Connected products can make the world a safer place: electronic sensors in the home can detect problems and send smartphone notifications to the homeowner; smart alert devices can notify family members or home help companies that an elderly person has fallen and needs assistance. But with over 64 billion connected products in the marketplace, there is a concern that connected devices could introduce hazards that might lead to a risk of injury due to problems with software updates or customization, faulty connections, and even consumer modifications.
As the body charged with overseeing consumer product safety in the U.S., over the last few years, the Consumer Product Safety Commission (CPSC) has shown an increasing interest in defining its role with regard to connected products. In May 2018, the CPSC held a public hearing on IoT, obtaining feedback from a range of stakeholders on potential risks of connected consumer products and the agency’s role. In late September, CPSC staff submitted to the Commission a status report outlining the CPSC’s work on consumer product IoT issues since the public hearing. The report also outlines how CPSC staff understands the agency’s role, which is safeguarding consumers from potential physical product risks, as well as how its work intersects with the jurisdiction of other agencies as they oversee connected products.
The report notes that this is an ongoing process, stating that CPSC staff is working on “how to define consumer product safety in terms of the IoT, the intersection of, and interdependencies among, consumer product safety, data security and privacy, and how our traditional risk management approaches apply to connected products.” The report acknowledges that privacy and data security are not within CPSC’s jurisdiction, but noted that at least one participant in CPSC’s 2018 hearing warned that “CPSC should pay attention to certain cybersecurity threats that create opportunities for physical harm, a risk not previously considered, and resist creating any prescriptive rules for IoT devices.”
To increase institutional knowledge of IoT benefits and challenges, CPSC has dedicated resources to develop its staff’s expertise. CPSC has also participated in developing voluntary standards, has taken a leadership role in establishing an interagency IoT working group, and has been developing its capability to simulate home networks at its laboratory.
The staff report outlines three ongoing internal projects relating to IoT. The first involves developing a methodology for assessing safety-related implications arising out of software and firmware updates to connected products. This project is at what CPSC views as the intersection of product safety and data security and potential “hazardization” of connected products as a result of data vulnerabilities. CPSC is also looking at connected heating appliances and the risks associated with their remote activation. Finally, CPSC is studying smart toys “in an effort to identify physical safety hazards.” It is surprising that CPSC staff would dedicate resources to toys as opposed to other products, like in-home safety devices, since the physical safety of toys is strictly regulated by the mandatory toy safety standard, ASTM F-963. The likelihood of physical hazardization of toys is far lower than, for example, that of connected home security devices and sensors. In those categories, connectivity, and thus security breaches that affect the operation of those devices, may be directly related to both safety risks and advantages. Indeed, home safety devices are a category in which we have actually seen CPSC recall activity.
The report notes that CPSC is engaging in product safety assessments of connected and shared e-scooters. This is likely in response to reports of e-scooters that were vulnerable to hacking. The emerging hazards of micro-mobility devices such as shared e-scooters are also a focus of CPSC’s Operating Plan for Fiscal Year 2020 and represent another product category that appears to be more vulnerable to hazardization than connected toys.
CPSC staff intended to develop a best practices guide for industry and consumers on connected products, which was an enumerated project in the proposed Operating Plan for Fiscal Year 2020. However, an amendment introduced by Commissioner Feldman focuses CPSC’s resources on IoT intergovernmental work instead. Given the report’s acknowledgment that the agency is still working to develop staff expertise in IoT, attempting to create such a guide appears premature at this juncture.
The sharp increase in the number of connected devices in the market means it is necessary and appropriate for CPSC to continue to build expertise on IoT issues, even though very few examples of actual product safety hazards attributable to some type of connectivity failures exist. It would be useful for CPSC to focus its efforts and resources on product categories that pose a higher potential risk to the physical safety of consumers through hazardization or failure as a result of connectivity, without overstating potential risks. It is encouraging that through the intergovernmental initiatives a variety of federal agencies are working collaboratively to better understand the various consumer protection issues potentially raised by connected products that fit within their respective jurisdictions.
On October 10, 2019, the California Attorney General released the highly anticipated draft regulations for the California Consumer Privacy Act (CCPA). The regulations focus heavily on three main areas: 1) notices to consumers, 2) consumer requests and 3) verification requirements. While the regulations focus heavily on these three topics, they also discuss special rules for minors, non-discrimination standards and other aspects of the CCPA. Despite high hopes, the regulations do not provide the clarity many companies desired. Instead, the regulations layer on new requirements while sprinkling in further ambiguities.
The most surprising new requirements proposed in the regulations include:
New disclosure requirements for businesses that collect personal information from more than 4,000,000 consumers
Businesses must acknowledge the receipt of consumer requests within 10 days
Businesses must honor “Do Not Sell” requests within 15 days and inform any third parties who received the personal information of the request within 90 days
Businesses must obtain consumer consent to use personal information for a use not disclosed at the time of collection
The following are additional highlights from each of the three main areas:
1. Notices to consumers
The regulations discuss four types of notices to consumers: notice at the time of collection, notice of the right to opt-out of the sale of personal information, notice of financial incentives and a privacy policy. All required notices must be:
Easy to read in plain, straightforward language
In a format that draws the consumer’s attention to the notice
Accessible to those with disabilities
Available in all languages in which the company regularly conducts business
The regulations make clear that it is necessary, but not sufficient, to update your privacy policy to be compliant with CCPA. You must also provide notice to consumers at the time of data collection, which must be visible and accessible before any personal information is collected. The regulations make clear that no personal information may be collected without proper notice. You may use your privacy policy as the notice at the time of collection, but you must link to a specific section of your privacy policy that provides the statutorily required notice.
The regulations specifically provide that for offline collection, businesses could provide a paper version of the notice or post prominent signage. Similar to General Data Protection Regulation (GDPR), a company may only use personal information for the purposes identified at the time of collection. Otherwise, the business must obtain explicit consent to use the personal information for a new purpose.
