Within the past decade, regular tobacco users have turned to electronic cigarettes in an effort to wean off of traditional cigarettes, believing them to be a safer option for human health. E-cigarettes, also known as nicotine vaporizers, vaporizer cigarettes, or simply vape pens, have grown in popularity over the past several years, partially driven by the debut of Juul’s e-cig devices in 2015. Now, Juul Labs is a leading manufacturer of e-cigarette devices and e-liquid flavors nationwide. Despite its growing popularity, especially among teens and young adults, Juul has been at the center of several consumer legal battles, most of which allege that Juul’s e-cig devices are extremely detrimental to users’ health. Several suits have been filed by parents or guardians on behalf of teenage children.
Several consumers have accused Juul Labs of deliberately marketing its products to appeal to the younger generation. A lawsuit recently filed by the father of a Carmel, Indiana teen in the U.S. District Court in Indianapolis alleged that his son was enticed by the rainbow colors and fruity flavors of Juul’s e-cigarette products, which contained excessive levels of nicotine. The teen later developed an intense nicotine addiction and fears that his addiction may lead to health problems throughout his life.
Other suits have similarly claimed that Juul specifically targets underage markets with its presence on several social media platforms and use of online influencers to attract teen users.
This is not the first attack against Juul’s advertising practices. Stanford University researchers evaluated Juul’s marketing campaigns over its first three years on the market, and the resulting impact on teens and young adults, in a January 2019 study.
By analyzing Juul’s website, social media platforms, hashtags, and customer campaign emails, the researchers concluded that, “Juul’s advertising imagery in its first [six] months on the market was patently youth oriented.” Though Juul representatives have repeatedly denied that the company intentionally targets a younger generation in its marketing, the study revealed how Juul, “continued to engage in advertising either targeted to youth…or by placing its promotional material preferentially in youth consumed media channels…”
Juul lawsuits have also been filed in response to defective vape batteries and device explosions. Juul’s e-cigarette products are operated by lithium-ion batteries, which can allegedly overheat and explode. In several instances, vape explosions have damaged users’ mouths, hands, and other body parts, causing burns, broken jaws, and even deaths. Treacy Gangi, for example, filed a lawsuit in November 2017 on behalf of her husband who was killed by an exploding e-cigarette, similar to a Juul device.
Another lawsuit recently filed by an Ohio mother on behalf of her two teen daughters claimed that Juul failed to warn its customers of the high levels of nicotine in its devices. The complaint stated that the two twin daughters, who are now 16 years old, began vaping in 2016 and initially purchased the devices in a store that “knowingly sold e-cigarettes to underage customers.” The teens quickly became addicted to their e-cigarettes and were eventually vaping two Juul pods a day. According to the lawsuit, one Juul pod contains the same amount of nicotine as two packs of cigarettes.
Similar lawsuits have claimed that in addition to containing excessive levels of nicotine, Juul products are advertised as being a healthier alternative to traditional cigarettes. Recent cases, however, have shown that vaping Juul e-cigarettes is linked to a number of health conditions, including heart disease, lung damage, and seizures. The Centers for Disease Control and Prevention (CDC) is inspecting the recent hospitalizations of more than 149 individuals whose health problems are linked to vaping. The patients, who are predominantly teens and young adults, reportedly developed severe lung illnesses that have been associated with vaping.
According to recent cases, vaping also puts users at risk of experiencing seizures, which is a known symptom of nicotine poisoning. The FDA has received about 127 reports of seizures linked to vaping since 2010, and issued a warning about the potential correlation between vaping and seizures (convulsions) in April 2019.
Amid a lack of research and information on the health risks of using e-cigarettes, an Illinois patient was reportedly the first to die of a lung illness that was associated with vaping. Health experts say that more research needs to be done in order to understand the health implications of vaping, before other users face a similar fate.
The Federal Trade Commission and the Ohio attorney general recently initiated legal action against a payment processor arising from alleged activities that enabled its customers to defraud consumers.
According to the FTC, the defendants generated and processed remotely created payment orders (“RCPOs”) or checks that allowed unscrupulous merchants, including deceptive telemarketing schemes, to withdraw money from their victims’ bank accounts.
The FTC’s Telemarketing Sales Rules specifically prohibits the use of RCPOs in connection with telemarketing sales. RCPOs are created by the processor and result in debits to consumers’ bank accounts without a signature.
“To execute their payment processing scheme, Defendants open business checking accounts under various assumed names with banks and credit unions, the majority of which are local institutions,” according to the complaint. Within the last five years, the defendants opened at least 60 business checking accounts at 25 different financial institutions, mainly in Texas and Wisconsin, to enable their activity, the regulators said. “Defendants often misrepresent to the financial institution the type of business for which they open the account, and routinely fail to disclose the real reason for which they open the account—processing consumer payments for third-party merchants via RCPOs. Red flags about Defendants’ practices have led at least 15 financial institutions to close accounts opened by Defendants. When that happens, Defendants typically open new accounts with different financial institutions. ”
According to the Ohio AG and FTC lawyers, the defendants specifically market their RCPO payment processing service to high risk merchants. The complaint also alleges that the defendants are aware that some of their largest merchant- clients sell their products or services through telemarketing.
The FTC and Ohio AG also allege that the defendants violated the TSR by charging consumers advance fees before providing any debt relief service, failing to identify timely and clearly the seller of the purported service in telemarketing calls, and failing to pay to access the FTC’s National Do Not Call Registry.
The Ohio AG previously had previously filed suit against the defendants for similar violations.
According to the FTC CID attorneys, the telemarketing operations that defendants supported included, among others, student debt relief schemes, and a credit interest reduction scheme. The FTC and Ohio allege that using RCPOs, the defendants have withdrawn more than $13 million from accounts of victims of these telemarketing operations since January 2016.
“The FTC will continue to pursue such schemes aggressively, and hold accountable payment processors that are complicit in the illegal conduct,” FTC lawyer Andrew Smith said in a statement about the case.
The complaint alleges violations of the FTC Act and Ohio state law, and seeks injunctive relief plus disgorgement of alleged ill-gotten gains.
At the same time, the FTC and state of Ohio filed another enforcement action against one of the processor’s biggest clients based in Canada and the Dominican Republic.
