Comparing and Contrasting the State Laws: Does Pseudonymized Data Exempt Organizations from Complying with Privacy Rights?

Some organizations are confused as to the impact that pseudonymization has (or does not have) on a privacy compliance program. That confusion largely stems from ambiguity concerning how the term fits into the larger scheme of modern data privacy statutes. For example, aside from the definition, the CCPA only refers to “pseudonymized” on one occasion – within the definition of “research” the CCPA implies that personal information collected by a business should be “pseudonymized and deidentified” or “deidentified and in the aggregate.”[1] The conjunctive reference to research being both pseudonymized “and” deidentified raises the question whether the CCPA lends any independent meaning to the term “pseudonymized.” Specifically, the CCPA assigns a higher threshold of anonymization to the term “deidentified.” As a result, if data is already deidentified it is not clear what additional processing or set of operations is expected to pseudonymize the data. The net result is that while the CCPA introduced the term “pseudonymization” into the American legal lexicon, it did not give it any significant legal effect or status.

Unlike the CCPA, the pseudonymization of data does impact compliance obligations under the data privacy statutes of Virginia, Colorado, and Utah. As the chart below indicates, those statutes do not require that organizations apply access or deletion rights to pseudonymized data, but do imply that other rights (e.g., opt out of sale) do apply to such data. Ambiguity remains as to what impact pseudonymized data has on rights that are not exempted, such as the right to opt out of the sale of personal information. For example, while Virginia does not require an organization to re-identify pseudonymized data, it is unclear how an organization could opt a consumer out of having their pseudonymized data sold without reidentification.


ENDNOTES

[1] Cal. Civ. Code § 1798.140(ab)(2) (West 2021). It should be noted that the reference to pseudonymizing and deidentifying personal information is found within the definition of the word “Research,” as such it is unclear whether the CCPA was attempting to indicate that personal information will not be considered research unless it has been pseudonymized and deidentified, or whether the CCPA is mandating that companies that conduct research must pseudonymize and deidentify. Given that the reference is found within the definition section of the CCPA, the former interpretation seems the most likely intent of the legislature.

[2] The GDPR does not expressly define the term “sale,” nor does it ascribe particular obligations to companies that sell personal information. Selling, however, is implicitly governed by the GDPR as any transfer of personal information from one controller to a second controller would be considered a processing activity for which a lawful purpose would be required pursuant to GDPR Article 6.

[3] Va. Code 59.1-577(B) (2022).

[4] Utah Code Ann. 13-61-303(1)(a) (2022).

[5] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-573(A)(1) through (4)).

[6] C.R.S. 6-1-1307(3) (2022) (exempting compliance with C.R.S. Section 6-1-1306(1)(b) to (1)(e)).

[7] Utah Code Ann. 13-61-303(1)(c) (exempting compliance with Utah Code Ann. 13-61-202(1) through (3)).

[8] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-573(A)(1) through (4)).

[9] C.R.S. 6-1-1307(3) (2022) (exempting compliance with C.R.S. Section 6-1-1306(1)(b) to (1)(e)).

[10] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-573(A)(1) through (4)).

[11] C.R.S. 6-1-1307(3) (2022) (exempting compliance with C.R.S. Section 6-1-1306(1)(b) to (1)(e)).

[12] Utah Code Ann. 13-61-303(1)(c) (exempting compliance with Utah Code Ann. 13-61-202(1) through (3)).

[13] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-574).

[14] Va. Code 59.1-577(D) (2022) (exempting compliance with Va. Code 59.1-574).

©2022 Greenberg Traurig, LLP. All rights reserved.

New Jersey Employers Are Now Required to Provide Written Notice Before Using Tracking Devices in Employee-Operated Vehicles

Earlier this year, New Jersey Governor Phil Murphy signed into law Assembly Bill No. 3950, which requires employers in the State to provide written notice to an employee before using a tracking device on a vehicle used by the employee. The new law, which went into effect on April 18, 2022, recognizes that employers may have a legitimate business interest in being able to track their workforce’s whereabouts—particularly when traveling or working offsite—while also reconciling that with the protection of workers’ privacy rights. At the very least, the days of covertly tracking employee vehicles appear to be a thing of the past.

The law defines “tracking device” as any “electronic or mechanical device which is designed or intended to be used for the sole purpose of tracking the movement of a vehicle, person, or device,” with a specific carveout for devices used solely for the purpose of documenting employee expense reimbursement.

Significantly, the written notice requirement applies to the use of tracking devices in any vehicles used by an employee. It does not matter whether it is an employee’s personal vehicle (whether owned or leased) or company-owned or provided. Written notice must be provided regardless.