In addition to the privacy policy requirements in the statute itself, the regulations require more privacy policy disclosures. For example, the business must include instructions on how to verify a consumer request and how to exercise consumer rights through an agent. Further, the privacy policy must identify the following information for each category of personal information collected: the sources of the information, how the information is used and the categories of third parties to whom the information is disclosed. For businesses that collect personal information of 4,000,000 or more consumers, the regulations require additional disclosures related to the number of consumer requests and the average response times. Given the additional nuances of the disclosure requirements, we recommend working with counsel to develop your privacy policy.
If a business provides financial incentives to a consumer for allowing the sale of their personal information, then the business must provide a notice of the financial incentive. The notice must include a description of the incentive, its material terms, instructions on how to opt-in to the incentive, how to withdraw from the incentive and an explanation of why the incentive is permitted by CCPA.
Finally, the regulations state that service providers that collect personal information on behalf of a business may not use that personal information for their own purposes. Instead, they are limited to performing only their obligations under the contract between the business and service provider. The contract between the parties must also include the provisions described in CCPA to ensure that the relationship is a service provider/business relationship, and not a sale of personal information between a business and third party.
2. Consumer requests
Businesses must provide at least two methods for consumers to submit requests (most commonly an online form and a toll-free number), and one of the methods must reflect the manner in which the business primarily interacts with the consumer. In addition, businesses that substantially interact with consumers offline must provide an offline method for consumers to exercise their right to opt-out, such as providing a paper form. The regulations specifically call out that in-person retailers may therefore need three methods: a paper form, an online form and a toll-free number.
The regulations do limit some consumer request rights by prohibiting the disclosure of Social Security numbers, driver’s license numbers, financial account numbers, medical-related identification numbers, passwords, and security questions and answers. Presumably, this is for two reasons: the individual should already know this information and most of these types of information are subject to exemptions from CCPA.
One of the most notable clarifications related to requests is that the 45-day timeline to respond to a consumer request includes any time required to verify the request. Additionally, the regulations introduce a new timeline requirement for consumer requests. Specifically, businesses must confirm receipt of a request within 10 days. Another new requirement is that businesses must respond to opt-out requests within 15 days and must inform all third parties to stop selling the consumer’s information within 90 days. Further, the regulations require that businesses maintain request records logs for 24 months.
3. Verification requirements
The most helpful guidance in the regulations relates to verification requests. The regulations provide that a more rigorous verification process should apply to more sensitive information. That is, businesses should not release sensitive information without being highly certain about the identity of the individual requesting the information. Businesses should, where possible, avoid collecting new personal information during the verification process and should instead rely on confirming information already in the business’ possession. Verification can be through a password-protected account provided that consumers re-authenticate themselves. For websites that provision accounts to users, requests must be made through that account. Matching two data points provided by the consumer with data points maintained by the business constitutes verification to a reasonable degree of certainty, and the matching of three data points constitutes a high degree of certainty.
The regulations also provide prescriptive steps of what to do in cases where an identity cannot be verified. For example, if a business cannot verify the identity of a person making a request for access, then the business may proceed as if the consumer requested disclosure of only the categories of personal information, as opposed to the content of such personal information. If a business cannot verify a request for deletion, then the business should treat the request as one to opt-out of the sale of personal information.
Next steps
These draft regulations add new wrinkles, and some clarity, to what is required for CCPA compliance. As we move closer to January 1, 2020, companies should continue to focus on preparing compliant disclosures and notices, finalizing their privacy policies and establishing procedures to handle consumer requests. Despite the need to press forward on compliance, the regulations are open to initial public comment until December 6, 2019, with a promise to finalize the regulations in the spring of 2020. We expect further clarity as these draft regulations go through the comment process and privacy professionals, attorneys, businesses and other stakeholders weigh in on their clarity and reasonableness.
The CDC announced that 77% of the injured vapers were using e-cigarettes with tobacco and THC products, and 17% were using only nicotine. The CDC partnered with state-based health care services and research hospitals to try to determine the cause of the recent spike in vaping lung damage cases.
The Mayo Clinic of Arizona is one of the first to release data derived from recent cases. The research team tested lung biopsy samples from 17 patients, including two who have since died from the condition. All 17 biopsies suggested that the lung injuries were most likely caused by “direct toxicity or tissue damage from noxious chemical fumes.” These fumes are generated from the vaporized e-cigarette liquids. Researchers said it does not appear that the build-up of lipids, reported earlier as a possible cause of the lung damage, was a factor in these 17 patients.
According to Dr. Larsen, the senior author of the study, “It would seem prudent based on our observations to explore ways to better regulate the industry and better educate the public, especially our youth, about the risks associated with vaping.”
The past year has seen a proliferation of lawsuits alleging that food product labels mislead consumers about the product’s ingredients. The trend continued last month, with decisions from the Court of Appeals for the First Circuit and one of its district courts reaching different results on motions to dismiss complaints alleging deceptive food labels.
Last month, the First Circuit reinstated a class action lawsuit against New England Coffee for violation of Massachusetts’ consumer protection laws related to the coffee brand’s label for “Hazelnut Crème” coffee. Dumont v. Reily Foods, 18-2055 (1st Cir. Aug. 8, 2019). Plaintiff alleged that the product name was deceptive because the product did not contain hazelnuts. A Massachusetts federal district court judge dismissed the suit because the complaint lacked sufficient particularized facts to satisfy the heightened pleading standard for fraud allegations.
The First Circuit reversed in a 2-1 decision. The majority noted that although the ingredient list on the product package’s back label read “100% Arabica Coffee Naturally and Artificially Flavored,” reasonable consumers might take different approaches in determining whether the coffee actually contained real hazelnuts. One might check the list of ingredients to ensure the coffee contained hazelnut while others may not, instead relying on the name of the product, without searching the ingredient list, “much like one might easily buy a hazelnut cake without studying the ingredients list to confirm that the cake actually contains some hazelnut.” The majority accordingly concluded that whether the product name implied that the product contained hazelnuts was better suited for resolution “from six jurors, rather than three judges.” In dissent, Circuit Judge Lynch argued that “a reasonable consumer plainly could not view the phrase ‘Hazelnut Crème’ as announcing the presence of actual hazelnut in a bag of coffee which also proclaims it is ‘100% Arabica Coffee.’”