Federal and state regulators have evidenced a willingness to both go after merchants that engage in unfair and deceptive practices that are injurious to consumers, as well as the payment processors that enable merchants to engage in such conduct.
The defendant New England Coffee Company sells a “Hazelnut Crème” coffee. The plaintiff sued because the coffee contains no nut – it’s all coffee, no nut, only nut flavored. The district court dismissed the complaint without leave to amend on the basis that the complaint wasn’t sufficiently specific. After rejecting that ground for dismissal and also rejecting a preemption argument, the majority noted that the defendants argued as an alternative ground to support the dismissal that the factual allegations complaint failed to state a plausible claim, and that’s the part of the decision that interests us.
Whether the label was deceptive, Judge Kayatta, writing for himself and Judge Torruella, opined was a question of fact. While the label said it was “100% Arabica coffee” and listed no hazelnut as an ingredient, Judge Kayatta said that perhaps a reasonable factfinder could conclude the name of the product was sufficient, without having to read the “fine print,” “much like one might easily buy a hazelnut cake without studying the ingredients list to confirm that the cake actually contains some hazelnut.”
Responding to the dissent, Judge Kayatta wrote: “Our dissenting colleague [Judge Lynch] envisions a more erudite reader of labels, tipped off by the accent grave on the word “crème,” and armed perhaps with several dictionaries, a bit like a federal judge reading a statute. We are less confident that ‘common parlance’ would exhibit such linguistic precision. Indeed, we confess that one of us thought “crème” was a fancy word for cream, with Hazelnut Crème being akin, for example, to hazelnut butter, a product often found in another aisle of the supermarket.”
Judge Kayatta further wrote: “None of this is to say that our dissenting colleague’s reading is by any means unreasonable. To the contrary, we ourselves would likely land upon that reading were we in the grocery aisle with some time to peruse the package.”
In her dissent, Judge Lynch said that she disagreed with the majority that this presented a “close” question – in her view “a reasonable consumer plainly could not view the phrase ‘Hazelnut Crème’ as announcing the presence of actual hazelnut in a bag of coffee which also proclaims it is ‘100% Arabica Coffee.’” Aside from noting that the package ingredient only said it included 100% Arabica coffee and never said it contained an actual nut, Judge Lynch explained how the word “Crème” means, both in the dictionary and in common parlance, a cream or cream sauce as used in cookery or a sweet liqueur, with the latter usually “used with the flavor specified” (citing Webster’s) – in short, “hazelnut Crème” clearly indicates a flavoring, not an ingredient. The majority’s hazelnut cake analogy was inapt because cakes are “made up of many ingredients.” .
My thoughts on this opinion are, first, it sounds like a lively chambers discussion, and second, I wonder about the degree to which each of the members of the panel does his or her own grocery shopping, and, if so, whether he or she reads labels, and whether this, consciously or not, influenced their thinking.
Since according to the majority opinion, either Judge Kayatta or Judge Torruella thought “Hazelnut Crème” meant hazelnut butter (really? in coffee? And despite the fact no dairy product was listed on the label?), did the majority reason that it follows that a reasonable consumer could be confused, because obviously the members of the majority are reasonable consumers? As noted above, the majority stated that “we” would “likely” realize there was no actual hazelnut in the coffee “were we in the grocery aisle with some time to peruse the package.” Are they saying that’s not the reasonable consumer standard –someone with time to peruse a package? It’s unreasonable to have them look at the ingredients? Or is the majority saying “likely” isn’t good enough to avoid a jury question?
This week, the Federal Trade Commission (FTC) entered into a proposed settlement with Unrollme Inc. (“Unrollme”), a free personal email management service that offers to assist consumers in managing the flood of subscription emails in their inboxes. The FTC alleged that Unrollme made certain deceptive statements to consumers, who may have had privacy concerns, to persuade them to grant the company access to their email accounts. (In re Unrolllme Inc., File No 172 3139 (FTC proposed settlement announced Aug. 8, 2019).
This settlement touches many relevant issues, including the delicate nature of online providers’ privacy practices relating to consumer data collection, the importance for consumers to comprehend the extent of data collection when signing up for and consenting to a new online service or app, and the need for downstream recipients of anonymized market data to understand how such data is collected and processed. (See also our prior post covering an enforcement action involving user geolocation data collected from a mobile weather app).
A quick glance at headlines announcing the settlement might give the impression that the FTC found Unrollme’s entire business model unlawful or deceptive, but that is not the case. As described below, the settlement involved only a subset of consumers who received allegedly deceptive emails to coax them into granting access to their email accounts. The model of providing free products or services in exchange for permission to collect user information for data-driven advertising or ancillary market research remains widespread, though could face some changes when California’s CCPA consumer choice options become effective or in the event Congress passes a comprehensive data privacy law.
As part of the Unrollme registration process, users grant Unrollme access to selected personal email accounts for decluttering purposes. However, this permission also allows Unrollme to access and scan inboxes for so-called “e-receipts” or emailed receipts from e-commerce transactions. After scanning users’ e-receipt data (which might include billing and shipping addresses and information about the purchased products or services), Unrollme’s parent company, Slice Technologies, Inc., would anonymize the data and package it into market research reports that are sold to various companies, retailers and others. According to the FTC complaint, when some consumers declined to grant permission to their email accounts during signup, Unrollme, during the relevant time period, tried to make them reconsider by sending allegedly deceptive statements about its access (e.g, “You need to authorize us to access your emails. Don’t worry, this is just to watch for those pesky newsletters, we’ll never touch your personal stuff”). The FTC claimed that such messages did not tell users that access to their inboxes would also be used to collect e-receipts and to package that data for sale to outside companies, and that thousands of consumers changed their minds and signed up for Unrollme.
As part of the settlement, Unrollme is prohibited from misrepresentations about the extent to which it accesses, collects, uses, stores or shares information in connection with its email management products. Unrollme must also send an email to all current users who enrolled in Unrollme after seeing the allegedly deceptive statements and explain Unrollme’s data collection and usage practices. Unrollme is also required to delete all e-receipt data obtained from recipients who enrolled in Unrollme after seeing the challenged statements (unless Unrollme receives affirmative consent to maintain such data from the affected consumers).
