Consumer Protection Archives - Page 2 of 9

Under the GDPR, Are Companies that Utilize Personal Information to Train Artificial Intelligence (AI) Controllers or Processors?

The EU’s General Data Protection Regulation (GDPR) applies to two types of entities – “controllers” and “processors.”

A “controller” refers to an entity that “determines the purposes and means” of how personal information will be processed.[1] Determining the “means” of processing refers to deciding “how” information will be processed.[2] That does not necessitate, however, that a controller makes every decision with respect to information processing. The European Data Protection Board (EDPB) distinguishes between “essential means” and “non-essential means.[3] “Essential means” refers to those processing decisions that are closely linked to the purpose and the scope of processing and, therefore, are considered “traditionally and inherently reserved to the controller.”[4] “Non-essential means” refers to more practical aspects of implementing a processing activity that may be left to third parties – such as processors.[5]

A “processor” refers to a company (or a person such as an independent contractor) that “processes personal data on behalf of [a] controller.”[6]

Data typically is needed to train and fine-tune modern artificial intelligence models. They use data – including personal information – in order to recognize patterns and predict results.

Whether an organization that utilizes personal information to train an artificial intelligence engine is a controller or a processor depends on the degree to which the organization determines the purpose for which the data will be used and the essential means of processing. The following chart discusses these variables in the context of training AI:

The following chart discusses these variables in the context of training AI:

Function	Activities Indicative of a Controller	Activities Indicative of a Processor
Purpose of processing
Why the AI is being trained.	If an organization makes its own decision to utilize personal information to train an AI, then the organization will likely be considered a “controller.”	If an organization is using personal information provided by a third party to train an AI, and is doing so at the direction of the third party, then the organization may be considered a processor.
Essential means
Data types used in training.	If an organization selects which data fields will be used to train an AI, the organization will likely be considered a “controller.”	If an organization is instructed by a third party to utilize particular data types to train an AI, the organization may be a processor.
Duration personal information is held within the training engine	If an organization determines how long the AI can retain training data, it will likely be considered a “controller.”	If an organization is instructed by a third party to use data to train an AI, and does not control how long the AI may access the training data, the organization may be a processor.
Recipients of the personal information	If an organization determines which third parties may access the training data that is provided to the AI, that organization will likely be considered a “controller.”	If an organization is instructed by a third party to use data to train an AI, but does not control who will be able to access the AI (and the training data to which the AI has access), the organization may be a processor.
Individuals whose information is included	If an organization is selecting whose personal information will be used as part of training an AI, the organization will likely be considered a “controller.”	If an organization is being instructed by a third party to utilize particular individuals’ data to train an AI, the organization may be a processor.

[1] GDPR, Article 4(7).

[2] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 33.

[3] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.

[4] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.

[5] EDPB, Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 1, adopted 2 Sept. 2020, at ¶ 38.

[6] GDPR, Article 4(8).

For more Privacy Legal News, click here to visit the National Law Review.

Montana Passes 9th Comprehensive Consumer Privacy Law in the U.S.

On May 19, 2023, Montana’s Governor signed Senate Bill 384, the Consumer Data Privacy Act. Montana joins California, Colorado, Connecticut, Indiana, Iowa, Tennessee, Utah, and Virginia in enacting a comprehensive consumer privacy law. The law is scheduled to take effect on October 1, 2024.

When does the law apply?

The law applies to a person who conducts business in the state of Montana and:

Controls or processes the personal data of not less than 50,000 consumers (defined as Montana residents), excluding data controlled or processed solely to complete a payment transaction.
Controls and processes the personal data of not less than 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.

Hereafter these covered persons are referred to as controllers.

The following entities are exempt from coverage under the law:

Body, authority, board, bureau, commission, district, or agency of this state or any political subdivision of this state;
Nonprofit organization;
Institution of higher education;
National securities association that is registered under 15 U.S.C. 78o-3 of the federal Securities Exchange Act of 1934;
A financial institution or an affiliate of a financial institution governed by Title V of the Gramm- Leach-Bliley Act;
Covered entity or business associate as defined in the privacy regulations of the federal Health Insurance Portability and Accountability Act (HIPAA);

Who is protected by the law?

