business Archives - Page 82 of 92 - The National Law Forum

EDPB on Dark Patterns: Lessons for Marketing Teams

“Dark patterns” are becoming the target of EU data protection authorities, and the new guidelines of the European Data Protection Board (EDPB) on “dark patterns in social media platform interfaces” confirm their focus on such practices. While they are built around examples from social media platforms (real or fictitious), these guidelines contain lessons for all websites and applications. The bad news for marketers: the EDPB doesn’t like it when dry legal texts and interfaces are made catchier or more enticing.

To illustrate, in a section of the guidelines regarding the selection of an account profile photo, the EDPB considers the example of a “help/information” prompt saying “No need to go to the hairdresser’s first. Just pick a photo that says ‘this is me.’” According to the EDPB, such a practice “can impact the final decision made by users who initially decided not to share a picture for their account” and thus makes consent invalid under the General Data Protection Regulation (GDPR). Similarly, the EDPB criticises an extreme example of a cookie banner with a humourous link to a bakery cookies recipe that incidentally says, “we also use cookies”, stating that “users might think they just dismiss a funny message about cookies as a baked snack and not consider the technical meaning of the term “cookies.”” The EDPB even suggests that the data minimisation principle, and not security concerns, should ultimately guide an organisation’s choice of which two-factor authentication method to use.

Do these new guidelines reflect privacy paranoia or common sense? The answer should lie somewhere in between, but the whole document (64 pages long) in our view suggests an overly strict approach, one that we hope will move closer to commonsense as a result of a newly started public consultation process.

Let us take a closer look at what useful lessons – or warnings – can be drawn from these new guidelines.

What are “dark patterns” and when are they unlawful?

According to the EDPB, dark patterns are “interfaces and user experiences […] that lead users into making unintended, unwilling and potentially harmful decisions regarding the processing of their personal data” (p. 2). They “aim to influence users’ behaviour and can hinder their ability to effectively protect their personal data and make conscious choices.” The risk associated with dark patterns is higher for websites or applications meant for children, as “dark patterns raise additional concerns regarding potential impact on children” (p. 8).

While the EDPB takes a strongly negative view of dark patterns in general, it recognises that dark patterns do not automatically lead to an infringement of the GDPR. The EDPB acknowledges that “[d]ata protection authorities are responsible for sanctioning the use of dark patterns if these breach GDPR requirements” (emphasis ours; p. 2). Nevertheless, the EDPB guidance strongly links the concept of dark patterns with the data protection by design and by default principles of Art. 25 GDPR, suggesting that disregard for those principles could lead to a presumption that the language or a practice in fact creates a “dark pattern” (p. 11).

The EDPB refers here to its Guidelines 4/2019 on Article 25 Data Protection by Design and by Default and in particular to the following key principles:

“Autonomy – Data subjects should be granted the highest degree of autonomy possible to determine the use made of their personal data, as well as autonomy over the scope and conditions of that use or processing.
Interaction – Data subjects must be able to communicate and exercise their rights in respect of the personal data processed by the controller.
Expectation – Processing should correspond with data subjects’ reasonable expectations.
Consumer choice – The controllers should not “lock in” their users in an unfair manner. Whenever a service processing personal data is proprietary, it may create a lock-in to the service, which may not be fair, if it impairs the data subjects’ possibility to exercise their right of data portability in accordance with Article 20 GDPR.
Power balance – Power balance should be a key objective of the controller-data subject relationship. Power imbalances should be avoided. When this is not possible, they should be recognised and accounted for with suitable countermeasures.
No deception – Data processing information and options should be provided in an objective and neutral way, avoiding any deceptive or manipulative language or design.
Truthful – the controllers must make available information about how they process personal data, should act as they declare they will and not mislead data subjects.”

Is data minimisation compatible with the use of SMS two-factor authentication?

One of the EDPB’s positions, while grounded in the principle of data minimisation, undercuts a security practice that has grown significantly over the past few years. In effect, the EDPB seems to question the validity under the GDPR of requests for phone numbers for two-factor authentication where e-mail tokens would theoretically be possible:

“30. To observe the principle of data minimisation, [organisations] are required not to ask for additional data such as the phone number, when the data users already provided during the sign- up process are sufficient. For example, to ensure account security, enhanced authentication is possible without the phone number by simply sending a code to users’ email accounts or by several other means.
31. Social network providers should therefore rely on means for security that are easier for users to re[1]initiate. For example, the [organisation] can send users an authentication number via an additional communication channel, such as a security app, which users previously installed on their mobile phone, but without requiring the users’ mobile phone number. User authentication via email addresses is also less intrusive than via phone number because users could simply create a new email address specifically for the sign-up process and utilise that email address mainly in connection with the Social Network. A phone number, however, is not that easily interchangeable, given that it is highly unlikely that users would buy a new SIM card or conclude a new phone contract only for the reason of authentication.” (emphasis ours; p. 15)

The EDPB also appears to be highly critical of phone-based verification in the context of registration “because the email address constitutes the regular contact point with users during the registration process” (p. 15).

This position is unfortunate, as it suggests that data minimisation may preclude controllers from even assessing which method of two-factor authentication – in this case, e-mail versus SMS one-time passwords – better suits its requirements, taking into consideration the different security benefits and drawbacks of the two methods. The EDPB’s reasoning could even be used to exclude any form of stronger two-factor authentication, as additional forms inevitably require separate processing (e.g., phone number or third-party account linking for some app-based authentication methods).

For these reasons, organisations should view this aspect of the new EDPB guidelines with a healthy dose of skepticism. It likewise will be important for interested stakeholders to participate in the consultation to explain the security benefits of using phone numbers to keep the “two” in two-factor authentication.

Consent withdrawal: same number of clicks?

Recent decisions by EU regulators (notably two decisions by the French authority, the CNIL have led to speculation about whether EU rules effectively require website operators to make it possible for data subjects to withdraw consent to all cookies with one single click, just as most websites make it possible to give consent through a single click. The authorities themselves have not stated that this is unequivocally required, although privacy activists notably filed complaints against hundreds of websites, many of them for not including a “reject all” button on their cookie banner.

The EDPB now appears to side with the privacy activists in this respect, stating that “consent cannot be considered valid under the GDPR when consent is obtained through only one mouse-click, swipe or keystroke, but the withdrawal takes more steps, is more difficult to achieve or takes more time” (p. 14).

Operationally, however, it seems impossible to comply with a “one-click withdrawal” standard in absolute terms. Just pulling up settings after registration or after the first visit to a website will always require an extra click, purely to open those settings. We expect this issue to be examined by the courts eventually.

Is creative wording indicative of a “dark pattern”?

The EDPB’s guidelines contain several examples of wording that is intended to convince the user to take a specific action.

The photo example mentioned in the introduction above is an illustration, but other (likely fictitious) examples include the following:

For sharing geolocation data: “Hey, a lone wolf, are you? But sharing and connecting with others help make the world a better place! Share your geolocation! Let the places and people around you inspire you!” (p.17)
To prompt a user to provide a self-description: “Tell us about your amazing self! We can’t wait, so come on right now and let us know!” (p. 17)

The EDPB criticises the language used, stating that it is “emotional steering”:

“[S]uch techniques do not cultivate users’ free will to provide their data, since the prescriptive language used can make users feel obliged to provide a self-description because they have already put time into the registration and wish to complete it. When users are in the process of registering to an account, they are less likely to take time to consider the description they give or even if they would like to give one at all. This is particularly the case when the language used delivers a sense of urgency or sounds like an imperative. If users feel this obligation, even when in reality providing the data is not mandatory, this can have an impact on their “free will”” (pp. 17-18).

Similarly, in a section about account deletion and deactivation, the EDPB criticises interfaces that highlight “only the negative, discouraging consequences of deleting their accounts,” e.g., “you’ll lose everything forever,” or “you won’t be able to reactivate your account” (p. 55). The EDPB even criticises interfaces that preselect deactivation or pause options over delete options, considering that “[t]he default selection of the pause option is likely to nudge users to select it instead of deleting their account as initially intended. Therefore, the practice described in this example can be considered as a breach of Article 12 (2) GDPR since it does not, in this case, facilitate the exercise of the right to erasure, and even tries to nudge users away from exercising it” (p. 56). This, combined with the EDPB’s aversion to confirmation requests (see section 5 below), suggests that the EDPB is ignoring the risk that a data subject might opt for deletion without fully recognizing the consequences, i.e., loss of access to the deleted data.