In an effort at increased transparency, Unrollme’s current home page displays several links to detailed explanations of how the service collects and analyzes user data (e.g., “How we use data”).
Interestingly, this is not the first time Unrollme’s practices have been challenged, as the company faced a privacy suit over its data mining practices last year. (See Cooper v. Slice Technologies, Inc., No. 17-7102 (S.D.N.Y. June 6, 2018) (dismissing a privacy suit that claimed that Unrollme did not adequately disclose to consumers the extent of its data mining practices, and finding that consumers consented to a privacy policy that expressly allowed such data collection to build market research products and services).
Hyperconnectivity is a real phenomenon and it is changing the concerns of society because of the kinds of interactions that can be brought about by IoT devices, which could be: i) People to people; ii) People to things (objects, machines); iii) Things/machines to things/machines.
It gives rise to different issues for people. According to a European Survey, 72% of EU Internet users worry that too much of their personal data is being shared online and that they have little control over what happens to this information[1]. It gives rise to inevitable ethical issues and its relationship with the techno environment.
The discussion on ethics that follows aims to provide a quick tour on general ethical principles and theories that are available as they may apply to IoT[2]. Law and ethics are overlapping, but ethics goes beyond law. Thus, a comparison of law and ethics is made and their differences are pointed out in the great work of Spyros G Tzafestas, who wrote Ethics and Law in the Internet of Things World. In this article, he considers that the risks and harms in a digital world are very high and complex, especially explaining those tech terms and their impact in our private life. Thus, it is of primary importance to review IoT and understand the limitations of protective legal, regulatory and ethical frameworks, in order to provide sound recommendations for maximizing good and minimizing harm[3].
Major data security concerns have also been raised with respect to ‘cloud’-supported IoT. Cloud computing (‘the cloud’) essentially consists of the concentration of resources, e.g. hardware and software, into a few physical locations by a cloud service provider (e.g. Amazon Web Service)[4]. We are living in a data-sharing storm and the economic impact of IoT’s cyber risks is increasing with the integration of digital infrastructure in the digital economy[5]. We are surrounded by devices which contain our data, for instance:
Wearable health technologies: wearable devices that continuously monitor the health status of a patient or gather real-world information about the patient such as heart rate, blood pressure, fever;
Wearable textile technologies: clothes that can change their color on demand or based on the biological condition of the wearer or according to the wearer’s emotions;
As a result of the serious impact IoT may have and because it involves a huge number of connected devices, it creates a new social, political, economic, and ethical landscape. Therefore, for a sustainable development of IoT, political and economic decision-making bodies have to develop proper regulations in order to be able to control the fair use of IoT in society.
In this sense, the most developed regions as regards establishing IoT Regulations and an ethical framework are the European Union and the United States both of which have enacted:
Legislation/regulations.
Ethics principles, rules and codes.
Standards/guidelines;
Contractual arrangements;
Regulations for the devices connected;
Regulations for the networks and their security; and
Regulations for the data associated with the devices.
In light of this, the next section will deal with Data Protection Regulations, Consumer Protection Acts, IoT and Cyber Risks Laws, Roadmap for Standardization of Regulations, Risk Maturity, Strategy Design and Impact Assessment related with 2020 scenario, which is: 200 billion sensor devices and market size that, by 2025, will be between $2.7 trillion and $3 trillion a year.
Europe
The Alliance for Internet of Things Innovation (AIOTI) was initiated by the European Commission in order to open a stream of dialogue between European stakeholders within the Internet of Things (IoT) market. The overall goal of this initiative was the creation of a dynamic European IoT ecosystem to unleash the potential of IoT.
In October 2015, the Alliance published 12 reports covering IoT policy and standards issues. It provided detailed recommendations for future collaborations in the Internet of Things Focus Area of the 2016-2017 Horizon 2020 programme[7].
The IoT regulation framework in Europe is a growth sector:
EU Directive-2013/40: this Directive deals with “Cybercrime” (i.e., attacks against information systems). It provides definitions of criminal offences and sets proper sanctions for attacks against information systems[8].
EU NIS Directive 2016/1148: this Network and Information Security (NIS) Directive concerns “Cybersecurity” issues. Its aim is to provide legal measures to assure a common overall level of cybersecurity (network/information security) in the EU, and an enhanced coordination degree among EU Members[9].
EU Directive 2014/53: this Directive “On the harmonization of the laws of the member states relating to the marketing of radio equipment”[10] is concerned with the standardization issue which is important for the joint and harmonized development of technology in the EU.
EU GDPR: European General Data Protection Regulation 2016/679: this regulation concerns privacy, ownership, and data protection and replaces EU DPR-2012. It provides a single set of rules directly applicable in the EU member states.
EU Connected Communities Initiative: this initiative concerns the IoT development infrastructure, and aims to collect information from the market about existing public and private connectivity projects that seek to provide high-speed broadband (more than 30 Mbps).
United States
A quick overview of the general US legislation that protects civil rights (employment, housing, privacy, information, data, etc.) includes:
Fair Housing Act (1968);
Fair Credit Reporting Act (1970);
Electronic Communication Privacy Act (1986), which is applied to service providers that transmit data, the Privacy Act 1974 which is based on the Fair Information Practice Principle (FIPP) Guidelines;
Breach Notification Rule which requires companies utilizing health data to notify consumers that are affected by the occurrence of any data breach; and
IoT Cybersecurity Improvement Act 2019: the Bill seeks “[t]o leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices.” In other words, this bill aims to shore up cybersecurity requirements for IoT devices purchased and used by the federal government, with the aim of affecting cybersecurity on IoT devices more broadly.
SB-327 Information privacy: connected devices: California’s new SB 327 law, which will take effect in January 2020, requires all “connected devices” to have a “reasonable security feature.”
The above legislation is general, and in principle can cover IoT activities, although it was not designed with IoT in mind. Legislation devoted particularly to IoT includes the following:
White House Initiative 2012: the purpose of this initiative is to specify a framework for protecting the privacy of the consumer in a networked work.
