Category: Consumer Protection

EPA agreement with Kennedy Center protects water quality of Potomac River, Chesapeake Bay

PHILADELPHIA – The John F. Kennedy Center for the Performing Arts in Washington, D.C. has settled alleged Clean Water Act violations at its facility in Washington, D.C., the U.S. Environmental Protection Agency announced today.

The Kennedy Center, located at 2700 F St NW, has a Clean Water Act permit regulating its discharges of condenser cooling water from the facility’s air conditioning system into the Potomac River, which is part of the Chesapeake Bay watershed.

This settlement addresses alleged violations of temperature and pH discharge permit limits required under the Kennedy Center’s Clean Water Act permit. EPA also cited the Kennedy Center for failing to timely submit monitoring reports and failing to submit pH influent data. Additionally, the agreement addresses alleged violations identified by the District of Columbia’s Department of Energy and Environment during a prior inspection of the facility.

As part of the settlement, the Kennedy Center is required to submit a compliance implementation plan. The Kennedy Center has certified that it is now in compliance with permit requirements.

This agreement is part of EPA’s National Compliance Initiative: Reducing Significant Non-Compliance with National Pollutant Discharge Elimination System (NPDES) Permits. For more information about the Clean Water Act permit program, visit www.epa.gov/npdes.

Read this article in its original. form here.

© Copyright 2021 United States Environmental Protection Agency

Article by the EPA

Read more about the Clean Water Act in the NLR section Energy, Climate, and Environmental Law News.

Surprise Billing Regulations: Out-Of-Network Providers at In-Network Facilities

On 1 July 2021, the Department of the Treasury, the Department of Labor, and the Department of Health and Human Services (the Departments) issued an interim final rule (IFR)1 implementing certain provisions of the No Surprises Act (the Act).2 Congress enacted the Act in 2020 to protect patients from “surprise medical bills” and to limit so called “out-of-network” cost sharing bills for patients receiving care from providers who are not “in-network” participating providers in the patient’s health plan. The Act is applicable to emergency services, non-emergency services furnished by out-of-network providers at certain in-network health care facilities, and air ambulance services furnished by out-of-network providers. The IFR provides additional guidance to health care providers and facilities, including hospital and freestanding emergency departments, for complying with the Act. Comments on the IFR are due on 7 September 2021. Assuming no further changes from the Departments following the comment period, the requirements for providers as outlined in the IFR will be effective as of 1 January 2022.

For in-network providers and facilities, the Act and the IFR will require advance planning with respect to certain public and patient-specific disclosures. In-network providers and facilities will also need to prepare patient notice and consent forms in order to comply with updated surprise billing protections. Further, such providers will need to be actively coordinating with plans and insurers prior to seeking payment in order to determine whether notice and consent and/or balance billing prohibitions are triggered.

Key takeaways include:

  • The IFR extends surprise billing protections to non-emergency services furnished by an out-of-network provider at in-network health care facilities.
  • Out-of-network providers may not bill patients for an amount that exceeds in-network cost sharing, as determined in accordance with the balance billing provisions, when furnishing services at an in-network health care facility.
  • Such balance billing prohibitions will not apply if the patient has been provided with adequate notice as has agreed to waive such requirements pursuant to a valid consent, with certain enumerated exceptions.
  • Providers and facilities will further be required to make certain additional disclosures regarding protections against balance billing, including written disclosures to patients and prominent public displays on-site and online.

BACKGROUND

The Act provides protections from surprise medical bills for certain emergency and non-emergency services. The Act protects patients from surprise medical bills for emergency services from the point of evaluation and treatment until the patient can be stabilized and can consent to transfer to an in-network facility. Such protections apply to three emergency categories (1) emergency services received at an out-of-network facility, (2) emergency services rendered by an out-of-network individual provider, such as an emergency physician, regardless of whether the facility is in- or out-of-network, and (3) emergency services provided by out-of-network air ambulances. Additionally, patients will be protected from surprise medical bills for non-emergency services (1) provided by an out-of-network provider at an in-network facility and (2) out-of-network air ambulance services.3 For services subject to these protections, the Act limits cost sharing for out-of-network services to in-network levels and requires such cost sharing to count toward any in-network deductibles and out-of-pocket maximums.4

The Act effectively repeals the “Greatest of Three Rule” framework. Prior to the Act, the Affordable Care Act (ACA) enacted provisions requiring that insurance companies hold out-of-network patients harmless as if they were in-network. The ACA’s implementing regulations required insurers or private health plans to reimburse providers at the greatest of three enumerated amounts (the Greatest of Three Rule): (1) the rate generally reimbursed by the plan of insurance for out-of-network providers (i.e., the usual, customary, and reasonable amount); (2) the median in-network rate; or (3) the Medicare rate. The Act will effectively repeal the Greatest of Three Rule framework and replace it with a new reimbursement regime for emergency and certain non-emergency out-of-network services. The Act directs the Departments to establish through rulemaking the methodology that a group health plan or health insurance issuer offering group or individual health insurance coverage must use to determine the “qualifying payment amount” used to determine a patient’s coinsurance. For provider reimbursement where there is no governing state law or agreement between the payor and the provider, the Act establishes a baseball style arbitration that takes into account the qualifying payment amount. To learn more about how the No Surprises Act and IFR address reimbursement, please see our prior alerts here and here.

IMPACT FOR OUT-OF-NETWORK PROVIDERS AT IN-NETWORK FACILITIES

In the IFR, the Departments contend that surprise billing is a significant issue across all types of coverage and throughout the country, particularly certain specialties that are not “actively shoppable by consumers,” such as anesthesiology or laboratory providers, which often bill as out-of-network at in-network facilities.5 While the IFR focuses in part on emergency services, it also focuses on non-emergency services in certain circumstances, specifically extending surprise billing protections to non-emergency services furnished by an out-of-network provider at an in-network health care facility.6 Specifically, if a health plan provides benefits for certain non-emergency items and services at a facility, the plan must cover items and services furnished to a plan enrollee by an out-of-network provider with respect to a visit at an in-network health care facility, including meeting requirements regarding cost-sharing, payment amounts, and processes for resolving billing disputes. For providers, the IFR clarifies the Act’s requirement that out-of-network providers or facilities may not bill patients for an amount that exceeds in-network cost sharing. This cost-sharing is determined in accordance with the balance billing provisions. The balance billing prohibition is applicable when an out-of-network provider furnishes services at an in-network health care facility. The prohibition specifically includes those off-site out-of-network providers, such as laboratories, who furnish items or services that a patient receives as part of a visit to the in-network facility.7 The prohibitions on balance billing do not apply if certain notice is provided to the patient and the patient waives the balance billing protections with respect to the particular out-of-network provider.8

NOTICE AND CONSENT REQUIREMENTS

The IFR details the following specific standards around the notice and consent requirements for out-of-network providers providing items or services at in-network facilities.

