FDA Issues Draft Guidance on Mandatory Food Recalls Under the Food Safety Modernization Act

The Food and Drug Administration (FDA) recently issued a draft guidance titled, “Questions and Answers Regarding Mandatory Food Recalls.” FDA was given general mandatory food recall authority by the Food Safety Modernization Act (FSMA). The guidance is notable for its brevity, coming in at a total of seven pages including the cover. Although much of the content will be familiar to those with experience in food recalls, the guidance does discuss the procedure for FDA to order a mandatory food recall and the assessment of user fees for those subject to such a recall.

With respect to the procedure, the guidance states that after FDA finds that the criteria for a mandatory recall have been met, it must first provide the responsible party with an opportunity to perform a voluntary recall of the food. FDA will provide this opportunity in writing using an expeditious method. If the responsible party does not voluntarily cease distribution and recall the food within the time and manner prescribed by FDA, FDA may order the responsible party to cease distributing the article of food, order the responsible party to give notice to certain other persons to cease distributing the article of food, and give the responsible party an opportunity for an informal hearing. After these steps are completed, FDA may order a recall if it determines that the removal of the food from commerce is necessary. Only the FDA Commissioner has the authority to order a recall.

As to user fees, the guidance observes that the FDA has the authority to collect fees from a responsible party for a domestic facility and an importer who does not comply with a food recall order. The fees would cover time spent by FDA conducting food recall activities, including technical assistance, follow-up effectiveness checks, and public notifications. FDA defines noncompliance to include (1) not initiating a recall as ordered by FDA, (2) not conducting the recall in the manner specified by FDA in the recall order, or (3) not providing FDA with requested information regarding the recall, as ordered by FDA. FDA publishes a Federal Register notice of fees for non-compliance with a Recall Order no later than 60 days before the start of each fiscal year.

Given that most parties will voluntarily recall food when the statutory conditions are satisfied to avoid a public relations disaster and harsh FDA action, it seems unlikely that FDA will have to resort often to the exercise of its mandatory recall authority or assessment of fees. The fact that FDA has this authority, however, helps ensure FDA will not have to exercise it.

A copy of the draft guidance document can be found here.

© 2015 BARNES & THORNBURG LLP

Are Cosmetics Gaining Higher Congressional and FDA Scrutiny?

Currently, FDA regulates cosmetics to ensure they are not adulterated or misbranded, but does not have the authority to order cosmetic recalls or require adverse event reporting.  Senators Dianne Feinstein (D-CA) and Susan Collins (R-ME) seek to change that.

On April 20, 2015, they introduced the Personal Care Products Safety Act (S.1014). The Act, if passed, would modify Chapter VI of the Federal Food, Drug, and Cosmetic Act (FDCA) to strengthen FDA’s oversight of, and regulatory authority over, cosmetic products.

Title I of the Act (“Cosmetic Safety”) gives FDA authority to order cosmetic recalls, as well as require manufacturers to:

  1. Report adverse events,

  2. Label ingredients not appropriate for children,

  3. Post complete label information (including ingredients and product warnings) online, and

  4. Register their facilities with FDA.

In addition to this significant new authority over manufacturers, the Act also requires FDA to work with industry and consumer groups to annually select and review at least 5 ingredients or non-functional constituents.

The first 5 ingredients, if the law is passed, will be:

  1. Diazolidinyl urea

  2. Lead acetate

  3. Methylene glycol/methanediol/formaldehyde

  4. Propyl paraben

  5. Quaternium-15

Title II of the Act (“Fees Related to Cosmetic Safety”) outlines the costs associated with enforcement of the new standards. With an annual implementation cost estimated at $20.6 million, it is to be funded by annual fees from all registered owners or operators of cosmetic facilities engaged in manufacturing or processing in the United States.

The Act has wide industry support, including the Personal Care Products Council (a 600+ member company trade association), large cosmetics manufacturers, and consumer groups.  Since it was introduced, it has gained two co-sponsors, Senators Barbara Boxer (D-CA) and Amy Klobuchar (D-MN).

The Act is consistent with FDA’s current priorities related to cosmetics.  Two of these priorities have been reporting of adverse events (with the majority of issues seen in hair care products), and maintaining a distinct line between over-the-counter drugs and cosmetics, because cosmetics need not currently undergo the additional scrutiny that OTC drugs must.

