PFAS in food and beverage products, the food and beverage industry should be aware that there is generally no duty to disclose the presence of PFAS in the absence of a relevant false or misleading statement on the product labeling. This lack of regulations provides an additional avenue for a pleadings challenge that may not otherwise succeed.

Second, scientific testing will be critical to determining whether there are any, or a uniform quantity of, PFAS present across the entire product line. PFAS variations between product exemplars may provide an additional avenue to defeat class certification.

Takeaway

Unfortunately, it appears that the food and beverage industry will see a new wave of class action litigation focused on the presence of PFAS in products. However, it also appears that many tried and true defense strategies will be applicable to such claims, and the unique nature of PFAS litigation will provide class defendants with additional strategies.

FOOTNOTES

1 Davenport v. L’Oreal USA, Inc., No. 2:22-cv-01195 (C.D. Cal.).

Copyright 2022 K & L Gates
Article By Matthew G. Ball with K&L Gates.

Six Things to Know About New York’s New Employer Notification Requirements for Electronic Monitoring of Employees

Under an amendment to the New York Civil Rights Law that will take effect on May 7, 2022, private-sector employers that monitor their employees’ use of telephones, emails, and the internet must provide notice of such monitoring. The following provides highlights of the new law.

Question 1. Which employers and electronic monitoring activities are covered?

Answer 1. The law applies to any private individual or entity with a place of business in New York, and it broadly covers “telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage by an employee by any electronic device or system, including but not limited to the use of a computer, telephone, wire, radio, or electromagnetic, photoelectronic or photo-optical systems [that] may be subject to monitoring.”

Q2. Are any electronic monitoring activities exempted from coverage?

A2. The law does not cover processes “designed to manage the type or volume of incoming or outgoing electronic mail or telephone, voice mail or internet usage,” and it also does not apply to processes “that are not targeted to monitor or intercept the electronic mail or telephone voice mail or internet usage of a particular individual.” The law also exempts processes that are “performed solely for the purpose of computer system maintenance and/or protection.”

Q3. What are some of the law’s compliance obligations?

A3. Private-sector employers that “monitor[] or otherwise intercept[] [employee] telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage” must post a notice of electronic monitoring in a “conspicuous place which is readily available for viewing” by affected employees. Employers also must furnish new employees with written notice when they are hired. The law requires that newly hired employees acknowledge receipt of the notice, “either in writing or electronically.”

Q4. What information must be included in the notices?

A4. Under the law, employers are required to notify employees that “any and all telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage by an employee by any electronic device or system” may be subject to monitoring “at any and all times and by any lawful means.” The law requires that the written notice advise employees that the electronic devices or systems that may be subject to monitoring include, but are not limited to, “computer, telephone, wire, radio or electromagnetic, photoelectronic or photo-optical systems.”

Q5. What are the penalties for violations of the law?

A5. The law provides for the imposition of civil penalties for violations of its requirements. Employers found to be in violation of the law are subject to civil penalties of $500 for a first offense, $1,000 for a second offense, and $3,000 for a third offense and for each subsequent offense. The Office of the New York State Attorney General will enforce the law.

Q6. Are there similar requirements in other jurisdictions?

A6. Connecticut and Delaware also require employers to provide notification of electronic monitoring. As the requirements of these laws vary slightly from New York’s law, employers doing business in either or both of these states and in New York may wish to consider whether to adopt a single approach, or adopt approaches tailored to each jurisdiction’s requirements.

Key Takeaways

New York employers that have not already taken action to comply with this new law may wish to consider whether to post physical notices in the workplace or utilize electronic postings that are visible upon logging in to the employer’s computer, or both.

Employers may also wish to determine how to incorporate the required notice to new employees in their new-hire and onboarding systems. Employers that address electronic monitoring in existing policies may also wish to review the existing policies to ensure that the information in those policies is consistent with the nature of the notification required by the new law, and update existing policies if warranted.

Employers may also wish to consider whether to obtain written or electronic acknowledgments of electronic monitoring from current employees. In addition, employers may wish to evaluate the potential for challenges to the use of information obtained through electronic monitoring absent compliance with the notice requirements.

© 2022, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.

Community Banks and Overdrafts — Time for Reconsideration?

Bank consumer overdraft fees (together with nonsufficient funds (NSF) fees and returned check fees) have long been a target of attacks by consumer advocacy groups and progressive politicians who claim that such fees are disproportionately levied on the most vulnerable consumers. The Obama-era Consumer Financial Protection Bureau (CFPB) initiated efforts to regulate overdraft programs, which were shelved during the Trump administration, and legislation to restrict overdraft fees has regularly been proposed and considered by Congress, but not enacted.