  • The notice must be tailored to the individual patient in each circumstance, including identification of the provider or facility and a good faith estimate of the amount to be billed.9
  • A facility may provide a single notice for multiple out-of-network providers, provided that (1) each provider’s name is specifically listed, (2) each provider includes an individual estimate of the items and services they are individually furnishing, and (3) the patient has the option to consent to waive balance billing protections with respect to each individual provider separately.10
  • The notice and consent forms must be provided together and cannot be attached to or incorporated into any other documents.11
  • The notice be provided within an appropriate timeframe for the patient to make an informed decision. For example, for appointments scheduled in advance, notice should be made at least 72 hours before the date of the appointment, or if an appointment is made on the day of, notice should be given at least three hours prior to furnishing the items or services.12
  • The notice must make clear that the good faith estimate and patient consent do not constitute a contract or a binding commitment to the estimated charge.13
  • The notice must include information regarding whether prior authorization or other care management limitations may be required prior to the provision of services.14
  • The notice must clearly state that the patient is not required to consent to receive such items and services, and that the patient may instead seek care from an available in-network provider or facility and that in such cases, in-network cost-sharing amounts will apply.15
  • For post-stabilization services furnished by an out-of-network provider at an in-network emergency facility, the notice must include a list of in-network providers at the facility who are able to furnish the same items or services and state that the patient may be referred at their option to such provider(s).16
  • The Departments also clarified that an in-network facility may provide the notice on behalf of an out-of-network provider.17
  • Notice must be available in any of the 15 most common languages in the geographic region in which the facility is located. If an individual cannot understand any of the provided languages, the provider or facility must obtain a qualified interpreter.18
  • A patient may demonstrate consent by signature of the consent form, and may revoke consent by notifying the provider or facility in writing prior to the furnishing of items or services.19
  • Obtained consent must be maintained for a minimum of seven years.20

EXCEPTIONS TO NOTICE AND CONSENT REQUIREMENTS

In limited circumstances under the Act and as outlined in the IFR, notice and consent requirements do not apply for certain types of non-emergency items or services. In these situations, the prohibition on balance billing and in-network cost-sharing requirements will continue to apply. Specifically, notice and consent requirements do not apply to (1) ancillary services, including items and services related to emergency medicine, anesthesiology, pathology, radiology, and neonatology; (2) items and services provided by assistant surgeons, hospitalists, and intensivists; (3) diagnostic services, including radiology and laboratory services; and (4) items and services provided by an out-of-network provider where there is no in-network provider who can furnish such item or service and the applicable facility.21 Further, notice and consent requirements do not apply for items or services furnished as a result of unforeseen, urgent medical needs arising when post-stabilization services are furnished and the out-of-network provider or facility has already satisfied the notice and comment criteria.22

DISCLOSURE REQUIREMENTS

In addition to notice and consent requirements, the Act also requires providers and facilities to provide general public disclosures regarding patient protections against balance billing, including written disclosures to patients and postings both physically displayed in a prominent location at the location of the provider or facility and on a public website. These requirements will apply for plan years beginning on or after 1 January 2022. The disclosure provided to patients must include clear and understandable information about applicable state requirements and how to contact appropriate federal and state authorities if the patient believes the provider or facility has violated any applicable requirements for balance billing.23 This disclosure may be on a one-page form and should be provided no later than at the time the provider requests payment from the patient (or if no payment is requested from the patient, at the time a claim for payment is submitted). The Departments suggest that this disclosure may be provided earlier, such as at the time when an individual schedules an appointment or when other standard notice disclosures, such as the Notice of Privacy Practices, are provided.24 The IFR states that the Departments will separately issue a model disclosure notice for providers and facilities. Notably, providers that do not furnish items or services at a health care facility or in connection with visits at a health care facility are not required to make such disclosures, and disclosures are only required for patients who are participants, beneficiaries, or enrollees of group health plans or insurance coverage offered by an insurer.25 Further, in order to streamline the documents provided to patients, the IFR clarifies that a provider may satisfy the above disclosure requirements if it has a written agreement with the facility that requires the facility to provide a single disclosure including information about balance billing requirements that are applicable to both the facility and the provider.26

ENFORCEMENT AND COMPLIANCE

The Act authorizes states to enforce certain requirements of the Act and requires the Department of Health and Human Services (HHS) to enforce if a state fails to substantially enforce the requirements.27 Failure to meet the requirements of the Act may result in civil monetary penalties in states where HHS directly enforces balance billing requirements. Accordingly, out-of-network providers and facilities should take necessary precautions to ensure that their billing practices are in alignment with the Act and IFR guidance. For example, the Departments recommend that out-of-network providers that furnish non-emergency services confirm whether the facility at which they are providing such services is in-network or not to determine whether balance billing protections will apply. Additionally, out-of-network providers should be in communication with applicable plans and insurers when limitations on cost-sharing do not apply, including when proper notice and consent have been obtained. The Departments further emphasize that out-of-network providers providing non-emergency services may need to alter current billing practices to ensure they are not running afoul of the Act’s requirements. In particular, out-of-network providers may need to bill a health plan or insurer before billing an individual directly, in order to determine whether the plan covers the applicable non-emergency services at issue and thus triggers the applicable requirements.28

CONCLUSION

Out-of-network providers who furnish services at in-network facilities, as well as in-network facilities that allow out-of-network providers to furnish services at their facilities, should be prepared to operationalize notice, consent, and disclosure requirements for out-of-network providers providing services in their facilities. Before providing services at a given location, out-of-network providers that furnish non-emergency services should confirm whether the facility at which they are providing such services is in- or out-of-network to determine whether balance billing protections will apply. Additionally, providers may need to alter current billing practices to meet the requirements of the Act. In particular, providers will need to proactively communicate with plans and insurers when limitations on cost-sharing do not apply, including when proper notice and consent have been obtained.

Our health care practice routinely assists health systems, hospitals, and other providers and suppliers with legal advice and strategic considerations, including providing advice on reimbursement matters and preparing clients’ public comments on proposed and final rulemakings.

Footnotes

1 Requirements Related to Surprise Billing; Part I, Office of Personnel Management, Dep’t of Treasury, Dep’t of Labor, Dep’t of Health and Human Serv., 86 Fed. Reg. 36,872 (July 13, 2021) (Interim Rule).

2 The No Surprises Act was signed into law as part of the Consolidated Appropriations Act of 2021 (H.R. 133; Division BB – Private Health Insurance and Public Health Provisions).

3 See Interim Final Rule at 36,878, 36,882-83.

4 Interim Rule at 36,877.

5 Id. at 36,922.

6 Id. at 36,882.

7 Id. at 36,904-05.

8 Id. at 36,905.

9 Id. at 36,906.

10 Id. at 36,907.

11 Id. at 36,906.

12 Id. at 36,907.

13 Id. at 36,908.

14 Id.

15 Id.

16 Id.

17 Id. at 36,906.

18 Id. at 36,909-10.

19 Id. at 36,909.

20 Id. at 36,911.

21 Id.

22 Id. at 36,910.

23 Id. at 36,912.

24 Id. at 36,914.

25 Id.

26 Id. at 36,915.

27 Id. at 36918.

28 Id. at 36,905.

Copyright 2021 K & L Gates
For more articles about healthcare coverage, visit the NLR Healthcare Law section.

New Jersey’s Safe Passing Law Aims to Protect Cyclists and Pedestrians on the Road

The COVID-19 pandemic may have halted or reduced travel for many in New Jersey, but the end of the year also came with a surprising and sobering statistic: the number of fatal accidents involving cars in New Jersey rose in 2020 despite the pandemic.

Last year, 587 fatal accidents were reported across the state, up from 558 in 2019. Fatal accidents involving pedestrians have also risen, and so have fatal accidents involving cyclists. Eighteen cyclists lost their lives on New Jersey roads last year, up from only twelve the year before.

In response to these alarming numbers—and the long-term work of certain local bike safety advocacy groups—the New Jersey state legislature recently passed a bipartisan bill to increase the safety of New Jersey’s bikers and pedestrians. This bill, now known as the New Jersey Safe Passing Law, was signed into law by New Jersey Governor Phil Murphy on Thursday, August 5th.