Failure to comply with the law’s notice requirements can carry substantial penalties. An employer who knowingly makes use of a tracking device in a vehicle used by an employee without providing written notice to the employee shall be subject to a civil penalty up to $1,000.00 for the first violation, and then up to $2,500.00 for each subsequent violation. These fines can add up quickly, especially for service businesses with large vehicle fleets, among others. Additionally, it is possible that failure to comply with the law’s notice requirements may implicate employee privacy rights that could lead to further civil exposure.

Private employers within the State must ensure they have appropriate policies and procedures in place to comply with the new law’s requirements and insulate their businesses from potential liability for violations. While it does not specify what the required “written notice” must look like or how it must be conveyed to employees, at minimum employers should update their employee handbooks as well as provide a stand-alone, written notice to employees, with signed confirmation and acknowledgement of receipt. Additionally, rules and regulations regarding GPS tracking of employee vehicles may vary from state to state, so employers with a multi-state presence or service area need to be aware of the different laws that may apply to them depending on where their employees are working.

Employers who have not yet updated their forms and procedures should immediately contact counsel and take steps to ensure that they are in compliance. Similarly, it may be prudent for employers who drafted their own policies to have experienced employment counsel perform a policy or handbook review and provide advice and guidance regarding employer responsibilities and obligations, including but not limited to ensuring compliance with New Jersey’s new vehicle tracking device law.

COPYRIGHT © 2022, STARK & STARK
Article By Cory Rand with Stark & Stark.

Litigation Minute: Defending Consumer Class Action Claims Involving PFAS

WHAT YOU NEED TO KNOW IN A MINUTE OR LESS

Defending consumer class action claims alleging false and misleading product labeling based on the presence of per- and polyfluoroalkyl substances (PFAS) is similar to the defense of other food and beverage labeling class actions, but there are nuances the food and beverage industry should consider.

What Are PFAS?

As noted in last week’s edition, PFAS are per- and polyfluoroalkyl substances used for their flame-retardant and water-resistant properties. They are used in clothing, cosmetics, and food packaging. PFAS can also be found in municipal water supplies.

How Do PFAS Relate to Consumer Class Actions?

Plaintiffs’ counsel have brought consumer class actions against the makers and sellers of food and beverages alleging that the presence of PFAS in the labeled product renders the labeling false and misleading. Consumer class actions involving PFAS typically allege that the presence of PFAS renders affirmative representations on the product labeling false or misleading, or that the presence of PFAS must be disclosed on the label.

For example, both of these theories are at play in the case of Davenport v. L’Oreal USA, Inc. The complaint asserts that (1) the representations that L’Oreal’s waterproof mascaras are safe, effective, high quality, and appropriate for use on consumers’ eyelashes are false or misleading due to the presence of PFAS; and (2) L’Oreal failed to disclose to consumers that PFAS are present in detectable amounts in its waterproof mascaras.1

How is the Defense of PFAS Consumer Class Actions Similar to the Defense of Other Consumer Class Actions?

In most instances, the defense of consumer class actions involving PFAS allegations does not differ substantially from the defense of other types of consumer class actions. In the case of an alleged affirmative misrepresentation, the inquiry is the same on a pleadings challenge – whether the labeling is likely to mislead a reasonable person given the presence of PFAS in the product.

Moreover, plaintiffs typically assert a “premium price” theory, meaning the plaintiff claims he or she would not have purchased the item, or would have paid less, had the PFAS been properly disclosed. These allegations provide the defense with an opportunity to attack the damages model on class certification, similar to other types of consumer class actions.

How is the Defense of PFAS Consumer Class Actions Different From the Defense of Other Consumer Class Actions?

The defense of consumer class actions involving PFAS will differ from other consumer class actions in two key ways, depending on the allegations.

First, given the current lack of regulations governing the presence of PFAS in food and beverage products, the food and beverage industry should be aware that there is generally no duty to disclose the presence of PFAS in the absence of a relevant false or misleading statement on the product labeling. This lack of regulations provides an additional avenue for a pleadings challenge that may not otherwise succeed.

Second, scientific testing will be critical to determining whether there are any, or a uniform quantity of, PFAS present across the entire product line. PFAS variations between product exemplars may provide an additional avenue to defeat class certification.

Takeaway

Unfortunately, it appears that the food and beverage industry will see a new wave of class action litigation focused on the presence of PFAS in products. However, it also appears that many tried and true defense strategies will be applicable to such claims, and the unique nature of PFAS litigation will provide class defendants with additional strategies.