More information on the Personal Care Products Safety Act can be found in Senator Feinstein’s statement upon its introduction.

Maker’s Mark Defeats “Handmade” Class Action Lawsuit

Could consumers have plausibly believed that one of the country’s top-selling bourbon brands is “handmade”?  Not according to one federal district court in Florida, which recently dismissed a class action alleging Maker’s Mark deceived consumers by labeling its whiskey as “handmade.” The decision by U.S. District Judge Robert Hinkle comes on the heels of a California federal court’s decision not to dismiss outright a similar consumer class action involving Tito’s Handmade Vodka.  Compare Salters v. Beam Suntory, Inc., 14-cv-659, Dkt. 31 (N.D. Fla. May 1, 2015) with Hofmann v. Fifth Generation, Inc., 14-cv-2569, Dkt. 15 (S.D. Cal. Mar. 18, 2015).  These divergent opinions suggest that courts are still puzzling over just how much credence to grant putative class claims based on allegedly deceptive liquor labels at the motion to dismiss stage, particularly under the U.S. Supreme Court’s decision in Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (2007).  In Twombly, the Court made clear that plaintiffs must include enough facts in a complaint to make their claim to relief not just conceivable, but plausible—or else face dismissal.

Salters, the Florida case, is part of a wave of recently filed class actions accusing alcoholic beverage producers of violating state consumer protection statutes.  In the typical case, as here, the plaintiffs claim to have purchased the brand in reliance on allegedly deceptive labeling and contend they would not have purchased it or would have paid less otherwise.  The Salters plaintiffs claimed they were damaged because Maker’s Mark sold “their ‘handmade’ Whisky to consumers with the false representation that the Whisky was ‘handmade’ when, in actuality, the Whisky is made via a highly-mechanized process, which is devoid of human hands.”

Judge Hinkle flatly rejected the idea that this could support a claim.  Citing Twombly, he noted that although whether a label is false or misleading is generally a question of fact, a motion to dismiss should be granted if the complaint’s factual allegations do not “render plaintiffs’ entitlement to relief plausible.”  The court observed that taken literally, all bourbon is handmade, because it is not a naturally occurring product; construed less literally, which was apparently the plaintiffs’ approach, “no reasonable consumer could believe” that bourbon could be made by hand, presumably without commercial-scale equipment, “at the volume required for a nationally marketed brand like Maker’s Mark.”  In any event, the court found the plaintiffs’ claims implausible under any definition of “handmade,” writing:

In sum, no reasonable person would understand “handmade” in this context to mean literally made by hand.  No reasonable person would understand “handmade” in this context to mean substantial equipment was not used.  If “handmade” means only made from scratch, or in small units, or in a carefully monitored process, then the plaintiffs have alleged no facts plausibly suggesting that statement is untrue.  If “handmade” is understood to mean something else . . . the statement is the kind of puffery that cannot support claims of this kind.

The court appears to have concluded that when applied to a product as popular as Maker’s Mark, the word “handmade” is more an unactionable “general, undefined statement that connotes greater value,” like describing a bourbon as “smooth,” than a factual representation easily capable of being false or misleading.  Though this may pass the common sense test, it is less clear whether other courts will agree.  In the Tito’s case, for instance, the court declined to accept at the motion to dismiss stage an argument similar to the one that persuaded the Maker’s Mark judge, holding that “the representation that vodka that is (allegedly) mass-produced in automated modern stills from commercially manufactured neutral grain spirit is nonetheless “Handmade” in old-fashioned pot stills arguably could mislead a reasonable consumer.”

These cases highlight the need to carefully examine product labeling and advertising claims and consider whether consumers (or plaintiffs’ attorneys) could challenge them as untrue.  This is relatively simple when claims involve factual issues such as where a product is produced, but less so with words like “handmade,” which could arguably qualify as either non-actionable “puffery” or a quantifiable claim.

Supreme Court to Decide Who Can Sue Under Privacy Law

Does a consumer, as an individual, have standing to sue a consumer reporting agency for a “knowing violation” of the Fair Credit Reporting Act (“FCRA”), even if the individual may not have suffered any “actual damages”?