Under the law, a protected consumer is defined as an individual who resides in the state of Montana.

However, the term consumer does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer, or contractor of a company partnership, sole proprietorship, nonprofit, or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit, or government agency.

What data is protected by the law?

The statute protects personal data defined as information that is linked or reasonably linkable to an identified or identifiable individual.

There are several exemptions to protected personal data, including for data protected under HIPAA and other federal statutes.

What are the rights of consumers?

Under the new law, consumers have the right to:

Confirm whether a controller is processing the consumer’s personal data
Access Personal Data processed by a controller
Delete personal data
Obtain a copy of personal data previously provided to a controller.
Opt-out of the processing of the consumer’s personal data for the purpose of targeted advertising, sales of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.

What obligations do businesses have?

The controller shall comply with requests by a consumer set forth in the statute without undue delay but no later than 45 days after receipt of the request.

If a controller declines to act regarding a consumer’s request, the business shall inform the consumer without undue delay, but no later than 45 days after receipt of the request, of the reason for declining.

The controller shall also conduct and document a data protection assessment for each of their processing activities that present a heightened risk of harm to a consumer.

How is the law enforced?

Under the statute, the state attorney general has exclusive authority to enforce violations of the statute. There is no private right of action under Montana’s statute.

For more Privacy Legal News, click here to visit the National Law Review.

Tempur Sealy Acquisition of Mattress Firm: A Vertical Bridge Too Far for the FTC?

In a deal announced on May 9, Tempur Sealy International, Inc., the world’s largest mattress manufacturer, has agreed to acquire Houston-based Mattress Firm Group, Inc., the largest U.S. brick-and-mortar bedding retailer, with more than 2,300 locations and a robust e-commerce platform. The companies hope to finalize the $40 billion deal in the second half of 2024.

Following pre-merger notification of the deal last October, the FTC is reportedly taking a deep dive into the mattress industry to assess whether the transaction is likely to harm competition. The depth of the investigation itself signals a departure from the antitrust agencies’ traditional approach to “vertical” mergers in which firms in the same industry but in non-overlapping market segments (such as manufacturing and retailing the same product category) benefit from a soft presumption of legality. Customarily, vertical integration was perceived to be benign, if not somehow “efficiency enhancing.”

Whatever the merits of applying such leniency to traditional supply chains of widgets, it does not serve competition policy well in an economy dominated by technology-driven platforms that serve several enormous groups of customers at once. In today’s markets, non-overlapping vertical arrangements can severely affect whether rival firms can gain access to inputs, markets, or prospective customers.

Evidence of the FTC’s awareness of the potential for vertical mergers to cause competitive harm abounds. On September 15, 2021, the FTC withdrew the FTC/Department of Justice 2020 Vertical Merger Guidelines and Commentary. The Commission’s majority said that the 2020 Guidelines included a “flawed discussion of the purported procompetitive benefits (i.e., efficiencies) of vertical mergers, especially its treatment of the elimination of double marginalization” and by failing to address “increasing levels of consolidation across the economy.”

Mattresses and Widgets

A course correction is borne out by the Commission’s recent challenges to several proposed vertical mergers, including Nvidia Corp.’s attempted acquisition of Arm Ltd., Lockheed Martin Corporation’s attempted acquisition of Aerojet Rocketdyne Holdings, Inc., Microsoft Corp.’s acquisition of Activision Blizzard Inc., and Illumina, Inc.’s acquisition of GRAIL, Inc. After the parties abandoned the Nvidia/Arm acquisition, the FTC’s press release was effusive: “This result is particularly significant because it represents the first abandonment of a litigated vertical merger in many years,” the Commission said.