The EDPB’s approach suggests that any effort to woo users into giving more data or leaving data with the organisation will be viewed as harmful by data protection authorities. Yet data protection rules are there to prevent abuse and protect data subjects, not to render all marketing techniques illegal.

In this context, the guidelines should in our opinion be viewed as an invitation to re-examine marketing techniques to ensure that they are not too pushy – in the sense that users would in effect truly be pushed into a decision regarding personal data that they would not otherwise have made. Marketing techniques are not per se unlawful under the GDPR but may run afoul of GDPR requirements in situations where data subjects are misled or robbed of their choice.

Other key lessons for marketers and user interface designers

Avoid continuous prompting: One of the issues regularly highlighted by the EDPB is “continuous prompting”, i.e., prompts that appear again and again during a user’s experience on a platform. The EDPB suggests that this creates fatigue, leading the user to “give in,” i.e., by “accepting to provide more data or to consent to another processing, as they are wearied from having to express a choice each time they use the platform” (p. 14). Examples given by the EDPB include the SMS two-factor authentication popup mentioned above, as well as “import your contacts” functionality. Outside of social media platforms, the main example for most organisations is their cookie policy (so this position by the EDPB reinforces the need to manage cookie banners properly). In addition, newsletter popups and popups about “how to get our new report for free by filling out this form” are frequent on many digital properties. While popups can be effective ways to get more subscribers or more data, the EDPB guidance suggests that regulators will consider such practices questionable from a data protection perspective.
Ensure consistency or a justification for confirmation steps: The EDPB highlights the “longer than necessary” dark pattern at several places in its guidelines (in particular pp. 18, 52, & 57), with illustrations of confirmation pop-ups that appear before a user is allowed to select a more privacy-friendly option (and while no such confirmation is requested for more privacy-intrusive options). Such practices are unlawful according to the EDPB. This does not mean that confirmation pop-ups are always unlawful – just that you need to have a good justification for using them where you do.
Have a good reason for preselecting less privacy-friendly options: Because the GDPR requires not only data protection by design but also data protection by default, make sure that you are able to justify an interface in which a more privacy-intrusive option is selected by default – or better yet, don’t make any preselection. The EDPB calls preselection of privacy-intrusive options “deceptive snugness” (“Because of the default effect which nudges individuals to keep a pre-selected option, users are unlikely to change these even if given the possibility” p. 19).
Make all privacy settings available in all platforms: If a user is asked to make a choice during registration or upon his/her first visit (e.g., for cookies, newsletters, sharing preferences, etc.), ensure that those settings can all be found easily later on, from a central privacy settings page if possible, and alongside all data protection tools (such as tools for exercising a data subject’s right to access his/her data, to modify data, to delete an account, etc.). Also make sure that all such functionality is available not only on a desktop interface but also for mobile devices and across all applications. The EDPB illustrates this point by criticising the case where an organisation has a messaging app that does not include the same privacy statement and data subject request tools as the main app (p. 27).
Be clearer in using general language such as “Your data might be used to improve our services”: It is common in most privacy statements to include a statement that personal data (e.g., customer feedback) “can” or “may be used” to improve an organisation’s products and services. According to the EDPB, the word “services” is likely to be “too general” to be viewed as “clear,” and it is “unclear how data will be processed for the improvement of services.” The use of the conditional tense in the example (“might”) also “leaves users unsure whether their data will be used for the processing or not” (p. 25). Given that the EDPB’s stance in this respect is a confirmation of a position taken by EU regulators in previous guidance on transparency, and serves as a reminder to tell data subjects how data will be used.
Ensure linguistic consistency: If your website or app is available in more than one language, ensure that all data protection notices and tools are available in those languages as well and that the language choice made on the main interface is automatically taken into account on the data-related pages (pp. 25-26).

Best practices according to the EDPB

Finally, the EDPB highlights some other “best practices” throughout its guidelines. We have combined them below for easier review:

Structure and ease of access:
- Shortcuts: Links to information, actions, or settings that can be of practical help to users to manage their data and data protection settings should be available wherever they relate to information or experience (e.g., links redirecting to the relevant parts of the privacy policy; in the case of a data breach communication to users, to provide users with a link to reset their password).
- Data protection directory: For easy navigation through the different section of the menu, provide users with an easily accessible page from where all data protection-related actions and information are accessible. This page could be found in the organisation’s main navigation menu, the user account, through the privacy policy, etc.
- Privacy Policy Overview: At the start/top of the privacy policy, include a collapsible table of contents with headings and sub-headings that shows the different passages the privacy notice contains. Clearly identified sections allow users to quickly identify and jump to the section they are looking for.
- Sticky navigation: While consulting a page related to data protection, the table of contents could be constantly displayed on the screen allowing users to quickly navigate to relevant content thanks to anchor links.
Transparency:
- Organisation contact information: The organisation’s contact address for addressing data protection requests should be clearly stated in the privacy policy. It should be present in a section where users can expect to find it, such as a section on the identity of the data controller, a rights related section, or a contact section.
- Reaching the supervisory authority: Stating the specific identity of the EU supervisory authority and including a link to its website or the specific website page for lodging a complaint is another EDPB recommendation. This information should be present in a section where users can expect to find it, such as a rights-related section.
- Change spotting and comparison: When changes are made to the privacy notice, make previous versions accessible with the date of release and highlight any changes.
Terminology & explanations:
- Coherent wording: Across the website, the same wording and definition is used for the same data protection concepts. The wording used in the privacy policy should match that used on the rest of the platform.
- Providing definitions: When using unfamiliar or technical words or jargon, providing a definition in plain language will help users understand the information provided to them. The definition can be given directly in the text when users hover over the word and/or be made available in a glossary.
- Explaining consequences: When users want to activate or deactivate a data protection control, or give or withdraw their consent, inform them in a neutral way of the consequences of such action.
- Use of examples: In addition to providing mandatory information that clearly and precisely states the purpose of processing, offering specific data processing examples can make the processing more tangible for users
Contrasting Data Protection Elements: Making data protection-related elements or actions visually striking in an interface that is not directly dedicated to the matter helps readability. For example, when posting a public message on the platform, controls for geolocation should be directly available and clearly visible.
Data Protection Onboarding: Just after the creation of an account, include data protection points within the onboarding experience for users to discover and set their preferences seamlessly. This can be done by, for example, inviting them to set their data protection preferences after adding their first friend or sharing their first post.
Notifications (including data breach notifications): Notifications can be used to raise awareness of users of aspects, changes, or risks related to personal data processing (e.g., when a data breach occurs). These notifications can be implemented in several ways, such as through inbox messages, pop-in windows, fixed banners at the top of the webpage, etc.

Next steps and international perspectives

These guidelines (available online) are subject to public consultation until 2 May 2022, so it is possible they will be modified as a result of the consultation and, we hope, improved to reflect a more pragmatic view of data protection that balances data subjects’ rights, security, and operational business needs. If you wish to contribute to the public consultation, note that the EDPB publishes feedback it receives (as a result, we have occasionally submitted feedback on behalf of clients wishing to remain anonymous).

Irrespective of the outcome of the public consultation, the guidelines are guaranteed to have an influence on the approach of EU data protection authorities in their investigations. From this perspective, it is better to be forewarned – and to have legal arguments at your disposal if you wish to adopt an approach that deviates from the EDPB’s position.

Moreover, these guidelines come at a time when the United States Federal Trade Commission (FTC) is also concerned with dark patterns. The FTC recently published an enforcement policy statement on the matter in October 2021. Dark patterns are also being discussed at the Organisation for Economic Cooperation and Development (OECD). International dialogue can be helpful if conversations about desired policy also consider practical solutions that can be implemented by businesses and reflect a desirable user experience for data subjects.

Organisations should consider evaluating their own techniques to encourage users to go one way or another and document the justification for their approach.

Article By Peter Craddock, Sheila A. Millar, and Tracy P. Marshall of Keller and Heckman LLP

For more cybersecurity legal news, click here to visit the National Law Review.

Surprise! The No Surprises Act Changes Again

The No Surprises Act (Act), which became effective Jan. 1, 2022, is the latest health care law passed with the best of intent: to create consumer protection from unexpected out-of-network medical bills and to create a federal independent dispute resolution (IDR) process to resolve payment disputes between payers and out-of-network providers. Unfortunately, the Act, especially the U.S. Department of Health and Human Services’ (HHS) implementation of the IDR process, also creates a new administrative burden for health care providers. Providers and medical associations filed lawsuits in multiple jurisdictions to challenge HHS’ implementation of the IDR process and the constitutionality of the Act before it was even in effect.

On Feb. 24, 2022, the United States District Court for the Eastern District of Texas granted the Texas Medical Association’s Motion for Summary Judgement to vacate select IDR requirements. The Court found that HHS’ interim final rule’s IDR process, intended to resolve payment disputes regarding reimbursement for out-of-network emergency services and out-of-network services provided at in-network facilities, was contrary to the clear language of the Act[1] (Rule).

In general, the Act[2] requires health insurance payers (Insurers) to reimburse providers for certain out-of-network services at a statutorily calculated “out-of-network rate.”[3] Where an All-Payer Model Agreement or specified state law does not exist, to set such a rate, an Insurer must issue an initial out-of-network rate decision and pay such amount to the providers within 30 days after the out-of-network claim is submitted.[4] If the provider disagrees with the Insurer’s proposed out-of-network reimbursement rate, the provider has a 30-day window to negotiate a different payment rate with the Insurer.[5] If these negotiations fail, the parties can proceed to the IDR process.[6]

Congress adopted a baseball-style arbitration model for the Act’s IDR process. The Insurer and provider each submit a proposed out-of-network rate with limited supporting evidence. The arbitrator picks one of the offers while taking into account specified considerations, including the “qualified payment amount,” the provider’s training, experience, quality, and outcomes measurements, the provider’s market share, the patient’s acuity, the provider’s teaching status, case mix, and scope of services, and the provider’s/Insurer’s good-faith attempts to enter into a network agreement.[7] The “qualifying payment amount” (QPA), is designed to represent the median rate the Insurer would pay for the item or service if it were provided by an in-network provider.[8]

The Rule requires the IDR arbitrator to select the proposed payment amount that is closest to the QPA unless “the certified IDR entity [arbitrator] determines that credible information submitted by either party … clearly demonstrates that the [QPA] is materially different[9] from the appropriate out-of-network rate.”[10] This is a clear departure from the analysis set forth in the Act.

The Texas Medical Association challenged the Rule under the Administrative Procedures Act (APA), arguing that the Departments exceeded their authority by giving “outsized weight” to one statutory factor over the others specified by Congress, and that the Departments failed to comply with the APA’s notice and comments requirements in promulgating the Rule. In turn, the Departments argued that the plaintiffs did not have standing to bring the claims.

After dispensing with defendant’s standing arguments, the Eastern District of Texas Court ruled in favor of the plaintiff’s Motion for Summary Judgment and determined that “the Act unambiguously establishes the framework for deciding payment disputes and concludes that the Rule conflicts with the statutory text.” Under the Act, the arbitrators (or certified IDR entities) “shall consider … the qualifying payment amounts” and the provider’s level of training, experience, and quality outcomes, the market share held by the provider, the patient’s acuity, the provider’s teaching status, case mix, and scope of services, and the demonstrated good faith efforts of both parties in entering into a network agreement.”[11] The Act did not specify that any one factor should be considered the “primary” or “most important” factor. The Rule, in contrast, requires arbitrators to “select the offer closest to the [QPA]” unless “credible” information, including information supporting the “additional factors,” “clearly demonstrates that the [QPA] is materially different from the appropriate out-of-network rate.”[12] The Departments characterized the other factors as “permissible additional factors” that may be considered only when appropriate.[13] The Court found that the Department’s Rule was inconsistent with the Act and that since Congress had spoken clearly on the factors to be considered in the arbitration process, the Department’s interpretation of the Act was not appropriate and had exceeded the Department’s authority.[14]

Following the Court’s decision, the Departments issued a memorandum on Feb. 28, 2022, clarifying the Act’s requirements for providers and Insurers. The memo specifically noted that the Court’s decision would not, in their opinion, affect the patient-provider dispute resolution process.[15] The Departments also stated they would withdraw any guidance inconsistent with the Court’s Opinion, provide additional training for interested parties, and keep the IDR process portal open to resolve disputes. The Departments also will be considering further rulemaking to address the IDR process.

The No Surprises Act continues to surprise us all with more adaptations. Enforcement of this new law remains uncertain in light of the numerous legal challenges, including at least one constitutionality challenge.

[1] Requirements Related to Surprise Billing: Part II, 86 Fed. Reg. 55,980 (Oct. 7, 2021).

[2] Consolidated Appropriations Act of 2021, Pub. L. No. 116-260, div. BB, tit. I, 134 Stat. 1182, 2758-2890 (2020).

[3] 300gg-111(a)(1)(C)(iv)(II) and (b)(1)(D).

[4] 300gg-111(a)(1)(C)(iv) and (b)(1)(C).

[5] 300gg-111(c)(1)(A).

[6] 300gg-111(c)(1)(B).

[7] 300gg-111(c)(5).

[8] 300gg-111(a)(3)(E)(i)(I)-(II).

[9] “Material difference” is defined as “a substantial likelihood that a reasonable person with the training and qualifications of a certified IDR entity making a payment determination would consider the submitted information significant in determining the out-of-network rate and would view the information as showing that the [QPA] is not the appropriate out-of-network rate. 149.510(a)(2)(viii).

[10] 45 C.F.R. 149.510(c)(4)(ii).

[11] 300gg-111(c)(5)(C)(i)-(ii).

[12] 45 C.F.R. 149.510(c)(4)(ii)(A).

[13] 86 Fed. Reg. 56,080.

[14] Because the Departments had exceeded their statutory authority, no Chevron deference was owed to their regulations. Chevron U.S.A. v. Natural Resources Defense Council, Inc., 468 U.S. 837 (1984).

[15] This is a separate dispute resolution process designed to address disputes between patients and providers when bills for uninsured and self-pay patients are inconsistent with the good faith estimate provided by the health care provider.

Article By Stacey A. Borowicz and Joseph D. Wheeler of Dinsmore & Shohl LLP

For more healthcare legal news, click here to visit the National Law Review.

OIG: Telehealth “Critical” to Maintaining Access to Care Amidst COVID-19

The federal Office of Inspector General (OIG) recently published a report (OIG Report) as part of a series of analyses of the expansion and utilization of telehealth in response to the COVID-19 public health emergency. In its report, the OIG concludes that telehealth was “critical for providing services to Medicare beneficiaries during the first year of the pandemic” and that the utilization of telehealth “demonstrates the long-term potential of telehealth to increase access to health care for beneficiaries.” The OIG’s conclusions are notable because they come at a time when policymakers and health care stakeholders are determining whether and how to make permanent certain expansions of telehealth for patients nationwide.

The OIG Report is based on Medicare claims and encounter data from the “first” year of the pandemic (March 1, 2020 through February 28, 2021) as compared to data for the immediately preceding year (March 1, 2019 through February 29, 2020). Per the OIG Report, the OIG observed that approximately 43% of Medicare beneficiaries used telehealth during the first year of the pandemic, and that office visits were the most common telehealth encounter for those patients. The telehealth utilization data showed an 88-fold increase over the utilization of telehealth services for the prior year, which in part reflects the significant limitations on telehealth reimbursement under Medicare prior to COVID-19, in addition to the significant regulatory expansion of telehealth at the federal and state levels in response to COVID-19.

Interestingly, the OIG Report states that beneficiaries enrolled in a Medicare Advantage plan “were more likely to use telehealth” than Medicare fee-for-service beneficiaries, and that “CMS’s temporary policy changes enabled the monumental growth in the use of telehealth in multiple ways,” including by expanding the permissible patient locations, and the types of services that could be provided via telehealth. In addition, the OIG indicated that the use of telehealth for behavioral health services by beneficiaries “stands out” because of the higher incidence of beneficiaries accessing those services via telehealth, which may in turn influence policymaking and increase access to critical behavioral health care services.

Finally, the OIG Report notably includes a footnote which indicates that a separate report on “Program Integrity Risks” is forthcoming, which may shed light on corresponding compliance concerns that have arisen in connection with the significant expansion of telehealth in response to COVID-19.

Article By Conor O. Duffy of Robinson & Cole LLP

For more health law legal news, click here to visit the National Law Review.

“Levitating” Lawsuits: Understanding Dua Lipa’s Copyright Infringement Troubles

Even global stardom will not make copyright woes levitate away from British superstar Dua Lipa. The pop icon is making headlines following a week of back-to-back, bi-coastal lawsuits alleging copyright infringement with her hit “Levitating.” First, on Tuesday, March 1st, members of reggae band Artikal Sound System sued Dua Lipa for copyright infringement in a Los Angeles federal district court¹. Then, on Friday, March 4th, songwriters L. Russell Brown and Sandy Linzer filed their own copyright infringement lawsuit against the pop star in a New York federal district court². Both lawsuits were filed claiming violations of the Copyright Act, 17 U.S.C. §§ 101 et seq.³

The Artikal Sound System lawsuit is short and alleges that Dua Lipa and the co-creators of “Levitating” copied Artikal Sound System’s 2017 song “Live Your Life.”⁴ The lawsuit does not provide any details in the allegation, other than explaining that “Live Your Life” was commercially released in 2017, was available during the time Dua Lipa and her co-creators wrote “Levitating,” and that because the two songs are substantially similar “Levitating” could not have been created independently.⁵ As a remedy, Artikal Sound System seeks actual damages, a portion of Dua Lipa’s profits stemming from the alleged infringement, the cost of the lawsuit, and any additional remedies the Court sees fit.⁶

Similarly, the Brown and Linzer lawsuit alleges that Dua Lipa and her “Levitating” co-creators copied their works “Wiggle and Giggle All Night” and “Don Diablo.”⁷ More specifically, the Brown and Linzer lawsuit alleges that “Levitating” is substantially similar to “Wiggle and Giggle All Night” and “Don Diablo.”⁸

Accordingly, the lawsuit claims that the defining melody in “Levitating,” the “signature melody,” is a direct duplicate of the opening melody in “Wiggle and Giggle All Night” and “Don Diablo,” and therefore appears in all three songs.⁹ As additional support, the lawsuit points to professionals and laypersons noticing a similarity between the three songs, and Dua Lipa previously admitting that she “purposely sought influences from past eras for the album Future Nostalgia.”¹⁰

As for a remedy, Brown and Linzer request full compensatory and/or statutory damages, punitive damages, an injunction on “Levitating,” a portion of Dua Lipa’s profits stemming from the alleged infringement, the cost of the lawsuit, and any additional remedies the Court sees fit.¹¹

The copyright infringement legal framework

A general overview of the copyright infringement legal framework is helpful in assessing the potential outcomes of the “Levitating” lawsuits. Specifically, the legal framework from the 9th Circuit, where one of the “Levitating” lawsuits was filed, provides great guidance.

In order to establish copyright infringement, one must prove two elements: owning a valid copyright and copying of “constituent elements of the work that are original.”¹²Importantly, when there is no direct evidence of copying, but rather circumstantial evidence, plaintiffs must show that:

the accused infringers had access to the copyrighted work, and
the infringing work and the copyrighted work “are substantially similar.

Plaintiffs can easily show access to the copyrighted work, but “substantial similarity” is harder to show.

2-Part Test

Luckily, the 9th Circuit devised a 2-part test to prove “substantial similarity.”¹³ Under the test, there is sufficient copying, and therefore “substantial similarity,” if an infringing work meets an “extrinsic” and “intrinsic” prong.¹⁴ The intrinsic prong is met if there is “similarity of expression” between the works, as evaluated from the subjective standpoint of an “ordinary reasonable observer.”¹⁵ The extrinsic prong is objective and requires comparing the “constituent elements” of the copyrighted and infringing works to see if there is substantial similarity in terms of the “protected” elements in the copyrighted work.¹⁶

As such, if the commonality between the copyrighted and infringing works is not based on “protected” elements, then the extrinsic prong is not met, and there is no “substantial similarity” between the works for purposes of a copyright infringement action. It must be noted that the 9th Circuit recognizes that, in certain situations, there can be a “substantial similarity” even if the constituent elements are individually unprotected, but only if their “selection and arrangement” reflects originality.¹⁷

To understand “substantial similarity” one must define what is “protectable” under copyright law. Copyright protection extends only to works that contain original expression.¹⁸ In this context, the standard for originality is a minimal degree of creativity.¹⁹ According to the Copyright Act, protection does not extend to ideas or concepts used in original works of authorship.²⁰ In the musical context, copyright does not protect “common or trite musical elements, or commonplace elements that are firmly rooted in the genre’s tradition” because “[t]hese building blocks belong in the public domain and cannot be exclusively appropriated by any particular author.”²¹

Katy Perry “Dark Horse” case and an ostinato

While the “Levitating” lawsuits are still young, a recent decision by the 9th Circuit in the infamous Katy Perry “Dark Horse” case is a good example of how courts conduct legal analyses in copyright infringement cases. The precedential ruling (Gray v. Hudson), released on March 10th, affirms a U.S. District Judge’s decision to vacate a jury verdict that awarded US$2.8 million in damages to a group of rappers who claimed Katy Perry’s “Dark Horse” copied their song “Joyful Noise.”²²

The 9th Circuit’s opinion cogently applies copyright law to hold that the plaintiffs in the original lawsuit did not provide legally sufficient evidence that “Joyful Noise” and “Dark Horse” were “extrinsically similar” in terms of musical features protected by copyright law.²³

Specifically, the Court reasoned that while “Dark Horse” used an ostinato (a repeating musical figure) similar to the one in “Joyful Noise,” the resemblance in the ostinatos stemmed from “commonplace, unoriginal musical principles” and made them uncopyrightable.²⁴ Without the ostinatos, the plaintiffs could not point to any “individually copyrightable” elements from “Joyful Noise” that were “substantially similar” in “Dark Horse.”²⁵

Additionally, the Court held that the “Joyful Noise” ostinato was not original enough to be a protectable combination of uncopyrightable elements.²⁶ In turn, under the legal framework for copyright infringement the plaintiffs failed to meet their burden.²⁷ The Court put it best by opining that:

“[a]llowing a copyright over [the] material would essentially amount to allowing an improper monopoly over two-note pitch sequences or even the minor scale itself, especially in light of the limited number of expressive choices available when it comes to an eight-note repeated musical figure.”²⁸

“Levitating” lawsuits likely outcomes

Applying the copyright infringement framework to the “Levitating” lawsuits allows us to understand the likely outcomes. First, the Artikal Sound System lawsuit does not allege any direct evidence of copying. As such, Artikal Sound System must show that Dua Lipa had access to “Live Your Life” and that “Levitating” is “substantially similar” to their song under the 2-prong test. Access is easily proved, as “Live Your Life” was commercially available on multiple streaming services when Dua Lipa wrote “Levitating.”²⁹

However, the Artikal Sound System lawsuit does not provide enough information to pass the 2-prong “substantial similarity” test. The lawsuit only alleges that “Levitating” is “substantially similar” to “Live Your Life,” but does not detail any similarities much less provide any evidence that there is similarity of expression between the works from the point of view of a reasonable observer, as required by the intrinsic component of the test.³⁰

More importantly, the lawsuit does not even mention any protectable elements from “Live Your Life” copied in “Levitating” and would, therefore, fail the extrinsic prong of the “substantial similarity” test.³¹ In turn, as submitted, the Artikal Sound System lawsuit fails to make a prima facie case of copyright infringement by Dua Lipa’s “Levitating.”

The story may be different for the Brown and Linzer lawsuit. Like the first suit, the Brown and Linzer lawsuit does not provide direct evidence of copying and will therefore only succeed if it passes the circumstantial evidence requirements of 1) access and 2) “substantial similarity.” Unlike the first suit, however, the Brown and Linzer complaint includes comparisons of the notes in “Levitating” to the notes in “Wiggle and Giggle All Night” and “Don Diablo” as support for the allegation of “substantial similarity.”

The 2nd Circuit, where the lawsuit was filed, held that a court can determine as a matter of law that two works are not “substantially similar” if the similarity between the two works concerns non-copyrightable elements of the copyrighted work.³² In practice, this means that the 2nd Circuit can apply the 2-prong “substantial similarity” test. Brown and Linzer can easily prove access to “Wiggle and Giggle All Night” and “Don Diablo” since both songs are internationally popular.³³

Brown and Linzer can also meet the intrinsic prong of the test because, as they point out, “laypersons” (ordinary reasonable observers) have noticed the commonality between their copyrighted works and “Levitating,” as supported by widespread postings on mediums like TikTok.³⁴ The extrinsic prong of the test is more uncertain.

In their lawsuit, Brown and Linzer point to a “signature melody” that repeats in “bars 10 and 11 of all three songs… [and] with some slight variation, in bars 12 and 13.”³⁵ The court may find that this “signature melody” is not protected by copyright if it reasons that a melody is a basic musical principle, much like the 9th Circuit did for ostinatos in the Katy Perry “Dark Horse” case.

At its core, it seems like Brown and Linzer will have to convince the court that a melody, which they define as “a linear succession of musical tones,” qualifies as copyrightable because it is an original creative expression. Conversely, Brown and Linzer can concede that a melody is not copyrightable, but that their original arrangement and use of the melody in their copyrighted songs is copyrightable. In the end, it will be up to whether or not a court finds that the “signature melody” is copyrightable. As such, the outcome of Brown and Linzer’s action for copyright infringement is uncertain.

Nonetheless, one thing is for sure, copied or not, “Levitating” will continue powering gym visits and nights out dancing.

Footnotes

See Complaint, Cope v. Warner Records, Inc., Case 2:22-cv-01384 (C.D. Cal. 2022).
See Complaint, Larball Publ’g Co., Inc. v. Dua Lipa, Case 1:22-cv-01872 (S.D.N.Y. 2022).
See Complaint at ¶ 7, Larball Publ’g Co., Inc. v. Dua Lipa, Case 1:22-cv-01872 (S.D.N.Y. 2022); Complaint at ¶ 12, Cope v. Warner Records, Inc., Case 2:22-cv-01384 (C.D. Cal. 2022).
See Complaint at ¶ 17, Cope v. Warner Records, Inc., Case 2:22-cv-01384 (C.D. Cal. 2022).
See Complaint at ¶ 15-18, Cope v. Warner Records, Inc., Case 2:22-cv-01384 (C.D. Cal. 2022).
See Complaint at ¶ 19-22, Cope v. Warner Records, Inc., Case 2:22-cv-01384 (C.D. Cal. 2022).
See Complaint at ¶ 2, Larball Publ’g Co., Inc. v. Dua Lipa, Case 1:22-cv-01872 (S.D.N.Y. 2022).
See Complaint at ¶ 2, Larball Publ’g Co., Inc. v. Dua Lipa, Case 1:22-cv-01872 (S.D.N.Y. 2022).
See Complaint at ¶ 3, Larball Publ’g Co., Inc. v. Dua Lipa, Case 1:22-cv-01872 (S.D.N.Y. 2022).
See Complaint at ¶ 49, Larball Publ’g Co., Inc. v. Dua Lipa, Case 1:22-cv-01872 (S.D.N.Y. 2022).
See Complaint at 13-14, Larball Publ’g Co., Inc. v. Dua Lipa, Case 1:22-cv-01872 (S.D.N.Y. 2022).
Feist Publ’ns, Inc. v. Rural Tel. Serv. Co., 499 U.S. 340, 361 (1991).
Apple Comput., Inc. v. Microsoft Corp., 35 F.3d 1435, 1442 (9th Cir. 1994).
Id.
Id.
Swirsky v. Carey, 376 F.3d 841, 845 (9th Cir. 2004).
Satava v. Lowry, 323 F.3d 805, 811 (9th Cir. 2003).
See 17 U.S.C. § 102(a); Feist, 499 U.S. at 345.
See Feist, 499 U.S. at 345.
See 17 U.S.C. § 102(b); Skidmore as Tr. for the Randy Craig Wolfe Tr. v. Led Zeppelin, 952 F.3d 1051, 1069 (9th Cir. 2020) (en banc).
Skidmore, 952 F.3d at 1069.
Gray v. Hudson, No. 20-55401, slip op at 26 (9th Cir. Mar. 10, 2022).
Id.
Id. at 14-21.
Id. at 17.
Id. at 22.
Id. at 26.
Id. at 24.
See Complaint at ¶ 16, Cope v. Warner Records, Inc., Case 2:22-cv-01384 (C.D. Cal. 2022).
See Complaint at ¶ 18, Cope v. Warner Records, Inc., Case 2:22-cv-01384 (C.D. Cal. 2022).
See Complaint at ¶ 18, Cope v. Warner Records, Inc., Case 2:22-cv-01384 (C.D. Cal. 2022).
Peter F. Gaito Architecture, LLC v. Simone Dev. Corp., 602 F.3d 57, 63-65 (2d Cir. 2010).
See Complaint at ¶ 35, Larball Publ’g Co., Inc. v. Dua Lipa, Case 1:22-cv-01872 (S.D.N.Y. 2022).
See Complaint at ¶ 4, Larball Publ’g Co., Inc. v. Dua Lipa, Case 1:22-cv-01872 (S.D.N.Y. 2022).
See Complaint at ¶ 38, Larball Publ’g Co., Inc. v. Dua Lipa, Case 1:22-cv-01872 (S.D.N.Y. 2022).

Article By Adrian Gonzalez Cerrillo and Sana Hakim of K&L Gates

For more intellectual property legal news, click here to visit the National Law Review.

Google to Launch Google Analytics 4 in an Attempt to Address EU Privacy Concerns

On March 16, 2022, Google announced the launch of its new analytics solution, “Google Analytics 4.” Google Analytics 4 aims, among other things, to address recent developments in the EU regarding the use of analytics cookies and data transfers resulting from such use.

Background

On August 17, 2020, the non-governmental organization None of Your Business (“NOYB”) filed 101 identical complaints with 30 European Economic Area data protection authorities (“DPAs”) regarding the use of Google Analytics by various companies. The complaints focused on whether the transfer of EU personal data to Google in the U.S. through the use of cookies is permitted under the EU General Data Protection Regulation (“GDPR”), following the Schrems II judgment of the Court of Justice of the European Union. Following these complaints, the French and Austrian DPAs ruled that the transfer of EU personal data from the EU to the U.S. through the use of the Google Analytics cookie is unlawful.

Google’s New Solution

According to Google’s press release, Google Analytics 4 “is designed with privacy at its core to provide a better experience for both our customers and their users. It helps businesses meet evolving needs and user expectations, with more comprehensive and granular controls for data collection and usage.”

The most impactful change from an EU privacy standpoint is that Google Analytics 4 will no longer store IP address, thereby limiting the data transfers resulting from the use of Google Analytics that were under scrutiny in the EU following the Schrems II ruling. It remains to be seen whether this change will ease EU DPAs’ concerns about Google Analytics’ compliance with the GDPR.

Google’s previous analytics solution, Universal Analytics, will no longer be available beginning July 2023. In the meantime, companies are encouraged to transition to Google Analytics 4.

Read Google’s press release.

Article By Privacy and Cybersecurity Practice Group at Hunton Andrews Kurth

For more cybersecurity legal news, click here to visit the National Law Review.

The Gensler SEC: What to Expect in 2022

Since Gary Gensler became chair of the U.S. Securities and Exchange Commission in April 2021, his agency has signaled an active agenda that many expect will be aggressively enforced. Cornerstone Research recently brought together distinguished experts with SEC experience to share what they expect the SEC will focus on in 2022. The expert forum, “The Gensler SEC: Policy, Progress, and Problems,” featured Joseph Grundfest, a former commissioner of the SEC and currently serving as the W. A. Franke Professor of Law and Business at Stanford Law School; and Mary Jo White, senior chair, litigation partner, and leader of Debevoise & Plimpton’s Strategic Crisis Response and Solutions Group who previously served as chair of the SEC and as U.S. Attorney for the Southern District of New York. Moderated by Jennifer Marietta-Westberg of Cornerstone Research, the forum was held before an audience of attorneys and economists and explored the major regulatory and enforcement themes expected to take center stage in the coming year.

ESG Disclosures and Materiality

In its Unified Regulatory Agenda first released in June of last year, the SEC indicated that it will propose disclosure requirements in the environmental, social, and governance (ESG) space, particularly on climate-related risks and human capital management. However, as documented by the numerous comments received as a result of the SEC’s March 15, 2021, request for input on climate change disclosures, there is substantial debate as to whether these disclosures must, or should, require disclosure only of material information. During the expert forum, Grundfest and White agreed that ESG disclosures should call for material information only. However, they have different predictions on whether ESG disclosures actually will be qualified by a materiality requirement.

White emphasized that materiality is a legal touchstone in securities laws. “If the SEC strays far from materiality, the risk is that a rule gets overturned,” she said. “Not every single rule needs to satisfy the materiality requirement, but it would be a mistake for the SEC not to explain what its basis for materiality is in this space.”

Grundfest added, “There is a spectrum of ESG issues, and while some are within the SEC’s traditional purview, others are new and further away from it. For example, to better ensure robust greenhouse emissions disclosure, the Environmental Protection Agency should be the one to require disclosure rules that would not be overturned.”

Gensler has indicated that investors want ESG disclosures in order to make investment and voting decisions. For instance, in his remarks before the Principles for Responsible Investment in July 2021, Gensler stated that “[i]nvestors are looking for consistent, comparable, and decision-useful disclosures so they can put their money in companies that fit their needs.” White predicts that some but not all ESG disclosure requirements in the proposed rules the SEC is working on will call for material information.

Grundfest, however, believes that the rules the SEC eventually adopts will require disclosure only of material information. “The SEC’s proposal on ESG disclosures will ask for everything, from the moon to the stars,” he said. “But public comments will sober the rules. The SEC staff will take into account the Supreme Court standard and the Chevron risk. It will settle on adopting materiality-based disclosure rules.”

There is also debate over the potential definition of materiality in the context of any proposed ESG disclosures. The panelists were asked whether the fact that large institutional investors assert various forms of ESG information are important to their investment decisions is a sufficient basis upon which to conclude that the information is material. Neither White nor Grundfest believes the Supreme Court as currently composed would accept this argument, but they differ on the reasons.

Grundfest believes the Supreme Court will stick with its approach of a hypothetical reasonable investor. “The fact that these institutional investors ask for this information doesn’t necessarily mean that it’s material,” he said. “If the SEC wants to have something done in this space, it has to work within the law.”

White said an important aspect of the rule will be the economic analysis, though she, too, does not think materiality can be “decided by an opinion poll among institutional investors.” For example, a shareholder proposal requesting certain information that has not received support does not necessarily make the information immaterial. “The Supreme Court will be tough on the survey approach,” she said.

Digital Assets and Crypto Exchanges

In several statements and testimonies, Gensler has declared the need for robust enforcement and better investor protection in the markets for digital currencies. He has publicly called the cryptocurrency space “a Wild West.” In addition to bringing enforcement actions against token issuers and other market participants on the theory that the tokens constitute securities, the SEC under his leadership has brought enforcement actions against at least one unregistered digital asset exchange on the theory that the exchange traded securities and should therefore register as securities exchange.

“The crypto space is the SEC’s most problematic area,” Grundfest said. “Franz Kafka’s most famous novel is The Trial. It’s about a person arrested and prosecuted for a crime that is never explained based on evidence that he never sees. Some recent SEC enforcement proceedings make me wonder whether Kafka is actually still alive and well, and working deep in the bowels of the SEC’s Enforcement Division.” In support of this literary reference, Professor Grundfest noted that, in bringing enforcement actions against crypto exchanges alleging that they traded tokens that were unregistered securities, the SEC never specified which tokens traded on these exchanges were securities. “This is almost beyond regulation by enforcement. It’s regulation by FUD—fear, uncertainty, and doubt,” Grundfest said.

White predicted that, of the 311 active crypto exchanges listed by CoinMarketCap as of December 1, 2021, the SEC will bring cases against at least four in the coming year.

Gensler has publicly argued for bringing the cryptocurrency-related industry under his agency’s oversight. “We need additional congressional authorities to prevent transactions, products, and platforms from falling between regulatory cracks,” he said in August at the Aspen Security Forum. But neither White nor Grundfest believes the current Congress will enact legislation giving the SEC authority to regulate crypto transactions that do not meet the definition of an investment contract under the Howey test.

In November 2021, a federal jury in Audet v. Fraser at the District Court of Connecticut decided that certain cryptocurrency products that investors purchased were not securities under Howey. Neither Grundfest nor White believes this finding will cause the SEC to become more cautious about asserting that some forms of crypto are securities.

“One jury verdict is hardly a precedent,” White said. “The facts of the case didn’t have many of the nuances under Howey that other cases have. It will not deter the SEC.”

The panelists agreed that SEC enforcement activity will be aggressive in the crypto space. A report by Cornerstone Research, titled SEC Cryptocurrency Enforcement: 2021 Update, found that, under the new administration, the SEC has continued its role as one of the main regulators in the cryptocurrency space. In 2021, the SEC brought 20 enforcement actions against digital asset market participants, including first-of-their-kind actions against a crypto lending platform, an unregistered digital asset exchange, and a decentralized finance (DeFi) lender.

Proxy Voting

With the 2022 proxy season on the horizon, people will be watching the SEC closely, as Gensler’s Commission recently adopted new rules for universal proxy cards, and it has revisited amendments adopted under the former chair of the SEC, Jay Clayton.

Last November, the SEC adopted universal proxy rules that now allow shareholders to vote for their preferred mix of board candidates in contested elections, similar to voting in person. These rules would put investors voting in person and by proxy on equal footing. “Universal proxy was proposed at the time when I was the chair of the SEC, and the logic for the rule is overpowering,” White said. “In adoption, some commissioners had reservations on the thresholds of voting power a dissident would be required to solicit, but voted in favor anyway based on its logic. It was a 4 to 1 vote.”

Grundfest and White expect the number of proxy contests that proceed to a vote will go up as a result. From 2019 to 2020, the incidence of proxy contests increased from 6 to 13. Looking ahead to the coming year, Grundfest predicts the rule change will increase the incidence of proxy contests by somewhere between 50% and 100%. White predicts a more modest increase of about 50%.

Regarding rules on proxy voting advice, the SEC issued Staff Legal Bulletin No. 14L (CF) last November to address Rule 14a-8(i)(7), which permits exclusion of a shareholder proposal that “deals with a matter relating to the company’s ordinary business operations.”

The bulletin puts forth a new Staff position that now denies no-action relief to registrants seeking to exclude shareholder proposals that transcend the company’s day-to-day business matters. “This exception is essential for preserving shareholders’ right to bring important issues before other shareholders by means of the company’s proxy statement, while also recognizing the board’s authority over most day-to-day business matters,” the bulletin said.

Both White and Grundfest believe a modest number of issuers will go to court in the 2022 proxy season seeking to exclude Rule 14a-8 shareholder proposals as “transcending” day-to-day operations. “I think companies will challenge shareholder proposals in court but not a lot,” White said. “It depends on the shareholder proposal.”

Grundfest believes any such cases would be driven as much by CEOs as by any other factor. “Companies may challenge a shareholder proposal in court if they have a CEO who is offended by a certain proposal or for First Amendment reasons,” he said. Grundfest cited a hypothetical example of a software company in Texas with a shareholder proposal on gun rights or abortion rights, which have nothing to do with the cybersecurity software the company produces. “It would be hard to force a company to put forth a politically charged proposal that is not related to that company’s business,” he said. “If it’s a First Amendment right, the company will go to court.”

Article By Jennifer Marietta-Westberg and Simona Mola of Cornerstone Research

For more SEC and securities legal news, click here to visit the National Law Review.

Regulation by Definition: CFPB Broadens Definition of “Unfairness” to Rein in Discrimination

In a significant move, the CFPB announced on March 16 a revision to its supervisory operations to address discrimination outside of the traditional fair lending context, with future plans to scrutinize discriminatory conduct that violates the federal prohibition against “unfair” practices in such areas as advertising, pricing, and other areas to ensure that companies are appropriately testing for and eliminating illegal discrimination. Specifically, the CFPB updated its Exam Manual for Unfair, Deceptive, or Abusive Acts or Practices (UDAAPs) noting that discrimination may meet the criteria for “unfairness” by causing substantial harm to consumers that they cannot reasonably avoid.

With this update, the CFPB intends to target discriminatory practices beyond its use of the Equal Credit Opportunity Act (ECOA) – a fair lending law which covers extensions of credit – and plans to also enforce the Consumer Financial Protection Act (CFPA), which prohibits UDAAPs in connection with any transaction for, or offer of, a consumer financial product or service. To that end, future examinations will focus on policies or practices that, for example, exclude individuals from products and services, such as “not allowing African-American consumers to open deposit accounts, or subjecting African-American consumers to different requirements to open deposit accounts” that may be an unfair practice where the ECOA may not apply to this particular situation.

The CFPB notes that, among other things, examinations will (i) focus on discrimination in all consumer finance markets; (ii) require supervised companies to include documentation of customer demographics and the impact of products and fees on different demographic groups; and (iii) look at how companies test and monitor their decision-making processes for unfair discrimination, as well as discrimination under ECOA.

In a statement accompanying this announcement, CFPB Director Chopra stated that “[w]hen a person is denied access to a bank account because of their religion or race, this is unambiguously unfair . . . [w]e will be expanding our anti-discrimination efforts to combat discriminatory practices across the board in consumer finance.”

Putting it Into Practice: This announcement expands the CFPB’s examination footprint beyond discrimination in the fair lending context and makes it likely that examiners will assess a company’s anti-discrimination programs as applied to all aspects of all consumer financial products or services, regardless of whether that company extends any credit. By framing discrimination also as an UDAAP issue, the CFPB appears ready to address bias in connection with other kinds of financial products and services. In particular, the CFPB intends to closely examine advertising and marketing activities targeted to consumers based on machine learning models and any potential discriminatory outcomes.

Article By Moorari Shah and A.J. S. Dhaliwal of Sheppard, Mullin, Richter & Hampton LLP

For more financial legal news, click here to visit the National Law Review.

Congress Grants Five Month Extension for Telehealth Flexibilities

On Tuesday, March 16, 2022, President Biden signed into law H.R. 2471, the Consolidated Appropriations Act, 2022 (“2022 CAA”). This new law includes several provisions that extend the Medicare telehealth waivers and flexibilities, implemented as a result of COVID-19 to facilitate access to care, for an additional 151 days after the end of the Public Health Emergency (“PHE”). This equates to about a five-month period.

The 2022 CAA extension captures most of the core PHE telehealth flexibilities authorized as part of Medicare’s pandemic response, including the following:

Geographic Restrictions and Originating Sites: During the extension, Medicare beneficiaries can continue to receive telehealth services from anywhere in the country, including their home. Medicare is permitting telehealth services to be provided to patients at any site within the United States, not just qualifying zip codes or locations (e.g. physician offices/facilities).
Eligible Practitioners: Occupational therapists, physical therapists, speech-language pathologists, and qualified audiologists will continue to be able to furnish and receive payment for telehealth services as eligible distant site practitioners during the extension period.
Mental Health: In-person requirements for certain mental health services will continue to be waived through the 151-day extension period.
Audio-Only Telehealth Services: Medicare will continue to provide coverage and payment for most telehealth services furnished using audio-only technology. This includes professional consultations, office visits, and office psychiatry services (identified as of July 1, 2000 by HCPCS Codes 99241-99275, 99201-99215, 90804-90809 and 90862) and any other services added to the telehealth list by the CMS Secretary for which CMS has not expressly required the use of real-time, interactive audio-visual equipment during the PHE.

Additionally, the 2022 CAA allocates $62,500,000 from the federal budget to be used for grants for telemedicine and distance learning services in rural areas. Such funds may be used to finance construction of facilities and systems providing telemedicine services and distance learning services in qualified “rural areas.”

Passage of the 2022 CAA is a substantial step in the right direction for stakeholders hoping to see permanent legislative change surrounding Medicare telehealth reimbursement.

Article By Joelle M. Wilson and Laura Little of Polsinelli PC

For more health law legal news, click here to visit the National Law Review.

EV Buses: Arriving Now and Here to Stay

In the words of Miss Frizzle, “Okay bus—do your stuff!”¹ A favorable regulatory environment, direct subsidy, private investment, and customer demand are driving an acceleration in electric vehicle (EV) bus adoption and the lane of busiest traffic is filling with school buses. The United States has over 480,000 school buses, but currently, less than one percent are EVs. Industry watchers expect that EV buses will eventually become the leading mode for student transportation. School districts and municipalities are embracing EV buses because they are perceived as cleaner, requiring less maintenance, and predicted to operate more reliably than current fossil fuel consuming alternatives. EV bus technology has improved in recent years, with today’s models performing better in cold weather than their predecessors, with increased ranges on a single charge, and requiring very little special training for drivers.² Moreover, EV buses can serve as components in micro-grid developments (more on that in a future post).

The Investment Incline

Even if the expected operational advantages of EV buses deliver, the upfront cost to purchase vehicles or to retrofit existing fleets remains an obstacle to expansion. New EV buses price out significantly more than traditional diesel buses and also require accompanying new infrastructure, such as charging stations. Retrofitting drive systems in existing buses comparatively reduces some of that cost, but also requires significant investment.³

To detour around these financial obstacles, federal, state, and local governments have made funding available to encourage the transition to EV buses.⁴ In addition to such policy-based subsidies, private investment from both financial and strategic quarters has increased. Market participants who take advantage of such funding earlier than their competitors have a forward seat to position themselves as leaders.

You kids pipe down back there, I’ve got my eyes on a pile of cash up ahead!

Government funding incentives for electrification are available for new EV buses and for repowering existing vehicles.⁵ Notably, the Infrastructure Investment and Jobs Act committed $5 billion over five years to replace existing diesel buses with EV buses. Additionally, the Diesel Emissions Reduction Act provided $18.7 million in rebates for fiscal year 2021 through an ongoing program.

In 2021, New York City announced its commitment to transition school buses to electric by 2035. Toward that goal, the New York Truck Voucher Incentive Program provides vouchers to eligible fleets towards electric conversions and covers up to 80% of those associated costs.⁶ California’s School Bus Replacement Program had already set aside over $94 million, available to districts, counties, and joint power authorities, to support replacing diesel buses with EVs, and the state’s proposed budget for 2022-23 includes a $1.5 billion grant program to support purchase of EV buses and charging stations.

While substantial growth in EV bus sales will continue in the years ahead, it will be important to keep an eye out for renewal, increase or sunset of these significant subsidies.

Market Players and Market Trends, OEMs, and Retrofitters

The U.S is a leader in EV school bus production: two of the largest manufacturers, Blue Bird and Thomas Built (part of Daimler Truck North America), are located domestically, and Lion Electric (based in Canada) expects to begin delivering vehicles from a large facility in northern Illinois during the second half of 2022. GM has teamed up with Lighting eMotors on a medium duty truck platform project that includes models prominent in many fleets, and Ford’s Super Duty lines of vehicles (which provide the platform for numerous vans and shuttle vehicles) pop up in its promotion of a broader electric future. Navistar’s IC Bus now features an electric version of its flagship CE series.

Additionally, companies are looking to a turn-key approach to deliver complete energy ecosystems, encompassing vehicles, charging infrastructure, financing, operations, maintenance, and energy optimization. In 2021, Highland Electric Transportation raised $253 million from Vision Ridge Partners, Fontinalis Partners (co-founded by Bill Ford) and existing investors to help accelerate its growth, premised on a turn-key fleet approach.⁷

Retrofitting is also on the move. SEA Electric (SEA), a provider of electric commercial vehicles, recently partnered with Midwest Transit Equipment (MTE) to convert 10,000 existing school buses to EVs over the next five years.⁸ MTE will provide the frame for the school uses and SEA will provide its SEA-drive propulsion system to convert the buses to EV.⁹ In a major local project, Logan Bus Company announced its collaboration with AMPLY Power and Unique Electric Solutions (UES) to deploy New York City’s first Type-C (conventional) school bus.¹⁰

Industry followers should expect further collaborations, because simplifying the route to adopting an EV fleet makes it more likely EV products will reach customers.

Opportunities Going Forward

Over the long haul, EV buses should do well. Scaling up investments and competition on the production side should facilitate making fleet modernization more affordable for school districts while supporting profit margins for manufacturers. EVs aren’t leaving town, so manufacturers, fleet operators, school districts and municipalities will either get on board or risk being left at the curb.

Article By Michael J. Small and Samantha Ruppenthal at Foley & Lardner LLP

For more utilities and transportation legal news, click here to visit the National Law Review.

¹https://shop.scholastic.com/parent-ecommerce/series-and-characters/magic-school-bus.html

²https://www.busboss.com/blog/having-an-electric-school-bus-fleet-is-easier-than-many-people-think

³https://thehill.com/opinion/energy-environment/570326-electric-school-bus-investments-could-drive-us-vehicle

⁴https://info.burnsmcd.com/white-paper/electrifying-the-nations-mass-transit-bus-fleets

⁵https://stnonline.com/partner-updates/electric-repower-the-cheaper-faster-and-easier-path-to-electric-buses/

⁶https://www1.nyc.gov/office-of-the-mayor/news/296-21/recovery-all-us-mayor-de-blasio-commits-100-electric-school-bus-fleet-2035

⁷https://www.bloomberg.com/press-releases/2021-02-16/highland-electric-transportation-raises-253-million-from-vision-ridge-partners-fontinalis-partners-and-existing-investors

⁸https://www.electrive.com/2021/12/07/sea-electric-to-convert-10k-us-school-buses/#:~:text=SEA%20Electric%20and%20Midwest%20Transit,become%20purely%20electric%20school%20buses.

⁹ Id.

¹⁰https://stnonline.com/news/new-york-city-deploys-first-type-c-electric-school-bus/

L’Oreal PFAS Lawsuit Shows the Danger of ESG Marketing

For the second time in less than a month, L’Oreal finds itself embroiled in a PFAS lawsuit related to its mascara products. The L’Oreal PFAS lawsuit was filed in the New York federal court on March 9, 2022. Cosmetics and PFAS is a topic that saw increased scrutiny from the scientific community, legislature, and the media in 2021. As we predicted in early 2021, the increased attention on the industry presented significant risks to the cosmetics industry, and our prediction was that the developments made the cosmetics industry the number two target for future PFAS lawsuits. In less than three months, four industry giants – Shiseido, CoverGirl, L’Oreal and Burt’s Bees – were hit with lawsuits related to their cosmetics and PFAS content in some of the companies’ products. The industry, insurers, and investment companies interested in the consumer goods vertical with niche interest in cosmetics companies must pay careful attention to the Burt’s Bees lawsuit and the increasing trend of lawsuits targeting the industry.

PFAS and Cosmetics: the 2021 Foundation

On June 15, 2021, a scientific study in the Journal of Environmental Science and Technology Letters published conclusions regarding testing of a variety of cosmetics products from the United States and Canada for PFAS content, and found PFAS present in over half of the products. On the same day that the study was published, the No PFAS In Cosmetics Act 2021 was introduced in the Senate by U.S. Senators Susan Collins (R-ME), Richard Blumenthal (D-CT), Dianne Feinstein (D-CA), Maggie Hassan (D-NH), Jeanne Shaheen (D-NH), Kirsten Gillibrand (D-NY), and Angus King (I-ME). The bill sought to ban PFAS in cosmetics.

These two developments led us to conclude “with these developments, our prediction that cosmetics is the number two target for PFAS litigation issues behind water rings true.”

Why PFAS In Cosmetics Is A Concern

PFAS content in cosmetics raises concerns for human health in scientific communities due to the fact that PFAS are capable of entering the bloodstream in ways other than direct oral ingestion, and one of these ways includes dermal absorption. Concerns have also been raised regarding absorption of PFAS into the bloodstream by way of tear ducts. The absorption issue is one that is being studied fairly extensively through various pending scientific studies. At the end of 2021, the federal Agency for Toxic Substances and Disease Registry (ATSDR) went so far as to recommend that citizens in Southern New Hampshire reduce their risk of further PFAS exposure by avoiding the use of certain consumer goods, including cosmetics.

L’Oreal PFAS Lawsuit

On March 9, 2022, plaintiffs Zada Hicks and Stephanie Vargas filed a lawsuit in the New York federal court seeking a proposed class action lawsuit against LOreal. The L’Oreal PFAS lawsuit alleges that the company does not disclose to consumers that its mascara and other products contain PFAS. Instead, the lawsuit states, the products were fraudulently and misleadingly marketed as safe for consumers and environmentally friendly, in violation of federal and state consumer laws. The Complaint details several examples of L’Oreal marketing indicating the safe and environmentally-friendly nature of the products.

The plaintiff seeks certification of the class action lawsuit, injunctive relief, damages, fees, costs and a jury trial. The proposed class is any consumer in the United States, or in the subclass of New York, who purchased the relevant L’Oreal products.

Just the Beginning For Cosmetics Industry

With studies underway, legislation pending that targets cosmetics, and increasing media reporting on cosmetics concerns to human health, the cosmetics industry has a target on its back with respect to PFAS that will have impacts on the industry’s involvement in litigation. Twelve months ago, we made this prediction: “Personal injury / products liability cases, false advertising, and failure to disclose theories of liability are some of the more prominent allegations that cosmetics companies are likely to face. Further, the cosmetics industry is concerned about federal and state level regulatory enforcement action for environmental pollution remediation costs stemming from placing PFAS waste into the environment as a by-product of the manufacturing process.”

The first part of our prediction is becoming reality, as four significant cosmetics industry players now find themselves embroiled in litigation focused on false advertising, consumer protection violations, and deceptive statements made in marketing and ESG reports. The lawsuits may well serve as a test case for plaintiffs’ bar to determine whether similar lawsuits will be successful in any (or all) of the fifty states in this country. Each cosmetics company faces the stark possibility of needing to defend lawsuits involving plaintiffs in all fifty states for products that contain PFAS.

It should be noted that these lawsuits would only touch on the marketing, advertising, ESG reporting, and consumer protection type of issues. Separate products lawsuits could follow that take direct aim at obtaining damages for personal injury for plaintiffs from cosmetics products. In addition, environmental pollution lawsuits could seek damage for diminution of property value, cleanup costs, and PFAS filtration systems if drinking water cleanup is required.

Conclusion

It is of the utmost importance that businesses along the whole supply chain in the cosmetics industry evaluate their PFAS risk. Public health and environmental groups urge legislators to regulate PFAS at an ever-increasing pace. Similarly, state level EPA enforcement action is increasing at a several-fold rate every year. Now, the first wave of lawsuits take direct aim at the cosmetics industry. Companies that did not manufacture PFAS, but merely utilized PFAS in their manufacturing processes, are therefore becoming targets of costly enforcement actions at rates that continue to multiply year over year. Lawsuits are also filed monthly by citizens or municipalities against companies that are increasingly not PFAS chemical manufacturers.

Article By John Gardella of CMBG3 Law

For more environmental legal news, click here to visit the National Law Review.

Tag: business

Surprise! The No Surprises Act Changes Again

Like this:

OIG: Telehealth “Critical” to Maintaining Access to Care Amidst COVID-19

Like this:

“Levitating” Lawsuits: Understanding Dua Lipa’s Copyright Infringement Troubles