The question will be decided by the U.S. Supreme Court in Spokeo, Inc. v. Robins, 742 F.3d 409 (9th Cir. 2014), cert. granted, 2015 U.S. LEXIS 2947 (U.S. Apr. 27, 2015) (No. 13-1339). The Court’s decision will have far-reaching implications for suits under the FCRA and other statutes that regulate privacy and consumer credit information.

FCRA

Enacted in 1970, the Fair Credit Reporting Act obligates consumer reporting agencies to maintain procedures to assure the “maximum possible accuracy” of any consumer report it creates. Under the statute, consumer reporting agencies are persons who regularly engage “in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties.” Information about a consumer is considered to be a consumer report when a consumer reporting agency has communicated that information to another party and “is used or expected to be used or collected” for certain purposes, such as extending credit, underwriting insurance, or considering an applicant for employment. The information in a consumer report must relate to a “consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.”

Under the FCRA, consumers may bring a private cause of action for alleged violations of their FCRA rights resulting from a consumer reporting agency’s negligent or willful actions. For a negligent violation, the consumer may recover the actual damages he or she may have sustained. For a “willful” or “knowing” violation, a consumer may recover either actual damages or statutory monetary damages of $100 to $1,000.

Background

Spokeo is a website that aggregates personal data from public records that it sells for many purposes, including employment screening. The information provided on the site may include an individual’s contact information, age, address, income, credit status, ethnicity, religion, photographs, and social media use.

Spokeo, Inc., has the dubious distinction of receiving the first fine ($800,000) from the Federal Trade Commission (“FTC”) for FCRA violations involving the sale of Internet and social media data in the employment screening context. The FTC alleged that the company was a consumer reporting agency and that it failed to comply with the FCRA’s requirements when it marketed consumer information to companies in the human resources, background screening, and recruiting industries.

Conflict in Circuit Courts

In Robins v. Spokeo, Inc., Thomas Robins had alleged several FCRA violations, including the reckless production of false information to potential employers. Robins did not allege he had suffered or was about to suffer any actual or imminent harm resulting from the information that was produced, raising only the possibility of a future injury.

The U.S. Court of Appeals for the Ninth Circuit, based in San Francisco, held that allegations of willful FCRA violations are sufficient to confer Article III standing to sue upon a plaintiff who suffers no concrete harm, and who therefore could not otherwise invoke the jurisdiction of a federal court, by authorizing a private right of action based on a bare violation of the statute. In other words, the consumer need not allege any resulting damage caused by a violation; the “knowing violation” of a consumer’s FCRA rights alone, the Ninth Circuit held, injures the consumer. The Ninth Circuit’s holding is consistent with other circuits that have addressed the issue. See e.g., Beaudry v. TeleCheck Servs., Inc., 579 F.3d 702, 705-07 (6th Cir. 2009). It refused to follow the U.S. Court of Appeals for the Eighth Circuit in finding that one “reasonable reading of the [FCRA] could still require proof of actual damages but simply substitute statutory rather than actual damages for the purpose of calculating the damage award.” Dowell v. Wells Fargo Bank, NA, 517 F.3d 1024, 1026 (8th Cir. 2008).

The constitutional question before the U.S. Supreme Court is the scope of Congress’ authority to confer Article III standing, particularly, whether a violation of consumers’ statutory rights under the FCRA is the type of injury for which Congress may create a private cause of action to redress. In Beaudry, the Sixth Circuit identified two limitations on Congress’ ability to confer standing:

  1. the plaintiff must be “among the injured,” and

  2. the statutory right must protect against harm to an individual rather than a collective.

The defendant companies in Beaudry provided check-verification services. They had failed to account for a change in the numbering system for Tennessee driver’s licenses. This led to reports incorrectly identifying consumers as first-time check-writers.

The Sixth Circuit did not require the plaintiffs in Beaudry to allege the consequential damages resulting from the incorrect information. Instead, it held that the FCRA “does not require a consumer to wait for consequential harm” (such as the denial of credit) before bringing suit under FCRA for failure to implement reasonable procedures in the preparation of consumer reports. The Ninth Circuit endorsed this position, holding that the other standing requirements of causation and redressability are satisfied “[w]hen the injury in fact is the violation of a statutory right that [is] inferred from the existence of a private cause of action.”

Authored by: Jason C. Gavejian and Tyler Philippi of Jackson Lewis P.C.