FOOTNOTES

1 Davenport v. L’Oreal USA, Inc., No. 2:22-cv-01195 (C.D. Cal.).

Copyright 2022 K & L Gates
Article By Matthew G. Ball with K&L Gates.

Six Things to Know About New York’s New Employer Notification Requirements for Electronic Monitoring of Employees

Under an amendment to the New York Civil Rights Law that will take effect on May 7, 2022, private-sector employers that monitor their employees’ use of telephones, emails, and the internet must provide notice of such monitoring. The following provides highlights of the new law.

Question 1. Which employers and electronic monitoring activities are covered?

Answer 1. The law applies to any private individual or entity with a place of business in New York, and it broadly covers “telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage by an employee by any electronic device or system, including but not limited to the use of a computer, telephone, wire, radio, or electromagnetic, photoelectronic or photo-optical systems [that] may be subject to monitoring.”

Q2. Are any electronic monitoring activities exempted from coverage?

A2. The law does not cover processes “designed to manage the type or volume of incoming or outgoing electronic mail or telephone, voice mail or internet usage,” and it also does not apply to processes “that are not targeted to monitor or intercept the electronic mail or telephone voice mail or internet usage of a particular individual.” The law also exempts processes that are “performed solely for the purpose of computer system maintenance and/or protection.”

Q3. What are some of the law’s compliance obligations?

A3. Private-sector employers that “monitor[] or otherwise intercept[] [employee] telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage” must post a notice of electronic monitoring in a “conspicuous place which is readily available for viewing” by affected employees. Employers also must furnish new employees with written notice when they are hired. The law requires that newly hired employees acknowledge receipt of the notice, “either in writing or electronically.”

Q4. What information must be included in the notices?

A4. Under the law, employers are required to notify employees that “any and all telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage by an employee by any electronic device or system” may be subject to monitoring “at any and all times and by any lawful means.” The law requires that the written notice advise employees that the electronic devices or systems that may be subject to monitoring include, but are not limited to, “computer, telephone, wire, radio or electromagnetic, photoelectronic or photo-optical systems.”

Q5. What are the penalties for violations of the law?

A5. The law provides for the imposition of civil penalties for violations of its requirements. Employers found to be in violation of the law are subject to civil penalties of $500 for a first offense, $1,000 for a second offense, and $3,000 for a third offense and for each subsequent offense. The Office of the New York State Attorney General will enforce the law.

Q6. Are there similar requirements in other jurisdictions?

A6. Connecticut and Delaware also require employers to provide notification of electronic monitoring. As the requirements of these laws vary slightly from New York’s law, employers doing business in either or both of these states and in New York may wish to consider whether to adopt a single approach, or adopt approaches tailored to each jurisdiction’s requirements.

Key Takeaways

New York employers that have not already taken action to comply with this new law may wish to consider whether to post physical notices in the workplace or utilize electronic postings that are visible upon logging in to the employer’s computer, or both.

Employers may also wish to determine how to incorporate the required notice to new employees in their new-hire and onboarding systems. Employers that address electronic monitoring in existing policies may also wish to review the existing policies to ensure that the information in those policies is consistent with the nature of the notification required by the new law, and update existing policies if warranted.

Employers may also wish to consider whether to obtain written or electronic acknowledgments of electronic monitoring from current employees. In addition, employers may wish to evaluate the potential for challenges to the use of information obtained through electronic monitoring absent compliance with the notice requirements.

© 2022, Ogletree, Deakins, Nash, Smoak & Stewart, P.C., All Rights Reserved.

Community Banks and Overdrafts — Time for Reconsideration?

Bank consumer overdraft fees (together with nonsufficient funds (NSF) fees and returned check fees) have long been a target of attacks by consumer advocacy groups and progressive politicians who claim that such fees are disproportionately levied on the most vulnerable consumers. The Obama-era Consumer Financial Protection Bureau (CFPB) initiated efforts to regulate overdraft programs, which were shelved during the Trump administration, and legislation to restrict overdraft fees has regularly been proposed and considered by Congress, but not enacted.

2022, however, may be the year that the US financial regulatory agencies finally move to impose formal restrictions on banks’ overdraft fee programs. In particular, the CFPB, increasingly assertive in President Biden’s second year in office, has clearly signaled its intent to take action in this area:

  • Rohit Chopra, the director of the CFPB, has spoken out on numerous occasions — in public appearances, opinion pieces, and blog posts — regarding the imperative of reining in so-called junk fees charged by banks and other financial companies.
  • On January 26, 2022, the CFPB published a request for public comment targeting “exploitative junk fees,” including overdraft and NSF fees. The CFPB stated that the goal of its information request was to assist the agency’s plan to “craft rules, issue industry guidance, and focus supervision and enforcement resources,” with the goals of reducing excessive fees and eliminating illegal practices.