2022, however, may be the year that the US financial regulatory agencies finally move to impose formal restrictions on banks’ overdraft fee programs. In particular, the CFPB, increasingly assertive in President Biden’s second year in office, has clearly signaled its intent to take action in this area:

  • Rohit Chopra, the director of the CFPB, has spoken out on numerous occasions — in public appearances, opinion pieces, and blog posts — regarding the imperative of reining in so-called junk fees charged by banks and other financial companies.
  • On January 26, 2022, the CFPB published a request for public comment targeting “exploitative junk fees,” including overdraft and NSF fees. The CFPB stated that the goal of its information request was to assist the agency’s plan to “craft rules, issue industry guidance, and focus supervision and enforcement resources,” with the goals of reducing excessive fees and eliminating illegal practices.

The attack on overdraft fee programs has been echoed by other administration officials as well as by allied politicians. Acting Comptroller of the Currency Michael Hsu has called traditional bank overdraft programs “a significant part” of a “regressive system” that penalizes the poor and has stated that “banks that hesitate to adopt pro-consumer overdraft programs will soon be negative outliers.” On March 31, 2022, the House Financial Services Subcommittee held a hearing on possible government intervention to restrict overdraft programs, clearly showing coordination by the committee majority with the Biden administration’s initiatives. In March 2022, a group of US Senate Democrats (including Banking Committee Chairman Sherrod Brown) sent letters to seven large banks urging them to abolish or significantly reduce overdraft and other fees, and in early April, New York Attorney General Letitia James, in recent letters signed by numerous other state attorneys general, asked the country’s four largest banks to eliminate consumer overdraft fees altogether by summer 2022.

Adding to the chorus of Biden administration and other political voices critical of overdraft fees has been a steady stream of announcements over the past year by many large banks regarding plans to eliminate or greatly restrict their overdraft and related fees. In January 2022 alone, five of the country’s largest banks announced the planned elimination of NSF fees and certain overdraft charges. These announcements add weight to the CFPB’s attacks on overdraft fee programs and will inevitably result in additional pressure on other large banks to follow suit.

The bottom line is that federal regulation of this area may finally be on the horizon, if not imminent, although it is anyone’s guess what form regulatory action will take. The initial targets of any action taken by the CFPB — whether formal rulemaking, statements of policy, or increased enforcement activity — are likely to be banking companies that have total assets in excess of $10 billion and that are thus subject to direct supervision by the CFPB. However, whatever new policy is implemented by the CFPB in this area will inevitably be applied by the three principal federal banking agencies to financial institutions of all sizes, and community banks should prepare themselves for increased examination scrutiny of their overdraft fee programs and the potential for enforcement actions.

Accordingly, community banks — especially those heavily reliant on overdraft fee income — should review their overdraft programs, ensure that they are compliant with existing regulations and best practices, and consider changes to respond to possible regulatory concerns. While it is impossible to react effectively to a regulatory regime that has not been proposed, much less implemented, reports and statements by the CFPB and other banking agencies provide some guidance. First, the CFPB has indicated that it will demand transparent and fully disclosed pricing of overdraft solutions that allow consumers to make an informed choice. In addition, Acting Comptroller Hsu stated in a December 2021 speech — in which he notably did not call for banks to eliminate overdraft fees — that the OCC had identified several features of bank overdraft programs that could be modified or recalibrated to help achieve the goal of improving the financial health of vulnerable consumers. He stated that these changes included:

  • Requiring consumer opt-in to the overdraft program.
  • Providing a grace period before charging an overdraft fee.
  • Allowing negative balances without triggering an overdraft fee.
  • Offering consumers balance-related alerts.
  • Providing consumers with access to real-time balance information.
  • Linking a consumer’s checking account to another account for overdraft protection.
  • Collecting overdraft or NSF fees from a consumer’s next deposit only after other items have been posted or cleared.
  • Not charging separate and multiple overdraft fees for multiple items in a single day and not charging additional fees when an item is re-presented.

Finally, community banks should closely monitor CFPB and other bank regulators’ overdraft fee initiatives, through state and national bankers associations and otherwise, and continue to explore potential methods of managing their overdraft programs in line with stated and possible future regulatory concerns.

© 2022 Jones Walker LLP

L’Oreal PFAS Lawsuit Again Shows ESG Risks of Marketing

In less than six months, L’Oreal has now found itself to be the target of PFAS lawsuits related to its mascara products. The latest L’Oreal PFAS lawsuit was filed in the New Jersey federal court on April 8, 2022. Cosmetics and PFAS is a topic that saw increased scrutiny from the scientific community, legislature, and the media in 2021. As we predicted in early 2021, the increased attention on the industry presented significant risks to the cosmetics industry, and our prediction was that the developments made the cosmetics industry the number two target for future PFAS lawsuits. In less than three months, four industry giants – Shiseido, CoverGirl, L’Oreal and Burt’s Bees – were hit with lawsuits related to their cosmetics and PFAS content in some of the companies’ products. The industry, insurers, and investment companies interested in the consumer goods vertical with niche interest in cosmetics companies must pay careful attention to the cosmetics lawsuits and the increasing trend of lawsuits targeting the industry.