Jackson Lewis P.C. © 2015

CPSC & DOJ Sue Michaels Stores for Failing to Report Product Safety Hazard and Filing Misleading Information

Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

For the first time in recent memory, the Department of Justice (DOJ) and Consumer Product Safety Commission (CPSC) jointly announced the filing of a lawsuit in federal court for the imposition of a civil penalty and injunctive relief for violation of the Consumer Product Safety Act (CPSA). The lawsuit is against arts and crafts retailer Michaels Stores and its subsidiary Michaels Stores Procurement Co. Inc. (collectively, “Michaels” or “the Company”)  for failing to timely report a potential product safety hazard to the CPSC. Unlike other CPSC civil penalty actions involving DOJ, this penalty does not already have a negotiated consent decree in place and it appears that the case could be fully litigated.

The complaint alleges that Michaels knowingly violated the CPSA by failing to timely report to the CPSC that the glass walls of certain vases were too thin to withstand normal handling, thereby posing a laceration hazard to consumers.  According to the complaint, multiple consumers suffered injuries, including nerve damage and hand surgeries, from 2007 to late 2009.

Michaels allegedly did not report the potential defect to the Commission until February 2010.  Of course, we only know one side of the allegations, and Michaels will respond to those allegations in the coming weeks. The Company did state that “it believes the facts will show it acted promptly and appropriately.”

Notably, the complaint also alleges that when Michaels filed an initial report with the CPSC in 2010, it provided “only the limited information required to be furnished by distributors and retailers” under the CPSA.  However, and critically, as the complaint sets forth in more detail, manufacturers—whose definition under the CPSA includes importers of record—are required to provide more information to the Commission than retailers.

According to the government, Michaels’ report conveyed the false impression that the Company did not import the vases, even though the Company was the importer of record and thus was required to submit significantly more information as the manufacturer of the vases.  The lawsuit alleges that Michaels made this misrepresentation in order to avoid the responsibility of undertaking a product recall.

As for the remedy, the government is seeking a civil penalty (in an unidentified amount) and various forms of injunctive relief, including the enactment of a stringent compliance program to ensure future compliance with CPSC reporting obligations.  This requested relief is similar to what the CPSC has required in almost all civil penalty agreements with other companies over the past few years.

What makes this complaint so newsworthy is that the government and Michaels plan to litigate the imposition of a civil penalty.  As noted above, this is not a frequent occurrence because companies tend to settle civil penalty claims rather than litigate. Given how infrequently civil penalties are litigated and the lack of any legal precedent guiding civil penalty negotiations under the heightened $15 million penalty limits, any judgment likely would have a wide-ranging impact on all future civil penalty negotiations between companies and the CPSC.

As we have previously stated, we expect the Commission to remain active in 2015 in bringing enforcement actions against companies for violations of the CPSA and other safety statutes.

We will watch this case closely and update our readers on any noteworthy developments.

ARTICLE BY

Consumer Product Matters Blog

Junk Fax Act Compliance: One Week Left to Request a Waiver for Non-Compliance

McDermott Will & Emery

Thursday, April 30, 2015, marks the last day a business can request a retroactive waiver for failing to comply with certain fax advertising requirements promulgated by the Federal Communications Commission (FCC). The scope of these requirements was clarified on October 30, 2014, when the FCC issued an Order (2014 Order) under the Junk Fax Prevention Act of 2005 (Junk Fax Act). The 2014 Order confirms that senders of all advertising faxes must include information that allows recipients to opt out of receiving future faxes from that sender.

The 2014 Order clarifies certain aspects of the FCC’s 2006 Order under the Junk Fax Act (the Junk Fax Order). Among other requirements, the Junk Fax Order established the requirement that the sender of an advertising fax provide notice and contact information that allows a recipient to “opt out” of any future fax advertising transmissions.

Following the FCC’s publication of the Junk Fax Order, some businesses interpreted the opt-out requirements as not applying to advertising faxes sent with the recipient’s prior express permission (based on footnote 154 in the Junk Fax Order). The 2014 Order provided a six-month period for senders to comply with the opt-out requirements of the Junk Fax Order for faxes sent with the recipient’s prior express permission and to request retroactive relief for failing to comply. The six-month period ends on April 30, 2015. Without a waiver, the FCC noted that “any past or future failure to comply could subject entities to enforcement sanctions, including potential fines and forfeitures, and to private litigation.”

New Data Security Bill Seeks Uniformity in Protection of Consumers’ Personal Information

Morgan, Lewis & Bockius LLP.

Last week, House lawmakers floated a bipartisan bill titled the Data Security and Breach Notification Act (the Bill). The Bill comes on the heels of legislation proposed by US President Barack Obama, which we recently discussed in a previous post. The Bill would require certain entities that collect and maintain consumers’ personal information to maintain reasonable data security measures in light of the applicable context, to promptly investigate a security breach, and to notify affected individuals of the breach in detail. In our Contract Corner series, we have examined contract provisions related to cybersecurity, including addressing a security incident if one occurs.

Some notable aspects of the Bill include the following:

  • Notification to individuals affected by a breach would generally be required within 30 days after a company has begun taking investigatory and corrective measures (rather than based on the date of the breach’s discovery).

  • Notification to the Federal Trade Commission (FTC) and the Secret Service or the Federal Bureau of Investigation would be required if the number of individuals whose personal information was (or there is a reasonable basis to conclude was) leaked exceeds 10,000.

  • To advance uniform and consistently applied standards throughout the United States, the Bill would preempt state data security and notification laws. However, the scope of preemption continues to be discussed, and certain entities would be excluded from the Bill’s requirements, including entities subject to existing data security regulatory regimes (e.g., entities covered by the Health Insurance Portability and Accountability Act).

  • Violations of the Bill would be enforced by the FTC or state attorneys general (and not by a private right of action).

Online Behavioral Advertising: Industry Guides Require Real Time Notice When Data Are Collected or Used for Personalized Ads

Greenberg Traurig Law firm

WHAT’S COVERED?

Online behavioral advertising (OBA) has become a very common tool for commercial websites. OBA can be defined as follows:

the collection of data online from a particular computer or device regarding web viewing behaviors over time and across Web sites for the purpose of using such data to predict preferences or interests and to deliver advertising to that computer or device presumed to be of interest to the user of the computer/device based on observed Web viewing behaviors.

OBA might be implemented by use of cookies directly on a company’s website by the company itself. Or it might occur through technology embedded in ads from other parties displayed on the company’s site. Either way, the operators of commercial websites need to be aware when OBA is occurring on their sites and should be taking steps to provide greater transparency about OBA occurring on their sites.

WHAT’S THE CONCERN?

While the use of OBA is largely unregulated by law in the U.S. at this time, its spread has generated concern among privacy advocates. Of particular concern is the gathering of data about consumers without their knowledge where such information is supposed to be anonymous but advances in technology make it more and more possible to link that information to individuals (not just devices) through combination with other information. Examples can include information about health conditions and other sensitive information gleaned by watching the sites a user visits, the searches he/she conducts, etc. Key characteristics of OBA include that it is: (a) invisible to the user; (b) hard to detect; and (c) resilient to being blocked or removed.

In an effort to stave off government regulation of OBA in the United States, the Digital Advertising Alliance (DAA), a consortium of the leading advertising trade associations, has instituted a leading set of guidelines. Based on standards proposed by the Federal Trade Commission, the DAA Self-Regulatory Program is designed to give consumers enhanced control over the collection and use of data regarding their Internet viewing for OBA purposes.

WHAT’S REQUIRED?

The key principles of the DAA’s guides are to provide greater transparency to consumers to allow them to know when OBA is occurring and to provide the ability to opt out. For commercial website operators that allow OBA on their sites, the compliance implications are as follows:

  1. First Party OBA. First Parties are website operators/publishers. If a company simply gathers information for its own purposes on its own site, it is generally not covered by the guidelines. However, as soon as the First Party allows others to engage in OBA via the site, it has a duty to monitor and make sure that proper disclosures are being made and even to make the disclosures itself if the others do not do so, including assuring that “enhanced notice” (usually the icon discussed below or a similar statement) appears on every page of the First Party’s site where OBA is occurring.

  2. Third-Party OBA. Third parties are ad networks, data companies/brokers, and sometimes advertisers themselves, who engage in OBA through ads placed on other parties’ sites. These Third Parties should provide consumers with the ability to exercise choice with respect to the collection and use of data for OBA purposes. (See below on how to provide recommended disclosures.)

  3. Service Providers. These are providers of Internet access, search capability, browsers, apps or other tools that collect data about sites a user visits. Service Providers generally are expected to provide clear disclosure of OBA practices which may occur via their services, obtain consumer consent for such practices, and provide an easy-to-use opt-out mechanism.

HOW TO COMPLY

Generally, Third Parties and Service Providers should give clear, meaningful, and prominent notice on their own websites that describes their OBA data collection and use practices. Such notice should include clear descriptions that include:

  • The types of data collected online, including any PII for OBA purposes;

  • The uses of such data, including whether the data will be transferred to a nonaffiliate for OBA purposes;

  • An easy to use mechanism for exercising choice with respect to the collection and use of the data for OBA purposes or to the transfer of such data to a nonaffiliate for such purpose; and

  • The fact that the entity adheres to OBA principles.

In addition, “enhanced notice” should appear on each and every ad (or page) where OBA is occurring. The “enhanced notice” means more than just traditional disclosure in a privacy policy. It means placement of a notice on the page/ad where OBA is occurring. The notice typically is given in the form of the following icon (in blue color) which should link to a DAA page describing OBA practices and providing an easy-to-use opt-out mechanism:

[Icon: online behavioral advertising]

The icon/link should appear in or around each ad where data are collected. Alternatively, it can appear on each page of a website on which any OBA ads are being served. It is normally the duty of the advertisers (Third Parties) to deploy the icon. However, if they fail to do so, then the operator of the site where the OBA ads appear has the duty to make appropriate real-time disclosures about OBA on each page where OBA activity is occurring, including links to the DAA page describing OBA practices and providing an easy-to-use opt-out mechanism.

ENFORCEMENT

The DAA is taking its OBA guidelines seriously. It has issued sets of “compliance warnings” to many major U.S. companies. While DAA has no direct authority to impose fines or penalties, its issuance of a ruling finding a violation of its guidelines could create a tempting target for the FTC or plaintiffs’ class action lawyers to bring separate actions against a company not following the DAA guidelines. For all these reasons, operators of websites employing OBA (either first party or third party) should pay heed to the DAA Guidelines.

California To Expand Its Data Breach Notification Rules

Sheppard Mullin Law Firm

California has broadened its data breach notification statutes in response to the increasing number of large data breaches of customer information.  AB 1710, which Governor Jerry Brown signed into law, amends California’s Data Breach Notification Law to (1) ban the sale, advertising for sale or offering for sale of social security numbers, (2) extend the existing data-security law and obligations applicable to entities that own or license customer information to entities that “maintain” the information, and (3) require that if the person or business providing notification of a breach under the statute was the source of the breach then the notice must include an offer to provide appropriate identity theft prevention and mitigation services, if any, at no cost for 12 months along with any information necessary to take advantage of the offer.  The last of these amendments has spurred some debate over whether the statute actually mandates an offer of credit monitoring or other services given its use of the phrase “if any.”  It is also unclear what exactly is intended by or who qualifies as “the source of the breach.”

The use and placement of the phrase “if any” in the statute does create some ambiguity.  The statute, however, speaks in mandatory terms when it states the notification “shall include” an offer of these services.  Its plain language also suggests the phrase “if any” is directed to the question of whether appropriate identity theft or mitigation services exist and are available – not whether or not they must be offered.  A review of the measure’s legislative history confirms this.  The Committee analyses all discuss this element of the statute as “requiring” an offer of services.  Indeed, the legislative analysis immediately following the addition of the phrase “if any” defined the problem under existing law to be that it does not require any prevention or mitigation steps and states that this measure (AB 1710) addresses this issue by requiring an offer of appropriate “identity theft prevention and mitigation services, if any are available,…”  This interpretation is also consistent with the fact that an offer is only required when the breach involves disclosure of highly sensitive information that tends to lead to identity theft or credit card fraud, i.e., the customer’s social security, driver’s license or California identification number.

The standard of whether or not such services would, to some degree, be appropriate will not likely be the primary conversation that this amendment sparks.  The more lively topic will likely be who is the “source of the breach” (and even then the offer is only required when you are both the source of the breach and the party giving notice under the statute) and what standards apply for determining “appropriate” services.  The legislative history is not equally helpful on these questions.  Thus, until the scope of this new requirement becomes clearer, businesses involved in a breach under the statute need to carefully think through the risks of offering certain services when providing notice.

These new rules take effect on January 1, 2015.