The attack on overdraft fee programs has been echoed by other administration officials as well as by allied politicians. Acting Comptroller of the Currency Michael Hsu has called traditional bank overdraft programs “a significant part” of a “regressive system” that penalizes the poor and has stated that “banks that hesitate to adopt pro-consumer overdraft programs will soon be negative outliers.” On March 31, 2022, the House Financial Services Subcommittee held a hearing on possible government intervention to restrict overdraft programs, clearly showing coordination by the committee majority with the Biden administration’s initiatives. In March 2022, a group of US Senate Democrats (including Banking Committee Chairman Sherrod Brown) sent letters to seven large banks urging them to abolish or significantly reduce overdraft and other fees, and in early April, New York Attorney General Letitia James, in recent letters signed by numerous other state attorneys general, asked the country’s four largest banks to eliminate consumer overdraft fees altogether by summer 2022.

Adding to the chorus of Biden administration and other political voices critical of overdraft fees has been a steady stream of announcements over the past year by many large banks regarding plans to eliminate or greatly restrict their overdraft and related fees. In January 2022 alone, five of the country’s largest banks announced the planned elimination of NSF fees and certain overdraft charges. These announcements add weight to the CFPB’s attacks on overdraft fee programs and will inevitably result in additional pressure on other large banks to follow suit.

The bottom line is that federal regulation of this area may finally be on the horizon, if not imminent, although it is anyone’s guess what form regulatory action will take. The initial targets of any action taken by the CFPB — whether formal rulemaking, statements of policy, or increased enforcement activity — are likely to be banking companies that have total assets in excess of $10 billion and that are thus subject to direct supervision by the CFPB. However, whatever new policy is implemented by the CFPB in this area will inevitably be applied by the three principal federal banking agencies to financial institutions of all sizes, and community banks should prepare themselves for increased examination scrutiny of their overdraft fee programs and the potential for enforcement actions.

Accordingly, community banks — especially those heavily reliant on overdraft fee income — should review their overdraft programs, ensure that they are compliant with existing regulations and best practices, and consider changes to respond to possible regulatory concerns. While it is impossible to react effectively to a regulatory regime that has not been proposed, much less implemented, reports and statements by the CFPB and other banking agencies provide some guidance. First, the CFPB has indicated that it will demand transparent and fully disclosed pricing of overdraft solutions that allow consumers to make an informed choice. In addition, Acting Comptroller Hsu stated in a December 2021 speech — in which he notably did not call for banks to eliminate overdraft fees — that the OCC had identified several features of bank overdraft programs that could be modified or recalibrated to help achieve the goal of improving the financial health of vulnerable consumers. He stated that these changes included:

  • Requiring consumer opt-in to the overdraft program.
  • Providing a grace period before charging an overdraft fee.
  • Allowing negative balances without triggering an overdraft fee.
  • Offering consumers balance-related alerts.
  • Providing consumers with access to real-time balance information.
  • Linking a consumer’s checking account to another account for overdraft protection.
  • Collecting overdraft or NSF fees from a consumer’s next deposit only after other items have been posted or cleared.
  • Not charging separate and multiple overdraft fees for multiple items in a single day and not charging additional fees when an item is re-presented.

Finally, community banks should closely monitor CFPB and other bank regulators’ overdraft fee initiatives, through state and national bankers associations and otherwise, and continue to explore potential methods of managing their overdraft programs in line with stated and possible future regulatory concerns.

© 2022 Jones Walker LLP

L’Oreal PFAS Lawsuit Again Shows ESG Risks of Marketing

In less than six months, L’Oreal has now found itself to be the target of PFAS lawsuits related to its mascara products. The latest L’Oreal PFAS lawsuit was filed in the New Jersey federal court on April 8, 2022. Cosmetics and PFAS is a topic that saw increased scrutiny from the scientific community, legislature, and the media in 2021. As we predicted in early 2021, the increased attention on the industry presented significant risks to the cosmetics industry, and our prediction was that the developments made the cosmetics industry the number two target for future PFAS lawsuits. In less than three months, four industry giants – Shiseido, CoverGirl, L’Oreal and Burt’s Bees – were hit with lawsuits related to their cosmetics and PFAS content in some of the companies’ products. The industry, insurers, and investment companies interested in the consumer goods vertical with niche interest in cosmetics companies must pay careful attention to the cosmetics lawsuits and the increasing trend of lawsuits targeting the industry.