PFAS and Cosmetics: the 2021 Foundation

On June 15, 2021, a scientific study in the Journal of Environmental Science and Technology Letters published conclusions regarding testing of a variety of cosmetics products from the United States and Canada for PFAS content, and found PFAS present in over half of the products. On the same day that the study was published, the No PFAS In Cosmetics Act 2021 was introduced in the Senate by U.S. Senators Susan Collins (R-ME), Richard Blumenthal (D-CT), Dianne Feinstein (D-CA), Maggie Hassan (D-NH), Jeanne Shaheen (D-NH), Kirsten Gillibrand (D-NY), and Angus King (I-ME). The bill sought to ban PFAS in cosmetics.

These two developments led us to conclude “with these developments, our prediction that cosmetics is the number two target for PFAS litigation issues behind water rings true.”

Why PFAS In Cosmetics Is A Concern

PFAS content in cosmetics raises concerns for human health in scientific communities due to the fact that PFAS are capable of entering the bloodstream in ways other than direct oral ingestion, and one of these ways includes dermal absorption. Concerns have also been raised regarding absorption of PFAS into the bloodstream by way of tear ducts. The absorption issue is one that is being studied fairly extensively through various pending scientific studies. At the end of 2021, the federal Agency for Toxic Substances and Disease Registry (ATSDR) went so far as to recommend that citizens in Southern New Hampshire reduce their risk of further PFAS exposure by avoiding the use of certain consumer goods, including cosmetics.

L’Oreal PFAS Lawsuit

On April 8, 2022, plaintiff Rebecca Vega filed a proposed class action lawsuit against L’Oreal in the New Jersey federal court. The L’Oreal PFAS lawsuit alleges that the company does not disclose to consumers that its mascara and other products contain PFAS. Instead, the lawsuit states, the products were fraudulently and misleadingly marketed as safe for consumers and environmentally friendly, in violation of federal and state consumer laws. The Complaint details several examples of L’Oreal marketing indicating the safe nature of the products.

The plaintiff seeks certification of the class action lawsuit, injunctive relief, damages, fees, costs and a jury trial. The proposed class is any consumer in the United States, or in the subclass of New Jersey, who purchased the relevant L’Oreal products.

Just the Beginning For Cosmetics Industry

With studies underway, legislation pending that targets cosmetics, and increasing media reporting on cosmetics concerns to human health, the cosmetics industry has a target on its back with respect to PFAS that will have impacts on the industry’s involvement in litigation. Twelve months ago, we made this prediction: “Personal injury / products liability cases, false advertising, and failure to disclose theories of liability are some of the more prominent allegations that cosmetics companies are likely to face. Further, the cosmetics industry is concerned about federal and state level regulatory enforcement action for environmental pollution remediation costs stemming from placing PFAS waste into the environment as a by-product of the manufacturing process.”

The first part of our prediction is becoming reality, as four significant cosmetics industry players now find themselves embroiled in litigation focused on false advertising, consumer protection violations, and deceptive statements made in marketing and ESG reports. The lawsuits may well serve as a test case for plaintiffs’ bar to determine whether similar lawsuits will be successful in any (or all) of the fifty states in this country. Each cosmetics company faces the stark possibility of needing to defend lawsuits involving plaintiffs in all fifty states for products that contain PFAS.

It should be noted that these lawsuits would only touch on the marketing, advertising, ESG reporting, and consumer protection type of issues. Separate products lawsuits could follow that take direct aim at obtaining damages for personal injury for plaintiffs from cosmetics products. In addition, environmental pollution lawsuits could seek damage for diminution of property value, cleanup costs, and PFAS filtration systems if drinking water cleanup is required.

Conclusion

It is of the utmost importance that businesses along the whole supply chain in the cosmetics industry evaluate their PFAS risk. Public health and environmental groups urge legislators to regulate PFAS at an ever-increasing pace. Similarly, state level EPA enforcement action is increasing at a several-fold rate every year. Now, the first wave of lawsuits takes direct aim at the cosmetics industry. Companies that did not manufacture PFAS, but merely utilized PFAS in their manufacturing processes, are therefore becoming targets of costly enforcement actions at rates that continue to multiply year over year. Lawsuits are also filed monthly by citizens or municipalities against companies that are increasingly not PFAS chemical manufacturers.

©2022 CMBG3 Law, LLC. All rights reserved.
Article By John Gardella with CMBG3 Law.