The New Jersey Safe Passing Law

Under the New Jersey Safe Passing Law, drivers who are passing cyclists or pedestrians must move over one lane if it’s safe to do so. If moving over one lane isn’t possible or safe, drivers must allow four feet of space between their vehicle and the pedestrian or cyclist until they’ve safely passed them. In the event that it isn’t possible to safely allow four feet of space, the driver is required to slow their vehicle to 25 miles per hour.

In addition to cyclists and pedestrians, the bill also covers New Jersey residents with mobility issues who are riding electric scooters or in wheelchairs. Drivers who fail to follow the new law may face fines of $100, while drivers who cause bodily injury by failing to comply may face a fine of up to $500 and have two motor vehicle points added to their driving record.

Struck by a car while cycling? Here are a few next steps

While the Safe Passing Law is certainly a significant step toward making the road a safer place for cyclists, negligent drivers can still present a danger on the road.

If you’ve been injured by a vehicle on the road while biking, you may be wondering what recourse you have for paying medical bills and recovering damages.

Once you’ve carefully documented the accident, spoken to any police dispatched to the scene, and gotten any needed medical attention, the following steps can help ensure you receive the proper compensation and help:

  1. Contact an attorney. Having an experienced attorney on your side can be crucial if you need to pursue damages from the party at fault or need help making an insurance claim.
  2. Since New Jersey is a “no fault” insurance state, medical bills should be covered through your own health insurance or through the Personal Injury Protection benefits included in your auto insurance (P.I.P. benefits may be applicable even if you’re injured while riding a bike).
  3. Depending on the specifics of your auto insurance policy, you may also be entitled to pursue additional damages for pain and suffering or non-economic loss. A skilled attorney can guide you through your options for pursuing damages and help to ensure that you receive what you’re entitled to.
COPYRIGHT © 2021, STARK & STARK

Article By Domenic B. Sanginiti, Jr of Stark & Stark

For more articles on state legislation changes, visit the NLR Public Services, Infrastructure, Transportation section.

Privilege Dwindles for Data Breach Reports

Data privacy lawyers and cyber security incident response professionals are losing sleep over the growing number of federal courts ordering disclosure of post-data breach forensic reports.  Following the decisions in Capital One and Clark Hill, another district court has recently ordered the defendant in a data breach litigation to turn over the forensic report it believed was protected under the attorney-client privilege and work product doctrines. These three decisions help underscore that maintaining privilege over forensic reports may come down to the thinnest of margins—something organizations should keep in mind given the ever-increasing risk of litigation that can follow a cybersecurity incident.

In May 2019, convenience store and gas station chain Rutter’s received two alerts signaling a possible breach of their internal systems. The same day, Rutter’s hired outside counsel to advise on potential breach notification obligations. Outside counsel immediately hired a forensic investigator to perform an analysis to determine the character and scope of the incident. Once litigation ensued, Rutter’s withheld the forensic report from production on the basis of the attorney-client privilege and work product doctrines. Rutter’s argued that both itself and outside counsel understood the report to be privileged because it was made in anticipation of litigation. The Court rejected this notion.

With respect to the work product doctrine, the Court stated that the doctrine only applies where identifiable or impending litigation is the “primary motivating purpose” of creating the document. The Court found that the forensic report, in this case, was not prepared for the prospect of litigation. The Court relied on the forensic investigator’s statement of work which stated that the purpose of the investigation was to “determine whether unauthorized activity . . . resulted in the compromise of sensitive data.” The Court decided that because Rutter’s did not know whether a breach had even occurred when the forensic investigator was engaged, it could not have unilaterally believed that litigation would result.

The Court was also unpersuaded by the attorney-client privilege argument. Because the forensic report only discussed facts and did not involve “opinions and tactics,” the Court held that the report and related communications were not protected by the attorney-client privilege. The Court emphasized that the attorney-client privilege does not protect communications of fact, nor communications merely because a legal issue can be identified.

The Rutter’s decision comes on the heels of the Capital One and Clark Hill rulings, which both held that the defendants failed to show that the forensic reports were prepared solely in anticipation of litigation. In Capital One, the company hired outside counsel to manage the cybersecurity vendor’s investigation after the breach, however, the company already had a longstanding relationship and pre-existing agreement with the vendor. The Court found that the vendor’s services and the terms of its new agreement were essentially the same both before and after the outside counsel’s involvement. The Court also relied on the fact that the forensic report was eventually shared with Capital One’s internal response team, demonstrating that the report was created for various business purposes.

In response to the data breach in the Clark Hill case, the company hired a vendor to investigate and remediate the systems after the attack. The company also hired outside counsel, who in turn hired a second cybersecurity vendor to assist with litigation stemming from the attack. During the litigation, the company refused to turn over the forensic report prepared by the outside counsel’s vendor. The Court rejected this “two-track” approach finding that the outside counsel’s vendor report has not been prepared exclusively for use in preparation for litigation. Like in Capital One, the Court found, among other things, that the forensic report was shared not only with inside and outside counsel, but also with employees inside the company, IT, and the FBI.

As these cases demonstrate, the legal landscape around responding to security incidents has become filled with traps for the unwary.  A coordinated response led by outside counsel is key to mitigating a data breach and ensuring the lines are not blurred between “ordinary course of business” factual reports and incident reports that are prepared for litigation purposes.

© 2021 Bracewell LLP

Article By Philip J. BezansonSeth D. DuCharme, and Brittney E. Justice of Bracewell LLP

Fore more articles on cybersecurity, visit the NLR Communications, Media, Internet, and Privacy Law News section.

Trifecta of New Privacy Laws Protect Personal Data

Following California’s lead, two states recently enacted new privacy laws designed to protect consumers’ rights over their personal data. The Colorado Privacy Act and the Virginia Consumer Data Protection Act mimic California privacy laws and the EU General Data Protection Regulation (GDPR) by imposing stringent requirements on companies that collect or process personal data of state residents. Failure to comply may subject companies to enforcement actions and stiff fines and penalties by regulators.

Virginia Consumer Data Protection Act

On March 2, 2021, Virginia’s legislature passed the Consumer Data Protection Act (CDPA, the Act), which goes into effect on January 1, 2023.

Organizations Subject to the CDPA

The Act generally applies to entities that conduct business in the state of Virginia or that produce products or services targeted to residents of the state and meet one or both of the following criteria: (1) control or process personal data of 100,000 Virginia consumers annually, (2) control or process personal data of at least 25,000 consumers (statute silent as to whether this is an annual requirement) and derive more than 50 percent of gross revenue from the sale of personal data. The processing of personal data includes the collection, use, storage, disclosure, analysis, deletion or modification of personal data.

Notably, certain organizations are exempt from compliance with the CDPA, including government agencies, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), entities subject to the Health Insurance Portability and Accountability Act (HIPAA), nonprofit organizations and institutions of higher education.

Broad Definition of Personal Data

The CDPA broadly defines personal data to include any information that is linked to an identifiable individual, but does not include de-identified or publicly available information. The Act distinguishes personal sensitive data, which includes specific categories of data such as race, ethnicity, religion, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, children’s data and geolocation data.

Consumers’ Data Protection Rights

The new Virginia privacy law recognizes certain data protection rights over consumers’ personal information, including the right to access their data, correct inaccuracies in their data, request deletion of their data, receive a copy of their data, and opt out of the processing of their personal data for purposes of targeted advertising, the sale of their data or profiling.