Enter the Tempur Sealy/Mattress Firm transaction, a vertical acquisition in a product category whose markets resemble widgets more than online merchandising or payment networks. Tempur Sealy became the world’s largest mattress manufacturer in 2012, when Tempur-Pedic acquired Sealey Corp. for $1.3 billion. The company currently earns revenues of $5 billion a year, almost a third of the $17 billion U.S. mattress market. Mattress Firm, the largest mattress retailer in the U.S. with annual revenues of $2.5 billion a year, has been owned since 2016 by German retail holding company Steinhoff International Holdings NV. The firm filed for Chapter 11 bankruptcy protection in October 2018, but quickly emerged the following month after closing 700 stores.

The merging parties are no strangers to one another, having engaged in a commercial relationship for the past 35 years. In 2017, Tempur Sealy sued Mattress Firm for selling mattresses that infringed on the Tempur-Pedic line-up, but in 2019, after its emergence from bankruptcy, Mattress Firm and Tempur Sealy struck a long-term partnership agreement. A merger of the two firms has been under discussion in one form or another for most of the past decade.

Public statements by the parties stress the complementarity of the deal, which they describe as combining “Tempur Sealy’s extensive product development and manufacturing capabilities with vertically integrated retail.” The merged entity will end up with about 3,000 retail stores, 30 e-commerce platforms, 71 manufacturing facilities, and 4 R&D facilities around the world. It is the kind of combination of complementary businesses that not long ago might not have even earned a Second Request from the antitrust agencies.

The FTC, which at least since last December has been investigating the potential effects on the mattress industry of a merger between the two market leaders, issued a Second Request earlier this month. By February, the Commission had already interviewed executives from the top 20 mattress manufacturers, according to a report in Furniture Today (February 2, 2023).

Disruptors and Goliaths

The FTC is likely to discover a large and growing global industry undergoing significant changes in how mattresses are designed, marketed, and sold in reaction to changing consumer preferences.

Several online mattress-in-a-box companies have disrupted the industry. Today, nearly half of all consumers purchases are online. They will also find fairly low barriers to entry into both brick-and-mortar and online retailing and mattress manufacturing. Their review of the Tempur Sealy/Mattress Firm transaction will also encounter two players in the market with a long history of cooperation.

With 20 manufacturers significant enough to interview, the Commission would appear to be faced with a fairly competitive market – one in which little or no foreclosure of rivals to the ability to obtain inputs or the availability of channels of distribution to reach consumers will result from the proposed transaction. Additional competitive pressure comes from Amazon, which began selling its own mattresses in 2018 as part of the Amazon Essentials line, and Walmart, which introduced its own mattress-in-box brand, Allswell, available online and in stores.

On balance, the acquisition of Mattress Firm by Tempur Sealy would not appear to raise significant antitrust issues. A challenge to this transaction by the FTC may be a vertical bridge too far. That is no doubt the assessment reached by Scott Thompson, chairman and CEO of Tempur Sealy, who expressed confidence in clearing the FTC’s antitrust review, “either in the traditional sense or through litigation.”

For more Antitrust and FTC news, click here to visit the National Law Review.

How to Succeed in Environmental Marketing Claims

Environmental marketing claims often present something of a Catch-22—companies that are doing actual good for the environment deserve to reap the benefits of their efforts, and consumers deserve to know, while at the same time, heightened scrutiny from the Federal Trade Commission (FTC), the National Advertising Division (NAD), state regulators and the plaintiffs’ bar have made such claims increasingly risky.

In 2012, the FTC issued the Green Guides for the use of environmental marketing claims to protect consumers and to help advertisers avoid deceptive environmental marketing. Compliance with the Green Guides may provide a safe harbor from FTC enforcement, and from liability under state laws, such as California’s Environmental Marketing Claims Act, that incorporate the Green Guides. The FTC has started a process to revise the Green Guides, including a request for comments about the meaning of “sustainable.” In the meantime, any business considering touting the environmental attributes of its products should consider the following essential takeaways from the Green Guides in their current form:

- Substantiation: Substantiation is key! Advertisers should have a reasonable basis for their environmental claims. Substantiation is the support for a claim, which helps ensure that the claim is truthful and not misleading or deceptive. Among other things, substantiation requires documentation sufficient to verify environmental claims.
- General benefit claims: Advertisers should avoid making unqualified claims of general benefit because substantiation is required for each reasonable interpretation of the claim. The more narrowly tailored the claim, the easier it is to substantiate.
- Comparative claims: Advertisers should be careful and specific when making comparative claims. For example, a claim that states “20% more recycled content” begs the question: “compared to what?” A prior version of the same product? A competing product? Without further detail, the advertiser would be responsible for the reasonable interpretation that the product has 20% more recycled content than other brands, as well as the interpretation that the product has 20% more recycled content than the advertiser’s older products.
- General greenwashing terms: Advertisers should be very cautious when using general environmental benefit terms such as “eco-friendly,” “sustainable,” “green,” and “planet-friendly.” Those kinds of claims feature prominently in many complaints alleging greenwashing, and they should only be used where the advertiser knows and explains what the term means, and can substantiate every reasonable interpretation of the claim.

Putting it into Practice: Given the scrutiny that environmental claims tend to attract, advertisers should exercise care when making environmental benefit claims about their products and services. They should narrowly tailor their claims to the specific environmental attributes they want to promote, and perhaps most important, they should ensure they have adequate backup to substantiate their claims. While the FTC Green Guides are due for a refresh (which we will surely report on), for the time being, they will continue to serve as important guidance for advertisers seeking to inform consumers without exposing their business to FTC scrutiny or class action litigation.

CFPB Investigates Crypto Lender

On December 1, 2022, the Consumer Financial Protection Bureau (Bureau) made public an administrative order denying Nexo Financial LLC’s (Nexo) petition to modify the Bureau’s civil investigative demand. The order represents the first publicly known Bureau investigation of a digital asset company, in this case, over Nexo’s “Earn Interest” crypto lending product.

The Bureau served Nexo with a civil investigative demand in late 2021 seeking further information about whether Nexo products were subject to federal consumer financial law, and in particular Nexo’s compliance with the Consumer Financial Protection Act and regulations under the Electronic Funds Transfer Act. Nexo sought to set aside the civil investigative demand and argued that, because the SEC had taken the position that other crypto lending products were securities, the Bureau was estopped from investigating it under provisions of federal law that preempt the Bureau from regulating securities products.

The Bureau rejected Nexo’s line of reasoning. According to the Bureau order, “Nexo Financial is trying to avoid answering any of the Bureau’s questions about the Earn Interest Product (on the theory that the product is a security subject to SEC oversight) while at the same time preserving the argument that the product is not a security subject to SEC oversight.” The order continues, “This attempt to have it both ways dooms Nexo Financial’s petition from the start.” The Bureau also found that Nexo’s petition was not timely filed.

As we recently noted, the Bureau has been increasing its attention to the digital asset sector. The Nexo order includes a lengthy discussion about the breadth of its jurisdiction and ability to investigate potential violations of law. As the crypto winter persists, we expect to see the Bureau continue to explore ways to assert its authority to regulate elements of the digital asset sector.

Article By Scott H. Kimpel of Hunton Andrews Kurth

For more financial legal news, click here to visit the National Law Review.

What You Need to Know About the DOJ’s Consumer Protection Branch

The Consumer Protection Branch of the United States Department of Justice (DOJ) is one of the most overlooked and misunderstood parts of the country’s largest law enforcement agency. With a wide field of enforcement, the Branch can pursue civil enforcement actions or even criminal prosecutions against companies based in the United States and even foreign companies doing business in the country.

Here are four things that Dr. Nick Oberheiden, a defense lawyer at Oberheiden P.C., thinks that people and businesses need to know about the DOJ’s Consumer Protection Branch.

The Wide Reach of “Protecting Consumers”

According to the agency itself, the Consumer Protection Branch “leads Department of Justice enforcement efforts to enforce consumer protection laws that protect Americans’ health, safety, economic security, and identity integrity.” While “identity integrity” is relatively tightly confined to issues surrounding identity theft and the unlawful use of personal data and information, “health,” “safety,” and “economic security” are huge and vaguely defined realms of jurisdiction.