This initiative involves a report on a ‘Consumer Bill of Rights” which is based on the so-called “Fair Information Practice Principles” (FIPP). This includes two principles:
Respect for Context Principle: consumers have a right to insist that the collection, use, and disclosure of personal data by Companies is done in ways that are compatible with the context in which consumers provide the data;
Individual Control Principle: consumers have a right to exert control over the personal data companies collect from them or how they use it.
China
Where we start to see the most advanced picture is in China. In 2017, the Ministry of Industry and Information Technology (MIIT), China’s telecom regulator and industrial policy maker, issued the Circular on Comprehensively Advancing the Construction and Development of Mobile Internet of Things (NB-IoT) (MIIT Circular [2017] No. 351, the “Circular”), with the following approach in the opening provisions:
Building a wide-coverage, large-connect, low-power mobile Internet of Things (NB-IoT) infrastructure and developing applications based on NB-IoT technology will help promote the construction of network powers and manufacturing powers, and promote “mass entrepreneurship, innovation” and “Internet +” development. In order to further strengthen the IoT application infrastructure, promote the deployment of NB-IoT networks and expand industry applications, and accelerate the innovation and development of NB-IoT[11]
Nowadays China already has a huge packet of regulation on technological matters:
2015 State Council – China Computer Information System Security Protection Regulation (first in 1994);
2007 MPS – Management Method for Information Security Protection for Classified Levels;
2001 NPC Standing Committee – Resolution about Protection of Internet Security;
2012 NPC Standing Committee – Resolution about Enhance Network Information Protection;
July 2015: National Security Law – ‘secure and controllable’ systems and data security in critical infrastructure and key areas;
2014 MIIT – Guidance on Enhance Telecom and Internet Security;
2013 MIIT – Regulation about Telecom and Internet Personal Information Protection
2014 China Banking Regulatory Commission – Guidance for Applying Secure and Controllable Information;
Technology to Enhance Banking Industry Cybersecurity and Informatization Development
Further, as if this were not enough, the Chinese government is being proactive and has several important laws and regulations in the Pipeline, as it can be seen from the list below:
CAC: Administrative Measures on Internet Information Services;
CAC Rules on Security Protection for Critical Information Infrastructure;
Cybersecurity Law;
Cyber Sovereignty;
Security of Product and Service;
Security of Network Operation (Classified Levels Protection, Critical Infrastructure);
Data Security (Category, Personal Information);
Information Security.
Finally, China established, in 2016, the National Information Security Standardization Technical Committee and its current work is developing a Standardization – TC260 (IT Security) on Technical requirement for Industrial network protocol and general reference model and requirements for Machine-to-Machine (M2M) security.
Latin America
The Latin American countries have different levels of development and this sets up a huge asymmetry between the domestic legal frameworks. The following is a quick regulation overview on Latin American countries:
Brazil has the “National IoT Plan” (Decree N. 9.854/2019) that aims to ensure the development of public policies for this technology sector and members of Brazilian parliament presented the bill No. 7.656/17 with the purpose of eliminating tax charges on IoT products;
Colombia has a Draft of Law No. 152/2018 on the Modernization of the Information and Communication providing investments incentives to IT Techs (article 3);
Chile has a new Draft Law Boletín N° 12.192-25/2018 on Cyber crimes and regulation on internet devices and hackers attacks;
In 2017, Argentina launched a Public Consultation on IoT regarding regulations that must be updated and how to get more security and improve the technological level of the country[12].
Most Promising Smart Environments
Smart environments are regarded as the space within which IoT devices interact connected through a continuous network. Thus, smart environments aim to satisfy the experience of individuals from every environment, by replacing the hazardous work, physical labor and repetitive tasks with automated agents. Generally speaking, sensors are the basis of these kind of smart devices with many different applications e.g. Smart Parking, Waste Management, Smart Roads and Traffic Congestion, Air Pollution, River Floods, M2M Applications, Vehicle auto-diagnosis, Smart Farming, Energy and Water Uses, Medical and Health Smart applications, etc[13].
Another way of looking at smart environments and assess their relative capacity to produce business opportunities is to identify and examine the most important IoT use cases that are either already being exploited or will be fully exploited by 2020.
For the purposes of this article, the approach was restricted to sectors consisting of the most promising smart environments to be developed up to 2020 in the European Market as displayed in the Chart below:
Vertical IoT Market Size in Europe
The conclusions of the last report of the European Commission are impressive and can help to understand the continuous development of the IoT market and how every market has to comply with the law and they will emerge facing a regulatory avalanche as mentioned in item 2 on the Regulatory Ecosystem.
Final Considerations: IoT as Consumer Product Health and Safety
IoT safety is becoming more important every day. On the one hand, as mentioned above, most concerns for IoT safety are primarily in the areas of cyber-attacks, hacking, data privacy, and similar topics; what is better referred to as security than safety. On the other hand, it can be approached by physical safety hazards which may result from the operation of consumer products in an IoT environment or system. IoT provides a new way to approach business and it is not restricted to one or other market or topic. It is a metatopic ormetamarketshowing different possibilities and applications and will be spread in the near future.
In general, IoT products are electrical or electronic applications with a power source and a battery connected by a charging device. So long as the power source, batteries and charging devices are present we have the usual risks of electrical related hazards (fire, burns, electrical shock, etc.). Nonetheless, IoT makes matters more complicated as smart devices have the function to send commands and control devices in the real world.
IoT applications can switch the main electrical powers of secondary products or can operate complex motor systems and so on. Then they have to be accurate and might provide minimal requirements to care of consumer health and safety. Risk assessment and hazard mitigations will have to adapt to IoT applications reinventing new methods to assure regular standards of IoT usability. Traditional health and safety regulations might be up to date with this new technological reality to be effective at reducing safety hazards for consumer products.
To conclude, this article was intended to summarize two main issues: I) IoT as an increasing and cross topic market which will become a present reality closer to our daily lives; II) IoT will be regulated and become an important concern in consumer product health and safety.
[1] Nóra Ni Loideain. Port in the Data-Sharing Storm: The GDPR and the Internet of Things. King’s College London Dickson Poon School of Law Legal Studies Research Paper Series: Paper No. 2018-27.P2.