If a consumer exercises any of these rights under the CDPA, a company must respond within 45 days – subject to a one-time 45-day extension. If the company declines to take action in response to the consumer’s request, the company must notify the consumer within 45 days of receipt of the request. Any information provided in response to a consumer’s request shall be provided by the company free of charge, up to twice annually per consumer. The company must establish a procedure for a consumer to appeal the company’s refusal to take action on the consumer’s request. The company is required to provide the consumer with written notice of the decision on appeal within 60 days of receipt of an appeal.

Responsibilities of Data Controllers

The CDPA imposes several requirements on companies/data controllers, including limiting the collection of personal data, safeguarding personal data by implementing reasonable data security practices and obtaining a consumer’s consent prior to processing any sensitive data.

Moreover, data controllers should have a Privacy Notice that clearly explains the categories of personal data collected and processed; the purpose for processing personal data; how consumers can exercise their rights over their personal data; any categories of personal data shared with third parties; the categories of third parties with which personal data is shared; and consumers’ right to opt out of the processing of their personal data.

Importantly, all data controllers are required to conduct and document a data protection assessment (DPA). The DPA should identify and weigh the benefits and risks of processing consumers’ personal data and the safeguards that can reduce such risks. The Virginia Attorney General (VA AG) may require a controller to produce a copy of its DPA upon request.

Furthermore, data controllers must enter into a binding written contract with any third parties that process personal data (data processors) at the direction of the controller. This contract should address the following issues: instructions for processing personal data; nature and purpose of processing; type of data subject to processing; duration of processing; duty of confidentiality with respect to the data; and deletion or return of data to the data controller. In addition, the contract should include a provision that enables the data controller or a third party to conduct an assessment of the data processor’s policies and procedures for compliance with the protection of personal data.

Regulatory Enforcement

The VA AG has the exclusive authority to enforce the CDPA. Prior to initiating an enforcement action, the VA AG is required to provide the company/data controller with written notice identifying violations of the Act. If the company cures the violations within 30 days and provides the VA AG with express notice of the same, then no action will be taken against the company. The law permits the VA AG to impose statutory civil penalties of up to $7,500 for each violation of the Act. Moreover, the VA AG also may seek recovery of its attorneys’ fees and costs incurred in investigating and enforcing the resolution of violations of the Act.

Colorado Privacy Act

On July 7, 2021, Colorado passed the Colorado Privacy Act (CPA), which takes effect on July 1, 2023. In many respects, the CPA mirrors Virginia’s new privacy law.

Organizations Subject to the Law

The CPA applies to companies/data controllers that:

  • Conduct business in the state of Colorado or
  • Produce or deliver commercial products or services that are targeted to residents of Colorado and
  • Satisfy one or both of the following criteria:
    • Control or process personal data of 100,000 or more Colorado consumers annually
    • Derive revenue from the sale of personal data and process or control personal data of 25,000 or more Colorado consumers (statute silent as to whether this is an annual requirement).

Notably, the CPA does not apply to personal data that is protected under certain other laws, including GLBA, HIPAA, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, Children’s Online Privacy Protection Act (COPPA), Family Educational Rights and Privacy Act (FERPA), customer data maintained by a public utility, employment records or data maintained by an institution of higher education. 

Broad Definition of Personal Data

The CPA broadly defines personal data as information that can be linked to an identifiable individual, but does not include de-identified or publicly available information. The law also distinguishes personal sensitive data that may include race, ethnicity, religion, mental or physical health condition or diagnosis, sexual orientation or citizenship. 

Consumers’ Data Protection Rights

The law sets forth consumers’ data protection rights, including the right to access their personal data; the right to correct inaccuracies in their data; the right to request deletion of their data; the right to obtain a copy of their data; and the right to opt out of the processing of their personal data for the purposes of targeted advertising, the sale of their data or profiling.

A company/data controller must respond to a consumer’s request within 45 days – subject to a single 45-day extension as reasonably required. The company must notify the consumer within 45 days if the company declines to take action in response to a consumer’s request. Information provided in response to a consumer request shall be provided by the company free of charge, once annually per consumer. The company must establish a procedure for a consumer to appeal the company’s refusal to take action on a consumer’s request. The company shall provide the consumer a written decision on an appeal within 45 days of receipt of the appeal. The company may extend the appeal response deadline by 60 additional days where reasonably necessary.

Responsibilities of Data Controllers

The CPA imposes a number of stringent requirements on companies, including limiting the collection of personal data to what is reasonably necessary; taking reasonable measures to secure personal data from unauthorized acquisition during both storage and use; and obtaining a consumer’s consent prior to processing any sensitive data.

The data controller should have a clear and conspicuous Privacy Notice that sets forth the categories of personal data processed by the company, the purpose for processing personal data and the means by which consumers can withdraw their consent to processing of their data. The Privacy Notice should identify the categories of personal data collected or processed, categories of personal data shared with third parties and the categories of third parties with which personal data is shared. The Privacy Notice also must disclose whether the company sells personal data or processes personal data for targeted advertising, and the means by which consumers can opt out of the sale or processing of their data. 

A data controller shall not process any personal data that represents a heightened risk of harm to a consumer without conducting a data protection assessment (DPA). The DPA must identify and weigh the benefits from the processing of personal data that may flow to the controller, the consumer and the public against the potential risks to the rights of the consumer. These risks may be mitigated by safeguards adopted by the company. The company may be required to produce its DPA to the Colorado Attorney General (CO AG) upon request.

A company/data controller must enter into a binding contract with any third parties (data processors) that process personal data at the direction of the data controller. This contract should address the following issues: data processing procedures, instructions for processing personal data, nature and purpose of processing, type of data subject to processing, duration of processing, and deletion or return of data by the data processor. The contract also should include a provision that allows the controller to perform audits and inspections of the processor at least once annually and at the processor’s expense. The audit should examine the processor’s policies and procedures regarding the protection of personal data. If an audit is performed by a third party, the processor shall provide a copy of the audit report to the controller upon request. 

Regulatory Enforcement

The CO AG has the exclusive authority to enforce the DPA by bringing an enforcement action on behalf of Colorado consumers. A violation of the DPA is considered to be a deceptive trade practice. Prior to initiating an enforcement action, the CO AG must issue a notice of violation to the company and provide an opportunity to cure the violation. If the company fails to cure the violation within 60 days of receipt of notice of the violation, the CO AG may commence an enforcement action. Civil penalties may be imposed for violations of the Act.

Conclusion

Companies that collect or process consumer data are well advised to heed these new privacy laws imposed by Virginia and Colorado, since more states are sure to adopt similar laws. Failure to adhere to these new stringent legal requirements summarized in the table below may subject companies to regulatory enforcement actions, in addition to fines and penalties.

Requirements Virginia  Colorado
Consumer Data Protection Rights
Right to access personal data X X
Right to correct personal data X X
Right to delete personal data X X
Right to receive a copy of personal data X X
Right to opt out of processing personal data X X
Duty to Respond to Consumer Requests
Within 45 days (subject to one-time extension) X X
Notice of refusal to take action X X
Provide information free of charge X X
Appeal process X X
Privacy Notice
Categories of personal data collected or processed X X
Purpose for processing data X X
How consumers can exercise their rights X X
Categories of personal data shared with third parties X X
Categories of third parties with which personal data is shared X X
How consumers can opt out of the sale or processing of their personal data X X
Data Protection Assessment (DPA)
Documented DPA weighing the benefits and risks of processing consumers’ personal data, and the safeguards that can reduce such risks X X
Binding Contract Between Data Controller and Third-Party Data Processor
Instructions for processing personal data X X
Nature and purpose of the processing X X
Type of data subject to processing X X
Duration of processing X X
Duty of confidentiality X X
Deletion or return of data X X
Audits of data processor’s policies and procedures to safeguard data and comply with privacy laws X X
Enforcement
Enforcement by Attorney General X X
Fines and penalties X X

© 2021 Wilson Elser

Article By

Anjali C. Das of Wilson Elser Moskowitz Edelman & Dicker LLP

For more articles on data privacy legislation, visit the NLR Communications, Media, Internet and Privacy Law News section.