Under the Branch’s enforcement focus or interpretation of its law enforcement mandate, it has the power to prosecute fraud and misconduct in the fields of:

Pharmaceuticals and medical devices
Food and dietary supplements
Consumer fraud, including elder fraud and other scams
Deceptive trade practices
Telemarketing
Data privacy
Veterans fraud
Consumer product safety and tampering
Tobacco products

Business owners and executives are often surprised to learn that the Consumer Protection Branch has so many oversight powers. But the Consumer Protection Branch’s wide reach is not limited to the laws that it can invoke and enforce; it also has a wide geographical reach, as well. In order to carry out its objective, the Branch brings both criminal and affirmative civil enforcement cases throughout the country. In one recent case, the Consumer Protection Branch prosecuted a drug manufacturer for violations of the federal Food, Drug, and Cosmetic Act (FDCA) after the drug maker hid and destroyed records before an inspection by the U.S. Food and Drug Administration (FDA). The drug manufacturer, however, was an Indian company that sold several cancer drugs in the U.S. The plant inspection took place in West Bengal, India.

The Branch Has Lots of Laws at Its Disposal

The extremely broad reach of the Consumer Protection Branch comes with a significant implication: There are numerous laws that the Branch can invoke as it regulates and investigates businesses. Many of these are substantive laws that prohibit certain types of conduct, like:

Food, Drug, and Cosmetic Act (FDCA)
Identify theft and fraud (18 U.S.C. § 1028) and aggravated identity theft (18 U.S.C. § 1028A)
Bank fraud (18 U.S.C. § 1344)
Healthcare fraud (18 U.S.C. § 1347)
Anti-Kickback Statute (42 U.S.C. § 1320a-7b)
Physician Self-Referral Law (42 U.S.C. § 1395nn)
False Claims Act (31 U.S.C. § 3729 – 3733)

Others, however, are procedural laws, which prohibit using certain means to carry out a crime, like:

Mail fraud (18 U.S.C. § 1341), which is the crime of using the mail system to commit fraud
Wire fraud (18 U.S.C. § 1343), which is the crime of using wire, radio, or television communication devices to commit fraud, including the internet

This can mean that many defendants get hit with multiple criminal charges for the same line of conduct, drastically increasing the severity of a criminal case. For example, in one case, a group of pharmacists fraudulently billed insurers for over $900 million in medications that they knew were not issued under a valid doctor-patient relationship. They were charged with misbranding medication and healthcare fraud, in addition to numerous counts of mail fraud for shipping that medication through the mail.

The Branch Has the Power to Pursue Civil and Criminal Sanctions

Lots of business owners and executives are also unaware of the fact that the DOJ’s Consumer Protection Branch has the power to pursue both civil and criminal cases if the law being enforced allows for it.

This has serious consequences for companies, and not just because the Branch can imprison individuals for putting consumers at risk: It also complicates the strategy for defending against enforcement action.

A good example of how this works in real life is a healthcare fraud allegation that is pursued by the Consumer Protection Branch under the False Claims Act, or FCA, because the alleged fraud implicated money from a government healthcare program, like Medicare or Medicaid. For it to be the crime of healthcare fraud, the Consumer Protection Branch would have to prove that there was an intent to defraud the program. If there is no intent, though, the Branch can still pursue civil penalties.

This complicates the defense strategy because keeping prosecutors from establishing your intent is not the end of the case. It just takes prison time off the table. While this is a big step in protecting your rights and interests, it still leaves you and your company open to civil liability. That liability can be quite substantial, as many anti-fraud laws – including the FCA – impose civil penalties on each violation and impose treble damages, or three times the amount fraudulently obtained.

As Dr. Nick Oberheiden, a consumer protection defense lawyer at the national law firm Oberheiden P.C., explains, “While relying on a lack of intent defense can work with other criminal offenses, it is a poor choice when fighting against allegations of fraud because it tacitly admits to the fraudulent actions. Enforcement agencies like the DOJ’s Consumer Protection Branch can then easily impose civil liability against your company.”