PFAS and Cosmetics: the 2021 Foundation

On June 15, 2021, a scientific study in the Journal of Environmental Science and Technology Letters published conclusions regarding testing of a variety of cosmetics products from the United States and Canada for PFAS content, and found PFAS present in over half of the products. On the same day that the study was published, the No PFAS In Cosmetics Act 2021 was introduced in the Senate by U.S. Senators Susan Collins (R-ME), Richard Blumenthal (D-CT), Dianne Feinstein (D-CA), Maggie Hassan (D-NH), Jeanne Shaheen (D-NH), Kirsten Gillibrand (D-NY), and Angus King (I-ME). The bill sought to ban PFAS in cosmetics.

These two developments led us to conclude “with these developments, our prediction that cosmetics is the number two target for PFAS litigation issues behind water rings true.”

Why PFAS In Cosmetics Is A Concern

PFAS content in cosmetics raises concerns for human health in scientific communities due to the fact that PFAS are capable of entering the bloodstream in ways other than direct oral ingestion, and one of these ways includes dermal absorption. Concerns have also been raised regarding absorption of PFAS into the bloodstream by way of tear ducts. The absorption issue is one that is being studied fairly extensively through various pending scientific studies. At the end of 2021, the federal Agency for Toxic Substances and Disease Registry (ATSDR) went so far as to recommend that citizens in Southern New Hampshire reduce their risk of further PFAS exposure by avoiding the use of certain consumer goods, including cosmetics.

L’Oreal PFAS Lawsuit

On April 8, 2022, plaintiff Rebecca Vega filed a lawsuit in the New Jersey federal court seeking a proposed class action lawsuit against L’Oreal. The L’Oreal PFAS lawsuit alleges that the company does not disclose to consumers that its mascara and other products contain PFAS. Instead, the lawsuit states, the products were fraudulently and misleadingly marketed as safe for consumers and environmentally friendly, in violation of federal and state consumer laws. The Complaint details several examples of L’Oreal marketing indicating the safe nature of the products.

The plaintiff seeks certification of the class action lawsuit, injunctive relief, damages, fees, costs and a jury trial. The proposed class is any consumer in the United States, or in the subclass of New Jersey, who purchased the relevant L’Oreal products.

Just the Beginning For Cosmetics Industry

With studies underway, legislation pending that targets cosmetics, and increasing media reporting on cosmetics concerns to human health, the cosmetics industry has a target on its back with respect to PFAS that will have impacts on the industry’s involvement in litigation. Twelve months ago, we made this prediction: “Personal injury / products liability cases, false advertising, and failure to disclose theories of liability are some of the more prominent allegations that cosmetics companies are likely to face. Further, the cosmetics industry is concerned about federal and state level regulatory enforcement action for environmental pollution remediation costs stemming from placing PFAS waste into the environment as a by-product of the manufacturing process.”

The first part of our prediction is becoming reality, as four significant cosmetics industry players now find themselves embroiled in litigation focused on false advertising, consumer protection violations, and deceptive statements made in marketing and ESG reports. The lawsuits may well serve as a test case for plaintiffs’ bar to determine whether similar lawsuits will be successful in any (or all) of the fifty states in this country. Each cosmetics company faces the stark possibility of needing to defend lawsuits involving plaintiffs in all fifty states for products that contain PFAS.

It should be noted that these lawsuits would only touch on the marketing, advertising, ESG reporting, and consumer protection type of issues. Separate products lawsuits could follow that take direct aim at obtaining damages for personal injury for plaintiffs from cosmetics products. In addition, environmental pollution lawsuits could seek damage for diminution of property value, cleanup costs, and PFAS filtration systems if drinking water cleanup is required.

Conclusion

It is of the utmost importance that businesses along the whole supply chain in the cosmetics industry evaluate their PFAS risk. Public health and environmental groups urge legislators to regulate PFAS at an ever-increasing pace. Similarly, state level EPA enforcement action is increasing at a several-fold rate every year. Now, the first wave of lawsuits takes direct aim at the cosmetics industry. Companies that did not manufacture PFAS, but merely utilized PFAS in their manufacturing processes, are therefore becoming targets of costly enforcement actions at rates that continue to multiply year over year. Lawsuits are also filed monthly by citizens or municipalities against companies that are increasingly not PFAS chemical manufacturers.

©2022 CMBG3 Law, LLC. All rights reserved.
Article By John Gardella with CMBG3 Law.

FTC Imposes Record-Setting $10M Fine Against Multistate Auto Dealer, Settling Charges of Racial Discrimination and Unauthorized Charges

On March 31, the FTC and Illinois State Attorney General announced a settlement of charges against a large, multistate auto dealer that allegedly discriminated against black consumers and included illegal junk fees for unwanted “add-ons” in customers’ bills.