CPSC Sues Amazon to Force Recall of Hazardous Products Sold on Amazon.com

The U.S. Consumer Product Safety Commission (CPSC) announced on July 14, 2021, that it filed an administrative complaint against Amazon.com, “the world’s largest retailer, to force Amazon to accept responsibility for recalling potentially hazardous products sold on Amazon.com.” CPSC claims that the specified products sold through Amazon’s “fulfilled by Amazon” (FBA) program are defective and pose a risk of serious injury or death to consumers and that Amazon is legally responsible to recall them. According to the complaint, the products include “24,000 faulty carbon monoxide detectors that fail to alarm, numerous children’s sleepwear garments that are in violation of the flammable fabric safety standard risking burn injuries to children, and nearly 400,000 hair dryers sold without the required immersion protection devices that protect consumers against shock and electrocution.”

CPSC filed the complaint under the Consumer Product Safety Act (CPSA). According to the complaint, Amazon acts as a “distributor,” as defined by CPSA, of its FBA products by: (a) receiving delivery of FBA consumer products from a merchant with the intent to distribute the product further; (b) holding, storing, sorting, and preparing for shipment FBA products in its warehouses and fulfillment centers; and (c) distributing FBA consumer products into commerce by delivering FBA products directly to consumers or to common carriers for delivery to consumers.

The complaint states that after CPSC notified Amazon about the hazards presented by the specified products, Amazon took “several unilateral actions,” including:

  • Removing the Amazon Standard Identification Numbers (ASIN) for certain of the specified products; and
  • Notifying consumers who purchased certain of the specified products that they could present a hazard. Amazon also offered a refund to these consumers in the form of an Amazon gift card credited to their account.

According to the complaint, these actions “are insufficient to remediate the hazards posed by the Subject Products and do not constitute a fully effectuated Section 15 mandatory corrective action ordered by” CPSC. The complaint states that “[a] Section 15 order requiring Amazon to take additional actions in conjunction with the CPSC as a distributor is necessary for public safety.” The complaint asks CPSC to:

  1. Determine that Amazon is a distributor of consumer products in commerce, as those terms are defined in the CPSA;
  2. Determine that the specified products are substantial product hazards under CPSA Sections 15(a)(1), 15(a)(2), and 15(j);
  3. Determine that public notification in consultation with CPSC is required to protect the public adequately from substantial products hazards created by the specified products, and order Amazon to take actions set out in CPSA Section 15(c)(1), including but not limited to:
    1. Cease distribution of the specified products, including removal of the ASINs and any other listings of the specified products and functionally identical products, from Amazon’s online marketplace and identifying such ASINs to CPSC;
    2. Issue a CPSC-approved direct notice to all consumers who purchased the specified products that includes a particularized description of the hazard presented by each specified product and encourage the return of the specified product;
    3. Issue a CPSC-approved press release, as well as any other public notice documents or postings required by CPSC staff, that inform consumers of the hazard posed by the specified products and encourage the return or destruction of the specified products;
  4. Order that Amazon facilitate the return and destruction of the specified products, at no cost to consumers, to protect the public adequately from the substantial product hazard posed by the specified products, and order Amazon to take actions set out in CPSA Section 15(d)(1), including but not limited to:
    1. Refund the full the purchase price to all consumers who purchased the specified products and, to the extent not already completed, conditioning such refunds on consumers returning the specified products or providing proof of destruction;
    2. Destroy the specified products that are returned to Amazon by consumers or that remain in Amazon’s inventory, with proof of such destruction via a certificate of destruction or other acceptable documentation provided to CPSC staff;
    3. Provide monthly progress reports to reflect, among other things, the number of specified products located in Amazon’s inventory, returned by consumers, and destroyed;
    4. Provide monthly progress reports identifying all functionally equivalent products removed by Amazon from amazon.com pursuant to the CPSC Order, including the ASIN, the number distributed prior to removal, and the platform through which the products were sold;
  5. Provide monthly reports summarizing the incident data submitted to CPSC through the Retailer Reporting Program;
  6. Order that Amazon is prohibited from distributing in commerce the specified products, including any functionally identical products; and
  7. Order that Amazon take other and further actions as CPSC deems necessary to protect the public health and safety and to comply with CPSA and the Flammable Fabrics Act (FFA).

CPSC “urges consumers to visit SaferProducts.gov to check for recalls prior to purchasing products and to report any incidents or injuries to the CPSC.” CPSC published the complaint in the July 21, 2021, Federal Register. 86 Fed. Reg. 38450.

Commentary

In CPSC’s July 14, 2021, press release, Acting Chair Robert Adler states that the decision to file an administrative complaint is “a huge step across a vast desert — we must grapple with how to deal with these massive third-party platforms more efficiently, and how best to protect the American consumers who rely on them.” According to The Washington Post, CPSC issued the administrative complaint “after months of behind-the-scenes negotiations between regulators and Amazon as the agency tried to persuade the company to follow the CPSC’s rules for getting dangerous products off the market, according to a senior agency official who spoke on the condition of anonymity to comment on internal discussions.” This same official stated that “Amazon officials refused to acknowledge that the CPSC has the authority to compel the company to remove unsafe products.”

As reported in our February 16, 2018, blog item, “EPA Settles with Amazon on Distribution of Unregistered Pesticides,” the U.S. Environmental Protection Agency (EPA) and Amazon entered into a Consent Agreement and Final Order (CAFO) whereby Amazon agreed to pay $1,215,700 in civil penalties for approximately 4,000 alleged violations under Section 3 of the Federal Insecticide, Fungicide, and Rodenticide Act (FIFRA) for the distribution of unregistered pesticide products. EPA later issued stop sale, use, or removal orders (SSURO) to Amazon and eBay for selling certain pesticide products that EPA claims are unregistered, misbranded, or restricted-use pesticides, and pesticide devices that EPA asserts make false or misleading claims. More information on the SSURO is available in our June 17, 2020, blog item, “EPA Issues Stop Sale, Use, or Removal Orders to Amazon and eBay for Unregistered and Misbranded Pesticides and Devices, Including Products with Claims Related to COVID-19.”

As reported in our October 9, 2020, blog item, Representatives Frank Pallone, Jr. (D-NJ), Chair of the House Committee on Energy and Commerce, and Jan Schakowsky (D-IL), Chair of the House Energy and Commerce Subcommittee on Consumer Protection and Commerce, requested that Amazon Chief Executive Officer (CEO) and Chair Jeff Bezos launch an investigation into the safety of Amazon’s product line, AmazonBasics, and answer a series of questions pertaining to the company’s product safety and recall practices. The Committee’s October 7, 2020, press release notes that the request comes after a CNN investigation found that many of AmazonBasics’ electronic products “have exploded, caught fire, sparked, melted, or otherwise created hazardous situations at rates well above comparable products.” According to the press release, many of these products were never recalled and continue to be sold.

CPSC’s administrative complaint is just the latest indication of the pressure on Amazon to ensure the safety of the products the platform hosts. These federal agency and Congressional efforts will almost certainly cause more pressure on product manufacturers to ensure the products they offer for sale on Amazon are compliant with the relevant regulations.