Neither opinion is especially persuasive. As for the dissent, hazelnuts are not coffee, and the fact that a coffee product called “Hazelnut Crème” is said to contain 100% Arabica Coffee does not reasonably rule out the possibility that the product contains hazelnuts. By the same token, however, other courts have concluded that reasonable consumers do not ignore a product’s prominently displayed ingredient list when information on the front label may be viewed as ambiguous concerning whether an ingredient is or is not contained in the product. See, e.g., Jessani et al. v. Monini North America, which one of the authors litigated and which this blog covered. To the extent the Dumont majority suggests otherwise, the opinion would be misguided. That said, whereas the olive oil product in Monini was labeled as “truffle flavored,” here, there was no modifier to suggest that the coffee in question simply tasted, or smelled, like hazelnuts. In such cases, perhaps, one could conclude that the front label lacked ambiguity, and thus would not compel prospective purchasers to search the label further.
Less than a week after the First Circuit’s Dumont decision, Judge Alison Burroughs of the District of Massachusetts tossed a putative class action suit alleging that the advertising and packaging of the cereal “Honey Bunches of Oats” falsely suggested it was sweetened only or primarily with honey, when in fact the main sweeteners are sugar, brown sugar, and corn syrup. Lima v. Post Consumer Brands, 18-12100 (D. Mass. Aug. 13, 2019). The plaintiffs pointed to images of a sun, bee, and honey dipper as representing that honey was the principal sweetener in the cereal. They also cited surveys showing that most consumers believe honey is “better for you than sugar” and that approximately half of consumers are willing to pay more for foods that are primarily sweetened with honey.
In concluding that the consumers failed to state a claim, Judge Burroughs found that plaintiffs had offered no reasonable basis for their alleged belief that the honey references on the packaging implied that honey was the primary sweetener in the cereal rather than simply one of its primary flavors. In addition, even assuming the packaging could be viewed as portraying honey to be an ingredient instead of or as well as a flavor, Judge Burroughs found that plaintiffs still failed to state a claim. She noted that, unlike the “Hazelnut Crème” product in Dumont that did not contain any hazelnut, Honey Bunches of Oats did, in fact, contain honey. She also distinguished the case from Mantikas v. Kellogg, in which the Second Circuit found that a “made with whole grain” claim could imply that the product contained more whole wheat flour than white flour. Here, according to Judge Burroughs, the mere references to honey on the package carried no implication that honey was the primary sweetener, and a reasonable consumer concerned about how the cereal was sweetened would have consulted the cereal’s list of ingredients.
If nothing else, these cases underscore the fact-specific nature of the inquiry as to what product labels imply about their ingredients.
The most comprehensive data privacy law in the United States, the California Consumer Privacy Act (CCPA), will take effect on January 1, 2020. The CCPA is an expansive step in U.S. data privacy law, as it enumerates new consumer rights regarding collection and use of personal information, along with corresponding duties for businesses that trade in such information.
While the CCPA is a state law, its scope is sufficiently broad that it will apply to many businesses that may not currently consider themselves to be under the purview of California law. In addition, in the wake of the CCPA, at least a dozen other states have introduced their own comprehensive data privacy legislation, and there is heightened consideration and support for a federal law to address similar issues.
Below, we examine the contours of the CCPA to help you better understand the applicability and requirements of the new law. While portions of the CCPA remain subject to further clarification, the inevitable challenges of compliance, coupled with the growing appetite for stricter data privacy laws in the United States generally, mean that now is the time to ensure that your organization is prepared for the CCPA.
Does the CCPA apply to my business?
Many businesses may rightly wonder if a California law even applies to them, especially if they do not have operations in California. As indicated above, however, the CCPA is not necessarily limited in scope to businesses physically located in California. The law will have an impact throughout the United States and, indeed, worldwide.
The CCPA will have broad reach because it applies to each for-profit business that collects consumers’ personal information, does business in California, and satisfies at least one of three thresholds:
Has annual gross revenues in excess of $25 million; or
Alone or in combination, annually buys, receives for commercial purposes, sells, or shares for commercial purposes, the personal information of 50,000 or more California consumers; or
Derives 50 percent or more of its annual revenues from selling consumers’ personal information
While the CCPA is limited in its application to California consumers, due to the size of the California economy and its population numbers, the act will effectively apply to any data-driven business with operations in the United States.
What is considered “personal information” under the CCPA?
The CCPA’s definition of “personal information” is likely the most expansive interpretation of the term in U.S. privacy law. Per the text of the law, personal information is any “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
The CCPA goes on to note that while traditional personal identifiers such as name, address, Social Security number, passport, and the like are certainly personal information, so are a number of other categories that may not immediately come to mind, including professional or employment-related information, geolocation data, biometric data, educational information, internet activity, and even inferences drawn from the sorts of data identified above.
As a practical matter, if your business collects any information that could reasonably be linked back to an individual consumer, then you are likely collecting personal information according to the CCPA.
When does a business “collect” personal information under the CCPA?
To “collect” or the “collection” of personal information under the CCPA is any act of “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means.” Such collection can be active or passive, direct from the consumer or via the purchase of consumer data sets. If your business is collecting personal information directly from consumers, then at or before the point of collection the CCPA imposes a notice obligation on your business to inform consumers about the categories of information to be collected and the purposes for which such information will (or may) be used.
To reiterate, if your business collects any information that could reasonably be linked back to an individual, then you are likely collecting personal information according to the CCPA.
If a business collects personal information but never sells any of it, does the CCPA still apply?
Yes. While there are additional consumer rights related to the sale of personal information, the CCPA applies to businesses that collect personal information solely for internal purposes, or that otherwise do not disclose such information.
What new rights does the CCPA give to California consumers?
The CCPA gives California consumers four primary new rights: the right to receive information on privacy practices and access information, the right to demand deletion of their personal information, the right to prohibit the sale of their information, and the right not to be subject to price discrimination based on their invocation of any of the new rights specified above.
What new obligations does a business have regarding these new consumer rights?