Citing violations under the FTC Act, TILA, ECOA, and comparable Illinois laws, the complaint alleged that eight of the dealerships and two general managers of Illinois dealerships tacked on illegal fees for unwanted products to customers’ bills, often at the end of hours-long negotiations. These add-ons were allegedly buried in the consumers’ purchase contracts, which were sometimes upwards of 60 pages long, and sometimes added despite consumers specifically declining the products.

In addition, employees of the auto dealership also allegedly discriminated against black consumers during the process of financing vehicle purchases.  On average, black customers at the dealerships were charged $190 more in interest and paid $99 more for similar add-ons than comparable non-Latino white customers.

The multistate dealer will have to pay $10 million to settle the lawsuit per the stipulated order, the largest monetary judgment ever required in an FTC auto lending case.

Putting it into Practice:  From FTC Chair Lina Khan and Commissioner Rebecca Slaughter, the FTC appears poised to allege violations of the FTC Act’s prohibition on unfair acts or practices in light of discrimination found to be based on disparate treatment or having a disparate impact.  Their statement discusses how discriminatory practices can be evaluated under the FTC’s three-part unfairness test and concludes that such conduct fits squarely into the kind of conduct that can be addressed by the FTC’s unfairness prong.  This joint statement echoes similar announcements by CFPB Director Chopra about the use of unfairness to combat discrimination more broadly (we discussed Director Chopra’s statement and updates to the CFPB’s exam procedures in a recent Consumer Finance and FinTech blog post here).

The size of the financial judgment in this case underscores the seriousness with which the FTC takes discriminatory practices in consumer credit transactions entered into by entities over which they have authority, which includes auto dealerships.  As the FTC becomes increasingly focused on enforcement of key laws to protect consumers against discriminatory conduct, companies should use these latest agency pronouncements as a reason to be on high alert for potential discriminatory outcomes in their business activities, even if unintentional.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.

Utah Becomes Fourth U.S. State to Enact Consumer Privacy Law

On March 24, 2022, Utah became the fourth state in the U.S., following California, Virginia and Colorado, to enact a consumer data privacy law, the Utah Consumer Privacy Act (the “UCPA”). The UCPA resembles Virginia’s Consumer Data Protection Act (“VCDPA”) and Colorado’s Consumer Privacy Act (“CPA”), and, to a lesser extent, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) (“CCPA/CPRA”). The UCPA will take effect on December 31, 2023.

The UCPA applies to a controller or processor that (1) conducts business in Utah or produces a product or service targeted to Utah residents; (2) has annual revenue of $25,000,000 or more; and (3) satisfies at least one of the following thresholds: (a) during a calendar year, controls or processes the personal data of 100,000 or more Utah residents, or (b) derives over 50% of its gross revenue from the sale of personal data, and controls or processes the personal data of 25,000 or more consumers.

As with the CPA and VCDPA, the UCPA’s protections apply only to Utah residents acting solely within their individual or household context, with an express exemption for individuals acting in an employment or commercial (B2B) context. Similar to the CPA and VCDPA, the UCPA contains exemptions for covered entities, business associates and protected health information subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and financial institutions or personal data subject to the Gramm-Leach-Bliley Act (“GLB”). As with the CCPA/CPRA and VCDPA, the UCPA also exempts from its application non-profit entities.

In line with the CCPA/CPRA, CPA and VCDPA, the UCPA provides Utah consumers with certain rights, including the right to access their personal data, delete their personal data, obtain a copy of their personal data in a portable manner, opt out of the “sale” of their personal data, and opt out of “targeted advertising” (as each term is defined under the law). Notably, the UCPA adopts the VCDPA’s narrower definition of “sale,” which is limited to the exchange of personal data for monetary consideration by a controller to a third party. Unlike the CCPA/CPRA, CPA and VCDPA, the UCPA will not provide Utah consumers with the ability to correct inaccuracies in their personal data. Also unlike the CPA and VCDPA, the UCPA will not require controllers to obtain prior opt-in consent to process “sensitive data” (i.e., racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, medical or health information, genetic or biometric data, or geolocation data). It will, however, require controllers to first provide consumers with clear notice and an opportunity to opt out of the processing of their sensitive data. With respect to the processing of personal data “concerning a known child” (under age 13), controllers must process such data in accordance with the Children’s Online Privacy Protection Act. The UCPA will prohibit controllers from discriminating against consumers for exercising their rights.

In addition, the UCPA will require controllers to implement reasonable and appropriate data security measures, provide certain content in their privacy notices, and include specific language in contracts with processors.

Unlike the CCPA/CPRA, VCDPA and CPA, the UCPA will not require controllers to conduct data protection assessments prior to engaging in data processing activities that present a heightened risk of harm to consumers, or to conduct cybersecurity audits or risk assessments.

In line with existing U.S. state privacy laws, the UCPA does not provide for a private right of action. The law will be enforced by the Utah Attorney General.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.

Surprise! The No Surprises Act Changes Again

The No Surprises Act (Act), which became effective Jan. 1, 2022, is the latest health care law passed with the best of intent: to create consumer protection from unexpected out-of-network medical bills and to create a federal independent dispute resolution (IDR) process to resolve payment disputes between payers and out-of-network providers. Unfortunately, the Act, especially the U.S. Department of Health and Human Services’ (HHS) implementation of the IDR process, also creates a new administrative burden for health care providers. Providers and medical associations filed lawsuits in multiple jurisdictions to challenge HHS’ implementation of the IDR process and the constitutionality of the Act before it was even in effect.

On Feb. 24, 2022, the United States District Court for the Eastern District of Texas granted the Texas Medical Association’s Motion for Summary Judgment to vacate select IDR requirements. The Court found that the IDR process in HHS’ interim final rule[1] (Rule), intended to resolve payment disputes regarding reimbursement for out-of-network emergency services and out-of-network services provided at in-network facilities, was contrary to the clear language of the Act.

In general, the Act[2] requires health insurance payers (Insurers) to reimburse providers for certain out-of-network services at a statutorily calculated “out-of-network rate.”[3] Where an All-Payer Model Agreement or specified state law does not exist to set such a rate, an Insurer must issue an initial out-of-network rate decision and pay such amount to the providers within 30 days after the out-of-network claim is submitted.[4] If the provider disagrees with the Insurer’s proposed out-of-network reimbursement rate, the provider has a 30-day window to negotiate a different payment rate with the Insurer.[5] If these negotiations fail, the parties can proceed to the IDR process.[6]

Congress adopted a baseball-style arbitration model for the Act’s IDR process. The Insurer and provider each submit a proposed out-of-network rate with limited supporting evidence. The arbitrator picks one of the offers while taking into account specified considerations, including the “qualifying payment amount,” the provider’s training, experience, quality, and outcomes measurements, the provider’s market share, the patient’s acuity, the provider’s teaching status, case mix, and scope of services, and the provider’s/Insurer’s good-faith attempts to enter into a network agreement.[7] The “qualifying payment amount” (QPA) is designed to represent the median rate the Insurer would pay for the item or service if it were provided by an in-network provider.[8]

The Rule requires the IDR arbitrator to select the proposed payment amount that is closest to the QPA unless “the certified IDR entity [arbitrator] determines that credible information submitted by either party … clearly demonstrates that the [QPA] is materially different[9] from the appropriate out-of-network rate.”[10] This is a clear departure from the analysis set forth in the Act.

The Texas Medical Association challenged the Rule under the Administrative Procedure Act (APA), arguing that the Departments exceeded their authority by giving “outsized weight” to one statutory factor over the others specified by Congress, and that the Departments failed to comply with the APA’s notice and comment requirements in promulgating the Rule. In turn, the Departments argued that the plaintiffs did not have standing to bring the claims.

After dispensing with the defendants’ standing arguments, the Eastern District of Texas Court ruled in favor of the plaintiffs’ Motion for Summary Judgment and determined that “the Act unambiguously establishes the framework for deciding payment disputes and concludes that the Rule conflicts with the statutory text.” Under the Act, the arbitrators (or certified IDR entities) “shall consider … the qualifying payment amounts” and the provider’s level of training, experience, and quality outcomes, the market share held by the provider, the patient’s acuity, the provider’s teaching status, case mix, and scope of services, and the demonstrated good faith efforts of both parties in entering into a network agreement.[11] The Act did not specify that any one factor should be considered the “primary” or “most important” factor. The Rule, in contrast, requires arbitrators to “select the offer closest to the [QPA]” unless “credible” information, including information supporting the “additional factors,” “clearly demonstrates that the [QPA] is materially different from the appropriate out-of-network rate.”[12] The Departments characterized the other factors as “permissible additional factors” that may be considered only when appropriate.[13] The Court found that the Departments’ Rule was inconsistent with the Act and that since Congress had spoken clearly on the factors to be considered in the arbitration process, the Departments’ interpretation of the Act was not appropriate and had exceeded the Departments’ authority.[14]

Following the Court’s decision, the Departments issued a memorandum on Feb. 28, 2022, clarifying the Act’s requirements for providers and Insurers. The memo specifically noted that the Court’s decision would not, in their opinion, affect the patient-provider dispute resolution process.[15] The Departments also stated they would withdraw any guidance inconsistent with the Court’s Opinion, provide additional training for interested parties, and keep the IDR process portal open to resolve disputes. The Departments also will be considering further rulemaking to address the IDR process.

The No Surprises Act continues to surprise us all with more adaptations. Enforcement of this new law remains uncertain in light of the numerous legal challenges, including at least one constitutionality challenge.


[1] Requirements Related to Surprise Billing: Part II, 86 Fed. Reg. 55,980 (Oct. 7, 2021).

[2] Consolidated Appropriations Act of 2021, Pub. L. No. 116-260, div. BB, tit. I, 134 Stat. 1182, 2758-2890 (2020).

[3] 300gg-111(a)(1)(C)(iv)(II) and (b)(1)(D).

[4] 300gg-111(a)(1)(C)(iv) and (b)(1)(C).

[5] 300gg-111(c)(1)(A).

[6] 300gg-111(c)(1)(B).

[7] 300gg-111(c)(5).

[8] 300gg-111(a)(3)(E)(i)(I)-(II).

[9] “Material difference” is defined as “a substantial likelihood that a reasonable person with the training and qualifications of a certified IDR entity making a payment determination would consider the submitted information significant in determining the out-of-network rate and would view the information as showing that the [QPA] is not the appropriate out-of-network rate.” 149.510(a)(2)(viii).

[10] 45 C.F.R. 149.510(c)(4)(ii).

[11] 300gg-111(c)(5)(C)(i)-(ii).

[12] 45 C.F.R. 149.510(c)(4)(ii)(A).

[13] 86 Fed. Reg. 56,080.

[14] Because the Departments had exceeded their statutory authority, no Chevron deference was owed to their regulations. Chevron U.S.A. v. Natural Resources Defense Council, Inc., 468 U.S. 837 (1984).

[15] This is a separate dispute resolution process designed to address disputes between patients and providers when bills for uninsured and self-pay patients are inconsistent with the good faith estimate provided by the health care provider.

© 2022 Dinsmore & Shohl LLP. All rights reserved.

Regulation by Definition: CFPB Broadens Definition of “Unfairness” to Rein in Discrimination

In a significant move, the CFPB announced on March 16 a revision to its supervisory operations to address discrimination outside of the traditional fair lending context, with future plans to scrutinize discriminatory conduct that violates the federal prohibition against “unfair” practices in such areas as advertising, pricing, and other areas to ensure that companies are appropriately testing for and eliminating illegal discrimination.  Specifically, the CFPB updated its Exam Manual for Unfair, Deceptive, or Abusive Acts or Practices (UDAAPs) noting that discrimination may meet the criteria for “unfairness” by causing substantial harm to consumers that they cannot reasonably avoid.

With this update, the CFPB intends to target discriminatory practices beyond its use of the Equal Credit Opportunity Act (ECOA) – a fair lending law which covers extensions of credit – and plans to also enforce the Consumer Financial Protection Act (CFPA), which prohibits UDAAPs in connection with any transaction for, or offer of, a consumer financial product or service.  To that end, future examinations will focus on policies or practices that, for example, exclude individuals from products and services, such as “not allowing African-American consumers to open deposit accounts, or subjecting African-American consumers to different requirements to open deposit accounts” – conduct that may be an unfair practice in a situation where the ECOA may not apply.

The CFPB notes that, among other things, examinations will (i) focus on discrimination in all consumer finance markets; (ii) require supervised companies to include documentation of customer demographics and the impact of products and fees on different demographic groups; and (iii) look at how companies test and monitor their decision-making processes for unfair discrimination, as well as discrimination under ECOA.

In a statement accompanying this announcement, CFPB Director Chopra stated that “[w]hen a person is denied access to a bank account because of their religion or race, this is unambiguously unfair . . . [w]e will be expanding our anti-discrimination efforts to combat discriminatory practices across the board in consumer finance.”

Putting it Into Practice:  This announcement expands the CFPB’s examination footprint beyond discrimination in the fair lending context and makes it likely that examiners will assess a company’s anti-discrimination programs as applied to all aspects of all consumer financial products or services, regardless of whether that company extends any credit.  By framing discrimination also as a UDAAP issue, the CFPB appears ready to address bias in connection with other kinds of financial products and services.  In particular, the CFPB intends to closely examine advertising and marketing activities targeted to consumers based on machine learning models and any potential discriminatory outcomes.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.