[4] Nóra Ni Loideain. Port in the Data-Sharing Storm: The GDPR and the Internet of Things. King’s College London Dickson Poon School of Law Legal Studies Research Paper Series: Paper No. 2018-27.P. 19.
[5] Petar Radanliev, David Charles De Roure and others. Definition of Internet of Things (IoT) Cyber Risk – Discussion on a Transformation Roadmap for Standardization of Regulations, Risk Maturity, Strategy Design and Impact Assessment. Oxford University. MPRA Paper No. 92569, March 2019, P. 1.
And with all of the hacking news flying past us day after day, our imaginations have not even begun to grasp what could happen if a hostile person decided to hack our automotive computers – individually or en masse. What better way to attack the American way of life but disable and crash armies of cars, stranding them on the road, killing tens of thousands, shutting down functionality of every city? Set every Ford F-150 to accelerated to 80 miles an hour at the same time on the same day and don’t stick around to clean up the mess.
We learned the cyberwarfare could turn corporal with the US/Israeli STUXNET bug forcing Iran’s nuclear centrifuges to overwork and physically break themselves (along with a few stray Indian centrifuges caught in the crossfire). This seems like a classic solution for terror attacks – slip malicious code into machines that will actually kill people. Imagine if the World Trade Center attack was carried out from a distance by simply taking over the airplanes’ computer operations and programing them to fly into public buildings. Spectacular mission achieved and no terrorist would be at risk.
This would be easy to do with automobiles. For example, buy a recent year used car on credit at most U.S. lots and the car comes with a remote operation tool that allows the lender to shut off the car, to keep it from starting up, and to home in on its location so the car can either be “bricked” or grabbed by agents of the lender due to non-payment. We know that a luxury car includes more than 100 million lines of code, where a Boeing 787 Dreamliner contains merely 6.5 million lines of code and a U.S. Airforce F-22 Raptor Jet holds only 1.7 million lines of code. Such complexity leads to further vulnerability.
The diaphanous separation between the real and electronic worlds is thinning every day, and not enough people are concentrating on the problem of keeping enormous, powerful machines from being hijacked from afar. We are a society that loves its freedom machines, but that love may lead to our downfall.
An organization called Consumer Watchdog has issued a report subtly titled KILL SWITCH: WHY CONNECTED CARS CAN BE KILLING MACHINES AND HOW TO TURN THEM OFF, which urges auto manufacturers to install physical kill switches in cars and trucks that would allow the vehicles to be disconnected from the internet. The switch would cost about fifty cents and could prevent an apocalyptic loss of control for nearly every vehicle on the road at the same time. (The IoT definition of a bad day)
“Experts agree that connecting safety-critical components to the internet through a complex information and entertainment device is a security flaw. This design allows hackers to control a vehicle’s operations and take it over from across the internet. . . . By 2022, no less than two-thirds of new cars on American roads will have online connections to the cars’ safety-critical system, putting them at risk of deadly hacks.”
And if that isn’t frightening enough, the report continued,
“Millions of cars on the internet running the same software means a single exploit can affect millions of vehicles simultaneously. A hacker with only modest resources could launch a massive attack against our automotive infrastructure, potentially causing thousands of fatalities and disrupting our most critical form of transportation,”
If the government dictates seat belts and auto emissions standards, why on earth wouldn’t the Transportation Department require a certain level of security of connectivity and software invulnerability from the auto industry. We send millions of multi-ton killing machines capable of blinding speeds out on our roads every day, and there seems to be no standard for securing the hackability of these machines. Why not?
And why not require the 50 cent kill switch that can isolate each vehicle from the internet?
50 years ago, when Ralph Nader’s Unsafe at Any Speed demonstrated the need for government regulation of the auto industry so that car companies’ raw greed would not override customer safety concerns. Soon after, Lee Iacocca led a Ford design team that calculated it was worth the horrific flaming deaths of 180 Ford customers each year in 2,100 vehicle explosions due to flawed gas tank design that was eventually fixed with a tool costing less than one dollar per car.
Granted that safety is a much more important issue for auto manufacturers now than in the 1970s, but if so, why have we not seen industry teams meeting to devise safety standards in auto electronics the same way standards have been accepted in auto mechanics? If the industry won’t take this standard-setting task seriously, then the government should force them to do so.
And the government should be providing help in this space anyway. Vehicle manufacturers have only a commercially reasonable amount of money to spend addressing this electronic safety problem. The Russian and Iranian governments have a commercially unreasonable amount of money to spend attacking us. Who makes up the difference in this crital infrastructure space? Recognizing our current state of cyber warfare – hostile government sponsored hackers are already attacking our banking and power systems on a regular basis, not to mention attempting to manipulate our electorate – our government should be rushing in to bolster electronic and software security for the automotive and trucking sectors. Why doesn’t the TSB regulate the area and provide professional assistance to build better protections based on military grade standards?
Nothing in our daily lives is more dangerous than our vehicles out of control. Nearly 1.25 million people die in road crashes each year, on average 3,287 deaths a day. An additional 20-50 million per year are injured or disabled. A terrorist or hostile government attack on the electronic infrastructure controlling our cars would easily multiply this number as well as shutting down the US roads, economy and health care system for all practical purposes.
We are not addressing the issue now with nearly the seriousness that it demands.
How many true car–mageddons will need to occur before we all take electric security seriously?
BMJ’s journal, Tobacco Control, just released a study recommending that the FDA do more to control Juul’s e-cigarette advertising in social media. The study included a review of over 15000 posts in a three-month period during 2018. Approximately 30% of reviewed posts were promotional, e.g., leading to Juul purchase locations, and over half the posts included “youth” and “youth lifestyle” themes. Because many of these posts were re-posts or user-generated, rather than ads specifically placed by Juul, the company protested that 99% were third-party content over which Juul had no control. However, the intended goal for social media advertising is to “share” and to inspire creation of third-party user-generated content that is also shared. Juul’s public comments weirdly suggest they don’t understand social media advertising. That is quite unlikely.
Juul first came under fire for its youth-focused advertising back in 2016, but has only recently made changes to restrict it. Not until late 2018, long after being called-out by educational and government agencies for targeting youth, did it begin to materially limit its social media accounts and social media messaging.