Businesses that fall under the purview of the CCPA have a number of new obligations under the law:
A business must take certain steps to assist individual consumers with exercising their rights under the CCPA. This must be accomplished by providing a link on the business’s homepage titled “Do Not Sell My Personal Information” and a separate landing page for the same. In addition, a business must update its privacy policy (or policies), or a California-specific portion of the privacy policy, to include a separate link to the new “Do Not Sell My Personal Information” page.
A business also must provide at least two mechanisms for consumers to exercise their CCPA rights by offering, at a minimum, a dedicated web page for receiving and processing such requests (the CCPA is silent on whether this web page must be separate from or can be combined with the “Do Not Sell My Personal Information” page), and a toll-free 800 number to receive the same.
Upon receipt of a verified consumer request to delete personal information, the business must delete that consumer’s personal information within 45 days.
Upon receipt of a verified consumer request for information about the collection of that consumer’s personal information, a business must provide the consumer with a report within 45 days that includes the following information from the preceding 12 months:
Categories of personal information that the business has collected about the consumer;
Specific pieces of personal information that the business possesses about the consumer;
Categories of sources from which the business received personal information about the consumer;
A corporate statement detailing the commercial reason (or reasons) that the business collected such personal information about the consumer; and
The categories of third parties with whom the business has shared the consumer’s personal information.
Upon receipt of a verified consumer request for information about the sale of that consumer’s personal information, a business must provide the consumer with a report within 45 days that includes the following information from the preceding 12 months:
Categories of personal information that the business has collected about the consumer;
Categories of personal information that the business has sold about the consumer;
Categories of third parties to whom the business has sold the consumer’s personal information; and
The categories of personal information about the consumer that the business disclosed to a third party (or parties) for a business purpose.
Finally, a business must further update its privacy policy (or policies), or the California-specific section of such policy(s), to:
Identify all new rights afforded consumers by the CCPA;
Identify the categories of personal information that the business has collected in the preceding 12 months;
Include a corporate statement detailing the commercial reason (or reasons) that the business collected such personal information about the consumer;
Identify the categories of personal information that the business has sold in the prior 12 months, or the fact that the business has not sold any such personal information in that time; and
Note the categories of third parties with whom a business has shared personal information in the preceding 12 months.
What about employee data gathered by employers for internal workplace purposes?
As currently drafted, nothing in the CCPA carves out an exception for employee data gathered by employers. A “consumer” is simply defined as a “natural person who is a California resident …,” so the law would presumably treat employees like anyone else. However, the California legislature recently passed Bill AB 25, which excludes from the CCPA information collected about a person by a business while the person is acting as a job applicant, employee, owner, officer, director, or contractor of the business, to the extent that information is collected and used exclusively in the employment context. Bill AB 25 also provides an exception for emergency contact information and other information pertaining to the administration of employee benefits. The bill awaits the governor’s signature – he has until October 13, 2019 to sign.
But not so fast – Bill AB 25 only creates a one-year reprieve for employers, rather than a permanent exception. The exceptions listed above will expire on January 1, 2021. By that time, the legislature may choose to extend the exceptions indefinitely, or businesses should be prepared to fully comply with the CCPA.
California employers would thus be wise to start considering the type of employee data they collect, and whether that information may eventually become subject to the CCPA’s requirements (either on January 1, 2021 or thereafter). Personal information is likely to be present in an employee’s job application, browsing history, and information related to payroll processing, to name a few areas. It also includes biometric data, such as fingerprints scanned for time-keeping purposes. Employers who collect employees’ biometric information, for example, would be well advised to review their biometric policies so that eventual compliance with the CCPA can be achieved gradually during this one-year grace period.
Notwithstanding this new legislation, there remains little clarity as to how the law will ultimately be applied in the employer-employee context, if and when the exceptions expire. Employers are encouraged to err on the side of caution and to reach out to experienced legal counsel for further guidance if they satisfy any one of the above thresholds.
What are the penalties for violation of the CCPA?
Violations of the CCPA are enforced by the California Attorney General’s office, which can issue civil monetary fines of up to $2,500 per violation, or $7,500 for each intentional violation. Currently, the California AG’s office must provide notice of any alleged violation and allow for a 30-day cure period before issuing any fine.
Are there any exceptions to the CCPA?
Yes, there are a number of exceptions. First, the CCPA only applies to California consumers and businesses that meet the threshold(s) identified above. If a business operates or conducts a transaction wholly outside of California then the CCPA does not apply.
There are also certain enumerated exceptions to account for federal law, such that the CCPA is pre-empted by HIPAA, the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act as it applies to personal information sold to or purchased from a credit reporting agency, and information subject to the Driver’s Privacy Protection Act.
Would it be fair to say that the CCPA is not very clear, and maybe even a bit confusing?
Yes, it would. The CCPA was drafted, debated, and enacted into law very quickly in the face of some legislative and ballot-driven pressures. As a result, the bill as enacted is a bit confusing and even contains sections that appear to contradict its other parts. The drafters of the CCPA, however, recognized this and have included provisions for the California AG’s office to provide further guidance on its intent and meaning. Amendment efforts also remain underway. As such, it is likely that the CCPA will be an evolving law for at least the short term.
Regardless, the CCPA will impose real-world requirements effective January 1, 2020, and the new wave of consumer privacy legislation it has inspired at the state and federal level is likely to bring even more of the same. It is important to address these issues now, rather than when it is too late.
Within the past decade, regular tobacco users have turned to electronic cigarettes in an effort to wean off of traditional cigarettes, believing them to be a safer option for human health. E-cigarettes, also known as nicotine vaporizers, vaporizer cigarettes, or simply vape pens, have grown in popularity over the past several years, partially driven by the debut of Juul’s e-cig devices in 2015. Now, Juul Labs is a leading manufacturer of e-cigarette devices and e-liquid flavors nationwide. Despite its growing popularity, especially among teens and young adults, Juul has been at the center of several consumer legal battles, most of which allege that Juul’s e-cig devices are extremely detrimental to users’ health. Several suits have been filed by parents or guardians on behalf of teenage children.