The Branch Works in Tandem With Other Agencies

The Consumer Protection Branch only has about 200 prosecutors, support professionals, embedded law enforcement agents, and investigators. However, between October 2020 and December 2021, the Branch charged at least 96 individuals and corporations with criminal offenses and another 112 with civil enforcement actions, collecting $6.38 billion in judgments and resolutions.

The Branch can do this in large part because it works closely with other federal law enforcement agencies, like the:

By pooling their resources with other agencies like these, the DOJ’s Consumer Protection Branch can bring more weight to its enforcement action against your company.

Article By Dr. Nick Oberheiden of Oberheiden P.C.

For more consumer protection legal news, click here to visit the National Law Review.

Pair of Lawsuits Target Mint Flavored Products

Spencer Sheehan, a well-known class-action attorney, has filed a pair of class-action lawsuits in the U.S. District Court for the Northern District of Illinois, alleging that mint flavored products which do not contain mint are deceptively labeled.
The first lawsuit alleged that a “mint chocolate chip ice cream” statement of identity is misleading to consumers where the product’s flavor is derived from “natural flavor” and not any mint or mint-containing ingredient. The product also contains images of mint leaves on the front panel. As support for the allegation that the lack of mint is deceptive, the complaint cites to the ice cream flavoring regulation (21 CFR 135.110(f)(2)), which requires that the term “flavored” (e.g., mint flavored) be used where a product contains a natural flavor which predominates.
The second lawsuit alleged that consumers are misled by a gum product which is labeled as “original flavor” with a backdrop of what appears to be a blue mint leaf, but which only contains “natural and artificial flavor,” and no mint-based ingredients. Plaintiff, citing to the general flavoring regulation (21 CFR 101.22), alleged that the product should have been labeled as “naturally and artificially flavored mint” and that the failure to disclose the flavor or include the other qualifiers is misleading.
Although Plaintiffs have alleged technical violations of FDA’s labeling regulations, courts have consistently held that a reasonable consumer may not be aware of the intricacies of FDA’s labeling regulations and that therefore a technical labeling violation is not in itself sufficient to show that a reasonable consumer would be misled.

Article By Food and Drug Law Practice Group at Keller and Heckman LLP

For more biotech, food, and drug law legal news, click here to visit the National Law Review.

California PFAS Legislation Will Dramatically Impact Businesses

We previously reported on three significant pieces of California PFAS legislation that were before California’s Governor Newsom for ratification. Two of the bills were passed, which means that several categories of products will have applicable PFAS bans. The third bill was not signed by the Governor, which would have required companies to report certain data to the state for goods sold in or otherwise brought into California that contain PFAS.

With increasing attention being given to PFAS in consumer goods in the media, scientific community, and in state legislatures, the California PFAS bills underscore the importance of companies anywhere in the manufacturing or supply chain for consumer goods to immediately assess the impact of the proposed PFAS legislation on corporate practices, and make decisions regarding continued use of PFAS in products, as opposed to substituting for other substances. At the same time, companies impacted by the PFAS legislation must be aware that the new laws pose risks to the companies involvement in PFAS litigation in both the short and long term.

California PFAS Bills

One of our prior reports was on the first significant PFAS bill that Governor Newsom was expected to sign into law – AB 2771 – and which was indeed passed into law. The bill prohibits the manufacture, sale, delivery, hold, or offer for sale any cosmetics product that contains any intentionally added PFAS. The law would go into effect on January 1, 2025. The bill defines a cosmetics products as “an article for retail sale or professional use intended to be rubbed, poured, sprinkled, or sprayed on, introduced into, or otherwise applied to the human body for cleansing, beautifying, promoting attractiveness, or altering the appearance.”