©2021 Bergeson & Campbell, P.C.

Article By Lynn L. Bergeson, Lisa M. Campbell and Carla N. Hutton at Bergeson & Campbell, P.C. For more CPSC news, see the Consumer Protection section of the National Law Review.

CFPB Suit Against Student Loan Trusts Dismissed

On March 26, 2021, Judge Maryellen Noreika of the U.S. District Court for the District of Delaware dismissed a lawsuit brought by the Consumer Financial Protection Bureau (“CFPB”) in Consumer Financial Protection Bureau v. The National Collegiate Master Student Loan Trusts,1 finding, inter alia, that the CFPB’s suit was constitutionally defective due to the CFPB’s untimely attempt to ratify the prosecution of the litigation in the wake of the Supreme Court’s decision in Seila Law LLC v. Consumer Financial Protection Bureau.  This case has been closely watched by many participants in the structured finance industry, because the litigants had disputed over the question of whether the trusts at issue in the litigation are “covered persons” liable under the Consumer Financial Protection Act despite their status as passive securitization trust entities—a question that has important and wide-reaching implications for the structured finance markets.

Background

The National Collegiate Student Loan Trusts (the “Trusts”) hold more than 800,000 private student loans through 15 different Delaware statutory trusts created between 2001 and 2007, totaling approximately $12 billion.  The loans originally were made to students by private banks.  The Trusts provided financing for the student loans by selling notes to investors in securitization transactions.  The Trusts also provided for the servicing of and collection on those student loans by engaging third-party servicers.  However, the Trusts themselves are passive special purpose entities lacking employees or internal management; instead, to operate, the Trusts relied on various interlocking trust-related agreements with multiple third-party service providers to—among other things—administer each of the Trusts, determine the relative priority of economic interests in the Trusts, and service the Trusts’ loans.

On September 4, 2014, the CPFB issued a civil investigative demand (“CID”) to each of the Trusts for information concerning thousands of allegedly illegal student loan debt collection lawsuits used to collect on defaulted loans held by the Trusts.  On May 9, 2016, the CFPB alerted the Trusts to the fact that the CFPB was considering initiating enforcement proceedings against the Trusts based on the collection lawsuits through a Notice and Opportunity to Respond and Advice (“NORA”).  A few weeks later, the law firm McCarter & English, LLP (“McCarter”), purporting to represent the Trusts, submitted a NORA response to the CFPB.  McCarter and the CFPB then proceeded to negotiate a Proposed Consent Judgment to resolve the CFPB’s investigation of the Trusts.

The Litigation

On September 18, 2017, the CFPB filed suit against the Trusts in Delaware federal court (the “Court”), alleging that the Trusts had violated the Consumer Financial Protection Act of 2010 (the “CFPA”) by engaging in unfair and deceptive practices in connection with their servicing and collection of student loans.  Although the CFPB acknowledged that the Trusts had no employees and that the alleged misconduct resulted from actions taken by the Trusts’ servicers and sub-servicers in the course of their debt collection activities—rather than any actions taken by the Trusts themselves—the CFPB nonetheless named only  the Trusts as defendants.  On the same day, the CFPB also filed a motion to approve the Proposed Consent Judgment negotiated with McCarter.

However, within days of the CFPB’s initiation of the lawsuit, multiple parties associated with the Trusts intervened in the litigation to argue against the entry of the Proposed Consent Judgment.  The intervenors expressed concern that the entry of the Proposed Consent Judgment would impermissibly impair or rewrite their respective contractual obligations as set forth in the agreements underlying the Trusts.  After discovery, on May 31, 2020, the Court denied the CFPB’s motion to approve the Proposed Consent Judgement, holding that McCarter lacked authority to execute the Proposed Consent Judgment pursuant to terms of the agreements governing the Trusts and Delaware law.

On June 29, 2020, in another lawsuit involving the CFPB, the United States Supreme Court held in Seila Law LLC v. Consumer Financial Protection Bureau that the CFPB’s structure violated the Constitution’s separation of powers.2  Specifically, the Supreme Court held that “an independent agency led by a single Director and vested with significant executive power” has “no basis in history and no place in our constitutional structure,”3 and that the statutory restriction on the President’s authority to remove the CFPB’s Director only for “inefficiency, neglect, or malfeasance” violated the separation of powers.4  The Supreme Court then concluded that the proper remedy was to sever the removal restriction, and ultimately allowed the CFPB to stand.  The Supreme Court also noted that an enforcement action that the CFPB had filed to enforce a CID while its structure was unconstitutional may nonetheless be enforceable if it was later successfully ratified by an acting director of the CFPB who was removable at will by the President.  If not so ratified, however, the enforcement action must be dismissed.

Around the time the Supreme Court issued its decision in Seila Law, various intervenors were briefing multiple motions to dismiss the CFPB’s complaint against the Trusts.  One subset of intervenors—Ambac Assurance Corporation, the Pennsylvania Higher Education Assistance Agency, and the Wilmington Trust Company5 (collectively, “Ambac”)—argued, inter alia, that: (i) the Supreme Court’s decision in Seila Law required dismissal of the CFPB’s complaint because the CFPB’s ratification of the litigation against the Trusts was untimely, and (ii) the Court lacked subject matter jurisdiction over its asserted claims because the Trusts are not “covered persons” as required under the CFPA.  Another intervenor, Transworld Systems, Inc.6 (“TSI”) also argued that the CFPB’s complaint merited dismissal for lack of subject matter jurisdiction as well.

The Court’s Holding

Subject Matter Jurisdiction

The Court held that it possessed the requisite subject matter jurisdiction to decide the CFPB’s claims, and rejected the contention that a showing of whether the Trusts are “covered persons” is a jurisdictional requirement under the CFPA.  To determine whether a restriction—such as the term “covered persons”—is jurisdictional, the Court looked to “whether Congress has clearly stated that the rule is jurisdictional.”7  “[A]bsent such a clear statement,” courts “should treat the restriction as nonjurisdictional.”8

The Court then examined the CFPA, observing that there is no clear statement in the CFPA’s jurisdictional grant that “covered persons” is required.  The Court noted that only one section of the CFPA addresses the issue of subject matter jurisdiction, and that section granted jurisdiction over “an action or adjudication proceeding brought under Federal consumer law” with no mention of “covered persons” whatsoever.9

While the Court agreed that the term “covered persons” appeared multiple times throughout the CFPA, it pointed out that none of the sections where “covered persons” appeared mentioned jurisdiction.

Enforcement Authority

In light of the Supreme Court’s holding in Seila Law, the Court granted Ambac’s motion to dismiss the CFPB’s complaint due to the CFPB’s lack of enforcement authority as a result of its untimely ratification of the litigation.

As an initial matter, the Court observed that there was no question that the CFPB initiated the enforcement action against the Trusts at a time when its structure violated the constitutional separation of powers.  The task facing the Court, then, would be to determine (i) whether that constitutional defect has been cured by ratification, or (ii) whether dismissal of the suit is required.  Under the applicable Third Circuit precedent, there are three general requirements for ratification of previously-unauthorized action by an agency: (1) “the ratifier must, at the time of ratification, still have the authority to take the action to be ratified”; (2) “the ratifier must have full knowledge of the decision to be ratified”; and (3) “the ratifier must make a detached and considered affirmation of the earlier decision.”10  Here, the parties’ dispute centered around the first requirement.

Under the first requirement, the Court noted that “it is essential that the party ratifying should be able not merely to do the act ratified at the time the act was done, but also at the time the ratification was made.”11  On July 9, 2020, the CFPB’s then-Director, Kathy Kraninger, had ratified the decision to initiate the CFPB’s litigation against the Trusts a few weeks after the Supreme Court’s decision in Seila Law.  The Court held that Director Kraninger’s ratification was ineffective, because (i) an enforcement action arising from alleged CFPA violations must be brought no later than three years after the date of discovery of the violation to which the action relates,12 (ii) ratification is ineffective when it takes place after the relevant statute of limitations has expired, and (iii) the CFPB clearly had discovery of the Trusts’ alleged CFPA violations more than three years before the ratification date, i.e., before July 9, 2017.  Thus, Director Kraninger’s ratification of the CFPB’s decision to file suit against the Trusts failed to cure the constitutional defects raised by Seila Law, and the CFPB’s complaint—initially filed by a CFPB director unconstitutionally insulated from removal—could not be enforced.

In so holding, the Court rejected the CFPB’s argument that the timeliness requirements for ratification were satisfied because the CFPB had brought the original suit within the applicable limitations period.  The Court likewise rejected the CFPB’s request to equitably toll the statute of limitations for ratification, because the CFPB “could not identify a single act that it took to preserve its rights in this case in anticipation of the constitutional challenges that could have reasonably ended with an unfavorable ruling from the Supreme Court.”13

Key Takeaways

The securitization industry has operated for decades on the premise that agreements governing securitization transactions provide that transaction parties are responsible for their own malfeasance and, barring special circumstances, will not be held accountable for the misconduct of other parties to the transaction.  A decision holding that passive securitization entities like the Trusts are “covered persons” under the CFPA—and thus potentially responsible for the actions of their third-party service providers—would undermine the certainty of contract terms that undergirds the success of the structured finance industry, with grave implications for the heathy functioning of the industry.  While the substantive question of whether passive securitization entities like the Trusts could indeed be “covered persons” and held accountable for the actions of their third-party service providers remains to be answered for another day, the Court did observe that it “harbor[ed] some doubt” that the plain language of the CFPA extended to passive statutory trusts,14 and expressed skepticism as to whether the CFPB could successfully replead in a manner that would successfully cure the deficiencies in its original complaint.

1   2021 WL 1169029, at *3 (D. Del. Mar. 26, 2021).

2   140 S.Ct. 2183, 2197 (June 29, 2020).  For a detailed discussion on Seila Law, please see our July 2, 2020 Clients & Friends Memo, “Seila Law LLC v. Consumer Financial Protection Bureau: Has the Supreme Court Tamed or Empowered the CFPB?”, available at https://www.cadwalader.com/resources/clients-friends-memos/seila-law-llc-v-consumer-financial-protection-bureau-has-the-supreme-court-tamed-or-empowered-the-cfpb.

3   Id. at 2201.

4   Id. at 2197.

5   Ambac Assurance Corporation provided financial guarantee insurance with respect to securities in over half of the Trusts.  The Pennsylvania Higher Education Assistance Agency is the Primary Servicer for the Trusts, while the Wilmington Trust Company is the Trusts’ Owner Trustee.

6   TSI is a sub-servicer responsible for the collection of the Trusts’ delinquent loans.

7   Nat’l Collegiate Master Student Loan Tr. at *3 (citing Sebelius v. Auburn Reg’l Med. Ctr., 568 U.S. 145, 153 (2013)).

8   Id.

9   See 12 U.S.C. § 5565(a)(1).

10  Nat’l Collegiate Master Student Loan Tr. at *4 (quoting Advanced Disposal Serv. E., Inc. v. Nat’l Labor Relations Bd., 820 F.3d 592, 602 (3d Cir. 2016)).

11  Id. (quoting Advanced Disposal, 820 F.3d at 603) (emphasis in original).

12  12 U.S.C. § 5564(g)(1).

13  Nat’l Collegiate Master Student Loan Tr. at 7.

14  Id. at 3.

© Copyright 2020 Cadwalader, Wickersham & Taft LLP

ARTICLE BY Ellen Holloman,  Neil J. Weidner,  Cheryl D. Barnes
Rachel Rodman, Scott A. Cammarn and Ailsa Chau of
Cadwalader, Wickersham & Taft LLP

For more articles on the CFPB, visit the NLR Financial Institutions & Banking section.

Major Drop In Toy Safety Inspections for Over Six Months Due to COVID-19 Threat

A USA TODAY investigation found that the Consumer Product Safety Commission (CPSC) pulled its toy police from ports around the country for over 6 months because of the threat of COVID-19, causing a major drop in safety inspections. This is a follow up from our Most Dangerous Toys of 2020 post, further warning parents, grandparents, and gift-givers to research a toy’s potential hazards before clicking the “buy now” button.

CPSC inspectors are supposed to intercept bad toys and other household products before they reach the market.

“Anything that could potentially harm consumers, my job is to stop it here,”
– CPCS compliance investigator from a video posted on the agency’s website.

The leaders of the federal agency made the decision without warning consumers or full disclosure to Congress. They continued the shutdown at the ports and a government testing laboratory until September, including spring and summer months that were their inspectors’ busiest in 2019.

USA TODAY found an extraordinary lapse in safety surveillance during the pandemic which was hidden from the public. From April to September, during the COVID-19 closures, the agency issued a fourth of the violations it did during the same period a year earlier.

CPSC inspectors performed an average of 3,000 monthly screenings at the ports at the beginning of 2020, according to internal agency data. By May, that number had fallen to about 100 and in August, they only performed 47. As of December 2020, the records show inspectors were still not working in five of the 18 ports they normally patrol, Chicago, New York City, Savannah, Buffalo, New York, and Norfolk, Virginia.

Target, Dollar Tree, Walgreens, Amazon, and UPS were among the large wholesale distributors, shipping companies, and name-brand retailers who brought in products from overseas while the CSPS investigators were away from their posts this year, not screening for hazards that wholesalers and retailers are supposed to test for themselves.

Shoppers of these stores and others that import products will have no way to differentiate good products from any bad items that have slipped in. Experts fear it could take years to discover the dangerous items that have been allowed into American homes.

If you notice any problems, experts say to immediately report them to a CPSC website where such complaints are publicly posted: saferproducts.gov.

© 2020 by Clifford Law Offices PC. All rights reserved.
For more articles on toy safety, visit the National Law Review Consumer Protection section.

Consumer Product Safety Advocates Pen Memorandum to Biden Transition Team Foreshadowing Push for More Active and Aggressive CPSC

For years consumer product safety advocate groups have bemoaned the seeming lack of aggressiveness from the Consumer Product Safety Commission (“CPSC”). As an example, they complain that the CPSC levied no civil penalties on companies in 2020, 2 in 2019, and only 1 in 2018, penalties being a surrogate in their minds for enforcement. As counsel for many companies, we know that this is not the case and CPSC compliance activity has remained vigorous. But perhaps the ongoing criticisms led Acting Chairman Robert Adler to publicly announce in mid-November the CPSC’s recent vote to refer a case to the DOJ for prosecution of a civil penalty.

With the Commission evenly split 2-2 between Democrats and Republicans, and the incoming Biden administration only one month away, in early November seven industry groups penned a memorandum to the Biden Transition Team to advocate for greater power for, and greater use of existing power, by the agency. This is an important message because these leading advocates may well populate the Commission at high levels in the next few years.

The people who signed the document are capable and well intentioned. We share their goals for a strong, more effective CPSC but we question their proposed remedies. The Agency has a wealth of statutory authorities at its disposal. It just needs the resources, financial and technological, to better use them as well as a greater focus on priority areas. In this post, we will focus on the general, non product-specific proposals except to note that furniture and juvenile products are top of the list.

The memorandum, published on November 11th, was signed by leaders of the American Academy of Pediatrics, Consumer Federation of America, Consumer Reports, Cuneo Gilbert & LaDuca, Kids In Danger, Public Citizen, and U.S. Public Interest Research Group (PIRG). Among the many actions advocated in the memo, the groups included a plea to the Biden Administration to utilize the CPSC to:

  • File more formal administrative or legal complaints to seek recalls (although we note that the  voluntary approach is far more effective and less resource intensive);
  • Make more frequent public preliminary determinations that corrective action will be warranted (without recognizing the legal requirements for findings and due process to justify this commercially devastating action);
  • “[R]everse the current trend and go back to imposing meaningful civil penalties on corporate violations of consumer product safety law” (without recognizing the real world deterrent effect of the threat of any penalties for public-facing companies.)

Section 6(b) still the Misunderstood Villain Subject to Much False News

Perhaps one of the most controversial CPSC-related statutory provisions is Section 6(b) of the Consumer Product Safety Act (“CPSA”). The section requires the CPSC to take reasonable steps to ensure that disclosure of information identifying a specific product, manufacturer, or private labeler, is accurate, fair in the circumstances, and reasonably related to effectuating the purpose of the CPSA and related laws. Information voluntarily submitted to the Commission under Section 15 (reports of potentially defective or unsafe products) is shielded from disclosure, even from FOIA requests, without the agency first going through procedural mechanisms to ensure release of the information doesn’t run afoul of 6(b). This provision resulted from unfair and devastating harm to companies from unjustified public condemnations and announcements by CPSC.

There is no known evidence to support the claim that the CPSC has been prevented by law from disclosing important information about unsafe products. The law provides for accelerated disclosures where justified. Nevertheless, consumer advocates have for years put forward the rallying cry that manufacturers have a veto over CPSC’s release of information that harms the public. The advocates’ memo calls for Congress to repeal Section 6(b). Absent such a bill, the advocates call for clarification that Section 6(b) does not extend to records released under FOIA, which currently runs contra to Supreme Court precedent from 1980.1

The memorandum also calls for significantly less reliance on consensus standards as both the basis for compliance action and regulatory action. Cost-benefit analysis would be downgraded (even though it is a hallmark of the Clinton and Obama Administrations.) These proposals are fraught with problems and fail to recognize that globally the product safety system has as its essential underpinning consensus standards, which results in a very safe consumer product ecosystem in the United States.

Finally, the advocates state that CPSC is woefully underfunded, given the incredibly important mission of consumer protection. Many CPSC observers share this sentiment. The memo calls for a drastic expansion of the agency, and increased budget for the CPSC.2 In fact, the memo advocates for a doubling of CPSC appropriations, an impractical request.

What This Means: Aggressive Advocacy and Activity Inside and Outside the Agency  

For those regularly following the CPSC, the issues discussed in the advocates’ memorandum with great passion are nothing new. What changes, however, is the context. While Senate Leadership has been unable to confirm a third Republican commissioner nominee or a Chairman nominee with the failed attempts to confirm Ann Marie Buerkle and Nancy Beck (thus far), the Commission sits at a 2-2 position. Bob Adler, an Obama appointee, has been acting Chairman for over one year, allowing for an essentially Democratic-controlled agency under a Republican administration except for the deadlock on most regulatory actions. We will eventually see who gets nominated by the Biden administration and whether eventual new leadership will implement and advocate on the inside for the positions advocated to the Transition Team.

One can safely presume that the CPSC will be far more aggressive in the coming years. Companies would be well-served to protect themselves by ensuring their houses are in order—effective safety procedures in place up and down the supply chain.

Consumer Product Safety Commission v. GTE Sylvania, Inc., 447 U.S. 102 (1980).

CPSC requested a budget of $135 million for FY 2021.

©1994-2020 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.
For more articles on the CPSC, visit the National Law Review Consumer Protection section.

CPSC Issues COVID-19 Consumer Products Guidance, Further Muddying the Regulatory Waters and Increasing Scrutiny of COVID-19 Products

As the COVID-19 pandemic continues, and with an incoming Biden administration that is expected to step up efforts to control the spread of the virus, use of personal protective equipment (“PPE”) and cleaning/disinfectant products has never been more important or widespread among the public.  However, in late October, the Consumer Product Safety Commission (“CPSC”) issued guidance on its website asserting that certain consumer protection rules within its jurisdiction apply to PPE, and reminding consumers of the CPSC laws that apply to cleaning/disinfectant products (the “COVID Guidance”).

The CPSC commissioners disagree about the import or official applicability of the COVID Guidance, and questions abound as to how it interplays with FDA regulations issued by the U.S. Food and Drug Administration (“FDA”), including Emergency Use Authorizations (“EUA”), as well as EPA regulations on disinfectant products – not to mention how or whether the COVID Guidance impacts the protections afforded by the Public Readiness and Emergency Preparedness Act (the “PREP Act”).  But in any case, the guidance unquestionably heightens scrutiny around COVID-related products, and likely will give consumer plaintiffs’ attorneys additional lawsuit fodder – so manufacturers should understand it.

Broadly, the COVID Guidance covers two broad categories of products: face coverings, gowns, gloves (i.e., PPE), and cleaning/disinfectant products.

Face Coverings, Gowns, and Gloves

Under the COVID Guidance, face coverings, gowns, and gloves designed for consumer use are considered “articles of wearing apparel” and therefore must (1) comply with the flammability requirements of the Flammable Fabrics Act; and (2) be tested to either 16 C.F.R. Part 1610 (Standard for the Flammability of Clothing Textiles) or Part 1611 (Standard for the Flammability of Vinyl Plastic Film), depending on the materials used for construction.  Further, U.S. manufacturers and importers of these products must issue a General Certificate of Conformity (“GCC”) certifying that these clothing articles meet all applicable requirements.

The COVID Guidance imposes additional requirements for PPE apparel designed specifically for children’s use (i.e., ages 12 and under).  Under the Consumer Product Safety Act (“CPSA”), all children’s products must bear permanent tracking information, meet total lead content limits, and meet lead in paint or similar surface coating limits (if either a paint or surface coating is present on the product).  Product testing must take place at a CPSC-accepted testing lab, and U.S. manufacturers/importers of these products must also issue a Children’s Product Certificate.

Cleaning Solutions

Household cleaning solutions – for example, hand sanitizers and soaps – are primarily regulated by the FDA, but also fall under the jurisdiction of the CPSC if they constitute a “hazardous substance” under the Federal Hazardous Substances Act (“FHSA”).  Generally, the FHSA defines a “hazardous substance” as (1) a substance (or mixture of substances) that may cause substantial personal injury or substantial illness during customary or reasonably foreseeable handling or use, including reasonably foreseeable ingestion by children; and (2) the substance (or mixture of substances) is toxic, corrosive, an irritant, a strong sensitizer, is flammable or combustible, or generates pressure through decomposition, heat, or other means.  The FHSA requires that hazardous substances bear prominent warnings on their labels – for example, “KEEP OUT OF REACH OF CHILDREN,” “DANGER”, and “HARMFUL OR FATAL IF SWALLOWED,” among others.

© 2020 Foley & Lardner LLP
For more articles on the CPSC, visit the National Law Review Consumer Protection section.