Several consumers have accused Juul Labs of deliberately marketing its products to appeal to the younger generation. A lawsuit recently filed by the father of a Carmel, Indiana teen in the U.S. District Court in Indianapolis alleged that his son was enticed by the rainbow colors and fruity flavors of Juul’s e-cigarette products, which contained excessive levels of nicotine. The teen later developed an intense nicotine addiction and fears that his addiction may lead to health problems throughout his life.
Other suits have similarly claimed that Juul specifically targets underage markets with its presence on several social media platforms and use of online influencers to attract teen users.
This is not the first attack against Juul’s advertising practices. Stanford University researchers evaluated Juul’s marketing campaigns over its first three years on the market, and the resulting impact on teens and young adults, in a January 2019 study.
By analyzing Juul’s website, social media platforms, hashtags, and customer campaign emails, the researchers concluded that, “Juul’s advertising imagery in its first [six] months on the market was patently youth oriented.” Though Juul representatives have repeatedly denied that the company intentionally targets a younger generation in its marketing, the study revealed how Juul, “continued to engage in advertising either targeted to youth…or by placing its promotional material preferentially in youth consumed media channels…”
Juul lawsuits have also been filed in response to defective vape batteries and device explosions. Juul’s e-cigarette products are operated by lithium-ion batteries, which can allegedly overheat and explode. In several instances, vape explosions have damaged users’ mouths, hands, and other body parts, causing burns, broken jaws, and even deaths. Treacy Gangi, for example, filed a lawsuit in November 2017 on behalf of her husband who was killed by an exploding e-cigarette, similar to a Juul device.
Another lawsuit recently filed by an Ohio mother on behalf of her two teen daughters claimed that Juul failed to warn its customers of the high levels of nicotine in its devices. The complaint stated that the twin daughters, who are now 16 years old, began vaping in 2016 and initially purchased the devices in a store that “knowingly sold e-cigarettes to underage customers.” The teens quickly became addicted to their e-cigarettes and were eventually vaping two Juul pods a day. According to the lawsuit, one Juul pod contains the same amount of nicotine as two packs of cigarettes.
Similar lawsuits have claimed that in addition to containing excessive levels of nicotine, Juul products are advertised as being a healthier alternative to traditional cigarettes. Recent cases, however, have shown that vaping Juul e-cigarettes is linked to a number of health conditions, including heart disease, lung damage, and seizures. The Centers for Disease Control and Prevention (CDC) is investigating the recent hospitalizations of more than 149 individuals whose health problems are linked to vaping. The patients, who are predominantly teens and young adults, reportedly developed severe lung illnesses that have been associated with vaping.
According to recent cases, vaping also puts users at risk of experiencing seizures, which is a known symptom of nicotine poisoning. The FDA has received about 127 reports of seizures linked to vaping since 2010, and issued a warning about the potential correlation between vaping and seizures (convulsions) in April 2019.
Amid a lack of research and information on the health risks of using e-cigarettes, an Illinois patient was reportedly the first to die of a lung illness that was associated with vaping. Health experts say that more research needs to be done in order to understand the health implications of vaping, before other users face a similar fate.
The Federal Trade Commission and the Ohio attorney general recently initiated legal action against a payment processor arising from alleged activities that enabled its customers to defraud consumers.
According to the FTC, the defendants generated and processed remotely created payment orders (“RCPOs”) or checks that allowed unscrupulous merchants, including deceptive telemarketing schemes, to withdraw money from their victims’ bank accounts.
The FTC’s Telemarketing Sales Rule (TSR) specifically prohibits the use of RCPOs in connection with telemarketing sales. RCPOs are created by the processor and result in debits to consumers’ bank accounts without a signature.
“To execute their payment processing scheme, Defendants open business checking accounts under various assumed names with banks and credit unions, the majority of which are local institutions,” according to the complaint. Within the last five years, the defendants opened at least 60 business checking accounts at 25 different financial institutions, mainly in Texas and Wisconsin, to enable their activity, the regulators said. “Defendants often misrepresent to the financial institution the type of business for which they open the account, and routinely fail to disclose the real reason for which they open the account—processing consumer payments for third-party merchants via RCPOs. Red flags about Defendants’ practices have led at least 15 financial institutions to close accounts opened by Defendants. When that happens, Defendants typically open new accounts with different financial institutions.”
According to the Ohio AG and FTC lawyers, the defendants specifically market their RCPO payment processing service to high-risk merchants. The complaint also alleges that the defendants are aware that some of their largest merchant clients sell their products or services through telemarketing.
The FTC and Ohio AG also allege that the defendants violated the TSR by charging consumers advance fees before providing any debt relief service, failing to identify timely and clearly the seller of the purported service in telemarketing calls, and failing to pay to access the FTC’s National Do Not Call Registry.
The Ohio AG had previously filed suit against the defendants for similar violations.
According to the FTC CID attorneys, the telemarketing operations that defendants supported included, among others, student debt relief schemes, and a credit interest reduction scheme. The FTC and Ohio allege that using RCPOs, the defendants have withdrawn more than $13 million from accounts of victims of these telemarketing operations since January 2016.
“The FTC will continue to pursue such schemes aggressively, and hold accountable payment processors that are complicit in the illegal conduct,” FTC lawyer Andrew Smith said in a statement about the case.
The complaint alleges violations of the FTC Act and Ohio state law, and seeks injunctive relief plus disgorgement of alleged ill-gotten gains.
At the same time, the FTC and state of Ohio filed another enforcement action against one of the processor’s biggest clients based in Canada and the Dominican Republic.
Federal and state regulators have shown a willingness to go after both merchants that engage in unfair and deceptive practices that are injurious to consumers and the payment processors that enable merchants to engage in such conduct.
The defendant New England Coffee Company sells a “Hazelnut Crème” coffee. The plaintiff sued because the coffee contains no nut – it’s all coffee, no nut, only nut flavored. The district court dismissed the complaint without leave to amend on the basis that the complaint wasn’t sufficiently specific. After rejecting that ground for dismissal and also rejecting a preemption argument, the majority noted that the defendants argued, as an alternative ground to support the dismissal, that the complaint’s factual allegations failed to state a plausible claim, and that’s the part of the decision that interests us.
Judge Kayatta, writing for himself and Judge Torruella, opined that whether the label was deceptive was a question of fact. While the label said it was “100% Arabica coffee” and listed no hazelnut as an ingredient, Judge Kayatta said that perhaps a reasonable factfinder could conclude the name of the product was sufficient, without having to read the “fine print,” “much like one might easily buy a hazelnut cake without studying the ingredients list to confirm that the cake actually contains some hazelnut.”
Responding to the dissent, Judge Kayatta wrote: “Our dissenting colleague [Judge Lynch] envisions a more erudite reader of labels, tipped off by the accent grave on the word “crème,” and armed perhaps with several dictionaries, a bit like a federal judge reading a statute. We are less confident that ‘common parlance’ would exhibit such linguistic precision. Indeed, we confess that one of us thought “crème” was a fancy word for cream, with Hazelnut Crème being akin, for example, to hazelnut butter, a product often found in another aisle of the supermarket.”
Judge Kayatta further wrote: “None of this is to say that our dissenting colleague’s reading is by any means unreasonable. To the contrary, we ourselves would likely land upon that reading were we in the grocery aisle with some time to peruse the package.”
In her dissent, Judge Lynch said that she disagreed with the majority that this presented a “close” question – in her view “a reasonable consumer plainly could not view the phrase ‘Hazelnut Crème’ as announcing the presence of actual hazelnut in a bag of coffee which also proclaims it is ‘100% Arabica Coffee.’” Aside from noting that the package ingredient list only said it included 100% Arabica coffee and never said it contained an actual nut, Judge Lynch explained how the word “Crème” means, both in the dictionary and in common parlance, a cream or cream sauce as used in cookery or a sweet liqueur, with the latter usually “used with the flavor specified” (citing Webster’s) – in short, “hazelnut Crème” clearly indicates a flavoring, not an ingredient. The majority’s hazelnut cake analogy was inapt because cakes are “made up of many ingredients.”
My thoughts on this opinion are, first, it sounds like a lively chambers discussion, and second, I wonder about the degree to which each of the members of the panel does his or her own grocery shopping, and, if so, whether he or she reads labels, and whether this, consciously or not, influenced their thinking.
Since according to the majority opinion, either Judge Kayatta or Judge Torruella thought “Hazelnut Crème” meant hazelnut butter (really? in coffee? And despite the fact no dairy product was listed on the label?), did the majority reason that it follows that a reasonable consumer could be confused, because obviously the members of the majority are reasonable consumers? As noted above, the majority stated that “we” would “likely” realize there was no actual hazelnut in the coffee “were we in the grocery aisle with some time to peruse the package.” Are they saying that’s not the reasonable consumer standard – someone with time to peruse a package? It’s unreasonable to have them look at the ingredients? Or is the majority saying “likely” isn’t good enough to avoid a jury question?
This week, the Federal Trade Commission (FTC) entered into a proposed settlement with Unrollme Inc. (“Unrollme”), a free personal email management service that offers to assist consumers in managing the flood of subscription emails in their inboxes. The FTC alleged that Unrollme made certain deceptive statements to consumers, who may have had privacy concerns, to persuade them to grant the company access to their email accounts. (In re Unrollme Inc., File No. 172 3139 (FTC proposed settlement announced Aug. 8, 2019)).
This settlement touches many relevant issues, including the delicate nature of online providers’ privacy practices relating to consumer data collection, the importance for consumers to comprehend the extent of data collection when signing up for and consenting to a new online service or app, and the need for downstream recipients of anonymized market data to understand how such data is collected and processed. (See also our prior post covering an enforcement action involving user geolocation data collected from a mobile weather app).
A quick glance at headlines announcing the settlement might give the impression that the FTC found Unrollme’s entire business model unlawful or deceptive, but that is not the case. As described below, the settlement involved only a subset of consumers who received allegedly deceptive emails to coax them into granting access to their email accounts. The model of providing free products or services in exchange for permission to collect user information for data-driven advertising or ancillary market research remains widespread, though could face some changes when California’s CCPA consumer choice options become effective or in the event Congress passes a comprehensive data privacy law.
As part of the Unrollme registration process, users grant Unrollme access to selected personal email accounts for decluttering purposes. However, this permission also allows Unrollme to access and scan inboxes for so-called “e-receipts” or emailed receipts from e-commerce transactions. After scanning users’ e-receipt data (which might include billing and shipping addresses and information about the purchased products or services), Unrollme’s parent company, Slice Technologies, Inc., would anonymize the data and package it into market research reports that are sold to various companies, retailers and others. According to the FTC complaint, when some consumers declined to grant permission to their email accounts during signup, Unrollme, during the relevant time period, tried to make them reconsider by sending allegedly deceptive statements about its access (e.g., “You need to authorize us to access your emails. Don’t worry, this is just to watch for those pesky newsletters, we’ll never touch your personal stuff”). The FTC claimed that such messages did not tell users that access to their inboxes would also be used to collect e-receipts and to package that data for sale to outside companies, and that thousands of consumers changed their minds and signed up for Unrollme.
As part of the settlement, Unrollme is prohibited from misrepresentations about the extent to which it accesses, collects, uses, stores or shares information in connection with its email management products. Unrollme must also send an email to all current users who enrolled in Unrollme after seeing the allegedly deceptive statements and explain Unrollme’s data collection and usage practices. Unrollme is also required to delete all e-receipt data obtained from recipients who enrolled in Unrollme after seeing the challenged statements (unless Unrollme receives affirmative consent to maintain such data from the affected consumers).
In an effort at increased transparency, Unrollme’s current home page displays several links to detailed explanations of how the service collects and analyzes user data (e.g., “How we use data”).
Interestingly, this is not the first time Unrollme’s practices have been challenged, as the company faced a privacy suit over its data mining practices last year. (See Cooper v. Slice Technologies, Inc., No. 17-7102 (S.D.N.Y. June 6, 2018) (dismissing a privacy suit that claimed that Unrollme did not adequately disclose to consumers the extent of its data mining practices, and finding that consumers consented to a privacy policy that expressly allowed such data collection to build market research products and services)).
Hyperconnectivity is a real phenomenon and it is changing the concerns of society because of the kinds of interactions that can be brought about by IoT devices, which could be: i) People to people; ii) People to things (objects, machines); iii) Things/machines to things/machines.
This gives rise to different issues for people. According to a European survey, 72% of EU Internet users worry that too much of their personal data is being shared online and that they have little control over what happens to this information[1]. It also raises inevitable ethical questions about people’s relationship with the technological environment.
The discussion on ethics that follows aims to provide a quick tour on general ethical principles and theories that are available as they may apply to IoT[2]. Law and ethics are overlapping, but ethics goes beyond law. Thus, a comparison of law and ethics is made and their differences are pointed out in the great work of Spyros G Tzafestas, who wrote Ethics and Law in the Internet of Things World. In this article, he considers that the risks and harms in a digital world are very high and complex, especially explaining those tech terms and their impact in our private life. Thus, it is of primary importance to review IoT and understand the limitations of protective legal, regulatory and ethical frameworks, in order to provide sound recommendations for maximizing good and minimizing harm[3].
Major data security concerns have also been raised with respect to ‘cloud’-supported IoT. Cloud computing (‘the cloud’) essentially consists of the concentration of resources, e.g. hardware and software, into a few physical locations by a cloud service provider (e.g. Amazon Web Service)[4]. We are living in a data-sharing storm and the economic impact of IoT’s cyber risks is increasing with the integration of digital infrastructure in the digital economy[5]. We are surrounded by devices which contain our data, for instance:
Wearable health technologies: wearable devices that continuously monitor the health status of a patient or gather real-world information about the patient such as heart rate, blood pressure, fever;
Wearable textile technologies: clothes that can change their color on demand or based on the biological condition of the wearer or according to the wearer’s emotions;
As a result of the serious impact IoT may have and because it involves a huge number of connected devices, it creates a new social, political, economic, and ethical landscape. Therefore, for a sustainable development of IoT, political and economic decision-making bodies have to develop proper regulations in order to be able to control the fair use of IoT in society.
In this sense, the most developed regions as regards establishing IoT Regulations and an ethical framework are the European Union and the United States both of which have enacted:
Legislation/regulations;
Ethics principles, rules and codes;
Standards/guidelines;
Contractual arrangements;
Regulations for the devices connected;
Regulations for the networks and their security; and
Regulations for the data associated with the devices.
In light of this, the next section will deal with Data Protection Regulations, Consumer Protection Acts, IoT and Cyber Risks Laws, Roadmap for Standardization of Regulations, Risk Maturity, Strategy Design and Impact Assessment related to the 2020 scenario, which is: 200 billion sensor devices and a market size that, by 2025, will be between $2.7 trillion and $3 trillion a year.
Europe
The Alliance for Internet of Things Innovation (AIOTI) was initiated by the European Commission in order to open a stream of dialogue between European stakeholders within the Internet of Things (IoT) market. The overall goal of this initiative was the creation of a dynamic European IoT ecosystem to unleash the potential of IoT.
In October 2015, the Alliance published 12 reports covering IoT policy and standards issues. It provided detailed recommendations for future collaborations in the Internet of Things Focus Area of the 2016-2017 Horizon 2020 programme[7].
The IoT regulation framework in Europe is a growth sector:
EU Directive-2013/40: this Directive deals with “Cybercrime” (i.e., attacks against information systems). It provides definitions of criminal offences and sets proper sanctions for attacks against information systems[8].
EU NIS Directive 2016/1148: this Network and Information Security (NIS) Directive concerns “Cybersecurity” issues. Its aim is to provide legal measures to assure a common overall level of cybersecurity (network/information security) in the EU, and an enhanced coordination degree among EU Members[9].
EU Directive 2014/53: this Directive “On the harmonization of the laws of the member states relating to the marketing of radio equipment”[10] is concerned with the standardization issue which is important for the joint and harmonized development of technology in the EU.
EU GDPR: European General Data Protection Regulation 2016/679: this regulation concerns privacy, ownership, and data protection and replaces EU DPR-2012. It provides a single set of rules directly applicable in the EU member states.
EU Connected Communities Initiative: this initiative concerns the IoT development infrastructure, and aims to collect information from the market about existing public and private connectivity projects that seek to provide high-speed broadband (more than 30 Mbps).
United States
A quick overview of the general US legislation that protects civil rights (employment, housing, privacy, information, data, etc.) includes:
Fair Housing Act (1968);
Fair Credit Reporting Act (1970);
Electronic Communication Privacy Act (1986), which is applied to service providers that transmit data;
Privacy Act (1974), which is based on the Fair Information Practice Principle (FIPP) Guidelines;
Breach Notification Rule which requires companies utilizing health data to notify consumers that are affected by the occurrence of any data breach; and
IoT Cybersecurity Improvement Act 2019: the Bill seeks “[t]o leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices.” In other words, this bill aims to shore up cybersecurity requirements for IoT devices purchased and used by the federal government, with the aim of affecting cybersecurity on IoT devices more broadly.
SB-327 Information privacy: connected devices: California’s new SB 327 law, which will take effect in January 2020, requires all “connected devices” to have a “reasonable security feature.”
The above legislation is general, and in principle can cover IoT activities, although it was not designed with IoT in mind. Legislation devoted particularly to IoT includes the following:
White House Initiative 2012: the purpose of this initiative is to specify a framework for protecting the privacy of the consumer in a networked world.
This initiative involves a report on a “Consumer Bill of Rights” which is based on the so-called “Fair Information Practice Principles” (FIPP). This includes two principles:
Respect for Context Principle: consumers have a right to insist that the collection, use, and disclosure of personal data by Companies is done in ways that are compatible with the context in which consumers provide the data;
Individual Control Principle: consumers have a right to exert control over the personal data companies collect from them or how they use it.
China
Where we start to see the most advanced picture is in China. In 2017, the Ministry of Industry and Information Technology (MIIT), China’s telecom regulator and industrial policy maker, issued the Circular on Comprehensively Advancing the Construction and Development of Mobile Internet of Things (NB-IoT) (MIIT Circular [2017] No. 351, the “Circular”), with the following approach in the opening provisions:
Building a wide-coverage, large-connect, low-power mobile Internet of Things (NB-IoT) infrastructure and developing applications based on NB-IoT technology will help promote the construction of network powers and manufacturing powers, and promote “mass entrepreneurship, innovation” and “Internet +” development. In order to further strengthen the IoT application infrastructure, promote the deployment of NB-IoT networks and expand industry applications, and accelerate the innovation and development of NB-IoT[11]
Nowadays China already has a large body of regulation on technological matters:
2015 State Council – China Computer Information System Security Protection Regulation (first in 1994);
2007 MPS – Management Method for Information Security Protection for Classified Levels;
2001 NPC Standing Committee – Resolution about Protection of Internet Security;
2012 NPC Standing Committee – Resolution about Enhance Network Information Protection;
July 2015: National Security Law – ‘secure and controllable’ systems and data security in critical infrastructure and key areas;
2014 MIIT – Guidance on Enhance Telecom and Internet Security;
2013 MIIT – Regulation about Telecom and Internet Personal Information Protection;
2014 China Banking Regulatory Commission – Guidance for Applying Secure and Controllable Information Technology to Enhance Banking Industry Cybersecurity and Informatization Development.
Further, as if this were not enough, the Chinese government is being proactive and has several important laws and regulations in the pipeline, as can be seen from the list below:
CAC: Administrative Measures on Internet Information Services;
CAC Rules on Security Protection for Critical Information Infrastructure;
Cybersecurity Law;
Cyber Sovereignty;
Security of Product and Service;
Security of Network Operation (Classified Levels Protection, Critical Infrastructure);
Data Security (Category, Personal Information);
Information Security.
Finally, China established, in 2016, the National Information Security Standardization Technical Committee and its current work is developing a Standardization – TC260 (IT Security) on Technical requirement for Industrial network protocol and general reference model and requirements for Machine-to-Machine (M2M) security.
Latin America
The Latin American countries have different levels of development and this sets up a huge asymmetry between the domestic legal frameworks. The following is a quick regulation overview on Latin American countries:
Brazil has the “National IoT Plan” (Decree N. 9.854/2019) that aims to ensure the development of public policies for this technology sector and members of Brazilian parliament presented the bill No. 7.656/17 with the purpose of eliminating tax charges on IoT products;
Colombia has a Draft of Law No. 152/2018 on the Modernization of the Information and Communication providing investments incentives to IT Techs (article 3);
Chile has a new Draft Law Boletín N° 12.192-25/2018 on cyber crimes and regulation on internet devices and hacker attacks;
In 2017, Argentina launched a Public Consultation on IoT regarding regulations that must be updated and how to get more security and improve the technological level of the country[12].
Most Promising Smart Environments
Smart environments are regarded as the space within which IoT devices interact, connected through a continuous network. Thus, smart environments aim to satisfy the experience of individuals in every environment, by replacing hazardous work, physical labor and repetitive tasks with automated agents. Generally speaking, sensors are the basis of these kinds of smart devices, with many different applications, e.g. Smart Parking, Waste Management, Smart Roads and Traffic Congestion, Air Pollution, River Floods, M2M Applications, Vehicle auto-diagnosis, Smart Farming, Energy and Water Uses, Medical and Health Smart applications, etc.[13]
Another way of looking at smart environments and assessing their relative capacity to produce business opportunities is to identify and examine the most important IoT use cases that are either already being exploited or will be fully exploited by 2020.
For the purposes of this article, the approach was restricted to sectors consisting of the most promising smart environments to be developed up to 2020 in the European Market as displayed in the Chart below:
The conclusions of the last report of the European Commission are impressive and can help to understand the continuous development of the IoT market and how every market has to comply with the law and they will emerge facing a regulatory avalanche as mentioned in item 2 on the Regulatory Ecosystem.
Final Considerations: IoT as Consumer Product Health and Safety
IoT safety is becoming more important every day. On the one hand, as mentioned above, most concerns for IoT safety are primarily in the areas of cyber-attacks, hacking, data privacy, and similar topics; what is better referred to as security than safety. On the other hand, it can be approached through the physical safety hazards which may result from the operation of consumer products in an IoT environment or system. IoT provides a new way to approach business and it is not restricted to one or another market or topic. It is a metatopic or metamarket showing different possibilities and applications, and it will spread in the near future.
In general, IoT products are electrical or electronic applications with a power source and a battery connected by a charging device. So long as the power source, batteries and charging devices are present we have the usual risks of electrical related hazards (fire, burns, electrical shock, etc.). Nonetheless, IoT makes matters more complicated as smart devices have the function to send commands and control devices in the real world.
IoT applications can switch the main electrical power of secondary products or can operate complex motor systems, and so on. They therefore have to be accurate and must meet minimum requirements to protect consumer health and safety. Risk assessment and hazard mitigation will have to adapt to IoT applications, developing new methods to assure regular standards of IoT usability. Traditional health and safety regulations will need to be brought up to date with this new technological reality to be effective at reducing safety hazards for consumer products.
To conclude, this article was intended to summarize two main issues: I) IoT as an increasing and cross topic market which will become a present reality closer to our daily lives; II) IoT will be regulated and become an important concern in consumer product health and safety.
[1] Nóra Ni Loideain. Port in the Data-Sharing Storm: The GDPR and the Internet of Things. King’s College London Dickson Poon School of Law Legal Studies Research Paper Series: Paper No. 2018-27, p. 2.
[4] Nóra Ni Loideain. Port in the Data-Sharing Storm: The GDPR and the Internet of Things. King’s College London Dickson Poon School of Law Legal Studies Research Paper Series: Paper No. 2018-27, p. 19.
[5] Petar Radanliev, David Charles De Roure and others. Definition of Internet of Things (IoT) Cyber Risk – Discussion on a Transformation Roadmap for Standardization of Regulations, Risk Maturity, Strategy Design and Impact Assessment. Oxford University. MPRA Paper No. 92569, March 2019, p. 1.