The second bill signed into law by the Governor is AB 1817, which bans the use of PFAS in textiles manufactured and sold in California. More specifically, the bill prohibits, beginning January 1, 2025, any person from “manufacturing, distributing, selling, or offering for sale in the state any new, not previously owned, textile articles that contain regulated PFAS” and requires a manufacturer to use the least toxic alternative when removing PFAS in textile articles to comply with these provisions. The bill requires a manufacturer of a textile article to provide persons that offer the product for sale or distribution in the state with a certificate of compliance stating that the textile article is in compliance with these provisions and does not contain any regulated PFAS. The bill specifically regulates three categories of textiles:

(1) “Textile articles” means textile goods of a type customarily and ordinarily used in households and businesses, and include, but are not limited to, apparel, accessories, handbags, backpacks, draperies, shower curtains, furnishings, upholstery, beddings, towels, napkins, and tablecloths;

(2) “Outdoor apparel” means clothing items intended primarily for outdoor activities, including, but not limited to, hiking, camping, skiing, climbing, bicycling, and fishing; and

(3) “Apparel”, defined as “clothing items intended for regular wear or formal occasions, including, but not limited to, undergarments, shirts, pants, skirts, dresses, overalls, bodysuits, costumes, vests, dancewear, suits, saris, scarves, tops, leggings, school uniforms, leisurewear, athletic wear, sports uniforms, everyday swimwear, formal wear, onesies, bibs, diapers, footwear, and everyday uniforms for workwear…outdoor apparel and outdoor apparel for severe wet conditions.

The bill that California’s Governor vetoed was AB 2247, which would have established reporting requirements for companies that utilize products or substances that contain PFAS and which are used in California in the stream of commerce. “The bill would [have] require[d], on or before July 1, 2026, and annually thereafter, a manufacturer, as defined, of PFAS or a product or a product component containing intentionally added PFAS that, during the prior calendar year, is sold, offered for sale, distributed, or offered for promotional purposes in, or imported into, the state to register the PFAS or the product or product component containing intentionally added PFAS, and specified other information, on the publicly accessible data collection interface.”

Impact of California PFAS Legislation On Businesses

California PFAS legislation places some of the most significant and widely used consumer products in the crosshairs with respect to PFAS. While other states have banned or otherwise regulated PFAS in certain specific consumer goods, California’s bills are noteworthy given the economic impact that it will have, considering that California is the fifth largest economy in the world.

It is of the utmost importance for businesses along the whole cosmetics supply chain to evaluate their PFAS risk. Public health and environmental groups urge legislators to regulate these compounds. One major point of contention among members of various industries is whether to regulate PFAS as a class or as individual compounds. While each PFAS compound has a unique chemical makeup and impacts the environment and the human body in different ways, some groups argue PFAS should be regulated together as a class because they interact with each other in the body, thereby resulting in a collective impact. Other groups argue that the individual compounds are too diverse and that regulating them as a class would be over restrictive for some chemicals and not restrictive enough for others.

Companies should remain informed so they do not get caught off guard. States are increasingly passing PFAS product bills that differ in scope. For any manufacturers, especially those who sell goods interstate, it is important to understand how those various standards will impact them, whether PFAS is regulated as individual compounds or as a class. Conducting regular self-audits for possible exposure to PFAS risk and potential regulatory violations can result in long term savings for companies and should be commonplace in their own risk assessment.

Article By John Gardella of CMBG3 Law

For more environmental legal news, click here to visit the National Law Review.

THE OLD 9999 SCAM?: Plaintiff Alleges Defendant Made 5000 Illegal Phone Calls to his Number–But is it a Set Up?

So ostensiby the case of Mongeon v. KPH Healthcare, 2022 WL 1978674 Case No. 2:21-cv-00195 (D. Vt. 06/06/2022) is simply a case about the definition of “consumer” under the Vermont Consumer Protection Act (“VCPA”), 9 V.S.A. § 2453.

The plaintiff alleges his receipt of 4000 calls from the Defendant after the Defendant promised to stop calling was an act of “fraud” and “deceit” under the VCPA. But since the Plaintiff has not alleged facts establishing he is a “consumer” within the meaning of the Act the Court dismissed the case, without prejudice.

Pretty blasé.

But let’s back up. Why would Defendant–seemingly a local pharmacy–blast the Plaintiff’s number so many times?