Juul’s chief administrative officer, Ashley Gould, was quoted last year telling CNN that Juul was “completely surprised by the youth usage of the product.” (Source: CNN.) In response, Dr. Robert Jackler, founder of the Stanford Research into the Impact of Tobacco Advertising, said, “I don’t believe that, not for a minute, because they’re also a very digital, very analytical company,” he added. “They know their market. They know what they’re doing.”
Gould’s obfuscation about underage users doesn’t fool people in the know—and it certainly doesn’t generate trust that Juul will voluntarily follow ethical practices. Juul only instituted its recent changes to restrict youth advertising after FDA scrutiny and bad press.
Juul also advertises its products are for smoking cessation. Last week, in response to San Francisco’s imminent ban on e-cigarette sales, Juul raised concerns that people would resort back to traditional cigarettes—implying this would further negatively impact the health of San Franciscans.
Unfortunately for Juul, the internet remembers everything. In a 2015 Verge interview at the beginning of Juul’s meteoric rise, one of Juul’s R&D engineers made it clear that Juul didn’t care about smoking cessation nor had any concerns about creating an addictive product. The engineer (Atkins) was quoted saying, “We don’t think a lot about addiction here because we’re not trying to design a cessation product at all,” he said, “anything about health is not on our mind.”
Juul’s public “feint and parry” strategy tends to mirror the traditional tobacco industry—a group with a sordid history of youth-focused advertising, concealment, lying to officials, and purposely creating highly addictive products in order to boost sales. It took multiple lawsuits and the Master Settlement Agreement of the nineties for big tobacco to materially comply with government regulations.
Unfortunately, despite all of that history, the tobacco industry’s disregard for consumer protection has spread into the e-cigarette industry. As late as 2017, big tobacco-owned e-cigarette, Blu, launched its “Something Better” advertising campaign. The campaign mocked government-mandated package warnings on traditional cigarettes. The ads included variations of the following text and were designed to look like cigarette warning labels:
The parody on government-mandated safety warnings mocks consumer protection efforts by government agencies—a tactic not surprising coming from a tobacco company. Right now, there is very little regulation over e-cigarettes despite the fact that the FDA was granted oversight in 2016. Like Blu, Juul also has heavy ties to big tobacco. Altria, parent company to Phillip Morris, the maker of Marlboro, is heavily invested in Juul.
If Juul truly intends to address social media advertising, consumer protection, and youth e-cigarette use, it must do more than spew rhetoric through the media. It must take incisive, prophylactic action to reduce exposure of its products to underage users. If history is any indication, that won’t happen without strict FDA regulation.
If you or someone you know has become seriously addicted to nicotine in e-cigarettes, has health problems associated with e-cigarettes, or has been injured by a malfunctioning e-cigarette, you should contact an experienced e-cigarette injury attorney to advise you on the ability to seek compensation for your injuries.
A few years ago, hoverboards drew a lot of attention from the U.S. Consumer Product Safety Commission (CPSC). Formally known as self-balancing electric scooters, hoverboards became an instant success because they combined practical mobility and enjoyment. But that success was not without some setbacks. When news stories in 2015 linked hoverboards to fires (which we wrote about here), the same popularity that drove sales also attracted public and government scrutiny.
While the CPSC typically does not discuss ongoing investigations, in January 2016, the attention around hoverboards drove then-Chairman Elliot Kaye to make public statements about the agency’s inquiries. And in February 2016, then-Acting Director of Compliance Robert Howell issued a public letter to manufacturers, urging them to test their products according to Underwriters Laboratories (UL) 2272, which would not become a formal voluntary consensus standard for another nine months. These statements were unusual. The public and congressional attention on alleged hoverboard fires drove the CPSC to be more public in its efforts.
Poised for the Next New Thing
With the hoverboard memory fresh in its mind, the CPSC is likely to get ahead of future potential emerging technology issues. One product that the agency may see as ripe for early intervention is a cousin of hoverboards: electric scooters. We last wrote about how scooter manufacturers have provided a roadmap for other technology companies to respond to complaints. Scooters share some features of regulatory interest with hoverboards – they’re both powered by lithium ion batteries, for instance – but they also have some unique features. Specifically, the wildly popular scooter-sharing rental model means scooters carry riders with varying levels of ability and knowledge about the product, presenting companies with the challenge of addressing rider safety without a readily available opportunity to warn or instruct them on scooters’ use.
Scooters are everywhere in many cities, creating both opportunities and litigation challenges for companies. States and municipalities have struggled to figure out how they can address the safety of riders and others, including pedestrians, cyclists, and motorists. They have set a variety of rules on issues like how many scooters can operate, where they can go, and how fast they can move. Some cities are testing the waters carefully, using pilot programs to see how scooters could integrate with other modes of transport. These debates are usually about how scooter riders should ride – the rules of the road/sidewalk – but not about how scooters should be designed and built.
The CPSC has the authority to regulate the safety of scooters. In addition to the question of battery safety, CPSC staff and commissioners have expressed concerns about falls or other mechanical hazards, such as the consequences of potential structural failures. And while the agency is engaged, so far its activities have been modest. CPSC staff have collaborated on UL 2272 since it was issued in 2016. The standard now includes electric scooters under the term “Light Electric Vehicles,” but the standards committee has not adopted any scooter-specific provisions.
However, consumer advocacy groups are asking the government to pay more attention to allegations of injuries associated with scooters, which may pressure the CPSC to be more assertive. The Consumer Federation of America (CFA) has urged the agency to conduct more research and seek recalls of scooters associated with injuries. The CFA has also asked Congress to give the CPSC a nudge. So far, groups like the CFA have not called for a mandatory product safety standard, but that possibility always exists.
How Scooter Companies Can Engage the CPSC
What’s going on in Washington presents scooter companies with the opportunity to ensure their voices are heard in these conversations. As with any CPSC-regulated industry, companies should comply with their obligations to report potential hazards and, as appropriate, recall products. Some companies have already conducted recalls, though seemingly without the CPSC’s public involvement. Companies should also continue to go beyond these case-by-case actions and ensure product safety issues are on their policy agenda in conversations with the CPSC, Congress, and other stakeholders.
For example, companies may want to set up introductory meetings with CPSC commissioners to build positive working relationships long before commissioners have a vote on a recall or a rule. Scooter companies may also want to engage at safety-related events to present themselves as thoughtful, responsible innovators.
Companies should also maintain their active involvement in voluntary standards bodies, namely with UL with respect to its 2272 standard on hoverboard and scooter electrical systems. Voluntary standards both help protect consumers and protect responsible companies against undercutting by less safety-minded market players. Currently, safety practices vary between companies. More uniformity can build consumer confidence and help establish the kind of “reasonably prudent company” benchmark that is key to litigation defense. Moreover, when companies work alongside the CPSC’s technical experts on the voluntary standards, they can build trust and rapport that can help future discussions.
Electric scooters are not going away. Their enormous potential in urban transportation is too valuable. But discussions about how to regulate scooters are just getting started. Scooter companies should make sure they are seated at the table; that is, as always, the best way to avoid being on the menu.
Over the next year, California and New York will begin phasing in requirements for manufacturers of cleaning products – including household cleaners, as well as and clothes and dish detergents – to make extensive ingredient disclosures. This will eventually require disclosures on both product labels and manufacturer websites. Both laws involve complex questions regarding which ingredients must be disclosed, whether certain chemical identities may be withheld to protect confidential business information (CBI), and what else must be publicly disclosed (e.g., certain manufacturer studies). Manufacturers of in-scope products should gear up for compliance now.
Scope of Cleaning Products Covered
The California Cleaning Products Right to Know Act applies to general cleaning products (e.g., soaps and detergents for fabric, dishes, counters, and appliances); polish or floor maintenance products; certain air care products (e.g., indoor air fresheners); certain automotive products (e.g., cleaning, polishing, or waxing products for the exterior or interior of automobiles). The law does not apply to food; drugs; cosmetics (including personal care items such as shampoo, hand soap, and toothpaste); or industrial products specifically manufactured for, and exclusively used in, certain industries.
The New York law applies to products “containing a surfactant as a wetting or dirt emulsifying agent and used primarily for domestic or commercial cleaning purposes, including but not limited to the cleansing of fabrics, dishes, food utensils, and household and commercial premises.” The definition contains exclusions for food; drugs; cosmetics; and pesticides.
California Disclosure Requirements
The California law will impose separate disclosure requirements applicable to product labels (effective January 1, 2021) and manufacturer websites (effective January 1, 2020).
Label Requirements
The product labeling requirements go into effect on January 1, 2021. Determining whether the chemical identity of an ingredient needs to be disclosed on the label can be a complicated process necessitating answers to the following questions.
Is the ingredient on a designated list? The law requires disclosure of certain ingredients that appear on one or more lists maintained by environmental agencies worldwide, including California’s Proposition 65 list; the European Union list of Substances of Very High Concern (SVHCs); chemicals for which neurotoxicity is indicated by EPA’s Integrated Risk Information System; chemicals with certain EU classification (carcinogens, mutagens, or reproductive toxicants); chemicals identified as persistent, bioaccumulative, and toxic under the Canadian Environmental Protection Act; etc.
Has the ingredient been intentionally added to the product? The law defines “intentionally added ingredient” as: “a chemical that a manufacturer has intentionally added to a designated product and that has a functional or technical effect in the designated product, including, but not limited to, the components of intentionally added fragrance ingredients and colorants and intentional breakdown products of an added chemical that also have a functional or technical effect in the designated product.”
Is the ingredient a listed fragrance allergen? The law requires disclosure of certain fragrance allergens included on Annex III of the EU Cosmetics Regulation No. 1226/2009, as required by be labeled by the EU Detergents Regulation No. 648/2004.
Is the ingredient eligible for CBI protection? The law provides certain disclosure protections for ingredients that appear on the Toxic Substances Control Act Confidential Inventory or for which the manufacturer or its supplier claim protection under the Uniform Trade Secrets Act. CBI claims are not available for certain ingredients, including intentionally added ingredients that appear on a designated list.
The law also requires that a product label include the manufacturer’s phone number and website. If the list does not disclose all intentionally added ingredients in the product, the label must contain a statement similar to “For more ingredient information, visit [manufacturer’s website].”
Website Requirements
The website disclosure requirements go into effect on January 1, 2020. These are broader than the product label requirements, i.e., there may be some ingredients that must be disclosed on a website but need not be disclosed on the product label. Generally, all intentionally added ingredients must be disclosed on the manufacturer’s website (with certain exceptions, e.g., for CBI ingredients), as must any of 34 substances listed in the law if they are present at or above 100 parts per million, whether intentionally or not. Manufacturers’ websites also must contain additional information, for example Chemical Abstract Service numbers, the purpose of certain ingredients (e.g., fragrance, color, etc.), certain regulatory information, and links to safety data sheets.
New York Disclosure Requirements
New York law has long empowered the Department of Environmental Conservation (DEC) to require manufacturers of household cleaning products to disclose certain information. N.Y. Envtl. Conserv. Law § 35-0103. Until recently, DEC’s disclosure requirements were largely limited to phosphorous-containing ingredients and to other ingredients above 5% concentration. In 2017, DEC proposed expanded disclosure requirements and solicited stakeholder input on the proposal. Future reporting requirements, to be phased in starting this year, will significantly expand the scope of disclosures manufacturers must make.
DEC originally announced the deadline for initial disclosures to be July 1, 2019. DEC recently announced, however, that it would not begin enforcing any violations until October 2, 2019, making the new de facto compliance deadline October 1, 2019. By that date, manufacturers of in-scope products should complete and submit DEC’s Certification Form, as well as make the required disclosures on its website. The Certification Form must be re-submitted at a minimum every two years thereafter, and additionally when a triggering event occurs (e.g., change in formulation).
The first round of disclosure will require the identification of all intentionally added ingredients other than fragrance ingredients, as well as all nonfunctional ingredients present above trace quantities. The law allows manufacturers to assert CBI claims to protect the identity of certain chemicals. Disclosure requirements for additional ingredients will be phased in on July 1, 2020 and January 1, 2023.
Manufacturers must also disclose additional information, including:
Whether ingredients are present on one or more lists of concern (e.g., certain substances regarded by the EU as SVHCs, etc.), regardless of whether the identity of the chemical is withheld due to a CBI claim;
Whether ingredients are nanoscale materials;
The function of ingredients (e.g., fragrance, color, etc.); and
Information regarding investigations and research the manufacturer has conducted or directed regarding environmental or health effects of ingredients.
Due to the complexity of the questions surrounding these disclosures, manufacturers would be wise to begin gathering the relevant information now.
If you have spent any time in Los Angeles or New York City recently, you may have noticed adults riding two-wheeled electric scooters − the type we are more accustomed to seeing kids ride. These scooters are the latest transportation tools in the ever-evolving sharing economy.
The sharing economy, a term used to describe the growth of an economy based on sharing goods and services, just witnessed the newest heavyweight enter the ring – motorized electric scooter companies. All you have to do is download an app on your smartphone, enter your credit card information, find an electric scooter using the app, and scan a barcode. Typically, rental scooters cost $1 to start and 15 cents a minute thereafter. When you reach your destination, simply leave the scooter in a public space and tap your screen to end the ride.
The scooters can reach speeds of up to 15 miles per hour, and there are almost no regulations in place to ensure their safe use. Additionally, it is not always clear whether the scooters should be driven on sidewalks, in bike lanes, or on roadways. In fact, some cities do not require riders to wear helmets. Finally, few riders are clear on whether they are subject to traffic laws (they are in most, if not all, cities).
Recently, scooter-sharing companies have drawn the ire of plaintiffs’ lawyers across the country. Both riders and pedestrians injured on or by scooters are making waves in courthouses and the media, calling for increased regulation or, in some cases, prohibition of the scooters altogether. Complaints have been filed against scooter-sharing companies based on allegations of gross negligence, aiding and abetting assault, and creating a public nuisance. These companies are not alone, however, in facing potential liability for injured riders and pedestrians. Scooter manufacturers also have been named for any number of alleged defects with the scooters.
Scooter and parts defects
Scooter manufacturers may soon face a number of product defect claims. While not an exhaustive list, these claims could include the following:
Failed brakes – At 15 miles per hour, functioning brakes are essential to riders and pedestrians. And, the 15 mile-per-hour maximum speed does not account for scooters going downhill. The scooters can reach even higher speeds and, consequently, create a higher risk of serious injury or death.
Stuck throttles – Likewise, riders and pedestrians face an increased risk of injury when throttles get stuck, making the rider unable to slow down.
Exploding batteries
Flat tires
Inoperative lights
Broken tubes – If the tubes that transmit power within the vehicle suddenly break, riders risk being thrown off.
Defective handlebars
Failure to warn of hidden dangers associated with the use of this unique electric vehicle.
The potential of such claims should be enough to capture the attention of astute product liability insurers.
Why electric scooters?
An array of products are used as part of the sharing economy – cars, houses, bicycles, cameras, kitchenware, musical instruments, boats, construction equipment, outdoor gear, and more. So why should insurance companies pay particularly close attention to scooters?
The answer is because the popularity of electric scooters is growing at an unprecedented pace. Adoption rates in metro areas across the United States are accelerating faster than other players in the ride-sharing economy (i.e., cars). In addition to the incredible adoption rates, public support is high among people from anywhere on the socioeconomic spectrum, with the greatest support from low-income groups, presumably because scooters require much fewer infrastructure investments. And, scooter-sharing companies are not going away. On the contrary, major scooter-sharing companies such as Bird and Lime have begun expanding internationally. So, what should risk advisors expect with regard to claims and lawsuits?
What to expect
The leading electric scooter company, Bird Rides, Inc.’s robust liability waiver has so far limited the number of cases plaintiffs’ lawyers are willing to take. The waiver provides that all riders, in exchange for the use of “Bird Services, [v]ehicles, and other equipment… [,] agree[ ] to fully release, indemnify, and hold harmless Bird…from liability for all ‘Claims’ arising out of or in any way related to … use of the Bird Services, [v]ehicles, or related equipment…[,] except for [c]laims based on … gross negligence or willful misconduct.” Nonetheless, the class-action lawsuit filed in Los Angeles County Superior Court on October 19, 2018 – case number 18-STCV-01416 – has garnered enough attention from the public and media that an influx of claims should be expected.
The Los Angeles County lawsuit names, in addition to Bird, leading competitor Lime (formerly LimeBike), and manufacturers Xiaomi USA, Inc. and Segway, Inc. The plaintiffs’ claims include Strict Products Liability, Negligence, Negligence Per Se, Gross Negligence, Breach of Implied Warranty of Fitness for a Particular and/or Intended Purpose, and Breach of Implied Warranty of Merchantability. The blanket of negligence theories cast against the manufacturers is broad. They allege manufacturing defects, design defects, and a charge of inadequate user warnings. It is to be determined how much protection, if any, manufacturers will receive under Bird’s liability waiver. It is very likely, though, that the plaintiffs will be allowed to pursue lawsuits under a theory of, at least, gross negligence.
Another big question is whether and how many of these suits will get to a jury. The comprehensive waiver in Bird’s user agreement includes an administrative dispute resolution process, followed by a binding arbitration provision in the event the parties are unable to settle a claim. It also includes a class action waiver. However, the opt-out provision in the same section of the agreement provides: “You have the right to opt-out and not be bound by the arbitration and class action waiver provisions … by sending written notice of your decision to opt-out to the [Bird] address…. The notice must be sent within 30 days of the effective date or your first use of the Service, whichever is later….”
Whether claims are brought in court or moved into arbitration, a rigorous defense is called for on behalf of the manufacturers. Because scooters are often left at the scene of an incident wherein injuries were suffered, there may be no physical evidence of a defect in the scooter and/or parts. Even if there were some malfunction, mechanical or otherwise, plaintiffs must prove that any injuries were the direct and proximate result of the scooter, rather than user error. These factual hurdles also have served to limit the number of lawsuits brought thus far.
There is an array of issues, legal and factual, that must be scrutinized upon receiving notice of a claim or suit. And, it is not simply the electric scooter companies that need to brace for an influx of claims – scooter and parts manufacturers are being sued right along with them.