Well the Plaintiff’s full number is not set forth in the decision–but the last four digits are “9999.”

Many years ago before I became a TCPA class action defense lawyer I–like many out there–had a very low impression of the TCPA. I remember a guy in law school who made tuition bring junk fax cases. And I had a colleague who was locked in mortal battle with some clown who was bringing a series of small claims TCPA suits in Southern California arising out of calls to a “designer phone number”: 999-999-9999.

Hmmmmm.

Much like the old case of Stoops in which the Plaintiff had over 80 cell phones–or the recent case of Barton in which the Plaintiff had a cell phone purchased specifically to set up TCPA suits–a 9999 scammer will pick up a “designer number” like 999-999-9999 and wear it is for a legitimate purpose. “I run a real estate agency, etc.” Looking deeper there is rarely any utility behind the number–although other designer numbers like (800) 444-4444 are very helpful–and the numbers are often just used to net TCPA lawsuits.

The reason it works is rather obvious.

When I walk into my local Sports Clips for my monthly trim there is no way I’m going to give them my private cell phone number. So I give them 999-999-9999. (Of course, I also give them my email of no@no.com.) It works perfectly well for check in, and I never receive any texts or calls from them reminding me to come back to style my luscious used-to-be-black locks.

Apart from folks providing the number 999-999-9999 to a business, many companies will knowingly have their agents enter the number as a default when the customer does not otherwise provide their number. This was the case in the old “small claims bandit” run of suits I mentioned earlier–apparently a local hospital group was engaging in this practice, which lead to an endless number of TCPA suits being filed against them by an enterprising Plaintiff.

Well Mongeon appears to be the same issue. Per the ruling: , Defendant’s representatives advised Plaintiff “that his phone number was attached to multiple other customers who had prescriptions at the pharmacy” because Plaintiff’s phone number, XXX-XXX-9999, is “the ‘default’ number for all new or current customers in [Defendant’s] system without a phone number.”

Pro tip: the 9999 play is arguably the oldest manufactured lawsuit trick in TCPAWorld. Don’t fall for it. Never use 999-999-9999 (or any other series of numbers) as a “default” setting for customer phone numbers. And if you do, you definitely want to suppress dialing to those numbers.

Stay safe out there TCPAWorld.

Article By Eric J. Troutman of Troutman Firm

For more communications, media, and internet news, click here to visit the National Law Review.

Thailand’s Personal Data Protection Act Enters into Force

On June 1, 2022, Thailand’s Personal Data Protection Act (“PDPA”) entered into force after three years of delays. The PDPA, originally enacted in May 2019, provides for a one-year grace period, with the main operative provisions of the law originally set to come into force in 2020. Due to the COVID-19 pandemic, however, the Thai government issued royal decrees to extend the compliance deadline to June 1, 2022.

The PDPA mirrors the EU General Data Protection Regulation (“GDPR”) in many respects. Specifically, it requires data controllers and processors to have a valid legal basis for processing personal data (i.e., data that can identify living natural persons directly or indirectly). If such personal data is sensitive personal data (such as health data, biometric data, race, religion, sexual preference and criminal record), data controllers and processors must ensure that data subjects give explicit consent for any collection, use or disclosure of such data. Exemptions are granted for public interest, contractual obligations, vital interest or compliance with the law.

The PDPA applies both to entities in Thailand and abroad that process personal data for the provision of products or services in Thailand. Like the GDPR, data subjects are guaranteed rights, including the right to be informed, access, rectify and update data; restrict and object to processing; and the right to data erasure and portability. Breaches may result in fines between THB500,000 (U.S.$14,432) and THB5 million, plus punitive compensation. Certain breaches involving sensitive personal data and unlawful disclosure also carry criminal penalties including imprisonment of up to one year.

Article By Hunton Andrews Kurth’s Privacy and Cybersecurity of Hunton Andrews Kurth

For more communications, media & internet news, click here to visit the National Law Review.

Tag: Consumer Protection

Montana Passes 9th Comprehensive Consumer Privacy Law in the U.S.

Like this: